diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 7285edfe8..6f207e83d 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -62,7 +62,7 @@ jobs:
 run: |
 pip install pysigma
 pip install sigma-cli
- pip install pySigma-validators-sigmahq==0.10.*
+ pip install pySigma-validators-sigmahq==0.11.*
 - name: Test Sigma Rule Syntax
 run: |
 sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*
diff --git a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
index 9f11fc018..767f5ef99 100644
--- a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
+++ b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
@@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-19
 modified: 2023-01-02
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1190
 - attack.t1505.003
diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
index c912f3e83..99dbbe1af 100644
--- a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
+++ b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
@@ -8,6 +8,9 @@ author: Florian Roth (Nextron Systems)
 date: 2020-05-26
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.g0010
 - attack.execution
 - attack.t1059.001
diff --git a/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
index d6f85a435..db6d67a52 100644
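Review bot: `modified: 2023-01-02` two lines above `tags:` is left as-is while this rule's tag set changes, and the same applies to every rule hunk in this diff — the hunks that show a `modified:` line (Turla ComRAT, CosmicDuke, PlugX, StoneDrill and onward) leave it unchanged, and the hunks that show only `date:` (Small-Sieve, CVE-2022-24527, ChromeLoader, Serpent, the 2023–2024 rules) add none. If the project's convention is that `modified:` tracks any change to a rule, each of these should carry the date of this change, e.g. `modified: <YYYY-MM-DD of this change>`; if tag-only edits are exempt from that convention, a sentence in the commit message saying so would spare the next reviewer the question. The added tactic tags are consistent with the techniques visible in the hunks (`attack.t1505.003` is a Persistence technique, `attack.t1190` an Initial Access one), and the workflow hunk's bump to `pySigma-validators-sigmahq==0.11.*` is presumably what now requires them, though the diff does not show the validator's new check. A short pointer in the commit description to the validator rule that demands explicit tactic tags would explain the churn across so many rule files.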
--- a/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
+++ b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
@@ -13,6 +13,8 @@ author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (upd
 date: 2017-03-27
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1543.003
 - attack.t1569.002
diff --git a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
index 4dc76bf88..b7f25af0c 100644
--- a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
+++ b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
@@ -9,6 +9,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-06-12
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.s0013
 - attack.defense-evasion
 - attack.t1574.001
diff --git a/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml b/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
index 526e33f1d..1cba6ccc7 100644
--- a/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
+++ b/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-03-07
 modified: 2021-11-30
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.g0064
 - attack.t1543.003
diff --git a/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
index 626ef71ea..e5098c8fb 100644
--- a/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
+++ b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-04-15
 modified: 2021-11-27
 tags:
+ - attack.exfiltration
 - attack.command-and-control
 - attack.g0020
 - attack.t1041
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
index 1fed02ec2..db7c79d49 100644
--- a/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
+++ b/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-03-31
 modified: 2021-11-30
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.g0010
 - attack.t1543.003
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
index b1b89ef68..9ea1ed539 100644
--- a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
+++ b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-11-23
 modified: 2021-11-30
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.g0010
 - attack.t1543.003
diff --git a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
index 41ae313cb..b226632ea 100644
--- a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
+++ b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
@@ -10,6 +10,8 @@ author: Florian Roth (Nextron Systems)
 date: 2018-09-03
 modified: 2023-03-09
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.g0027
diff --git a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
index 93af14487..123fa28ff 100644
--- a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
+++ b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
@@ -9,6 +9,7 @@ author: megan201296, Jonhnathan Ribeiro
 date: 2019-04-14
 modified: 2023-09-28
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
index 9887fdd3f..e63a3424a 100644
--- a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.g0049
 - attack.t1053.005
diff --git a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
index 677e3d762..47792f214 100644
--- a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.g0049
 - attack.t1053.005
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
index d797c0193..8a1127aea 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.g0049
 - attack.t1053.005
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
index ea748e64f..f15798a15 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.g0049
 - attack.t1053.005
diff --git a/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml b/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
index fe275344b..64c240df7 100644
--- a/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
+++ b/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
 date: 2019-03-04
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 - attack.s0111
diff --git a/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml b/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
index c5c66cf4c..f01134888 100644
--- a/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
+++ b/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
@@ -11,6 +11,8 @@ author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
 date: 2019-03-04
 modified: 2022-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053
 - attack.s0111
diff --git a/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml b/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
index d41cc4f1d..a4d7cd4ee 100644
--- a/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
+++ b/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
@@ -8,6 +8,8 @@ author: Olaf Hartong
 date: 2019-05-22
 modified: 2023-01-26
 tags:
+ - attack.persistence
+ - attack.execution
 - attack.privilege-escalation
 - attack.t1053.005
 - car.2013-08-001
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
index e84490ea8..0dccbb91b 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2019-11-15
 modified: 2021-11-27
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1068
 - attack.execution
diff --git a/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml b/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
index 8ec78b3fe..1cf848e06 100644
--- a/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
+++ b/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
@@ -14,6 +14,7 @@ author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (
 date: 2019-12-16
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
index 13245e218..9f1b06fed 100644
--- a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
+++ b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
@@ -9,6 +9,8 @@ author: megan201296
 date: 2019-02-13
 modified: 2023-02-07
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.execution
 - attack.t1112
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml b/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
index 69a560650..989023ffa 100644
--- a/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
+++ b/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-02-21
 modified: 2023-03-10
 tags:
+ - attack.collection
 - attack.lateral-movement
 - attack.credential-access
 - attack.g0128
diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
index 22a24d09e..094caf27b 100644
--- a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
+++ b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
@@ -12,6 +12,8 @@ author: Florian Roth (Nextron Systems), frack113
 date: 2019-12-20
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.discovery
 - attack.t1012
 - attack.defense-evasion
diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
index 4507c1bb2..f43960fa7 100644
--- a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
+++ b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
@@ -10,6 +10,8 @@ author: Florian Roth (Nextron Systems), frack113
 date: 2019-12-20
 modified: 2022-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.discovery
 - attack.t1012
 - attack.defense-evasion
diff --git a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
index 49aa7d15a..bfe71e326 100644
--- a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
+++ b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
@@ -11,6 +11,8 @@ author: Trent Liffick (@tliffick)
 date: 2020-05-14
 modified: 2022-10-09
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.execution
 - attack.t1112
 - attack.t1047
diff --git a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml
index cbb841a40..5cc2c99be 100644
--- a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml
+++ b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml
@@ -10,6 +10,7 @@ author: NVISO
 date: 2020-06-09
 modified: 2024-03-20
 tags:
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1112
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml b/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml
index da0ce1282..6c2c95a49 100644
--- a/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml
+++ b/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml
@@ -8,6 +8,7 @@ author: Aidan Bracher
 date: 2020-07-07
 modified: 2023-09-19
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
index 64db6e2a6..c13dfec9b 100644
--- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
+++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-05
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
index 389743136..36c897893 100644
--- a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
+++ b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2020-07-30
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.execution
 - attack.t1055.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
index 5b0cc6e88..8a06ce04c 100644
--- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
+++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), Markus Neis
 date: 2020-02-01
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.g0044
diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
index ab2f4486d..f283f5018 100644
--- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
+++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), oscd.community
 date: 2020-07-30
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.g0044
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
index 4111e5162..e077fc20d 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
@@ -10,6 +10,7 @@ author: Sittikorn S, Nuttakorn T, Tim Shelton
 date: 2021-07-01
 modified: 2023-10-23
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1055
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
index 1fc3b0f07..0abb09003 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -9,6 +9,8 @@ author: Sittikorn S
 date: 2021-07-16
 modified: 2022-10-09
 tags:
+ - attack.initial-access
+ - attack.execution
 - attack.credential-access
 - attack.t1566
 - attack.t1203
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
index 16223daa0..60d4af2bb 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -9,6 +9,8 @@ author: Sittikorn S, frack113
 date: 2021-07-16
 modified: 2023-08-17
 tags:
+ - attack.initial-access
+ - attack.execution
 - attack.credential-access
 - attack.t1566
 - attack.t1203
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
index 2371c9692..a72e13432 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-12-22
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.persistence
 - attack.t1036
diff --git a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
index 725e9025d..042d43a16 100644
--- a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems), Maxime Thiebaut
 date: 2021-08-23
 modified: 2024-12-01
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1553
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml b/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml
index e007f9280..3ef31cd94 100644
--- a/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml
+++ b/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml
@@ -12,6 +12,7 @@ author: frack113
 date: 2022-01-24
 modified: 2025-10-21
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
index 0abc66e04..f023e2d9b 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
@@ -14,6 +14,8 @@ author: Bhabesh Raj
 date: 2021-05-05
 modified: 2023-02-17
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
index 8c00d5ef0..766f4abca 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
@@ -14,6 +14,8 @@ author: Bhabesh Raj
 date: 2021-05-05
 modified: 2023-02-17
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
index 0e132ce40..dd9a4e30f 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
@@ -14,6 +14,8 @@ author: Bhabesh Raj
 date: 2021-05-05
 modified: 2023-02-17
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
index 086615fd3..b6b59c3f6 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
@@ -7,6 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-19
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
index df22ca9ee..783c8502f 100644
--- a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
+++ b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
@@ -12,6 +12,8 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-09
 modified: 2023-03-09
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1546
 - attack.t1053
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
index de600e03b..e69ae4afe 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
@@ -7,6 +7,7 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022-04-13
 tags:
+ - attack.execution
 - attack.privilege-escalation
 - attack.t1059.001
 - cve.2022-24527
diff --git a/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml b/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml
index 64fac0615..c84181884 100644
--- a/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml
+++ b/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml
@@ -10,6 +10,7 @@ references:
 author: '@kostastsale'
 date: 2022-01-10
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml b/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml
index 72962ce2f..4954b6667 100644
--- a/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml
+++ b/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml
@@ -10,6 +10,7 @@ references:
 author: '@kostastsale'
 date: 2022-03-21
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
index 523d72407..6f944e610 100644
--- a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
+++ b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
@@ -7,6 +7,7 @@ references:
 author: Denis Szadkowski, DIRT / DCSO CyTec
 date: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml b/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
index d8f9daa99..ebea2bbd1 100644
--- a/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
+++ b/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
@@ -8,6 +8,8 @@ author: Andreas Hunkeler (@Karneades)
 date: 2022-02-07
 modified: 2023-03-18
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053
 - attack.t1053.005
diff --git a/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml
index ad63c36c6..8b09f5e0f 100644
--- a/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml
+++ b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml
@@ -9,6 +9,7 @@ references:
 author: '@kostastsale'
 date: 2023-08-07
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
index 86c1d3920..d05d96155 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
@@ -11,6 +11,8 @@ references:
 author: Alejandro Houspanossian ('@lekz86')
 date: 2024-01-02
 tags:
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.execution
 - attack.t1059.003
 - attack.t1105
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
index 8e9bf8d43..f62ee3dab 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
@@ -12,6 +12,7 @@ author: Andreas Braathen (mnemonic.io)
 date: 2023-10-27
 modified: 2024-01-26
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.012
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
index f0967eb28..c2f0253b4 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
@@ -25,6 +25,7 @@ date: 2023-03-29
 tags:
 - attack.command-and-control
 - attack.execution
+ - attack.defense-evasion
 - attack.t1218
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
index 2e6a251e0..db6d3967d 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
@@ -8,6 +8,8 @@ author: CISA
 date: 2023-12-18
 tags:
 - attack.defense-evasion
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1574.001
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
index ce5de1300..9b4989d0b 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
@@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-10-24
 tags:
 - attack.defense-evasion
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1574.001
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
index 0cc0a8b1b..c8cc16e68 100644
--- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
+++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
@@ -10,6 +10,7 @@ date: 2023-10-18
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.persistence
 - attack.t1574.001
 - attack.g0032
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
index f55b327e6..a07be2234 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
@@ -8,6 +8,7 @@ references:
 author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
 date: 2024-12-09
 tags:
+ - attack.initial-access
 - attack.execution
 - attack.t1190
 - cve.2024-50623
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
index f60f41bdc..63440d697 100644
--- a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
@@ -8,6 +8,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior
 date: 2024-03-22
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml
index 2f19a9cb0..2fb0416ce 100644
--- a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml
+++ b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml
@@ -13,6 +13,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024-12-19
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
index 0281d3f9e..1c05db50c 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
@@ -12,6 +12,7 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-07-31
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
index fcd309079..80a7329bf 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
@@ -15,6 +15,7 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-07-31
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
index cea5c8a79..1a1337d6a 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
@@ -14,6 +14,8 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-07-03
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
index f6e582122..ed86d6ae1 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
@@ -11,6 +11,7 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-07-03
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
index 639217c33..9edd10739 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
@@ -9,6 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-04-23
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
index 8f32311b5..db12f36a8 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
@@ -9,6 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-04-23
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-30406/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-30406/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
index c923e155a..0a945f816 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-30406/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-30406/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml
@@ -11,6 +11,7 @@ references:
 author: Jason Rathbun (Blackpoint Cyber)
 date: 2025-04-17
 tags:
+ - attack.persistence
 - attack.execution
 - attack.t1059.003
 - attack.t1505.003
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml
index 381dfea35..d2c4c9b56 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml
@@ -11,6 +11,7 @@ references:
 author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-04-28
 tags:
+ - attack.execution
 - attack.initial-access
 - attack.t1190
 - attack.persistence
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml
index 8def10536..f4607fc47 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml
@@ -11,6 +11,7 @@ references:
 author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-04-28
 tags:
+ - attack.execution
 - attack.initial-access
 - attack.t1190
 - attack.persistence
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml
index 5d0d47fa5..b10091d25 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml
@@ -7,6 +7,7 @@ description: |
 author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-04-28
 tags:
+ - attack.execution
 - attack.initial-access
 - attack.t1190
 - attack.persistence
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_win_sap_netweaver_susp_child_process.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_win_sap_netweaver_susp_child_process.yml
index c531b74ce..ddfe2f75c 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_win_sap_netweaver_susp_child_process.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_win_sap_netweaver_susp_child_process.yml
@@ -7,6 +7,7 @@ description: |
 author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-04-28
 tags:
+ - attack.execution
 - attack.initial-access
 - attack.t1190
 - attack.persistence
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml
index 36fe9c856..a1b498c42 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml
@@ -16,6 +16,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-13
 tags:
+ - attack.command-and-control
 - attack.execution
 - attack.defense-evasion
 - attack.t1218
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml
index 1c3a5ec06..e1919d9d9 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml
@@ -19,6 +19,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-13
 tags:
+ - attack.command-and-control
 - attack.execution
 - attack.defense-evasion
 - attack.t1218
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml
index e0194dee4..be0a641ae 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml
@@ -19,6 +19,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-13
 tags:
+ - attack.command-and-control
 - attack.execution
 - attack.defense-evasion
 - attack.t1218
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml
index 0290f3985..57ecd307e 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml
@@ -11,6 +11,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-26
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1574.008
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml
index c82ecba5f..bf46ea2b2 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml
@@ -9,6 +9,7 @@ references:
 author: Nisarg Suthar
 date: 2025-08-01
 tags:
+ - attack.privilege-escalation
 - attack.initial-access
 - attack.execution
 - attack.t1059.001
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml
index c6586c165..d23a97ea9 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml
@@ -9,6 +9,9 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-10-20
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2025/Malware/file_event_win_malware_funklocker_ransomware_extension.yml b/rules-emerging-threats/2025/Malware/file_event_win_malware_funklocker_ransomware_extension.yml
index 79ce424fa..f5d79dca4 100644
--- a/rules-emerging-threats/2025/Malware/file_event_win_malware_funklocker_ransomware_extension.yml
+++ b/rules-emerging-threats/2025/Malware/file_event_win_malware_funklocker_ransomware_extension.yml
@@ -8,6 +8,7 @@ references:
 author: Saiprashanth Pulisetti ( @Prashanthblogs)
 date: 2025-08-08
 tags:
+ - attack.impact
 - attack.t1486
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml b/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml
index f127888cc..da8d31bf2 100644
--- a/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml
+++ b/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml
@@ -7,6 +7,7 @@ references:
 author: Arda Buyukkaya (EclecticIQ)
 date: 2025-02-11
 tags:
+ - attack.execution
 - attack.command-and-control
 - attack.t1090
 - attack.t1573
diff --git a/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml b/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml
index db2de905f..dc57d4148 100644
--- a/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml
+++ b/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml
@@ -10,6 +10,9 @@ author: Ivan Saakov
 date: 2025-10-19
 tags:
 - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
index f0b367d04..7d6a24509 100644
--- a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
+++ b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
@@ -9,6 +9,9 @@ date: 2022-08-11
 modified: 2023-12-15
 tags:
 - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
index 1705bafb1..ad1ed1388 100644
--- a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
@@ -9,6 +9,9 @@ date: 2022-08-11
 modified: 2023-12-15
 tags:
 - attack.persistence
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
index 6a5c87b89..12f7a11a1 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
@@ -10,6 +10,8 @@ modified: 2023-12-15
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.initial-access
+ - attack.persistence
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
index a9e85a786..2fb3fc614 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
@@ -9,6 +9,9 @@ date: 2022-08-11
 modified: 2023-12-15
 tags:
 - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
index 86c1029e6..ec70d6ce6 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
@@ -9,6 +9,9 @@ date: 2022-08-11
 modified: 2023-12-15
 tags:
 - attack.persistence
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
index b1bce3bb4..f9bd1e2ad 100644
--- a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
@@ -9,6 +9,7 @@ date: 2017-03-08
 modified: 2023-12-15
 tags:
 - attack.lateral-movement
+ - attack.defense-evasion
 - attack.t1550.002
 - car.2016-04-004
 logsource:
diff --git a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
index a76fd16a6..89bd8872b 100644
--- a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
@@ -10,6 +10,7 @@ modified: 2023-12-15
 tags:
 - attack.credential-access
 - attack.defense-evasion
+ - attack.persistence
 - attack.discovery
 - attack.s0075
 - attack.t1012
diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
index 165e78f1d..6467d75d7 100644
--- a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
@@ -9,6 +9,10 @@ date: 2017-03-17
 modified: 2023-12-15
 tags:
 - attack.lateral-movement
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 product: windows
diff --git a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
index 3c0619b8b..3e8e3d4a4 100644
--- a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
+++ b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
@@ -11,6 +11,7 @@ modified: 2023-01-20
 tags:
 - attack.execution
 - attack.privilege-escalation
+ - attack.persistence
 - car.2013-08-001
 - attack.t1053.005
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
index da7b5d252..ebae49d4b 100644
--- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
@@ -9,6 +9,7 @@ date: 2019-08-11
 modified: 2024-01-22
 tags:
 - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055.001
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
index a9cf2f3bb..82033bae0 100644
--- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
@@ -12,6 +12,7 @@ date: 2024-07-29
 modified: 2025-07-04
 tags:
 - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
index 3864c282a..c53dd2a43 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
@@ -10,6 +10,7 @@ modified: 2024-07-29
 tags:
 - attack.t1112
 - attack.defense-evasion
+ - attack.persistence
 - detection.threat-hunting
 logsource:
 category: file_access
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
index 696765cc4..3d9d54dee 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
@@ -13,6 +13,7 @@ author: Micah Babinski
 date: 2023-08-21
 tags:
 - attack.initial-access
+ - attack.resource-development
 - attack.t1584
 - attack.t1566
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml b/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml
index c04e44df6..0824f6a2d 100644
--- a/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml
@@ -13,6 +13,7 @@ date: 2024-09-02
 tags:
 - attack.persistence
 - attack.execution
+ - attack.privilege-escalation
 - attack.t1053.005
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml
index cad798468..38a8720cf 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml
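Review bot: In file_access_win_susp_reg_and_hive.yml the new `attack.persistence` tactic lands after the technique tag `attack.t1112`, whereas the other hunks in this commit insert tactic tags ahead of the technique tags; the same after-the-technique placement recurs in rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml, where the three new tactics follow `attack.t1078.004`. Keeping tactics grouped first makes the tactic-to-technique pairing this commit is establishing readable at a glance and consistent across the rule set. For this hunk, ordering the three lines as `- attack.defense-evasion`, `- attack.persistence`, `- attack.t1112` would match the rest of the change; the list for the SAML-provider rule would similarly move the tactics above `- attack.t1078.004`.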
@@ -11,6 +11,7 @@ references:
 author: Isaac Dunham
 date: 2024-11-07
 tags:
+ - attack.command-and-control
 - attack.t1102.002
 - attack.t1090.004
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
index 8fa81f935..8bc98a67d 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
@@ -11,6 +11,7 @@ date: 2019-10-21
 modified: 2023-12-15
 tags:
 - attack.exfiltration
+ - attack.collection
 - attack.t1560
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
index 39f4cd5b4..d7ed21d40 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
@@ -13,6 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-23
 tags:
 - attack.defense-evasion
+ - attack.execution
 - attack.t1059.001
 - attack.t1059.003
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
index 98ad58c77..fad4ff466 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
@@ -12,6 +12,7 @@ date: 2020-07-03
 modified: 2023-05-02
 tags:
 - attack.exfiltration
+ - attack.command-and-control
 - attack.t1567
 - attack.t1105
 - detection.threat-hunting
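Review bot: In posh_ps_compress_archive_usage.yml the commit adds `attack.collection` for `attack.t1560`, but leaves the pre-existing `attack.exfiltration` tactic with no technique tag backing it; T1560 (Archive Collected Data) belongs to the Collection tactic only in ATT&CK, and the tag list ends inside the hunk (`logsource:` follows), so nothing further down supplies an exfiltration technique. If tagging exfiltration is intentional for this hunting rule, an exfiltration technique tag should sit next to it; otherwise removing `- attack.exfiltration` would keep the file consistent with the tactic-per-technique alignment the rest of the commit performs. The neighbouring curl-fileupload hunk is fine in this respect, since its `attack.exfiltration` is backed by `attack.t1567`.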
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
index 614671544..e3352f88f 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
@@ -13,6 +13,7 @@ author: Andreas Braathen (mnemonic.io)
 date: 2023-12-01
 tags:
 - attack.defense-evasion
+ - attack.execution
 - attack.t1059.001
 - attack.t1027.010
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
index 04551a2c3..4334b1c04 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
@@ -13,6 +13,7 @@ references:
 author: frack113
 date: 2024-05-03
 tags:
+ - attack.defense-evasion
 - attack.t1562.004
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
index 647f98898..bb2989de3 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
@@ -11,6 +11,8 @@ date: 2022-02-23
 modified: 2024-05-13
 tags:
 - attack.execution
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1053.005
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml
index ee9c64763..9464ead5a 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml
@@ -11,6 +11,7 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-13
 tags:
 - attack.execution
+ - attack.command-and-control
 - attack.lateral-movement
 - attack.t1105
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
index 3d0365a12..d22744cc0 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
@@ -12,6 +12,7 @@ date: 2023-06-21
 modified: 2023-08-17
 tags:
 - attack.defense-evasion
+ - attack.persistence
 - attack.t1112
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
index 3d19e70b7..e761849b9 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -12,6 +12,9 @@ author: Andreas Braathen (mnemonic.io)
 date: 2023-12-01
 tags:
 - attack.defense-evasion
+ - attack.execution
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1059.001
 - attack.t1027.010
 - attack.t1547.001
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
index a0673f43a..00c664593 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
@@ -16,6 +16,7 @@ date: 2022-05-02
 modified: 2024-03-25
 tags:
 - attack.defense-evasion
+ - attack.persistence
 - attack.t1112
 - detection.threat-hunting
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
index ac3e76663..5c39f9f5e 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
@@ -12,6 +12,9 @@ references:
 author: kelnage
 date: 2024-07-11
 tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1078
 - attack.credential-access
diff --git a/rules/application/opencanary/opencanary_ssh_login_attempt.yml b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
index 0e1572426..0704ee1ba 100644
--- a/rules/application/opencanary/opencanary_ssh_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
@@ -8,6 +8,8 @@ references:
 author: Security Onion Solutions
 date: 2024-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.initial-access
 - attack.lateral-movement
 - attack.persistence
diff --git a/rules/application/opencanary/opencanary_ssh_new_connection.yml b/rules/application/opencanary/opencanary_ssh_new_connection.yml
index f3656da4c..34f7db373 100644
--- a/rules/application/opencanary/opencanary_ssh_new_connection.yml
+++ b/rules/application/opencanary/opencanary_ssh_new_connection.yml
@@ -8,6 +8,8 @@ references:
 author: Security Onion Solutions
 date: 2024-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.initial-access
 - attack.lateral-movement
 - attack.persistence
diff --git a/rules/application/opencanary/opencanary_telnet_login_attempt.yml b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
index 0d4aca202..d9c973047 100644
--- a/rules/application/opencanary/opencanary_telnet_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
@@ -8,6 +8,9 @@ references:
 author: Security Onion Solutions
 date: 2024-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.command-and-control
 - attack.t1133
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index b4b14bcfb..72c7ebf34 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -10,6 +10,7 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
+ - attack.privilege-escalation
 - attack.lateral-movement
 - attack.execution
 - attack.persistence
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
index 8b2dc0c10..f0bc075fe 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
@@ -10,6 +10,9 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.execution
 - attack.lateral-movement
 - attack.t1053
 - attack.t1053.002
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index aca398581..801d633ad 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -10,6 +10,7 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
+ - attack.defense-evasion
 - attack.lateral-movement
 - attack.t1112
 - attack.persistence
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index 272e1a21d..a0a766488 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -10,6 +10,7 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
+ - attack.privilege-escalation
 - attack.lateral-movement
 - attack.execution
 - attack.persistence
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
index e51d9865f..b800b4f84 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
@@ -12,6 +12,9 @@ date: 2025-10-18
 modified: 2025-10-21
 tags:
 - attack.initial-access
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
index 7f7367ce8..b08c11de6 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
@@ -13,6 +13,8 @@ date: 2024-07-11
 tags:
 - attack.privilege-escalation
 - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
 - attack.t1078
 - attack.t1078.002
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
index 4c9e9d3de..e360d5d52 100644
--- a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
+++ b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
@@ -11,6 +11,7 @@ author: Chester Le Bron (@123Le_Bron)
 date: 2024-02-26
 tags:
 - attack.lateral-movement
+ - attack.defense-evasion
 - attack.t1021.007
 - attack.t1550.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
index 0a527ddbc..b9f691ce7 100644
--- a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
+++ b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
@@ -11,6 +11,9 @@ date: 2024-12-19
 tags:
 - attack.t1078.004
 - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
 - attack.t1531
 - attack.impact
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
index 013011880..18e6d4861 100644
--- a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
@@ -9,6 +9,7 @@ author: Ivan Saakov
 date: 2024-12-19
 tags:
 - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
index e3734e6a9..13728aa9f 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
@@ -12,6 +12,7 @@ date: 2020-02-12
 modified: 2022-10-09
 tags:
 - attack.persistence
+ - attack.privilege-escalation
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
index ca9d50ae7..3fb226e36 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
@@ -9,6 +9,9 @@ date: 2023-05-17
 tags:
 - attack.execution
 - attack.persistence
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1059.009
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
index 55d29d2b5..a634c0a3c 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
@@ -10,6 +10,9 @@ tags:
 - attack.execution
 - attack.t1059.009
 - attack.persistence
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
index fd4bf7a39..6e248f44b 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
@@ -7,8 +7,11 @@ references:
 author: daniel.bohannon@permiso.io (@danielhbohannon)
 date: 2023-05-17
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
+ - attack.defense-evasion
+ - attack.initial-access
 - attack.t1059.009
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
index 0127c7b60..97d0a15b0 100644
--- a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
@@ -9,6 +9,9 @@ date: 2020-01-21
 modified: 2022-10-09
 tags:
 - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
index 4e8093354..72a16387c 100644
--- a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
+++ b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
@@ -11,6 +11,7 @@ date: 2021-07-22
 modified: 2022-10-09
 tags:
 - attack.persistence
+ - attack.privilege-escalation
 - attack.credential-access
 - attack.t1098
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
index 9bfe871a8..a5e3a588f 100644
--- a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
+++ b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
@@ -10,6 +10,7 @@ modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.credential-access
+ - attack.privilege-escalation
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
index 1bb277fc1..36ee10fa3 100644
--- a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
@@ -12,6 +12,8 @@ author: Michael McIntyre @wtfender
 date: 2023-09-27
 tags:
 - attack.persistence
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.t1556
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
index 88ce08bd6..cc02fccb1 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
@@ -11,6 +11,7 @@ modified: 2022-10-09
 tags:
 - attack.lateral-movement
 - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
index a0dece9ed..fac3dd9e9 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
@@ -11,6 +11,7 @@ modified: 2022-10-09
 tags:
 - attack.lateral-movement
 - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
index 2d60672a7..39cca9da1 100644
--- a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
@@ -9,11 +9,13 @@ author: Austin Songer
 date: 2021-09-22
 modified: 2022-12-18
 tags:
+ - attack.defense-evasion
 - attack.initial-access
- - attack.t1078
 - attack.lateral-movement
- - attack.t1548
+ - attack.persistence
 - attack.privilege-escalation
+ - attack.t1078
+ - attack.t1548
 - attack.t1550
 - attack.t1550.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml b/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
index 7e9abb1ba..88f1532d5 100644
--- a/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
+++ b/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
@@ -11,6 +11,7 @@ date: 2021-08-09
 modified: 2024-04-26
 tags:
 - attack.persistence
+ - attack.privilege-escalation
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
index cbd52eb85..1c46196e5 100644
--- a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
+++ b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
@@ -8,6 +8,8 @@ author: Raphaël CALVET, @MetallicHack
 date: 2021-10-04
 modified: 2022-10-09
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1098.003
diff --git a/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
index 895337e6f..854efc0d5 100644
--- a/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
+++ b/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
@@ -8,6 +8,7 @@ author: sawwinnnaung
 date: 2020-05-07
 modified: 2023-10-11
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml b/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
index db30c8f58..15342cee5 100644
--- a/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
+++ b/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
@@ -8,6 +8,7 @@ author: sawwinnnaung
 date: 2020-05-07
 modified: 2023-10-11
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098.003
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
index 0576c63b9..b9e05943f 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
@@ -15,6 +15,9 @@ author: Austin Songer @austinsonger
 date: 2021-11-25
 modified: 2022-12-18
 tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1078
 - attack.credential-access
diff --git a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
index 09ffe08ef..2dcffa0b3 100644
--- a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
+++ b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
@@ -7,6 +7,8 @@ references:
 author: '@ionsor'
 date: 2022-02-08
 tags:
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.persistence
 - attack.t1556
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
index b646976e5..0b7045ff9 100644
--- a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
+++ b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
@@ -11,6 +11,9 @@ author: Austin Songer @austinsonger
 date: 2021-11-26
 modified: 2022-08-23
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
index a7872f2d1..39460f6d2 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
@@ -7,6 +7,8 @@ references:
 author: Corissa Koopmans, '@corissalea'
 date: 2022-07-19
 tags:
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.defense-evasion
 - attack.persistence
 - attack.t1548
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
index 09903cbc1..c77434213 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
@@ -8,6 +8,8 @@ author: Corissa Koopmans, '@corissalea'
 date: 2022-07-19
 modified: 2024-05-28
 tags:
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.defense-evasion
 - attack.persistence
 - attack.t1548
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
index 6ad71d86c..5b317edd4 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
@@ -7,6 +7,7 @@ references:
 author: Corissa Koopmans, '@corissalea'
 date: 2022-07-18
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1548
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
index 87506b737..a35058e30 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
@@ -8,6 +8,9 @@ author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
 date: 2022-08-11
 modified: 2022-08-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
index f6dddd751..5b6db360b 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
@@ -7,6 +7,9 @@ references:
 author: Michael Epping, '@mepples21'
 date: 2022-06-28
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
index 109fbc699..e7159d27d 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
@@ -8,6 +8,8 @@ references:
 author: Harjot Shah Singh, '@cyb3rjy0t'
 date: 2024-03-26
 tags:
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
index 4191de418..9961cff96 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
@@ -7,6 +7,9 @@ references:
 author: MikeDuddington, '@dudders1'
 date: 2022-07-28
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
index e440d33a7..9c21a1164 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
@@ -8,6 +8,8 @@ references:
 author: Harjot Shah Singh, '@cyb3rjy0t'
 date: 2024-03-26
 tags:
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
index 6e78827ae..5923f0a10 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
@@ -7,6 +7,8 @@ references:
 author: Michael Epping, '@mepples21'
 date: 2022-06-28
 tags:
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1078.004
diff --git a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
index 778913cd8..b3cda28b3 100644
--- a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022-06-02
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.credential-access
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml
index b46323ec6..d3c7b79e7 100644
--- a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml
@@ -8,6 +8,7 @@ author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022-05-26
 modified: 2025-07-18
 tags:
+ - attack.privilege-escalation
 - attack.t1098.001
 - attack.persistence
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
index 1913528e0..ebe85c311 100644
--- a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
@@ -9,6 +9,8 @@ references:
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022-06-02
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1528
 - attack.t1078.004
 - attack.persistence
diff --git a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
index 65c1be6c9..160f1d519 100644
--- a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
+++ b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
@@ -8,6 +8,7 @@ author: AlertIQ
 date: 2021-10-10
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
 - attack.credential-access
 - attack.t1556
 - attack.persistence
diff --git a/rules/cloud/azure/audit_logs/azure_federation_modified.yml b/rules/cloud/azure/audit_logs/azure_federation_modified.yml
index ce6330749..56a43c15f 100644
--- a/rules/cloud/azure/audit_logs/azure_federation_modified.yml
+++ b/rules/cloud/azure/audit_logs/azure_federation_modified.yml
@@ -8,6 +8,9 @@ author: Austin Songer
 date: 2021-09-06
 modified: 2022-06-08
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
index 89d51accc..de4f5edb2 100644
--- a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
+++ b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
 date: 2022-08-04
 tags:
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.defense-evasion
 - attack.persistence
 - attack.t1548
diff --git a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
index 8b8d55068..c465c2dbf 100644
--- a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
+++ b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
 date: 2022-08-04
 tags:
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.defense-evasion
 - attack.persistence
 - attack.t1548
diff --git a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
index 5e9d2abde..8e4fd8cd8 100644
--- a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
+++ b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-10
 tags:
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.persistence
 - attack.defense-evasion
 - attack.t1078.004
diff --git a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
index 63d4ca7c6..566a0e046 100644
--- a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
+++ b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
@@ -7,6 +7,8 @@ references:
 author: MikeDuddington, '@dudders1'
 date: 2022-06-30
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
 - attack.t1078.004
diff --git a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
index 3a55d2021..8e28844a8 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
@@ -7,6 +7,9 @@ references:
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-09
 tags:
+ - attack.persistence
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
index b12ef9424..07f90274a 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-09
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1078
diff --git a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
index 1f3db29d2..2a9112147 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-09
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.persistence
 - attack.t1078.004
diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
index 31c451320..81f13baf2 100644
--- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
+++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-06
 tags:
+ - attack.persistence
+ - attack.initial-access
 - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1078.004
diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml
index 6ce06e8ee..62823d881 100644
--- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml
+++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml
@@ -7,6 +7,7 @@ references:
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-05
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
index faf5fcfb0..7172839fe 100644
--- a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
+++ b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
@@ -8,6 +8,8 @@ author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim She
 date: 2022-08-11
 modified: 2022-08-16
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1078.004
diff --git a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
index 0f545eee1..601cbd3cb 100644
--- a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
+++ b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
@@ -11,6 +11,9 @@ author: Austin Songer @austinsonger
 date: 2021-11-26
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_tap_added.yml b/rules/cloud/azure/audit_logs/azure_tap_added.yml
index 7bf89b164..acfb3c073 100644
--- a/rules/cloud/azure/audit_logs/azure_tap_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_tap_added.yml
@@ -7,6 +7,9 @@ references:
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-10
 tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_user_password_change.yml b/rules/cloud/azure/audit_logs/azure_user_password_change.yml
index 6b51691ac..ce6fb841a 100644
--- a/rules/cloud/azure/audit_logs/azure_user_password_change.yml
+++ b/rules/cloud/azure/audit_logs/azure_user_password_change.yml
@@ -7,6 +7,9 @@ references:
 author: YochanaHenderson, '@Yochana-H'
 date: 2022-08-03
 tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.credential-access
 - attack.t1078.004
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
index e20d60d2c..2a6426e22 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
@@ -8,6 +8,7 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-03
 tags:
+ - attack.privilege-escalation
 - attack.t1098
 - attack.persistence
 logsource:
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
index c6bf45cc8..b17c8eb21 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
index dfcef1f54..c883a0995 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
index 33f0d647f..abf5b40ea 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
index ae57b20f4..023c7f534 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
index eda10ef3b..3832dc4fd 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
index 066bc8cc7..66703cb1d 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
index 4d783c339..e0882458c 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
@@ -7,6 +7,8 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
index 79f8cd90b..2912d87b1 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
@@ -7,6 +7,9 @@ references:
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
 date: 2022-08-11
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
index 3655641d1..0d3fcd8da 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
@@ -8,6 +8,9 @@ author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
 date: 2022-08-11
 modified: 2022-08-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
index 218170dec..08cadadcb 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
@@ -7,6 +7,9 @@ references:
 author: MikeDuddington, '@dudders1'
 date: 2022-07-28
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
index 323219947..bb4e75667 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
@@ -7,6 +7,9 @@ references:
 author: MikeDuddington, '@dudders1'
 date: 2022-07-28
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1078.004
diff --git a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
index 53ebb0788..f7c248152 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
@@ -7,6 +7,9 @@ references:
 author: Michael Epping, '@mepples21'
 date: 2022-06-28
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
index 45ffc7ed4..1169640e3 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
@@ -7,6 +7,9 @@ references:
 author: MikeDuddington, '@dudders1'
 date: 2022-07-28
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1078.004
diff --git a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
index ef13cded4..b3a615aa8 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
@@ -7,6 +7,9 @@ references:
 author: MikeDuddington, '@dudders1'
 date: 2022-07-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1078.004
diff --git a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
index ecfc71fde..00434abe6 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
@@ -8,6 +8,9 @@ author: Harjot Singh, '@cyb3rjy0t'
 date: 2023-01-10
 modified: 2025-07-02
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
index 1d3d97c9e..526c1345c 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -7,6 +7,9 @@ references:
 author: Michael Epping, '@mepples21'
 date: 2022-06-28
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
index 3b4825996..5f02ec3fc 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
@@ -8,6 +8,9 @@ author: Michael Epping, '@mepples21'
 date: 2022-06-28
 modified: 2022-10-05
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
index f09a59aad..80e68e1a8 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
@@ -8,6 +8,9 @@ references:
 author: Harjot Singh, '@cyb3rjy0t'
 date: 2023-03-20
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1078.004
diff --git a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
index d648bff0b..c2efa92c3 100644
--- a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
+++ b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
@@ -7,6 +7,9 @@ references:
 author: Yochana Henderson, '@Yochana-H'
 date: 2022-06-17
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
index 5cb94a415..8321c18b9 100644
--- a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
+++ b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
@@ -7,6 +7,9 @@ references:
 author: Yochana Henderson, '@Yochana-H'
 date: 2022-06-01
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1110
diff --git a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
index 271bcdb98..8219a0e4a 100644
--- a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
+++ b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
@@ -7,6 +7,9 @@ references:
 author: Yochana Henderson, '@Yochana-H'
 date: 2022-06-17
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1078.004
diff --git a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
index 009484b49..ad08b7a46 100644
--- a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
+++ b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
@@ -8,6 +8,9 @@ author: AlertIQ
 date: 2021-10-10
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
index 189524079..347691299 100644
--- a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
+++ b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
@@ -7,6 +7,9 @@ references:
 author: AlertIQ
 date: 2022-03-24
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1078.004
diff --git a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
index a4edd40a0..673f50032 100644
--- a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
+++ b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
@@ -8,6 +8,9 @@ author: AlertIQ
 date: 2021-10-10
 modified: 2022-12-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1078.004
diff --git a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
index 586aa6bbb..3833ad043 100644
--- a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
+++ b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
@@ -8,6 +8,9 @@ author: Austin Songer @austinsonger
 date: 2021-11-26
 modified: 2022-12-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
index a2f503b28..56441bfe2 100644
--- a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
+++ b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
@@ -10,6 +10,9 @@ author: AlertIQ
 date: 2021-10-10
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.credential-access
 - attack.initial-access
 - attack.t1110
diff --git a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
index 88f906078..4afdee73f 100644
--- a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
+++ b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
@@ -7,6 +7,9 @@ references:
 author: MikeDuddington, '@dudders1'
 date: 2022-06-30
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
index 4fad0d31b..bd758e045 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
@@ -9,6 +9,9 @@ references:
 author: Muhammad Faisal (@faisalusuf)
 date: 2024-02-25
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.credential-access
 - attack.t1078.004
diff --git a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
index cf675d705..97322b641 100644
--- a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
+++ b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
@@ -8,6 +8,7 @@ references:
 author: Bryan Lim
 date: 2024-01-12
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1548
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
index 09434b208..4b952588a 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
@@ -14,6 +14,9 @@ author: Austin Songer @austinsonger
 date: 2021-11-25
 modified: 2022-12-18
 tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1078
 - attack.credential-access
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
index 9bc68121a..e9f4a1db3 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
@@ -9,6 +9,7 @@ author: Austin Songer
 date: 2021-08-23
 modified: 2023-10-11
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
index ddb751117..95e27d20e 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
@@ -9,6 +9,7 @@ author: Austin Songer
 date: 2021-08-23
 modified: 2023-10-11
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml
index d9c35e532..ada535c5e 100644
--- a/rules/cloud/github/github_outside_collaborator_detected.yml
+++ b/rules/cloud/github/github_outside_collaborator_detected.yml
@@ -9,6 +9,7 @@ references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.collection
 - attack.t1098.001
diff --git a/rules/cloud/github/github_ssh_certificate_config_changed.yml b/rules/cloud/github/github_ssh_certificate_config_changed.yml
index 03f8a0b2c..f0ab5a824 100644
--- a/rules/cloud/github/github_ssh_certificate_config_changed.yml
+++ b/rules/cloud/github/github_ssh_certificate_config_changed.yml
@@ -8,6 +8,8 @@ references:
 author: Romain Gaillard (@romain-gaillard)
 date: 2024-07-29
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1078.004
diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
index ea65230b3..1c79ddd38 100644
--- a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
+++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
@@ -9,6 +9,9 @@ references:
 - https://github.com/JumpsecLabs/TokenSmith
 date: 2025-01-08
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
 - attack.defense-evasion
 - attack.t1078
 logsource:
diff --git a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
index 196109e67..4a67a1230 100644
--- a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
@@ -9,6 +9,9 @@ author: Austin Songer @austinsonger
 date: 2020-07-06
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078
 logsource:
diff --git a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
index 776e8140b..d58a715ac 100644
--- a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
@@ -9,6 +9,9 @@ author: Austin Songer @austinsonger
 date: 2021-08-23
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078
 logsource:
diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
index 4a2e0abf3..c7018eef5 100644
--- a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
+++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
@@ -9,6 +9,7 @@ author: Austin Songer @austinsonger
 date: 2021-09-12
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098.003
 logsource:
diff --git a/rules/cloud/okta/okta_identity_provider_created.yml b/rules/cloud/okta/okta_identity_provider_created.yml
index 9cdb42b5d..9432b6f38 100644
--- a/rules/cloud/okta/okta_identity_provider_created.yml
+++ b/rules/cloud/okta/okta_identity_provider_created.yml
@@ -8,6 +8,7 @@ references:
 author: kelnage
 date: 2023-09-07
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098.001
 logsource:
diff --git a/rules/cloud/okta/okta_new_behaviours_admin_console.yml b/rules/cloud/okta/okta_new_behaviours_admin_console.yml
index ae403e461..b4d90fc06 100644
--- a/rules/cloud/okta/okta_new_behaviours_admin_console.yml
+++ b/rules/cloud/okta/okta_new_behaviours_admin_console.yml
@@ -9,6 +9,9 @@ author: kelnage
 date: 2023-09-07
 modified: 2024-06-26
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078.004
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
index 1102264f1..223690155 100644
--- a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
@@ -11,6 +11,7 @@ author: 'Pawel Mazur'
 date: 2021-11-28
 modified: 2022-12-25
 tags:
+ - attack.defense-evasion
 - attack.collection
 - attack.privilege-escalation
 - attack.t1123
diff --git a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
index c61110e6e..fb925de1f 100644
--- a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
+++ b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
@@ -15,6 +15,7 @@ author: Milad Cheraghi
 date: 2025-05-26
 modified: 2025-06-05
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1562.001
 - attack.t1055.009
diff --git a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
index d0ae6033e..8e3c766e0 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
@@ -10,6 +10,8 @@ references:
 author: David Burkett, @signalblur
 date: 2022-12-30
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
index 0e74a32cc..2fd8fefef 100644
--- a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
+++ b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
@@ -11,6 +11,7 @@ author: 'Pawel Mazur'
 date: 2021-05-24
 modified: 2022-12-18
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.t1003
 - attack.t1056.001
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
index 63b46b9de..fc2ae8ece 100644
--- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -9,6 +9,8 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
 date: 2019-10-24
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.006
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml b/rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml
index 06b599a71..8226ea3ec 100644
--- a/rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml
@@ -8,6 +8,7 @@ author: Jakob Weinzettl, oscd.community, CheraghiMilad
 date: 2019-09-23
 modified: 2025-03-03
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.002
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml b/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
index 0691f07bf..b3315cd20 100644
--- a/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
@@ -13,6 +13,7 @@ references:
 author: Milad Cheraghi
 date: 2025-05-31
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.003
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
index 528056f66..d1d9e0a99 100644
--- a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
+++ b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
@@ -8,6 +8,7 @@ author: 'Pawel Mazur'
 date: 2022-02-03
 modified: 2022-02-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.002
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
index 541b7fce5..5e22ceaaa 100644
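Review bot: In the `lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml` hunk the new `attack.privilege-escalation` tag is derived from the existing `attack.t1543.003`, which is the Windows Service sub-technique of Create or Modify System Process and looks out of place on a Linux auditd rule about mknod; the neighbouring systemd rules in this same change carry `attack.t1543.002`. Expanding the tactic set on top of a questionable technique id makes the mis-tag harder to spot later, so the technique should be confirmed against the rule's detection logic (not visible in this hunk) and corrected first, for example to `- attack.t1543.002` or the parent `- attack.t1543` if no sub-technique fits.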
--- a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
+++ b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
@@ -13,6 +13,7 @@ author: Peter Matkovski, IAI
 date: 2023-03-06
 modified: 2023-03-15
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.004
 logsource:
diff --git a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
index b392939d0..87d37c33c 100644
--- a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
+++ b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
@@ -8,6 +8,7 @@ author: Sreeman
 date: 2022-01-26
 modified: 2024-09-11
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.001
 logsource:
diff --git a/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml b/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
index 480ae81f6..cbe51a145 100644
--- a/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
+++ b/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
@@ -7,6 +7,8 @@ references:
 author: Pawel Mazur
 date: 2022-04-16
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.003
 logsource:
diff --git a/rules/linux/builtin/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
index 6f3bddb53..f40de8728 100644
--- a/rules/linux/builtin/lnx_ldso_preload_injection.yml
+++ b/rules/linux/builtin/lnx_ldso_preload_injection.yml
@@ -8,6 +8,7 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-05-05
 modified: 2022-10-09
 tags:
+ - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1574.006
diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml
index 3c87d9428..3c6dcc4cc 100644
--- a/rules/linux/builtin/lnx_privileged_user_creation.yml
+++ b/rules/linux/builtin/lnx_privileged_user_creation.yml
@@ -10,6 +10,7 @@ author: Pawel Mazur
 date: 2022-12-21
 modified: 2025-01-21
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1136.001
 - attack.t1098
diff --git a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
index d2df0e0e8..c5ec998e0 100644
--- a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
+++ b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-10-15
 modified: 2022-11-26
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1068
 - attack.t1548.003
diff --git a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
index f92735f30..a4f7365e4 100644
--- a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
+++ b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
@@ -9,6 +9,7 @@ author: Sittikorn S, Teoderick Contreras
 date: 2022-01-20
 modified: 2022-12-31
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml b/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
index e02b5abf5..30a676175 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
@@ -8,6 +8,8 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 date: 2021-10-15
 modified: 2022-12-31
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.003
 logsource:
diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
index 27dca4e9c..0ec367ad4 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
@@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-05
 modified: 2022-12-31
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.003
 logsource:
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
index 317ebc444..456375856 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
@@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-05
 modified: 2022-12-31
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.defense-evasion
 - attack.t1053.003
diff --git a/rules/linux/process_creation/proc_creation_lnx_at_command.yml b/rules/linux/process_creation/proc_creation_lnx_at_command.yml
index d2126c9e0..6267fabcd 100644
--- a/rules/linux/process_creation/proc_creation_lnx_at_command.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_at_command.yml
@@ -10,6 +10,8 @@ author: Ömer Günal, oscd.community
 date: 2020-10-06
 modified: 2022-07-07
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.002
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
index 38d010306..2dab16776 100644
--- a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
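Review bot: In the `file_event_lnx_persistence_sudoers_files.yml` hunk, `attack.privilege-escalation` and `attack.execution` are added on the strength of the existing `attack.t1053.003` (Scheduled Task/Job: Cron), which looks like a carry-over from the cron rule immediately before it rather than the technique for sudoers file changes; the sudo rules elsewhere in this change use `attack.t1548.003`. Mechanically adding Cron's tactics here entrenches the mis-tag, so this file should be retagged (e.g. `- attack.t1548.003`, with `attack.privilege-escalation` and `attack.defense-evasion` as its tactics) before or alongside this change. The rule's detection block is outside the hunk, so the correct sub-technique should be confirmed against it.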
@@ -8,6 +8,7 @@ references:
 author: Joseph Kamau
 date: 2023-12-01
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.009
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
index 900d56296..9b786a75a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
@@ -8,6 +8,7 @@ references:
 author: Sittikorn S, Teoderick Contreras
 date: 2022-01-20
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
index 1219b5a07..6b3c91b68 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
@@ -7,6 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-04
 tags:
+ - attack.persistence
 - attack.execution
 - attack.privilege-escalation
 - attack.t1059.012
diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
index 6a344a515..bda4b4b7d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
@@ -14,6 +14,7 @@ references:
 author: Josh Nickels, Qi Nan
 date: 2024-03-11
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
index 723a15990..d9e77b3db 100644
--- a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
@@ -8,6 +8,7 @@ author: Ömer Günal
 date: 2020-06-16
 modified: 2022-10-05
 tags:
+ - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1548.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
index 5cf978a1d..1a439819d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
@@ -10,6 +10,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-10-15
 modified: 2022-10-05
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1068
 - attack.t1548.003
diff --git a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
index b07a2082e..d97f66fa3 100644
--- a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
@@ -11,6 +11,8 @@ references:
 author: Sohan G (D4rkCiph3r)
 date: 2023-03-19
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
 - attack.t1078.003
diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
index 7750a439a..0ef190f50 100644
--- a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
@@ -8,6 +8,8 @@ references:
 author: Sohan G (D4rkCiph3r)
 date: 2023-08-22
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
 - attack.t1078.003
diff --git a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
index 8c65fef06..cea9afe80 100644
--- a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
@@ -9,6 +9,8 @@ references:
 author: Sohan G (D4rkCiph3r)
 date: 2023-08-22
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1078
 - attack.t1078.001
 - attack.t1078.003
diff --git a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
index dd931957b..74b08316d 100644
--- a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
+++ b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
@@ -9,6 +9,7 @@ author: remotephone, oscd.community
 date: 2020-10-13
 modified: 2022-12-25
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.t1056.002
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
index 744eed45f..750a52af1 100644
--- a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
@@ -11,6 +11,7 @@ references:
 author: Pratinav Chandra
 date: 2024-05-13
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1569.001
diff --git a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
index b69e77d7b..282677dcd 100644
--- a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
+++ b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
@@ -8,6 +8,7 @@ references:
 author: Sohan G (D4rkCiph3r)
 date: 2023-02-18
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.001
 - attack.t1543.004
diff --git a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
index 088ffdb20..e0b101e13 100644
--- a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
@@ -14,6 +14,7 @@ references:
 author: Josh Nickels, Qi Nan
 date: 2024-03-11
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
index 17b0026dc..f78c22dc8 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
@@ -11,6 +11,8 @@ references:
 author: Sohan G (D4rkCiph3r)
 date: 2023-03-19
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
 - attack.t1078.003
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
index 354dcb77b..1545bd73a 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
@@ -7,6 +7,9 @@ references:
 author: Sohan G (D4rkCiph3r)
 date: 2023-02-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078
 - attack.t1078.001
diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
index e1d47c0bc..f6c3b0043 100644
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@@ -6,6 +6,7 @@ author: Austin Clark
 date: 2019-08-12
 modified: 2023-01-04
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1136.001
 - attack.t1098
diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
index 897399a81..31865e0b8 100644
--- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
@@ -6,6 +6,8 @@ author: Austin Clark
 date: 2019-08-12
 modified: 2025-04-28
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.impact
 - attack.t1490
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index 0df946238..dc9010c36 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -8,6 +8,8 @@ author: '@neu5ron, SOC Prime'
 date: 2020-03-19
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1047
 - attack.t1053.002
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index 31fa8d65f..dca699aa1 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -8,6 +8,7 @@ author: '@neu5ron, SOC Prime'
 date: 2020-03-19
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.004
 logsource:
diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
index 3c9c83f8d..60cdf454d 100644
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -15,6 +15,7 @@ author: '@neu5ron, @Antonlovesdnb, Mike Remen'
 date: 2021-08-17
 modified: 2022-11-28
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.t1557.001
 - attack.t1187
diff --git a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
index 65f501755..aea0c2826 100644
--- a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
+++ b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml
@@ -18,6 +18,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-20
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 65c68a831..a4385ade2 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -11,6 +11,8 @@ author: 'Samir Bousseaden, @neu5rn'
 date: 2020-04-03
 modified: 2022-12-27
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.lateral-movement
 - attack.persistence
 - car.2013-05-004
diff --git a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
index 36f7535dc..52f8cecb9 100644
--- a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
+++ b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
@@ -9,6 +9,7 @@ references:
 author: Gavin Knapp
 date: 2023-03-16
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.t1056
 logsource:
diff --git a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
index 0df2c011d..7c9da1ca0 100644
--- a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
+++ b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
@@ -8,6 +8,8 @@ references:
 author: frack113
 date: 2023-01-12
 tags:
+ - attack.lateral-movement
+ - attack.execution
 - attack.defense-evasion
 - attack.t1072
 logsource:
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
index 4b31e4165..7f0d192d9 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
@@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-11-10
 modified: 2023-06-07
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543
 logsource:
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
index c85104a1c..9a920e45c 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
@@ -9,6 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-06
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543
 logsource:
diff --git a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
index 5b1c2bc5e..cb15f1d81 100644
--- a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
+++ b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-05-08
 modified: 2023-02-05
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
index 856952d4e..1dd486c61 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-06-08
 modified: 2024-07-22
 tags:
+ - attack.defense-evasion
 - attack.lateral-movement
 - attack.t1550.002
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
index d2f3e298b..9fd93bb13 100644
--- a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
@@ -8,6 +8,9 @@ author: juju4
 date: 2017-10-29
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.lateral-movement
 - attack.initial-access
 - attack.t1078.001
diff --git a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
index 49ab072e3..96b6bdb1b 100644
--- a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
+++ b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
@@ -14,6 +14,7 @@ references:
 author: Alexandr Yampolskyi, SOC Prime
 date: 2023-04-26
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
index b19f83a08..a2b8cf818 100644
--- a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
+++ b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
@@ -14,6 +14,7 @@ references:
 author: Alexandr Yampolskyi, SOC Prime
 date: 2023-04-26
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
index 1983e0316..c0aad5df7 100644
--- a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
+++ b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
@@ -8,6 +8,7 @@ author: Roberto Rodriguez (source), Dominik Schaudel (rule)
 date: 2018-02-12
 modified: 2021-11-27
 tags:
+ - attack.defense-evasion
 - attack.lateral-movement
 - attack.s0002
 - attack.t1550.002
diff --git a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
index 9a011cfe1..1ce63f070 100644
--- a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
+++ b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
@@ -10,6 +10,7 @@ author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
 date: 2019-06-14
 modified: 2022-10-05
 tags:
+ - attack.defense-evasion
 - attack.lateral-movement
 - attack.t1550.002
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
index 99720325b..30a947717 100644
--- a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
+++ b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
@@ -14,6 +14,7 @@ references:
 author: Alexandr Yampolskyi, SOC Prime
 date: 2023-04-26
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
index b55315b33..ac86bbbe6 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
@@ -12,6 +12,9 @@ author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
 date: 2023-01-19
 modified: 2024-03-11
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1133
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
index 9457318f6..dafa835a0 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
@@ -12,6 +12,9 @@ author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
 date: 2023-01-19
 modified: 2024-03-11
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
 - attack.t1133
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
index 25409436c..57dddbe73 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
@@ -8,6 +8,8 @@ author: NVISO
 date: 2020-05-06
 modified: 2024-03-11
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
 - attack.t1078
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
index b1694d3d2..992e0f464 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
@@ -11,6 +11,7 @@ author: Elastic, @SBousseaden
 date: 2022-04-27
 modified: 2024-08-13
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.credential-access
 - attack.t1548
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml
index e53c6f5fc..998976a26 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml
@@ -8,6 +8,7 @@ author: '@SBousseaden, Florian Roth'
 date: 2019-11-15
 modified: 2022-12-22
 tags:
+ - attack.collection
 - attack.privilege-escalation
 - attack.credential-access
 - attack.t1557.001
diff --git a/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
index 09362d1ba..aff5ab704 100644
--- a/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
+++ b/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
@@ -9,6 +9,7 @@ author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Sh
 date: 2019-04-03
 modified: 2022-08-16
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml b/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
index 1e3cb3365..abe40918a 100644
--- a/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
@@ -8,6 +8,7 @@ author: '@neu5ron'
 date: 2017-07-30
 modified: 2021-12-02
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
index fb9a78d5f..36ac159a5 100644
--- a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
@@ -10,6 +10,7 @@ author: '@neu5ron'
 date: 2017-04-13
 modified: 2024-02-26
 tags:
+ - attack.privilege-escalation
 - attack.t1098
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/security/win_security_alert_ruler.yml b/rules/windows/builtin/security/win_security_alert_ruler.yml
index 8db4d5e5e..4bc220a0f 100644
--- a/rules/windows/builtin/security/win_security_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_security_alert_ruler.yml
@@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-05-31
 modified: 2022-10-09
 tags:
+ - attack.defense-evasion
 - attack.discovery
 - attack.execution
 - attack.collection
diff --git a/rules/windows/builtin/security/win_security_atsvc_task.yml b/rules/windows/builtin/security/win_security_atsvc_task.yml
index 4aaa0440e..1b96ff007 100644
--- a/rules/windows/builtin/security/win_security_atsvc_task.yml
+++ b/rules/windows/builtin/security/win_security_atsvc_task.yml
@@ -8,6 +8,8 @@ author: Samir Bousseaden
 date: 2019-04-03
 modified: 2024-08-01
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.lateral-movement
 - attack.persistence
 - car.2013-05-004
diff --git a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
index 9efcab107..0d81e0835 100644
--- a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems), Wojciech Lesicki
 date: 2021-05-26
 modified: 2022-11-27
 tags:
+ - attack.persistence
 - attack.execution
 - attack.privilege-escalation
 - attack.lateral-movement
diff --git a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
index 5de777d3d..06b0cbd73 100644
--- a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
+++ b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
@@ -20,6 +20,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-06-05
 modified: 2022-12-20
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - attack.t1562
diff --git a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
index a7f5b3467..6ec2df1be 100644
--- a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
@@ -10,6 +10,8 @@ author: Samir Bousseaden
 date: 2019-04-03
 modified: 2024-09-04
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.lateral-movement
 - attack.t1053.005
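Review bot: The `attack.persistence` tag added to win_security_dot_net_etw_tamper.yml does not follow from the techniques visible in its hunk: ATT&CK lists both T1112 (Modify Registry) and T1562 (Impair Defenses) under defense-evasion only, and registry-based ETW tampering is a logging-evasion action rather than a foothold. The hunk's last context line is `- attack.t1562`, so if a persistence-tactic technique is tagged further down the file this is fine, but if the tactic tags are being derived mechanically from the technique list this one looks like a mis-derivation. If no such technique exists, drop the line `- attack.persistence` so the rule does not appear under Persistence in coverage views.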
diff --git a/rules/windows/builtin/security/win_security_hktl_nofilter.yml b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
index b1fa46172..12d1d0a00 100644
--- a/rules/windows/builtin/security/win_security_hktl_nofilter.yml
+++ b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
@@ -11,6 +11,7 @@ references:
 author: Stamatis Chatzimangou (st0pp3r)
 date: 2024-01-05
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1134
 - attack.t1134.001
diff --git a/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
index 5ff688de1..bc36a82fb 100644
--- a/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
+++ b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml
@@ -21,6 +21,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-20
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.t1557.003
 - attack.persistence
diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index 661164772..489e46825 100644
--- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -12,6 +12,7 @@ author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
 date: 2019-10-26
 modified: 2023-11-15
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1134.001
 - attack.t1134.002
diff --git a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
index 8f89ffb5c..21ef19f0e 100644
--- a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
@@ -11,6 +11,7 @@ author: Florian Roth (Nextron Systems), wagga
 date: 2018-03-20
 modified: 2022-10-09
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1562.001
 - attack.t1112
diff --git a/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml b/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
index 5d72c067a..5b6387c43 100755
--- a/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
+++ b/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
@@ -8,6 +8,7 @@ author: Tim Shelton (HAWK.IO)
 date: 2021-12-06
 modified: 2022-01-16
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.009
 logsource:
diff --git a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
index 4fe9c2da3..def8aac3b 100644
--- a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
+++ b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
@@ -8,6 +8,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 date: 2019-08-15
 modified: 2022-09-18
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
index c2ebdc3ea..f3a4d4f58 100644
--- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
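Review bot: In win_security_net_ntlm_downgrade.yml the new `attack.persistence` tag is not supported by the techniques in the hunk — T1562.001 (Disable or Modify Tools) and T1112 (Modify Registry) are both defense-evasion-only in ATT&CK, and an LmCompatibilityLevel downgrade is a weakening of authentication rather than a persistence mechanism. The hunk ends at `- attack.t1112`, so a persistence technique may be tagged below it; if not, this tag should be removed rather than left as a mechanically derived tactic. A quick way to catch this class of drift across the whole commit is to regenerate the tactic list from the technique tags with the ATT&CK mapping and diff it against what was added by hand.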
@@ -11,6 +11,7 @@ author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-23
 modified: 2024-12-07
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.execution
 - attack.t1543.003
diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
index 6b7dcfc1c..20ec0efec 100644
--- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
@@ -13,6 +13,7 @@ author: Tim Rauch (Nextron Systems), Elastic (idea)
 date: 2022-09-15
 modified: 2023-01-04
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml
index 4f5388a2a..cb5529dd8 100644
--- a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml
+++ b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml
@@ -8,6 +8,7 @@ author: Thomas Patzke
 date: 2019-12-03
 modified: 2024-01-16
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
index 9019ef076..0420eb090 100644
--- a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
+++ b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
@@ -7,6 +7,7 @@ references:
 author: Thomas Patzke, @atc_project (improvements)
 date: 2017-02-19
 tags:
+ - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1134.005
diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml
index 9d37600fd..e9d793d01 100644
--- a/rules/windows/builtin/security/win_security_susp_computer_name.yml
+++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml
@@ -9,6 +9,8 @@ author: elhoim
 date: 2022-09-09
 modified: 2023-01-04
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - cve.2021-42278
 - cve.2021-42287
 - attack.persistence
diff --git a/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml b/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml
index 687525322..6516a3f40 100644
--- a/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml
+++ b/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml
@@ -15,6 +15,7 @@ author: Thomas Patzke
 date: 2017-02-19
 modified: 2020-08-23
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml b/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml
index 77735eb32..13b375918 100644
--- a/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml
+++ b/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml
@@ -8,6 +8,7 @@ references:
 - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
 date: 2024-09-04
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1484.001
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
index 0ec841bc7..3578a7fb2 100644
--- a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
+++ b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
@@ -8,6 +8,8 @@ references:
 author: Elastic, Josh Nickels, Marius Rothenbücher
 date: 2024-09-06
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1484.001
 - attack.t1547
diff --git a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
index 5e6a3c0dc..06138f399 100644
--- a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
+++ b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
@@ -8,6 +8,10 @@ author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0
 date: 2020-10-05
 modified: 2022-08-03
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.lateral-movement
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
index fe014d713..b3dabac22 100644
--- a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
+++ b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
@@ -9,6 +9,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
 date: 2022-10-17
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1556
 logsource:
diff --git a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
index 7ce6334c6..a6e0ac7fa 100644
--- a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
+++ b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
@@ -11,6 +11,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-07-14
 modified: 2025-10-22
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
index d570c0c03..017d69c16 100644
--- a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
@@ -9,6 +9,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-03-14
 modified: 2021-01-17
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1078
 - attack.persistence
diff --git a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
index 922817af3..5adbc5e12 100644
--- a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
+++ b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
@@ -8,6 +8,7 @@ author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
 date: 2019-10-24
 modified: 2022-12-25
 tags:
+ - attack.credential-access
 - attack.lateral-movement
 - attack.privilege-escalation
 - attack.t1558.003
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
index b08a018ab..8bb7aa63f 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
@@ -8,6 +8,8 @@ author: Bhabesh Raj
 date: 2022-08-02
 modified: 2022-09-28
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
index 4cb8287ea..66857f237 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
@@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-03
 modified: 2022-09-28
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml b/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml
index 774d74d44..fd7674354 100644
--- a/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml
+++ b/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml
@@ -13,6 +13,9 @@ references:
 author: hamid
 date: 2025-10-19
 tags:
+ - attack.impact
+ - attack.credential-access
+ - attack.collection
 - attack.initial-access
 - attack.privilege-escalation
 - attack.execution
diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
index 42a96b60c..b19d4ac95 100644
--- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
+++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
@@ -10,6 +10,8 @@ author: Dimitrios Slamaris
 date: 2017-05-15
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
index e15dabe59..f158ddb98 100644
--- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
@@ -10,6 +10,8 @@ author: 'Dimitrios Slamaris, @atc_project (fix)'
 date: 2017-05-15
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
index 1b85ee70f..06e643637 100644
--- a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-10-07
 modified: 2023-04-14
 tags:
+ - attack.collection
 - attack.execution
 - attack.credential-access
 - attack.t1557.001
diff --git a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
index 95c8eaecf..ce5b4a28d 100644
--- a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
+++ b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
@@ -8,6 +8,7 @@ author: NVISO
 date: 2020-09-15
 modified: 2022-12-25
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
index cfc58dc46..74c4cd03f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
@@ -10,6 +10,7 @@ author: Florian Roth (Nextron Systems), Wojciech Lesicki
 date: 2021-05-26
 modified: 2022-11-27
 tags:
+ - attack.persistence
 - attack.execution
 - attack.privilege-escalation
 - attack.lateral-movement
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
index b19f342ab..7d31d91fe 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
@@ -8,6 +8,7 @@ author: Sittikorn S, Tim Shelton
 date: 2022-05-11
 modified: 2022-10-05
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 6292f8125..c47ac6f59 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -9,6 +9,7 @@ author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
 date: 2019-10-26
 modified: 2023-11-15
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1134.001
 - attack.t1134.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
index 0297275ba..eeb4b142f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
@@ -9,6 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-22
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
index e73fdcdd4..d4aba251c 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
@@ -9,6 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-22
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
index ca7f6c3be..60bd7d49d 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-05-27
 modified: 2022-12-25
 tags:
+ - attack.persistence
 - attack.execution
 - attack.privilege-escalation
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
index 79cc77650..b56ea2fd9 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
@@ -11,6 +11,7 @@ author: Connor Martin, Nasreddine Bencherchali
 date: 2022-12-23
 modified: 2023-06-22
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.execution
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
index cfbdb8c84..ebcc57341 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
@@ -8,6 +8,7 @@ references:
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-25
 tags:
+ - attack.persistence
 - attack.execution
 - attack.privilege-escalation
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
index ad3fc9e50..64bb631ff 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
@@ -11,6 +11,7 @@ author: Tim Rauch (Nextron Systems), Elastic (idea)
 date: 2022-09-15
 modified: 2023-01-04
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543
 logsource:
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
index 247c55c6e..7e65b6939 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
@@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-05
 modified: 2023-02-07
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
index 98b48af79..81fd92e32 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
@@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-05
 modified: 2023-02-07
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
index 1605c54ba..6b4f84977 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
@@ -9,6 +9,7 @@ author: '@SBousseaden (detection), Thomas Patzke (rule)'
 date: 2019-02-01
 modified: 2023-05-05
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.execution
 - attack.t1055.012
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
index 06da54deb..d3810300a 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
@@ -9,6 +9,7 @@ author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.comm
 date: 2018-11-30
 modified: 2023-05-05
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.001
 logsource:
diff --git a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
index 8424731df..df9641375 100644
--- a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
+++ b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
@@ -18,6 +18,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-20
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
index bb67b6b82..917a9043c 100644
--- a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
+++ b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
@@ -11,6 +11,7 @@ references:
 author: Josh Nickels
 date: 2024-02-26
 tags:
+ - attack.credential-access
 - attack.collection
 - attack.t1056
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers.yml b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
index 3c29bb116..1bbc6d554 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-18
 modified: 2023-12-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
index 49c631b5a..5444e72b9 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-03
 modified: 2023-12-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
diff --git a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
index e6987a082..1cd38bbfd 100644
--- a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
@@ -11,6 +11,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-11-16
 modified: 2024-11-23
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - cve.2021-21551
 - attack.t1543
diff --git a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
index 27b135255..bde7c5675 100644
--- a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
@@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems)
 date: 2023-05-08
 modified: 2024-11-23
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
index 3909b7b6e..b9f6bcdc5 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-18
 modified: 2023-12-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
index e56a0c68a..c0bfc2dae 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-03
 modified: 2023-12-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
diff --git a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
index 6ea75fa82..c1f7d2eaa 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-18
 modified: 2024-11-23
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
index a844938bb..c73558782 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-07-26
 modified: 2024-11-23
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml
index 2b08c4ac8..68e1757c3 100644
--- a/rules/windows/driver_load/driver_load_win_windivert.yml
+++ b/rules/windows/driver_load/driver_load_win_windivert.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-07-30
 modified: 2024-11-23
 tags:
+ - attack.credential-access
 - attack.collection
 - attack.defense-evasion
 - attack.t1599.001
diff --git a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
index 31e14a9e7..3dd0d466b 100644
--- a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
+++ b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
@@ -10,6 +10,7 @@ references:
 author: Tim Rauch (Nextron Systems), Elastic (idea)
 date: 2022-09-27
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
index ff8697721..bc01aed87 100644
--- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
+++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
@@ -11,6 +11,7 @@ author: Tim Rauch (Nextron Systems), Elastic (idea)
 date: 2022-09-27
 modified: 2023-02-15
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
index 6c030c135..850807c43 100644
--- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
@@ -13,6 +13,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021-12-29
 modified: 2023-12-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.009
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
index 669052951..7a687d5cd 100644
--- a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
@@ -10,6 +10,7 @@ author: frack113
 date: 2021-12-29
 modified: 2022-11-08
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.002
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
index 0ba1c9bcf..360654d08 100644
--- a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
@@ -9,6 +9,7 @@ references:
 author: frack113
 date: 2021-12-30
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.009
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
index a7f0f0d48..5b73a99e4 100644
--- a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
@@ -8,6 +8,8 @@ references:
 author: Tim Rauch (rule), Elastic (idea)
 date: 2022-10-21
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.t1566
 - attack.t1566.001
 - attack.initial-access
diff --git a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
index e19e5061d..aa8bfaab2 100644
--- a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
+++ b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
@@ -9,6 +9,7 @@ author: Vadim Varganov, Florian Roth (Nextron Systems)
 date: 2022-08-24
 modified: 2023-02-23
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - cve.2022-30190
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
index 8331239e9..afab9e8d8 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
@@ -11,6 +11,7 @@ author: '@ScoubiMtl'
 date: 2021-04-05
 modified: 2023-02-08
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.command-and-control
 - attack.t1137
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
index 31b2b1cf1..ef6b56314 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
@@ -12,6 +12,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-02-08 tags: + - attack.privilege-escalation - attack.persistence - attack.command-and-control - attack.t1137 diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml index a8b62397f..cdbc73b3d 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml @@ -13,6 +13,7 @@ author: Christopher Peacock '@securepeacock', SCYTHE date: 2021-10-24 modified: 2023-02-23 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.001 logsource: diff --git a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml index e342ee952..e958abb28 100644 --- a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml +++ b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml @@ -11,6 +11,7 @@ author: Greg (rule) date: 2022-07-21 modified: 2023-01-05 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547 logsource: diff --git a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml index 962fd859a..96ed22891 100644 --- a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml +++ b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml @@ -12,6 +12,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-05-02 modified: 2025-10-17 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.001 logsource: 
diff --git a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml index ce5a55639..24fe4d9a7 100644 --- a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml +++ b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml @@ -8,6 +8,7 @@ author: elhoim date: 2022-04-28 modified: 2022-06-02 tags: + - attack.privilege-escalation - attack.t1055 - attack.t1218 - attack.execution diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml index 1f52f96a1..158bb9b60 100755 --- a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml +++ b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml @@ -8,6 +8,7 @@ author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) date: 2020-03-19 modified: 2022-10-07 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.009 logsource: diff --git a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml index 762cb5bb4..b59d21bfa 100644 --- a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml +++ b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml @@ -11,6 +11,7 @@ references: author: frack113 date: 2022-04-23 tags: + - attack.privilege-escalation - attack.persistence - attack.t1546 - attack.defense-evasion diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml index 52dfad207..b15537203 100644 --- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml 
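Review bot: The new `attack.privilege-escalation` in the `file_event_win_susp_creation_by_mobsync.yml` hunk is inserted above the technique tags, leaving tactics and techniques interleaved (`attack.t1055`, `attack.t1218`, then `attack.execution`); if the repository groups tactic tags before technique tags, moving `- attack.execution` directly under the new entry would keep the block consistent with the other rules touched here. The same interleaving remains in `file_event_win_wmi_persistence_script_event_consumer_write.yml` and `image_load_wmi_persistence_commandline_event_consumer.yml`, where `attack.persistence` sits below `attack.t1546.003`, and in `net_connection_win_susp_outbound_mobsync_connection.yml`. The tag list of each of these rules may continue outside its hunk.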
@@ -16,6 +16,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel ( date: 2022-08-10 modified: 2025-10-12 tags: + - attack.privilege-escalation - attack.execution - attack.t1204.002 - attack.persistence diff --git a/rules/windows/file/file_event/file_event_win_susp_task_write.yml b/rules/windows/file/file_event/file_event_win_susp_task_write.yml index ac377be29..178455aef 100644 --- a/rules/windows/file/file_event/file_event_win_susp_task_write.yml +++ b/rules/windows/file/file_event/file_event_win_susp_task_write.yml @@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems) date: 2021-11-16 modified: 2022-01-12 tags: + - attack.privilege-escalation - attack.persistence - attack.execution - attack.t1053 diff --git a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml index d633343a4..c45da5fb5 100644 --- a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml +++ b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml @@ -8,6 +8,7 @@ references: author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023-07-22 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.015 logsource: diff --git a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml index dc64f6d29..bde7198d5 100644 --- a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml +++ b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml @@ -8,6 +8,7 @@ author: frack113 date: 2022-05-09 modified: 2024-11-28 tags: + - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.t1574.001 
diff --git a/rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml b/rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml index 70e539b64..f62ea9965 100644 --- a/rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml +++ b/rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml @@ -11,6 +11,7 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-07-16 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.001 logsource: diff --git a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml index ca9c5ded3..a6e8282bb 100755 --- a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml +++ b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml @@ -8,6 +8,7 @@ author: Thomas Patzke date: 2018-03-07 modified: 2021-11-27 tags: + - attack.privilege-escalation - attack.t1546.003 - attack.persistence logsource: diff --git a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml index 009f3dae5..5f4e44375 100644 --- a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml +++ b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml @@ -10,6 +10,8 @@ author: frack113 date: 2022-01-01 modified: 2022-08-13 tags: + - attack.privilege-escalation + - attack.persistence - attack.lateral-movement - attack.t1546.002 logsource: diff --git a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml index b7a197027..02b023a57 100644 
--- a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml +++ b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml @@ -10,6 +10,7 @@ author: Den Iuzvyk date: 2020-07-15 modified: 2023-04-18 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml index 600bfd5eb..6044538f1 100644 --- a/rules/windows/image_load/image_load_side_load_appverifui.yml +++ b/rules/windows/image_load/image_load_side_load_appverifui.yml @@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-06-20 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml index 3305cd8fc..56fe989b8 100644 --- a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml +++ b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml @@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-22 modified: 2023-03-15 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.persistence - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_avkkid.yml b/rules/windows/image_load/image_load_side_load_avkkid.yml index e0c0487c5..f4052a4a0 100644 --- a/rules/windows/image_load/image_load_side_load_avkkid.yml +++ b/rules/windows/image_load/image_load_side_load_avkkid.yml @@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-08-03 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 
diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml index 55fdb35e2..64dc35a5a 100644 --- a/rules/windows/image_load/image_load_side_load_coregen.yml +++ b/rules/windows/image_load/image_load_side_load_coregen.yml @@ -7,6 +7,7 @@ references: author: frack113 date: 2022-12-31 tags: + - attack.privilege-escalation - attack.defense-evasion - attack.t1218 - attack.t1055 diff --git a/rules/windows/image_load/image_load_side_load_dbgmodel.yml b/rules/windows/image_load/image_load_side_load_dbgmodel.yml index d53e57dd0..2a076e9f4 100644 --- a/rules/windows/image_load/image_load_side_load_dbgmodel.yml +++ b/rules/windows/image_load/image_load_side_load_dbgmodel.yml @@ -8,6 +8,8 @@ author: Gary Lobermier date: 2024-07-11 modified: 2024-07-22 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/image_load/image_load_side_load_eacore.yml b/rules/windows/image_load/image_load_side_load_eacore.yml index 52b90f934..e4fb13c02 100644 --- a/rules/windows/image_load/image_load_side_load_eacore.yml +++ b/rules/windows/image_load/image_load_side_load_eacore.yml @@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-08-03 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_edputil.yml b/rules/windows/image_load/image_load_side_load_edputil.yml index e14b8f6f2..0be84bd96 100644 --- a/rules/windows/image_load/image_load_side_load_edputil.yml +++ b/rules/windows/image_load/image_load_side_load_edputil.yml @@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-06-09 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 
diff --git a/rules/windows/image_load/image_load_side_load_goopdate.yml b/rules/windows/image_load/image_load_side_load_goopdate.yml index 4b1e455e5..a92834ba1 100644 --- a/rules/windows/image_load/image_load_side_load_goopdate.yml +++ b/rules/windows/image_load/image_load_side_load_goopdate.yml @@ -8,6 +8,7 @@ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2023-05-15 modified: 2025-10-07 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_iviewers.yml b/rules/windows/image_load/image_load_side_load_iviewers.yml index 19a3d64af..c22f86e34 100644 --- a/rules/windows/image_load/image_load_side_load_iviewers.yml +++ b/rules/windows/image_load/image_load_side_load_iviewers.yml @@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-03-21 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_keyscrambler.yml b/rules/windows/image_load/image_load_side_load_keyscrambler.yml index 722e80738..6b3bca73a 100644 --- a/rules/windows/image_load/image_load_side_load_keyscrambler.yml +++ b/rules/windows/image_load/image_load_side_load_keyscrambler.yml @@ -16,6 +16,7 @@ references: author: Swachchhanda Shrawan Poudel date: 2024-04-15 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_mfdetours.yml b/rules/windows/image_load/image_load_side_load_mfdetours.yml index 8df9b617c..eef04981a 100644 --- a/rules/windows/image_load/image_load_side_load_mfdetours.yml +++ b/rules/windows/image_load/image_load_side_load_mfdetours.yml 
@@ -7,6 +7,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-08-03 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml index ad485c892..fce67c510 100644 --- a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml +++ b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml @@ -10,6 +10,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-08-11 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_mpsvc.yml b/rules/windows/image_load/image_load_side_load_mpsvc.yml index 66b2298b5..058fa4308 100644 --- a/rules/windows/image_load/image_load_side_load_mpsvc.yml +++ b/rules/windows/image_load/image_load_side_load_mpsvc.yml @@ -7,6 +7,8 @@ references: author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema date: 2024-07-11 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/image_load/image_load_side_load_mscorsvc.yml b/rules/windows/image_load/image_load_side_load_mscorsvc.yml index ceaa4ef25..15de52ddb 100644 --- a/rules/windows/image_load/image_load_side_load_mscorsvc.yml +++ b/rules/windows/image_load/image_load_side_load_mscorsvc.yml @@ -8,6 +8,8 @@ author: Wietze Beukema date: 2024-07-11 modified: 2025-02-26 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/image_load/image_load_side_load_python.yml b/rules/windows/image_load/image_load_side_load_python.yml index c1e4fe343..920437331 100644 --- a/rules/windows/image_load/image_load_side_load_python.yml 
+++ b/rules/windows/image_load/image_load_side_load_python.yml @@ -10,6 +10,8 @@ author: Swachchhanda Shrawan Poudel date: 2024-10-06 modified: 2025-08-18 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/image_load/image_load_side_load_rcdll.yml b/rules/windows/image_load/image_load_side_load_rcdll.yml index 0ea5027d5..610e53d92 100644 --- a/rules/windows/image_load/image_load_side_load_rcdll.yml +++ b/rules/windows/image_load/image_load_side_load_rcdll.yml @@ -8,6 +8,7 @@ author: X__Junior (Nextron Systems) date: 2023-03-13 modified: 2023-03-15 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml index e99ab2883..9628b7c7b 100644 --- a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml +++ b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml @@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-06-09 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml index 8f1bbc419..ac675c66b 100644 --- a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml +++ b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml @@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-06-09 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 
diff --git a/rules/windows/image_load/image_load_side_load_robform.yml b/rules/windows/image_load/image_load_side_load_robform.yml index 787ad6c97..e1973606c 100644 --- a/rules/windows/image_load/image_load_side_load_robform.yml +++ b/rules/windows/image_load/image_load_side_load_robform.yml @@ -9,6 +9,7 @@ references: author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2023-05-14 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml index aa953f957..23a5373e6 100644 --- a/rules/windows/image_load/image_load_side_load_shelldispatch.yml +++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml @@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-06-20 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml index f89d39abd..f60ff84a4 100644 --- a/rules/windows/image_load/image_load_side_load_smadhook.yml +++ b/rules/windows/image_load/image_load_side_load_smadhook.yml @@ -8,6 +8,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-06-01 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml index 14fe9478f..975b72807 100644 --- a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml +++ b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml 
@@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-05-07 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_ualapi.yml b/rules/windows/image_load/image_load_side_load_ualapi.yml index c5585deda..c1f454cf6 100644 --- a/rules/windows/image_load/image_load_side_load_ualapi.yml +++ b/rules/windows/image_load/image_load_side_load_ualapi.yml @@ -8,6 +8,7 @@ author: NVISO date: 2020-05-04 modified: 2022-06-02 tags: + - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml index 958768ef4..0ceb195e7 100644 --- a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml +++ b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml @@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-08-03 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml index 3f6f04a46..ade77083e 100644 --- a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml +++ b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml @@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-02 modified: 2023-02-17 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/image_load/image_load_side_load_waveedit.yml b/rules/windows/image_load/image_load_side_load_waveedit.yml index f826169b2..3984fab9a 100644 --- a/rules/windows/image_load/image_load_side_load_waveedit.yml +++ b/rules/windows/image_load/image_load_side_load_waveedit.yml 
@@ -7,6 +7,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-06-14 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_side_load_windows_defender.yml b/rules/windows/image_load/image_load_side_load_windows_defender.yml index b16e9577e..08c37f904 100644 --- a/rules/windows/image_load/image_load_side_load_windows_defender.yml +++ b/rules/windows/image_load/image_load_side_load_windows_defender.yml @@ -11,6 +11,8 @@ author: Bhabesh Raj date: 2022-08-02 modified: 2023-08-04 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml index 8b51f0355..95f22de97 100644 --- a/rules/windows/image_load/image_load_side_load_wwlib.yml +++ b/rules/windows/image_load/image_load_side_load_wwlib.yml @@ -9,6 +9,7 @@ references: author: X__Junior (Nextron Systems) date: 2023-05-18 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml index 1ec3baba9..d6f8dd14e 100644 --- a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml +++ b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml @@ -7,6 +7,8 @@ references: author: '@SerkinValery' date: 2023-06-08 tags: + - attack.privilege-escalation + - attack.defense-evasion - attack.persistence - attack.t1574.001 logsource: diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml index 81117a5f3..ff993e82c 100644 
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml @@ -11,6 +11,7 @@ author: omkar72, oscd.community date: 2020-10-14 modified: 2023-02-23 tags: + - attack.defense-evasion - attack.execution - attack.privilege-escalation - attack.t1055 diff --git a/rules/windows/image_load/image_load_thor_unsigned_execution.yml b/rules/windows/image_load/image_load_thor_unsigned_execution.yml index 1a1135700..49d671b22 100644 --- a/rules/windows/image_load/image_load_thor_unsigned_execution.yml +++ b/rules/windows/image_load/image_load_thor_unsigned_execution.yml @@ -7,6 +7,8 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-10-29 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/image_load/image_load_win_trusted_path_bypass.yml b/rules/windows/image_load/image_load_win_trusted_path_bypass.yml index 9bfb51849..2b8d5828a 100644 --- a/rules/windows/image_load/image_load_win_trusted_path_bypass.yml +++ b/rules/windows/image_load/image_load_win_trusted_path_bypass.yml @@ -12,6 +12,7 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-17 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.007 diff --git a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml index 3f27a9f96..d56068df6 100755 --- a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml +++ b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml @@ -8,6 +8,7 @@ author: Thomas Patzke date: 2018-03-07 modified: 2021-11-27 tags: + - attack.privilege-escalation - attack.t1546.003 - attack.persistence logsource: 
diff --git a/rules/windows/network_connection/net_connection_win_notepad.yml b/rules/windows/network_connection/net_connection_win_notepad.yml index eba8e4b21..2f999dcba 100644 --- a/rules/windows/network_connection/net_connection_win_notepad.yml +++ b/rules/windows/network_connection/net_connection_win_notepad.yml @@ -12,6 +12,7 @@ author: EagleEye Team date: 2020-05-14 modified: 2024-02-02 tags: + - attack.privilege-escalation - attack.command-and-control - attack.execution - attack.defense-evasion diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml index 46380d22f..972faa404 100755 --- a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml +++ b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml @@ -12,6 +12,7 @@ author: Ilyas Ochkov, oscd.community date: 2019-10-24 modified: 2024-03-15 tags: + - attack.defense-evasion - attack.credential-access - attack.t1558 - attack.lateral-movement diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml index 4297d9aa2..5bc9e0718 100644 --- a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml +++ b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml @@ -8,6 +8,7 @@ author: elhoim date: 2022-04-28 modified: 2024-03-12 tags: + - attack.privilege-escalation - attack.t1055 - attack.t1218 - attack.execution diff --git a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml index d0e50988d..da13d9652 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml 
+++ b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml @@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-08 modified: 2023-08-07 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.credential-access - attack.t1528 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml index 0bf434c52..5e379cee3 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml @@ -10,6 +10,9 @@ references: author: frack113 date: 2022-02-21 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml index 0916328f8..9bd9d7e32 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml @@ -9,6 +9,8 @@ author: frack113 date: 2021-12-28 modified: 2025-10-07 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.t1053.005 logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml index 7619adb06..1ddfaa7ad 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml 
@@ -8,6 +8,8 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021-12-27
 modified: 2024-01-22
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1556.002
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
index 569871700..e1593fb84 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
@@ -12,6 +12,8 @@ references:
 author: frack113
 date: 2021-12-30
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.012
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
index 5969b4001..20798897b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
@@ -11,6 +11,7 @@ author: frack113, Duc.Le-GTSC
 date: 2021-08-03
 modified: 2022-03-03
 tags:
+ - attack.discovery
 - attack.defense-evasion
 - attack.t1497.001
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
index fccff1d2f..10c2b77b8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
@@ -11,6 +11,8 @@ references:
 author: frack113
 date: 2021-12-30
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.011
 - stp.2a
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
index 1c525bf0d..e89106894 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
@@ -12,6 +12,7 @@ references:
 author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2023-04-27
 tags:
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1003
 - attack.t1558.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
index 8a6ee575d..7b50a8da4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2021-07-30
 modified: 2022-07-11
 tags:
+ - attack.credential-access
 - attack.collection
 - attack.t1056.001
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
index daa33de6c..da7263b41 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
@@ -10,6 +10,7 @@ references:
 author: frack113
 date: 2021-12-28
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index d27184e87..4903991ca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -12,6 +12,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2019-10-21
 modified: 2022-07-07
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.004
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
index 65e4256eb..2f7ce46e9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2021-08-19
 modified: 2022-12-25
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
index 6ff15466d..5b68dfe5f 100644
--- a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
@@ -8,6 +8,7 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-09
 modified: 2023-11-28
 tags:
+ - attack.defense-evasion
 - attack.execution
 - attack.privilege-escalation
 - attack.t1204.002
diff --git a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
index 303d1d51d..69eaedb8a 100644
--- a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
@@ -8,6 +8,7 @@ author: Florent Labouyrie
 date: 2021-04-30
 modified: 2022-10-09
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
index ec59ed03d..c0386597b 100644
--- a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
@@ -9,6 +9,8 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.comm
 date: 2019-10-24
 modified: 2021-11-27
 tags:
+ - attack.persistence
+ - attack.execution
 - attack.privilege-escalation
 - attack.t1053.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml b/rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml
index 0185a7ffa..9576c22f7 100644
--- a/rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml
+++ b/rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml
@@ -9,6 +9,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-02-17
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
index f450bd6d2..7280155a0 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
@@ -14,6 +14,7 @@ author: Sreeman
 date: 2020-10-29
 modified: 2024-01-25
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1197
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
index c74d5cf2e..233ad4734 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
@@ -13,6 +13,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-23
 tags:
+ - attack.defense-evasion
 - attack.credential-access
 - attack.collection
 - attack.t1185
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
index b16c2ee37..f97e9385c 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
@@ -11,6 +11,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-12
 tags:
+ - attack.defense-evasion
 - attack.command-and-control
 - attack.t1105
 - attack.t1564.003
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
index b09b9b5e4..fe39b2885 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
@@ -12,6 +12,7 @@ author: Sreeman, Florian Roth (Nextron Systems)
 date: 2022-01-04
 modified: 2025-10-07
 tags:
+ - attack.defense-evasion
 - attack.command-and-control
 - attack.t1105
 - attack.t1564.003
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
index 15f2e8312..1203d07a8 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
@@ -13,6 +13,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2019-10-21
 modified: 2023-03-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
index b0ab2ab46..68de9e82b 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
@@ -13,6 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-28
 modified: 2023-03-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
index e838850bc..5d93fb316 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
@@ -12,6 +12,7 @@ author: Sreeman
 date: 2020-02-18
 modified: 2023-03-07
 tags:
+ - attack.persistence
 - attack.t1546.008
 - attack.privilege-escalation
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
index fe73817df..bf77a0878 100644
--- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
+++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
@@ -8,6 +8,7 @@ author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
 date: 2020-06-22
 modified: 2023-10-11
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.defense-evasion
 - attack.t1218.002
diff --git a/rules/windows/process_creation/proc_creation_win_csi_execution.yml b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
index a3f5e0697..f26f48240 100644
--- a/rules/windows/process_creation/proc_creation_win_csi_execution.yml
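Review bot: In the sticky-keys hunk the tag list now reads `attack.persistence`, `attack.t1546.008`, `attack.privilege-escalation`, leaving a technique tag wedged between two tactic tags, while every other hunk in this commit keeps tactics ahead of techniques; the reg_import_from_suspicious_paths hunk further down ends up with the same interleaving (`attack.persistence`, `attack.t1112`, `attack.defense-evasion`). The pre-existing order was already out of step, but since the commit rewrites these tag blocks anyway, moving the existing tactic tag up — `- attack.persistence` / `- attack.privilege-escalation` / `- attack.t1546.008` — would keep the tactic-then-technique layout uniform across the rule set and make the tactic coverage readable at a glance.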
+++ b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
@@ -11,6 +11,7 @@ author: Konstantin Grishchenko, oscd.community
 date: 2020-10-17
 modified: 2022-07-11
 tags:
+ - attack.lateral-movement
 - attack.execution
 - attack.t1072
 - attack.defense-evasion
diff --git a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
index fc560bb5b..b6faa6ded 100644
--- a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
@@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2020-01-28
 modified: 2025-01-22
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
index 391cc212f..176cd3434 100644
--- a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
+++ b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
@@ -14,6 +14,8 @@ author: '@gott_cyber'
 date: 2022-08-29
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
index f10fe0471..f332d6054 100644
--- a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
@@ -9,6 +9,8 @@ references:
 author: Michael Haag
 date: 2024-09-03
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
index 4142faea9..f2c69fe7c 100644
--- a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
+++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
@@ -7,6 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-02
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
index 0caeaa9b7..2d0236e31 100644
--- a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
@@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-27
 modified: 2023-05-15
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
index 296b90292..ca892a803 100644
--- a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
@@ -8,6 +8,7 @@ author: Tim Rauch, Elastic (idea)
 date: 2022-09-27
 modified: 2023-02-05
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
index ea80cbbdf..ec611ecf5 100644
--- a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
@@ -14,6 +14,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-05-08
 modified: 2023-02-05
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.t1112
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index de68050b9..3e9bb6981 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -13,6 +13,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-04-09
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1562.002
 - attack.t1112
diff --git a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
index 71ef80b1b..053ce4adc 100644
--- a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-02-23
 modified: 2022-04-21
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
index bc8c5c126..f2439674a 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2019-02-06
 modified: 2022-08-13
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
index c81e653fc..f4d861da3 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-07-31
 modified: 2023-02-04
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.t1557.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
index dbcd9463f..ae9c07e82 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
@@ -8,6 +8,8 @@ author: Thomas Patzke
 date: 2020-05-22
 modified: 2023-11-06
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1047
 - attack.t1053
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
index 021d1341f..21ece4e18 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-12-07
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml b/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml
index af7882886..508bcf01f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml
@@ -9,6 +9,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-07-01
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.012
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
index 651136c50..0480aa762 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-07-24
 modified: 2023-02-07
 tags:
+ - attack.collection
 - attack.execution
 - attack.credential-access
 - attack.t1557.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
index 46f3cb68e..02a796ed1 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-04-26
 modified: 2023-02-04
 tags:
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1558.003
 - attack.lateral-movement
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml
index 3594d1115..54ae1d840 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml
@@ -9,6 +9,7 @@ author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019-10-26
 modified: 2023-02-05
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1134.001
 - attack.t1134.002
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
index 94db90c07..55bb21694 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-07-24
 modified: 2023-02-14
 tags:
+ - attack.collection
 - attack.execution
 - attack.credential-access
 - attack.t1557.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
index 97f88c953..d7b4453c7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-12-19
 modified: 2023-04-20
 tags:
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1003
 - attack.t1558.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
index 619cac573..56d9fb93a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
@@ -11,6 +11,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-07-23
 modified: 2024-11-23
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1134.004
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
index c6d3e2565..53c784144 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
@@ -9,6 +9,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-09-15
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
index c971a46b2..333089a43 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-08-20
 modified: 2023-02-13
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
index 17815d5c1..7ef36f113 100644
--- a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
+++ b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
@@ -18,6 +18,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-20
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
index 5cb81648e..999c74df4 100644
--- a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
@@ -10,6 +10,7 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-05-13
 tags:
+ - attack.persistence
 - attack.execution
 - attack.defense-evasion
 - attack.privilege-escalation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
index b19ba6b5a..e4b71be86 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
@@ -8,6 +8,8 @@ author: Anton Kutepov, oscd.community
 date: 2020-02-05
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.defense-evasion
 - attack.t1574.008
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
index 17eade9ef..fa735982f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
@@ -9,6 +9,7 @@ author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @a
 date: 2021-09-30
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
index 3710a8760..06c2fabaa 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
@@ -7,6 +7,7 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022-05-19
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
index eb80b979d..daa1b9a59 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
@@ -8,6 +8,7 @@ author: 'Avneet Singh @v3t0_, oscd.community'
 date: 2020-10-18
 modified: 2023-01-09
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
index 16fa80ec3..bf697f6c1 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
@@ -11,6 +11,8 @@ author: Bhabesh Raj
 date: 2022-08-01
 modified: 2023-08-04
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
index d6f3c55de..a1518440c 100644
--- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
@@ -9,6 +9,7 @@ author: Alexander McDonald
 date: 2022-06-24
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml
index f5c4db2b2..9173be47e 100644
--- a/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-03-17
 modified: 2023-06-23
 tags:
+ - attack.discovery
 - attack.credential-access
 - attack.t1040
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
index 5f7cebbea..b3cbb2f74 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
@@ -11,6 +11,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-18
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
index 9e84a681d..9140fb4ab 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
@@ -10,6 +10,7 @@ author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Sys
 date: 2021-06-28
 modified: 2025-02-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
index 1af51441a..6b7ca4798 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
@@ -9,6 +9,8 @@ author: Sreeman
 date: 2020-10-29
 modified: 2022-10-09
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1556.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
index fcb0e03b6..20a2685d8 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
@@ -17,6 +17,7 @@ references:
 author: Stephen Lincoln @slincoln-aiq (AttackIQ)
 date: 2023-12-21
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.impact
 - attack.t1112
diff --git a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
index f74975989..03f1d4511 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
@@ -9,6 +9,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawa
 date: 2019-10-25
 modified: 2025-02-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
index bd55d92cd..1f476c772 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
@@ -11,6 +11,7 @@ author: frack113, Nasreddine Bencherchali
 date: 2022-08-01
 modified: 2023-02-05
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index 3a4ec330b..65d488a2e 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -16,6 +16,7 @@ author: frack113
 date: 2023-01-13
 modified: 2025-08-28
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
index 85b3c92b6..2c54f61f1 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
@@ -15,6 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-12-15
 modified: 2023-12-22
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
index 713c59829..9c8ec9b37 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
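Review bot: In the reg_import_from_suspicious_paths hunk the new `- attack.persistence` is inserted ahead of `- attack.t1112`, which still sits before `- attack.defense-evasion`, so the list now interleaves tactic and technique tags. Since the commit already touches these lines, grouping the tactics first would match the order most other hunks on this page use: `- attack.persistence`, `- attack.defense-evasion`, `- attack.t1112`. The same technique-before-tactic ordering survives in the regedit_import_keys, regedit_import_keys_ads, regini_ads and regini_execution hunks (`attack.t1112` before `attack.defense-evasion`) and in the userinit_uncommon_child_processes hunk (`attack.t1037.001` before `attack.persistence`). Each of these tag lists continues below the hunk boundary, so further entries may exist that are not in view.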
+++ b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
@@ -8,6 +8,7 @@ author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
 date: 2022-02-12
 modified: 2023-02-05
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.lateral-movement
 - attack.t1021.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml b/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
index b16ba1acd..7be25680c 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
@@ -11,6 +11,7 @@ author: frack113
 date: 2021-08-19
 modified: 2022-06-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1546.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
index aa688ab70..7a7e81fb2 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -11,6 +11,8 @@ author: frack113
 date: 2021-12-30
 modified: 2024-03-13
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.011
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
index f07bd00e7..ff558683e 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
@@ -10,6 +10,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-19
 modified: 2022-10-10
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - attack.t1562.001
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
index 3fdee181e..18adb6776 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
@@ -12,6 +12,7 @@ author: Oddvar Moe, Sander Wiebing, oscd.community
 date: 2020-10-07
 modified: 2024-03-13
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
index f7fa00e5e..5b7d20b78 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
@@ -12,6 +12,7 @@ author: Oddvar Moe, Sander Wiebing, oscd.community
 date: 2020-10-12
 modified: 2024-03-13
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
index 983759d1b..b434b6945 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-05-27
 modified: 2022-10-09
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
index 8be1f4f7b..8f268cb79 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
@@ -13,6 +13,7 @@ author: Eli Salem, Sander Wiebing, oscd.community
 date: 2020-10-12
 modified: 2023-02-08
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regini_execution.yml b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
index 21b40aacf..04f465f1b 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
@@ -13,6 +13,7 @@ author: Eli Salem, Sander Wiebing, oscd.community
 date: 2020-10-08
 modified: 2023-02-08
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
index 4d37473fb..25c4b2ecf 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
@@ -9,6 +9,8 @@ author: Ivan Dyachkov, Yulia Fomina, oscd.community
 date: 2020-10-07
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
index f194259c9..87599ace7 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
@@ -11,6 +11,7 @@ author: Tom Ueltschi (@c_APT_ure)
 date: 2019-01-12
 modified: 2023-06-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1037.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
index 5882e2661..926d8bdea 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
@@ -9,6 +9,8 @@ author: Teymur Kheirkhabarov
 date: 2019-10-26
 modified: 2024-12-01
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.011
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
index 85799d495..9bb848807 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2019-07-17
 modified: 2023-05-24
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
index 6a823017d..8e97b0771 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-02-11
 modified: 2024-02-26
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
index 5c3cee11b..b487f7b28 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
@@ -14,6 +14,7 @@ references:
 author: Josh Nickels, Qi Nan
 date: 2024-03-11
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
index e851300f4..855a3a114 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
@@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2020-01-28
 modified: 2025-01-22
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1036
 - attack.t1055.001
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
index 5c239bea7..216434f1a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
@@ -8,6 +8,8 @@ author: elhoim
 date: 2022-09-09
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
index df306b41d..5ac05e97d 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-05
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
index 5a0ec908d..950729948 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
@@ -7,6 +7,7 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2021-02-01
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
index 06388ff47..ad12be4ac 100644
--- a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
@@ -10,6 +10,7 @@ author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock
 date: 2020-10-18
 modified: 2022-12-13
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
index 0c575bd87..9a3e91a35 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
@@ -13,6 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-28
 modified: 2025-10-22
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml
index d10b3de7c..0d246b74a 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml
@@ -15,6 +15,7 @@ author: Jonhnathan Ribeiro, oscd.community
 date: 2020-10-16
 modified: 2023-02-28
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
index b2c29769f..0b9cf254d 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
@@ -8,6 +8,8 @@ author: Sreeman
 date: 2020-09-29
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1543.003
 - attack.t1574.011
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
index 9ff4c256b..c83196d5f 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
@@ -8,6 +8,7 @@ author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-03-15
 modified: 2022-07-28
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
index d6ae42d41..f348ecd43 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
@@ -15,6 +15,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-28
 modified: 2022-11-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
index e79bc2c63..d5f5269d3 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-11
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml b/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
index eda760755..b238f764a 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
@@ -9,6 +9,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-02-05
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 - attack.defense-evasion
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
index 6529c5d0f..1f1159d45 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
@@ -13,6 +13,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-02-21
 modified: 2025-10-07
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml b/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
index bfe2883ee..51f843074 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-04-15
 modified: 2022-11-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml b/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
index f4b7ec16a..d1f802cde 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
@@ -8,6 +8,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-31
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml b/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml
index 3821b2c60..2b11d0316 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml
@@ -8,6 +8,7 @@ references:
 author: Rory Duncan
 date: 2025-07-14
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
index a65cee2b8..2f71abf74 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
@@ -13,6 +13,8 @@ author: Sreeman
 date: 2020-09-29
 modified: 2023-02-10
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
index 87bb266a3..def1f25af 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
@@ -11,6 +11,7 @@ author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2022-04-08
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index 991637168..353c2ab52 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -10,6 +10,7 @@ references:
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-18
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
index 7d2ec04b6..21370b047 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
@@ -8,6 +8,7 @@ author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron
 date: 2022-02-12
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
index 26dd70113..ee56a617b 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
@@ -12,6 +12,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-09
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
index 512b2356d..4338f343a 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
@@ -11,6 +11,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-31
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index 541d8fc09..492319dd9 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -9,6 +9,8 @@ author: Swachchhanda Shrawan Poudel, Elastic (idea)
 date: 2023-04-20
 modified: 2024-12-01
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.defense-evasion
 - attack.persistence
 - attack.t1036.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
index 70ed5f6d1..9904fcaa1 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
@@ -10,6 +10,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-02-23
 modified: 2024-03-19
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
index c92da2588..c8bc36e65 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
@@ -9,6 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-28
 modified: 2025-02-15
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
index 2723c7d59..3639f409b 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
@@ -7,6 +7,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-02-05
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 - attack.defense-evasion
diff --git a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
index 9863eb337..ebb556620 100644
--- a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
@@ -9,6 +9,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
 modified: 2021-11-27
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
index bd6dba033..80fa5ea93 100644
--- a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
@@ -9,6 +9,7 @@ author: Janantha Marasinghe
 date: 2022-11-18
 modified: 2022-12-30
 tags:
+ - attack.collection
 - attack.discovery
 - attack.persistence
 - attack.defense-evasion
diff --git a/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
index 8ecb9a572..d6647c5f6 100644
--- a/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
@@ -10,6 +10,8 @@ references:
 author: frack113
 date: 2024-12-01
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
index 2ab8fb6b9..ecc829941 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
@@ -8,6 +8,7 @@ author: 'Semanur Guneysu @semanurtg, oscd.community'
 date: 2020-10-28
 modified: 2022-11-11
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
index a76b7c779..3a0b8b588 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2022-08-12
 modified: 2023-03-02
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
index c15579cb9..4d297da42 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
@@ -12,6 +12,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-02-23
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
index 4ff9dcceb..2e30bcee2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-12-06
 modified: 2022-09-09
 tags:
+ - attack.initial-access
 - attack.persistence
 - attack.lateral-movement
 - attack.t1133
diff --git a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
index 8e4efb8d4..286962327 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
@@ -8,6 +8,7 @@ author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
 modified: 2024-12-01
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
index 1234c1227..ad52a7053 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
@@ -11,6 +11,7 @@ author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Rese
 date: 2019-10-26
 modified: 2024-12-01
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
index db394807f..082202c95 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
@@ -8,6 +8,7 @@ author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
 modified: 2022-10-20
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
index a5e46c532..357b22fd9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
@@ -8,6 +8,7 @@ author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 date: 2020-10-05
 modified: 2024-12-01
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
index 39847bf8d..7f94f128e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
@@ -12,6 +12,7 @@ author: Sreeman
 date: 2020-01-13
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.persistence
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index 2e93071db..dac1a5a89 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
 date: 2019-06-17
 modified: 2025-10-17
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml b/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml
index 3962e121a..d6706ae6a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml
@@ -7,6 +7,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-08-29
 tags:
+ - attack.command-and-control
 - attack.persistence
 - attack.defense-evasion
 - attack.t1219
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
index 48348d71d..7c87186c6 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-16
 modified: 2023-02-24
 tags:
+ - attack.privilege-escalation
 - attack.discovery
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
index 92433b191..fbd95fa9b 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
@@ -11,6 +11,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-23
 tags:
+ - attack.privilege-escalation
 - attack.discovery
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
index 5ada3cce6..b0bfccfe4 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
@@ -9,6 +9,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
 date: 2019-10-24
 modified: 2021-11-27
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
index c987fc15d..9422e51e8 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
@@ -7,6 +7,7 @@ references:
 author: Tim Rauch, Elastic (idea)
 date: 2022-09-27
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
index cbd220224..0fe66c35b 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
@@ -14,6 +14,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-08-27
 modified: 2025-06-17
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
index b7893d038..1cb76c927 100644
--- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
@@ -12,6 +12,7 @@ author: Tom Ueltschi (@c_APT_ure), Tim Shelton
 date: 2019-01-12
 modified: 2023-11-14
 tags:
+ - attack.privilege-escalation
 - attack.t1037.001
 - attack.persistence
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
index edc4a660e..1a29ce8fb 100644
--- a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
@@ -12,6 +12,7 @@ author: Konstantin Grishchenko, oscd.community
 date: 2020-10-06
 modified: 2021-11-27
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
index 7af9fb7ce..ce97ceb1f 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-10-11
 modified: 2023-02-08
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml b/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml
index 829c53524..8e5cf0909 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml
@@ -8,6 +8,7 @@ references:
 author: "Daniel Koifman (KoifSec)"
 date: 2025-07-30
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
index ead1a4d82..275cc819b 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-06-25
 modified: 2023-02-14
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml b/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml
index 56d6e4f8c..4d94eafcd 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml
@@ -12,6 +12,7 @@ references:
 author: Daniel Koifman (KoifSec)
 date: 2025-07-30
 tags:
+ - attack.persistence
 - attack.execution
 - attack.defense-evasion
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
index 83181a129..2af1da66b 100644
--- a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
@@ -11,6 +11,8 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-09-20
 modified: 2024-08-15
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
index 3bbb016b8..3c020f7b6 100644
--- a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
+++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
@@ -12,6 +12,7 @@ author: Christopher Peacock
 date: 2021-10-07
 modified: 2023-02-07
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
index 015af3461..788fe0c7a 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
@@ -8,6 +8,7 @@ author: Kutepov Anton, oscd.community
 date: 2019-10-23
 modified: 2023-02-07
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
index d1374b978..b112c18e0 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
@@ -8,6 +8,7 @@ author: Tom Ueltschi (@c_APT_ure)
 date: 2019-01-12
 modified: 2023-06-09
 tags:
+ - attack.privilege-escalation
 - attack.t1037.001
 - attack.persistence
 - attack.lateral-movement
diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
index 995882368..91dcf400a 100644
--- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
@@ -10,6 +10,7 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-10-19
 modified: 2023-02-08
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1070
 - attack.t1112
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index fd3c00d15..60d10e767 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -14,6 +14,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
 modified: 2025-10-07
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index 20247e338..041424007 100755
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -9,6 +9,7 @@ author: Ilyas Ochkov, oscd.community
 date: 2019-10-25
 modified: 2021-11-27
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1562.002
 - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
index 56a249bb1..27281a36e 100644
--- a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
@@ -11,6 +11,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2019-08-25
 modified: 2021-11-27
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
index dea91ae94..a3f72eea2 100644
--- a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
+++ b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
@@ -8,6 +8,7 @@ author: Trent Liffick
 date: 2020-05-08
 modified: 2021-11-27
 tags:
+ - attack.defense-evasion
 - attack.persistence
 - attack.execution
 - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
index 52adb226f..5a53af9c3 100644
--- a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
@@ -7,6 +7,7 @@ references:
 author: Hieu Tran
 date: 2023-03-13
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
index c8ab85339..9fda1f821 100755
--- a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
+++ b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
@@ -8,6 +8,7 @@ author: Dmitriy Lifanov, oscd.community
 date: 2019-10-25
 modified: 2022-03-26
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 9f131a0f3..069a0b82d 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk S
 date: 2018-03-20
 modified: 2024-12-03
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1562.001
 - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
index 93d902ac5..1f55e687a 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
@@ -11,6 +11,7 @@ author: Ilyas Ochkov, oscd.community
 date: 2019-10-25
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.009
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index 71bdd1288..c98cbc5b6 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -8,6 +8,7 @@ author: Ilyas Ochkov, oscd.community, Tim Shelton
 date: 2019-10-25
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.010
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index 4f6a06aef..91a97245d 100644
--- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -10,6 +10,7 @@ author: frack113
 date: 2021-11-18
 modified: 2022-12-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
index c31f0ad85..b23b06a4c 100644
--- a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
@@ -8,6 +8,7 @@ author: Alexander Rausch
 date: 2020-06-24
 modified: 2021-11-27
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
index 7819beef5..b7a058814 100644
--- a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
+++ b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
@@ -8,6 +8,7 @@ author: omkar72
 date: 2020-10-30
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
index ece118bc4..eb30bcf28 100644
--- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
+++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
@@ -9,6 +9,7 @@ author: 'Avneet Singh @v3t0_, oscd.community'
 date: 2020-11-15
 modified: 2024-03-25
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index e7a7cf01b..57b07c733 100644
--- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -11,6 +11,7 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
 modified: 2022-01-13
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
diff --git a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
index 45bf4bee0..f75c58b64 100755
--- a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
+++ b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
@@ -10,6 +10,7 @@ author: iwillkeepwatch
 date: 2019-01-18
 modified: 2022-08-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.005
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index 772eaf2fd..3da1adbb6 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -9,6 +9,7 @@ author: Mateusz Wydra, oscd.community
 date: 2020-10-13
 modified: 2023-01-19
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1218
 - attack.persistence
diff --git a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
index 11610042a..75137f926 100755
--- a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Syst
 date: 2019-10-01
 modified: 2025-02-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
index 088f2c485..b8264d5ec 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-10-16
 modified: 2022-04-21
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1547.008
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
index 75ac8d1ae..922861fe9 100644
--- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
@@ -10,6 +10,7 @@ author: frack113
 date: 2021-12-30
 modified: 2024-03-25
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.010
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
index 050a8bad6..b6451dfe2 100644
--- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
+++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-19
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index b799dd05b..78da51ab5 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index 47a01b08b..1b1a1e814 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -14,6 +14,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-06-16
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index 1e9344aa9..4f69735d7 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index 0f768b106..48994c5ea 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -14,6 +14,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-10-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index d142d5265..df7358e11 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-10-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
index 9f5780577..28c302765 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index 2c7c412fb..6ffc70162 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-10-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
index 1bfaea456..2abffb1ce 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - attack.t1546.009
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
index 20d89348b..51f3d1d20 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
index 0beedb07e..a60857234 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 9363958fd..c94e1dc18 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -14,6 +14,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-10-07
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
index 4cb70d032..88a9f6e4f 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
index d99258b07..b0e4edb83 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
index 5ce4cc41f..e717b00e2 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
@@ -7,6 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
index 9c4c1e35b..a32506418 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
@@ -10,6 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
index 014cd8e34..6ae92024b 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
@@ -10,6 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
index a229c550b..d07c281b1 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-01-05
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.010
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
index 8d36c147b..6cae9accb 100644
--- a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
@@ -11,6 +11,7 @@ author: frack113
 date: 2022-01-01
 modified: 2024-03-25
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.010
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
index 0771d6288..29478e3df 100644
--- a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2021-12-28
 modified: 2023-08-17
 tags:
+ - attack.initial-access
 - attack.persistence
 - attack.t1133
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
index 32370ff28..c6afcca11 100644
--- a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
+++ b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
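Review bot: The new `- attack.privilege-escalation` in registry_set_bypass_uac_using_eventviewer.yml appears to be derived from the existing `attack.t1547.010` tag, and T1547.010 is "Boot or Logon Autostart Execution: Port Monitors", which does not describe an Event Viewer UAC bypass; a tactic propagated from a mis-assigned technique inherits the error. The same pattern applies to registry_set_change_rdp_port.yml (also `attack.t1547.010`) and to registry_set_chrome_extension.yml, where `- attack.initial-access` is derived from `attack.t1133` (External Remote Services) on a rule about browser extensions. It seems worth confirming the technique tags before adding tactics: T1548.002 (Bypass User Account Control) would fit the eventviewer rule and T1176 (Browser Extensions) the chrome-extension rule, but the detection sections of these files are outside the hunks, so I cannot verify that from here.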
@@ -9,6 +9,7 @@ author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
 date: 2023-06-12
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
index a393bbf48..158b67d47 100644
--- a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
+++ b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
@@ -9,6 +9,7 @@ author: Wojciech Lesicki
 date: 2021-06-29
 modified: 2024-03-25
 tags:
+    - attack.persistence
     - attack.execution
     - attack.privilege-escalation
     - attack.lateral-movement
diff --git a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
index 9fd6561e0..38951f4a3 100644
--- a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
@@ -9,6 +9,8 @@ author: Omkar Gudhate
 date: 2020-09-27
 modified: 2023-09-28
 tags:
+    - attack.persistence
+    - attack.defense-evasion
     - attack.privilege-escalation
     - attack.t1546
     - attack.t1548
diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
index 871923baa..34064efbd 100644
--- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -8,6 +8,7 @@ author: Tobias Michalski (Nextron Systems)
 date: 2022-02-24
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1564
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
index 724be0f10..82c13ca64 100644
--- a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
@@ -13,6 +13,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-04-09
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1562.002
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index dcba95424..76fe5360a 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -11,6 +11,7 @@ author: Florian Roth (Nextron Systems), frack113
 date: 2022-05-02
 modified: 2025-10-07
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
index 4821a80b6..269ee0805 100644
--- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
@@ -9,6 +9,8 @@ author: frack113
 date: 2022-08-07
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.persistence
     - attack.t1574
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
index 7de036f7d..51cba8ce2 100644
--- a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
@@ -18,6 +18,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq
 date: 2023-12-21
 modified: 2025-10-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.impact
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
index d0232d452..33c9c15f5 100755
--- a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
@@ -10,6 +10,8 @@ author: Dimitrios Slamaris
 date: 2017-05-15
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1574.001
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index 32231a883..42ffb0b44 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -13,6 +13,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
 date: 2022-03-18
 modified: 2025-06-04
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
index e69c0e5cc..942ec0a23 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-19
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
index 8377f4a5d..923e7b270 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
@@ -11,6 +11,8 @@ author: X__Junior
 date: 2025-01-16
 modified: 2025-08-16
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1547.001
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
index 241d0948a..aaee3dd80 100644
--- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-19
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
index ae806c898..31029adfa 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
@@ -14,6 +14,7 @@ author: Austin Songer
 date: 2021-07-22
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1140
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
index b68e998f0..0c834fdda 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
@@ -14,6 +14,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-05-08
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1574.001
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
index b71ae4c38..9a86f7983 100644
--- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
@@ -21,6 +21,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-06-05
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
     - attack.t1562
diff --git a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
index 7dfbbebd5..40b058bc1 100644
--- a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
@@ -18,6 +18,8 @@ references:
 author: Nischal Khadgi
 date: 2024-07-11
 tags:
+    - attack.defense-evasion
+    - attack.credential-access
     - attack.persistence
     - attack.t1556
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
index f3ea04cf0..1a76560aa 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-07-17
 modified: 2022-12-30
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
index 74ea732a0..a4a7d7704 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-07-17
 modified: 2022-12-30
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
index f90288697..3bf497ab4 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-03-18
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index 59be85afc..8b943256e 100644
--- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -15,6 +15,7 @@ author: frack113
 date: 2023-01-13
 modified: 2024-08-23
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
index 7ac2c3789..4002f7483 100644
--- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
@@ -11,6 +11,7 @@ author: Trent Liffick (@tliffick)
 date: 2020-05-14
 modified: 2023-08-17
 tags:
+    - attack.defense-evasion
     - attack.execution
     - attack.persistence
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
index 3df719ef0..b1a4b5316 100644
--- a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
+++ b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
@@ -11,6 +11,7 @@ author: frack113
 date: 2022-11-18
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
index 44e763fd7..a066f5e60 100644
--- a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
@@ -14,6 +14,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-11-28
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.007
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
index 903ba29c2..8ad300bef 100644
--- a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
@@ -15,6 +15,7 @@ author: Anish Bogati
 date: 2023-11-28
 modified: 2025-10-08
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.007
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
index bf362b622..7eb6d8332 100644
--- a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
@@ -13,6 +13,7 @@ author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-05-22
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
index 9865487ee..463773fcd 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
@@ -9,6 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2021-04-05
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.command-and-control
     - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
index 264e7acf1..ec07ff082 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
@@ -9,6 +9,7 @@ author: '@ScoubiMtl'
 date: 2021-04-05
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.command-and-control
     - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
index fa2a2c5d4..bb43bcf1c 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
@@ -14,6 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-08
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
index 2ad8ad3f9..d917c4445 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
@@ -12,6 +12,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-21
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
index a459bf57f..b83c26fcb 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
@@ -12,6 +12,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-21
 modified: 2023-09-29
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
index d9a2515c9..bac2794ec 100644
--- a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
@@ -13,6 +13,7 @@ author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-05-22
 modified: 2024-03-19
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
index 5e439d63d..dbdc7ca51 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
@@ -10,6 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-01-01
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.011
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
index 3e047066a..07f1ab0b8 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
@@ -13,6 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-10
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.012
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
index e864f4769..9500c38fa 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-07-27
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index 52115f0fc..603e84e23 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -20,6 +20,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
 modified: 2025-07-01
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
index 024ff90f1..24833ef44 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
@@ -11,6 +11,7 @@ author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
 date: 2023-06-07
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
index 1d13b5b99..acdbf733e 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-05-30
 modified: 2023-05-12
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
index 44d0e2b32..de4c9572b 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-01-22
 modified: 2025-07-04
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
index d3bfa4b7d..cefe4979b 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
@@ -15,6 +15,7 @@ author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Svee
 date: 2021-06-09
 modified: 2024-08-07
 tags:
+    - attack.defense-evasion
     - attack.persistence
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
index 045fc4688..bdd1d8555 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
@@ -14,6 +14,7 @@ author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Svee
 date: 2021-06-10
 modified: 2024-08-07
 tags:
+    - attack.defense-evasion
     - attack.persistence
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
index 19605f385..7eb69df3b 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-20
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
index 0090b5367..82a36ed63 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
@@ -12,6 +12,7 @@ author: frack113
 date: 2021-12-30
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.011
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
index f63227544..d6530aa06 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
@@ -9,6 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-01
 modified: 2023-12-06
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.011
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
index febab1a54..e8b598380 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
@@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-01
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.011
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
index 7b7684472..db995d0dd 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -10,6 +10,7 @@ author: frack113, Florian Roth (Nextron Systems)
 date: 2022-03-17
 modified: 2025-07-18
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
index 6fa1557be..a27d6fa27 100644
--- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-09
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
     - attack.t1562
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
index e466ab1ad..70a61d64b 100644
--- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-09
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
     - attack.t1562
diff --git a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
index cdb33222c..3163de270 100644
--- a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-03-18
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
index 75aa70f2c..b1c23f87a 100644
--- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-19
 modified: 2023-08-17
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
index a6f0d4ded..736468ed7 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2020-07-01
 modified: 2023-08-17
 tags:
+    - attack.persistence
+    - attack.defense-evasion
     - attack.privilege-escalation
     - attack.t1574
     - cve.2021-1675
diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index daaf3cef5..7ac4b355c 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems), oscd.community
 date: 2018-07-18
 modified: 2023-12-11
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index 6fdf9bcb6..74e0b1055 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhand
 date: 2018-08-25
 modified: 2025-10-06
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
index 88939c9dd..dca4ea2b8 100644
--- a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
+++ b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
@@ -14,6 +14,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-12-15
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
index 4ebede3bd..cd9bfd5fe 100644
--- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
+++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
@@ -9,6 +9,8 @@ author: Syed Hasan (@syedhasan009)
 date: 2021-06-18
 modified: 2025-07-04
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.t1053
     - attack.t1053.005
diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
index c251bd1a8..6ab950ea8 100644
--- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
@@ -15,6 +15,8 @@ author: Lednyov Alexey, oscd.community, Sreeman
 date: 2020-10-16
 modified: 2023-08-17
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.t1053.005
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
index ba44cc7bd..84da2fa71 100644
--- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-08-28
 modified: 2025-07-11
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
index 52aeb3c5d..89a114d4f 100644
--- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
+++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems) date: 2021-03-05 modified: 2023-08-17 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.001 logsource: diff --git a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml index 7781c7f09..ebac2060a 100644 --- a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml +++ b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml @@ -10,6 +10,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019-09-12 modified: 2023-08-17 tags: + - attack.persistence - attack.defense-evasion - attack.t1112 logsource: diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml index f37acde03..c2f3eb55c 100644 --- a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml +++ b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml @@ -10,6 +10,7 @@ author: frack113 date: 2021-12-30 modified: 2023-08-17 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.004 logsource: diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index 173f03817..b39cafc62 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -10,6 +10,7 @@ author: Tom Ueltschi (@c_APT_ure) date: 2019-01-12 modified: 2021-11-27 tags: + - attack.privilege-escalation - attack.persistence - attack.t1546.003 logsource: diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml index 7bea92992..1692dfd8b 100644 
--- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml @@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems) date: 2021-09-01 modified: 2022-10-09 tags: + - attack.privilege-escalation - attack.execution - attack.t1047 - attack.persistence
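Review bot: `+ - attack.privilege-escalation` is inserted into a tag block whose only visible technique is `attack.t1047`, which ATT&CK maps to Execution only, so nothing in the hunk justifies the new tactic; if a technique such as `attack.t1546.003` follows beyond the three trailing context lines that would explain it, but it is not visible here. The surrounding block already interleaves a tactic (`attack.persistence`) after a technique (`attack.t1047`), and the new line is placed ahead of `attack.execution`, which makes technique-to-tactic mismatches harder to spot; since the block is being touched, grouping all tactic tags first and technique tags after would be the cheaper convention to keep. The rest of the tag list, if any, is outside the hunk.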
