diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml index d5d36941e..7d17dbfdc 100644 --- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml @@ -1,6 +1,6 @@ title: Remote Schedule Task Lateral Movement via ATSvc id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb -status: test +status: experimental description: Detects remote RPC calls to create or execute a scheduled task via ATSvc references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.lateral_movement - attack.t1053 diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml index 066bd16ce..9d52743e1 100644 --- a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml @@ -1,6 +1,6 @@ title: Remote Schedule Task Recon via AtScv id: f177f2bc-5f3e-4453-b599-57eefce9a59c -status: test +status: experimental description: Detects remote RPC calls to read information about scheduled tasks via AtScv references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 @@ -10,7 +10,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.discovery logsource: 
diff --git a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml index 7c29e760a..5c07e7c6e 100644 --- a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml +++ b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml @@ -1,6 +1,6 @@ title: Possible DCSync Attack id: 56fda488-113e-4ce9-8076-afc2457922c3 -status: test +status: experimental description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks. references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.t1033 - attack.discovery diff --git a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml index 6a961a26d..3372c0926 100644 --- a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml +++ b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml @@ -1,6 +1,6 @@ title: Remote Encrypting File System Abuse id: 5f92fff9-82e2-48eb-8fc1-8b133556a551 -status: test +status: experimental description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.lateral_movement logsource: diff --git a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml index 7cea95c98..cd2abfc03 100644 
--- a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml @@ -1,13 +1,13 @@ title: Remote Event Log Recon id: 2053961f-44c7-4a64-b62d-f6e72800af0d -status: test +status: experimental description: Detects remote RPC calls to get event log information via EVEN or EVEN6 references: - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.discovery logsource: diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml index 4ff9923cb..d62cd3c59 100644 --- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml @@ -1,6 +1,6 @@ title: Remote Schedule Task Lateral Movement via ITaskSchedulerService id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d -status: test +status: experimental description: Detects remote RPC calls to create or execute a scheduled task references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.lateral_movement - attack.t1053 diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml index 52c9e0990..b92222812 100644 --- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml 
@@ -1,6 +1,6 @@ title: Remote Schedule Task Recon via ITaskSchedulerService id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e -status: test +status: experimental description: Detects remote RPC calls to read information about scheduled tasks references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.discovery logsource: diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml index 4f714aa3d..5cd803828 100644 --- a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml @@ -1,6 +1,6 @@ title: Remote Printing Abuse for Lateral Movement id: bc3a4b0c-e167-48e1-aa88-b3020950e560 -status: test +status: experimental description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 @@ -11,7 +11,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.lateral_movement logsource: diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml index 8e255c77c..ea6bc6829 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml 
@@ -1,6 +1,6 @@ title: Remote DCOM/WMI Lateral Movement id: 68050b10-e477-4377-a99b-3721b422d6ef -status: test +status: experimental description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI. references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 @@ -8,7 +8,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.lateral_movement - attack.t1021.003 diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml index aa51e273f..6bbd9a54a 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml @@ -1,6 +1,6 @@ title: Remote Registry Lateral Movement id: 35c55673-84ca-4e99-8d09-e334f3c29539 -status: test +status: experimental description: Detects remote RPC calls to modify the registry and possible execute code references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.lateral_movement - attack.t1112 diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml index 02507caeb..031bf972c 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml 
@@ -1,6 +1,6 @@ title: Remote Registry Recon id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8 -status: test +status: experimental description: Detects remote RPC calls to collect information references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.discovery logsource: diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml index c022192eb..5187b732c 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml @@ -1,6 +1,6 @@ title: Remote Server Service Abuse id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7 -status: test +status: experimental description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.lateral_movement logsource: diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml index 6c00cb697..fe38b44b0 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml 
@@ -1,6 +1,6 @@ title: Remote Server Service Abuse for Lateral Movement id: 10018e73-06ec-46ec-8107-9172f1e04ff2 -status: test +status: experimental description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.lateral_movement - attack.t1569.002 diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml index c22c17e0d..f729ea513 100644 --- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml @@ -1,6 +1,6 @@ title: Remote Schedule Task Lateral Movement via SASec id: aff229ab-f8cd-447b-b215-084d11e79eb0 -status: test +status: experimental description: Detects remote RPC calls to create or execute a scheduled task via SASec references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.lateral_movement - attack.t1053 diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml index 0e94f407f..d501c39db 100644 --- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml 
@@ -1,6 +1,6 @@ title: SharpHound Recon Account Discovery id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5 -status: test +status: experimental description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership. references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.t1087 - attack.discovery diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml index 3a28e0976..122843692 100644 --- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml @@ -1,6 +1,6 @@ title: SharpHound Recon Sessions id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28 -status: test +status: experimental description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership. references: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 @@ -9,7 +9,7 @@ references: - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ author: Sagie Dulce, Dekel Paz date: 2022/01/01 -modified: 2023/01/25 +modified: 2022/01/01 tags: - attack.t1033 logsource: diff --git a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml index 5a3816e73..d076b7593 100644 --- a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml +++ b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml 
@@ -1,13 +1,12 @@ title: Disable System Firewall id: 53059bc0-1472-438b-956a-7508a94a91f0 -status: test +status: experimental description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md - https://firewalld.org/documentation/man-pages/firewall-cmd.html author: 'Pawel Mazur' date: 2022/01/22 -modified: 2023/01/25 tags: - attack.t1562.004 - attack.defense_evasion diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index 206ff87e3..63e0b7288 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml @@ -1,12 +1,12 @@ title: Mimikatz Use id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 -status: test +status: experimental description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups) references: - https://tools.thehacker.recipes/mimikatz/modules author: Florian Roth (rule), David ANDRE (additional keywords) date: 2017/01/10 -modified: 2023/01/25 +modified: 2022/01/05 tags: - attack.s0002 - attack.lateral_movement diff --git a/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml b/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml index a39453137..6ba9b58d0 100644 --- a/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml 
@@ -1,12 +1,11 @@ title: Delete Log from Application id: b1decb61-ed83-4339-8e95-53ea51901720 -status: test +status: experimental description: Deletion of log files is a known anti-forensic technique references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md author: frack113 date: 2022/01/16 -modified: 2023/01/25 tags: - attack.defense_evasion - attack.t1070.004 diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml index c74b8d436..fea4b166f 100644 --- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml +++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml @@ -1,6 +1,6 @@ title: New Shim Database Created in the Default Directory id: ee63c85c-6d51-4d12-ad09-04e25877a947 -status: test +status: experimental description: | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. @@ -8,7 +8,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory author: frack113 date: 2021/12/29 -modified: 2023/01/25 tags: - attack.persistence - attack.t1547.009 diff --git a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml index a4b95f918..e8dda4a85 100644 --- a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml 
+++ b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml @@ -1,6 +1,6 @@ title: Creation Exe for Service with Unquoted Path id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9 -status: test +status: experimental description: | Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. @@ -8,7 +8,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md author: frack113 date: 2021/12/30 -modified: 2023/01/25 tags: - attack.persistence - attack.t1547.009 diff --git a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml index a26a213a4..e6aa57282 100644 --- a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml @@ -1,6 +1,6 @@ title: Dynamic C Sharp Compile Artefact id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 -status: test +status: experimental description: | When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. @@ -9,7 +9,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile author: frack113 date: 2022/01/09 -modified: 2023/01/25 tags: - attack.defense_evasion - attack.t1027.004 diff --git a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml index b54330e7b..925faee7c 100644 
--- a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml +++ b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml @@ -1,12 +1,11 @@ title: Installation of TeamViewer Desktop id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d -status: test +status: experimental description: TeamViewer_Desktop.exe is create during install references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows author: frack113 date: 2022/01/28 -modified: 2023/01/25 tags: - attack.command_and_control - attack.t1219 diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml index 2b52e7030..231684d35 100644 --- a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml +++ b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml @@ -1,12 +1,11 @@ title: Suspicious Creation TXT File in User Desktop id: caf02a0a-1e1c-4552-9b48-5e070bd88d11 -status: test +status: experimental description: Ransomware create txt file in the user Desktop references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note author: frack113 date: 2021/12/26 -modified: 2023/01/25 tags: - attack.impact - attack.t1486 diff --git a/rules/windows/file/file_event/file_event_win_susp_task_write.yml b/rules/windows/file/file_event/file_event_win_susp_task_write.yml index 407e4c569..cf1572edd 100644 --- a/rules/windows/file/file_event/file_event_win_susp_task_write.yml +++ b/rules/windows/file/file_event/file_event_win_susp_task_write.yml 
@@ -1,12 +1,12 @@ title: Suspicious Scheduled Task Write to System32 Tasks id: 80e1f67a-4596-4351-98f5-a9c3efabac95 -status: test +status: experimental description: Detects the creation of tasks from processes executed from suspicious locations references: - Internal Research author: Florian Roth date: 2021/11/16 -modified: 2023/01/25 +modified: 2022/01/12 tags: - attack.persistence - attack.execution diff --git a/rules/windows/image_load/image_load_wmi_module_load.yml b/rules/windows/image_load/image_load_wmi_module_load.yml index bca243194..c2023cc84 100755 --- a/rules/windows/image_load/image_load_wmi_module_load.yml +++ b/rules/windows/image_load/image_load_wmi_module_load.yml @@ -1,12 +1,12 @@ title: WMI Modules Loaded id: 671bb7e3-a020-4824-a00e-2ee5b55f385e -status: test +status: experimental description: Detects non wmiprvse loading WMI modules references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html author: Roberto Rodriguez @Cyb3rWard0g date: 2019/08/10 -modified: 2023/01/25 +modified: 2022/01/12 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/network_connection/net_connection_win_imewdbld.yml b/rules/windows/network_connection/net_connection_win_imewdbld.yml index b28334375..ebd073af8 100644 --- a/rules/windows/network_connection/net_connection_win_imewdbld.yml +++ b/rules/windows/network_connection/net_connection_win_imewdbld.yml @@ -1,13 +1,12 @@ title: Download a File with IMEWDBLD.exe id: 8d7e392e-9b28-49e1-831d-5949c6281228 -status: test +status: experimental description: Use IMEWDBLD.exe (built-in to windows) to download a file references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ author: frack113 date: 2022/01/22 -modified: 2023/01/25 tags: - attack.command_and_control - attack.t1105 
diff --git a/rules/windows/network_connection/net_connection_win_msiexec.yml b/rules/windows/network_connection/net_connection_win_msiexec.yml index 99125df6c..00bf5ae15 100644 --- a/rules/windows/network_connection/net_connection_win_msiexec.yml +++ b/rules/windows/network_connection/net_connection_win_msiexec.yml @@ -1,6 +1,6 @@ title: Msiexec Initiated Connection id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f -status: test +status: experimental description: | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) @@ -9,7 +9,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md author: frack113 date: 2022/01/16 -modified: 2023/01/25 tags: - attack.defense_evasion - attack.t1218.007 diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml index a332867d4..3f7ced816 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml 
@@ -1,13 +1,12 @@ title: Powershell Create Scheduled Task id: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb -status: test +status: experimental description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task author: frack113 date: 2021/12/28 -modified: 2023/01/25 tags: - attack.persistence - attack.t1053.005 diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml index 5146cb820..c958c74e5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml @@ -1,6 +1,6 @@ title: Registry-Free Process Scope COR_PROFILER id: 23590215-4702-4a70-8805-8dc9e58314a2 -status: test +status: experimental description: | Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). @@ -11,7 +11,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler author: frack113 date: 2021/12/30 -modified: 2023/01/25 tags: - attack.persistence - attack.t1574.012 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml index f3587cd5a..295acc7b8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml @@ -1,13 +1,12 @@ title: Create Volume Shadow Copy with Powershell id: afd12fed-b0ec-45c9-a13d-aa86625dac81 -status: test +status: experimental description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information references: - https://attack.mitre.org/datasources/DS0005/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 author: frack113 date: 2022/01/12 -modified: 2023/01/25 tags: - attack.credential_access - attack.t1003.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml index 142d2642d..8f22cc66e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml @@ -1,6 +1,6 @@ title: Manipulation of User Computer or Group Security Principals Across AD id: b29a93fb-087c-4b5b-a84d-ee3309e69d08 -status: test +status: experimental description: | Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.. 
@@ -9,7 +9,6 @@ references: - https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0 author: frack113 date: 2021/12/28 -modified: 2023/01/25 tags: - attack.persistence - attack.t1136.002 diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml index 26aae1ed3..261f32155 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml @@ -1,13 +1,12 @@ title: Enable Windows Remote Management id: 991a9744-f2f0-44f2-bd33-9092eba17dc3 -status: test +status: experimental description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 author: frack113 date: 2022/01/07 -modified: 2023/01/25 tags: - attack.lateral_movement - attack.t1021.006 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml index 59d637016..65ba85aca 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml 
@@ -1,6 +1,6 @@ title: Service Registry Permissions Weakness Check id: 95afc12e-3cbb-40c3-9340-84a032e596a3 -status: test +status: experimental description: | Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. @@ -10,7 +10,6 @@ references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2 author: frack113 date: 2021/12/30 -modified: 2023/01/25 tags: - attack.persistence - attack.t1574.011 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml index 53b607513..fd593ed98 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml @@ -1,13 +1,12 @@ title: Execute Invoke-command on Remote Host id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6 -status: test +status: experimental description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2 author: frack113 date: 2022/01/07 -modified: 2023/01/25 tags: - attack.lateral_movement - attack.t1021.006 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml index 5ff81edf7..81743a193 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml @@ -1,13 +1,12 @@ title: Powershell DNSExfiltration id: d59d7842-9a21-4bc6-ba98-64bfe0091355 -status: test +status: experimental description: DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh - https://github.com/Arno0x/DNSExfiltrator author: frack113 date: 2022/01/07 -modified: 2023/01/25 tags: - attack.exfiltration - attack.t1048 diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml index edad0942a..18053947f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml @@ -1,6 +1,6 @@ title: Powershell LocalAccount Manipulation id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c -status: test +status: experimental description: | Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups @@ -9,7 +9,6 @@ references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 author: frack113 date: 2021/12/28 -modified: 2023/01/25 tags: - attack.persistence - attack.t1098 diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml index e72df38ae..27ebe0fde 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml @@ -1,6 +1,6 @@ title: Code Executed Via Office Add-in XLL File id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad -status: test +status: experimental description: | Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs @@ -8,7 +8,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md author: frack113 date: 2021/12/28 -modified: 2023/01/25 tags: - attack.persistence - attack.t1137.006 diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml index e74ac77e7..ddc1cf1ef 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml @@ -1,6 +1,6 @@ title: Request A Single Ticket via PowerShell id: a861d835-af37-4930-bcd6-5b178bfb54df -status: test +status: experimental description: | utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. @@ -9,7 +9,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell author: frack113 date: 2021/12/28 -modified: 2023/01/25 tags: - attack.credential_access - attack.t1558.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml index 86d4201cb..f26d83b63 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml @@ -1,6 +1,6 @@ title: Powershell Execute Batch Script id: b5522a23-82da-44e5-9c8b-e10ed8955f88 -status: test +status: experimental description: | Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. @@ -11,7 +11,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script author: frack113 date: 2022/01/02 -modified: 2023/01/25 tags: - attack.execution - attack.t1059.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml index 9ece75125..4020eb333 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml @@ -1,6 +1,6 @@ title: Suspicious Connection to Remote Account id: 1883444f-084b-419b-ac62-e0d0c5b3693f -status: test +status: experimental description: | Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism 
@@ -8,7 +8,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos author: frack113 date: 2021/12/27 -modified: 2023/01/25 tags: - attack.credential_access - attack.t1110.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml index d7b4613bb..f5b63be2d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml @@ -1,6 +1,6 @@ title: Remove Account From Domain Admin Group id: 48a45d45-8112-416b-8a67-46e03a4b2107 -status: test +status: experimental description: | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. @@ -8,7 +8,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group author: frack113 date: 2021/12/26 -modified: 2023/01/25 tags: - attack.impact - attack.t1531 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml index 0fcd725a9..fe2906a00 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml 
@@ -1,13 +1,12 @@ title: Suspicious SSL Connection id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078 -status: test +status: experimental description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2 - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 author: frack113 date: 2022/01/23 -modified: 2023/01/25 tags: - attack.command_and_control - attack.t1573 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml index 409b9e276..4e689a786 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml @@ -1,13 +1,12 @@ title: Suspicious Start-Process PassThru id: 0718cd72-f316-4aa2-988f-838ea8533277 -status: test +status: experimental description: Powershell use PassThru option to start in background references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 author: frack113 date: 2022/01/15 -modified: 2023/01/25 tags: - attack.defense_evasion - attack.t1036.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml index fe0276eeb..03bf4c28b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml 
@@ -1,6 +1,6 @@ title: Replace Desktop Wallpaper by Powershell id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287 -status: test +status: experimental description: | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper @@ -8,7 +8,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md author: frack113 date: 2021/12/26 -modified: 2023/01/25 tags: - attack.impact - attack.t1491.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml index 2406a2cc8..8476044f5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml @@ -1,6 +1,6 @@ title: Testing Usage of Uncommonly Used Port id: adf876b3-f1f8-4aa9-a4e4-a64106feec06 -status: test +status: experimental description: | Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. @@ -9,7 +9,6 @@ references: - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps author: frack113 date: 2022/01/23 -modified: 2023/01/25 tags: - attack.command_and_control - attack.t1571 diff --git a/rules/windows/process_creation/proc_creation_win_evil_winrm.yml b/rules/windows/process_creation/proc_creation_win_evil_winrm.yml index fc087ca14..ff3bbbb56 100644 --- a/rules/windows/process_creation/proc_creation_win_evil_winrm.yml +++ b/rules/windows/process_creation/proc_creation_win_evil_winrm.yml 
@@ -1,13 +1,12 @@ title: WinRM Access with Evil-WinRM id: a197e378-d31b-41c0-9635-cfdf1c1bb423 -status: test +status: experimental description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm - https://github.com/Hackplayers/evil-winrm author: frack113 date: 2022/01/07 -modified: 2023/01/25 tags: - attack.lateral_movement - attack.t1021.006 diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 9c202222f..28a7f93c4 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml @@ -1,12 +1,11 @@ title: Findstr GPP Passwords id: 91a2c315-9ee6-4052-a853-6f6a8238f90d -status: test +status: experimental description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr author: frack113 date: 2021/12/27 -modified: 2023/01/25 tags: - attack.credential_access - attack.t1552.006 diff --git a/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml b/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml index a05805e3d..609ad0dba 100644 --- a/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml +++ b/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml 
@@ -1,12 +1,11 @@ title: File Download with Headless Browser id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e -status: test +status: experimental description: This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files. references: - https://twitter.com/mrd0x/status/1478234484881436672?s=12 author: Sreeman, Florian Roth date: 2022/01/04 -modified: 2023/01/25 tags: - attack.command_and_control - attack.t1105 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml index 1d0c2a562..453bc7be3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml @@ -1,12 +1,11 @@ title: GatherNetworkInfo.vbs Script Usage id: 575dce0c-8139-4e30-9295-1ee75969f7fe -status: test +status: experimental description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target references: - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs author: blueteamer8699 date: 2022/01/03 -modified: 2023/01/25 tags: - attack.discovery - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml index a4f4a773a..2da66feb5 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml 
@@ -1,6 +1,6 @@ title: Suspicious LOLBIN AccCheckConsole id: 0f6da907-5854-4be6-859a-e9958747b0aa -status: test +status: experimental description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL references: - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 @@ -8,7 +8,6 @@ references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/ author: Florian Roth date: 2022/01/06 -modified: 2023/01/25 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml b/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml index 57207fbc9..45a69f540 100644 --- a/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml +++ b/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml @@ -1,12 +1,11 @@ title: Suspicious Minimized MSEdge Start id: 94771a71-ba41-4b6e-a757-b531372eaab6 -status: test +status: experimental description: Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet references: - https://twitter.com/mrd0x/status/1478234484881436672?s=12 author: Florian Roth date: 2022/01/11 -modified: 2023/01/25 tags: - attack.command_and_control - attack.t1105 diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml index 2901376f5..136d1c43c 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml 
@@ -1,13 +1,12 @@ title: Netsh Allow Group Policy on Microsoft Defender Firewall id: 347906f3-e207-4d18-ae5b-a9403d6bcdef -status: test +status: experimental description: Adversaries may modify system firewalls in order to bypass controls limiting network usage references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior author: frack113 date: 2022/01/09 -modified: 2023/01/25 tags: - attack.defense_evasion - attack.t1562.004 diff --git a/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml b/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml index c98022d6d..6022a7621 100644 --- a/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml @@ -1,12 +1,11 @@ title: Procdump Evasion id: 79b06761-465f-4f88-9ef2-150e24d3d737 -status: test +status: experimental description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name references: - https://twitter.com/mrd0x/status/1480785527901204481 author: Florian Roth date: 2022/01/11 -modified: 2023/01/25 tags: - attack.defense_evasion - attack.t1036 diff --git a/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml b/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml index d1365e115..a750181b4 100644 --- a/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml +++ b/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml 
@@ -1,12 +1,12 @@ title: PurpleSharp Indicator id: ff23ffbc-3378-435e-992f-0624dcf93ab4 -status: test +status: experimental description: Detects the execution of the PurpleSharp adversary simulation tool references: - https://github.com/mvelazc0/PurpleSharp author: Florian Roth date: 2021/06/18 -modified: 2023/01/25 +modified: 2022/01/12 tags: - attack.t1587 - attack.resource_development diff --git a/rules/windows/process_creation/proc_creation_win_pypykatz.yml b/rules/windows/process_creation/proc_creation_win_pypykatz.yml index 08bb08924..2daf1b9ca 100644 --- a/rules/windows/process_creation/proc_creation_win_pypykatz.yml +++ b/rules/windows/process_creation/proc_creation_win_pypykatz.yml @@ -1,13 +1,12 @@ title: Registry Parse with Pypykatz id: a29808fd-ef50-49ff-9c7a-59a9b040b404 -status: test +status: experimental description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored references: - https://github.com/skelsec/pypykatz - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz author: frack113 date: 2022/01/05 -modified: 2023/01/25 tags: - attack.credential_access - attack.t1003.002 diff --git a/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml b/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml index f6b7013fd..3b531f793 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml 
@@ -1,12 +1,11 @@ title: Registry Dump of SAM Creds and Secrets id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e -status: test +status: experimental description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets author: frack113 date: 2022/01/05 -modified: 2023/01/25 tags: - attack.credential_access - attack.t1003.002 diff --git a/rules/windows/process_creation/proc_creation_win_run_from_zip.yml b/rules/windows/process_creation/proc_creation_win_run_from_zip.yml index fd0943933..ef4100dca 100644 --- a/rules/windows/process_creation/proc_creation_win_run_from_zip.yml +++ b/rules/windows/process_creation/proc_creation_win_run_from_zip.yml @@ -1,12 +1,11 @@ title: Run from a Zip File id: 1a70042a-6622-4a2b-8958-267625349abf -status: test +status: experimental description: Payloads may be compressed, archived, or encrypted in order to avoid detection references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file author: frack113 date: 2021/12/26 -modified: 2023/01/25 tags: - attack.impact - attack.t1485 diff --git a/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml b/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml index 51bfc400f..c4e7b55ed 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml 
@@ -1,6 +1,6 @@ title: Suspicious Execution of Adidnsdump id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160 -status: test +status: experimental description: | This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP @@ -8,7 +8,6 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump author: frack113 date: 2022/01/01 -modified: 2023/01/25 tags: - attack.discovery - attack.t1018 diff --git a/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml index bfaf5ae29..648a5a9cf 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml @@ -1,13 +1,12 @@ title: Obfuscated Command Line Using Special Unicode Characters id: e0552b19-5a83-4222-b141-b36184bb8d79 -status: test +status: experimental description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. references: - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http author: frack113 date: 2022/01/15 -modified: 2023/01/25 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml b/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml index 4d1064e58..ce0bcec9a 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml @@ -1,12 +1,11 @@ title: Cscript Visual Basic Script Execution id: 23250293-eed5-4c39-b57a-841c8933a57d -status: test +status: experimental description: Adversaries may abuse Visual Basic (VB) for execution references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md author: frack113 date: 2022/01/02 -modified: 2023/01/25 tags: - attack.execution - attack.t1059.005 diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml index 5fbdc876c..979539610 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml @@ -1,13 +1,12 @@ title: Suspicious Curl Change User Agents id: 3286d37a-00fd-41c2-a624-a672dcd34e60 -status: test +status: experimental description: Detects a suspicious curl process start on Windows with set useragent options references: - https://curl.se/docs/manpage.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd author: frack113 date: 2022/01/23 -modified: 2023/01/25 tags: - attack.command_and_control - attack.t1071.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml index 365a94009..5416f0124 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml 
@@ -1,12 +1,11 @@ title: DevInit Lolbin Download id: 90d50722-0483-4065-8e35-57efaadd354d -status: test +status: experimental description: Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system references: - https://twitter.com/mrd0x/status/1460815932402679809 author: Florian Roth date: 2022/01/11 -modified: 2023/01/25 tags: - attack.execution - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml b/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml index 03836875b..52918c705 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml @@ -1,13 +1,12 @@ title: Suspicious Kernel Dump Using Dtrace id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795 -status: test +status: experimental description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1 references: - https://twitter.com/0gtweet/status/1474899714290208777?s=12 - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace author: Florian Roth date: 2021/12/28 -modified: 2023/01/25 logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_susp_format.yml b/rules/windows/process_creation/proc_creation_win_susp_format.yml index f92c65253..cdc8c2eab 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_format.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_format.yml 
@@ -1,13 +1,12 @@ title: Format.com FileSystem LOLBIN id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60 -status: test +status: experimental description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs references: - https://twitter.com/0gtweet/status/1477925112561209344 - https://twitter.com/wdormann/status/1478011052130459653?s=20 author: Florian Roth date: 2022/01/04 -modified: 2023/01/25 tags: - attack.defense_evasion logsource: diff --git a/rules/windows/process_creation/proc_creation_win_susp_hostname.yml b/rules/windows/process_creation/proc_creation_win_susp_hostname.yml index a6430940f..10865a294 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_hostname.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_hostname.yml @@ -1,13 +1,12 @@ title: Suspicious Execution of Hostname id: 7be5fb68-f9ef-476d-8b51-0256ebece19e -status: test +status: experimental description: Use of hostname to get information references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname author: frack113 date: 2022/01/01 -modified: 2023/01/25 tags: - attack.discovery - attack.t1082 diff --git a/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml b/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml index a8cd3f891..1f080f185 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml 
@@ -1,12 +1,11 @@ title: Suspicious Query of MachineGUID id: f5240972-3938-4e56-8e4b-e33893176c1f -status: test +status: experimental description: Use of reg to get MachineGuid information references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery author: frack113 date: 2022/01/01 -modified: 2023/01/25 tags: - attack.discovery - attack.t1082 diff --git a/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml index 8de82002e..2e8889c1c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml @@ -1,12 +1,11 @@ title: NodejsTools PressAnyKey Lolbin id: a20391f8-76fb-437b-abc0-dba2df1952c6 -status: test +status: experimental description: Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary references: - https://twitter.com/mrd0x/status/1463526834918854661 author: Florian Roth date: 2022/01/11 -modified: 2023/01/25 tags: - attack.execution - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_radmin.yml b/rules/windows/process_creation/proc_creation_win_susp_radmin.yml index efbe3314b..452889ada 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_radmin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_radmin.yml 
@@ -1,13 +1,12 @@ title: Use Radmin Viewer Utility id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d -status: test +status: experimental description: An adversary may use Radmin Viewer Utility to remotely control Windows device references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md - https://www.radmin.fr/ author: frack113 date: 2022/01/22 -modified: 2023/01/25 tags: - attack.execution - attack.lateral_movement diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml index 3133b7cee..77505e78a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml @@ -1,12 +1,11 @@ title: Rundll32 JS RunHTMLApplication Pattern id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 -status: test +status: experimental description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code references: - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt author: Florian Roth date: 2022/01/14 -modified: 2023/01/25 tags: - attack.defense_evasion logsource: diff --git a/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml b/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml index cccf978c5..ab5e022c7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml 
@@ -1,13 +1,12 @@ title: Suspicious Execution of Shutdown id: 34ebb878-1b15-4895-b352-ca2eeb99b274 -status: test +status: experimental description: Use of the commandline to shutdown or reboot windows references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown author: frack113 date: 2022/01/01 -modified: 2023/01/25 tags: - attack.impact - attack.t1529 diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml index 3cf35a3a2..e07b61730 100644 --- a/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml +++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml @@ -1,6 +1,6 @@ title: NirCmd Tool Execution As LOCAL SYSTEM id: d9047477-0359-48c9-b8c7-792cedcdc9c4 -status: test +status: experimental description: Detects the use of NirCmd tool for command execution as SYSTEM user references: - https://www.nirsoft.net/utils/nircmd.html @@ -8,7 +8,6 @@ references: - https://www.nirsoft.net/utils/nircmd2.html#using author: 'Florian Roth, Nasreddine Bencherchali @nas_bench' date: 2022/01/24 -modified: 2023/01/25 tags: - attack.execution - attack.t1569.002 diff --git a/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml b/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml index 4e8aceb7e..d55de6c27 100644 --- a/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml +++ b/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml 
@@ -1,13 +1,12 @@ title: RunXCmd Tool Execution As System id: 93199800-b52a-4dec-b762-75212c196542 -status: test +status: experimental description: Detects the use of RunXCmd tool for command execution references: - https://www.d7xtech.com/free-software/runx/ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ author: Florian Roth date: 2022/01/24 -modified: 2023/01/25 tags: - attack.execution - attack.t1569.002 diff --git a/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml b/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml index 579b08f68..092d3a964 100644 --- a/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml +++ b/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml @@ -1,12 +1,11 @@ title: Uninstall Sysinternals Sysmon id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939 -status: test +status: experimental description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon author: frack113 date: 2022/01/12 -modified: 2023/01/25 tags: - attack.defense_evasion - attack.t1562.001 diff --git a/rules/windows/process_creation/proc_creation_win_xordump.yml b/rules/windows/process_creation/proc_creation_win_xordump.yml index 89b1a9b20..ec42afe4a 100644 --- a/rules/windows/process_creation/proc_creation_win_xordump.yml +++ b/rules/windows/process_creation/proc_creation_win_xordump.yml 
@@ -1,12 +1,11 @@ title: XORDump Use id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372 -status: test +status: experimental description: Detects suspicious use of XORDump process memory dumping utility references: - https://github.com/audibleblink/xordump author: Florian Roth date: 2022/01/28 -modified: 2023/01/25 tags: - attack.defense_evasion - attack.t1036 diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml index acf95680e..1986b53a0 100644 --- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml @@ -1,6 +1,6 @@ title: Shell Open Registry Keys Manipulation id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 -status: test +status: experimental description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) references: - https://github.com/hfiref0x/UACME @@ -9,7 +9,7 @@ references: - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021] author: Christian Burkard date: 2021/08/30 -modified: 2023/01/25 +modified: 2022/01/13 tags: - attack.defense_evasion - attack.privilege_escalation diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index a541306b5..91f919ff9 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml 
@@ -1,12 +1,11 @@ title: Sysmon Configuration Change id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 -status: test +status: experimental description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration references: - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon author: frack113 date: 2022/01/12 -modified: 2023/01/25 tags: - attack.defense_evasion logsource:
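Review bot: the `status: test` to `status: experimental` downgrade in each of these hunks leaves no trace in the rule metadata, because the `-modified: 2023/01/25` line is deleted outright in every proc_creation_win_* hunk and in sysmon_config_modification.yml, and reset to `modified: 2022/01/13` in registry_event_shell_open_keys_manipulation.yml; a consumer diffing rule versions will see the status change but no date for it. If this PR is a revert of the 2023/01/25 status promotion, state that in the description and commit message; if the downgrade is intentional, set `modified` to the date of this change rather than removing it, and apply the same choice (drop versus reset) consistently across all the hunks instead of mixing the two.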
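Review bot: the unchanged description context line in the sysmon_config_modification.yml hunk reads `someone trying manipulate the configuration`; since this file is being touched anyway, fix it to `someone trying to manipulate the configuration` in the same change.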