Order yaml field

2022-10-25 12:00:56 +02:00
parent 8b749fb126
commit dfdaecc52c
63 changed files with 565 additions and 556 deletions
@@ -2,10 +2,15 @@ title: Bumblebee Remote Thread Creation
 id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
 status: experimental
 description: Detects remote thread injection events based on action seen used by bumblebee
-author: Nasreddine Bencherchali
 references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
 date: 2022/09/27
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218.011
+    - attack.t1059.001
 logsource:
    product: windows
    category: create_remote_thread
@@ -17,11 +22,6 @@ detection:
            - '\ImagingDevices.exe'
        TargetImage|endswith: '\rundll32.exe'
    condition: selection
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218.011
-    - attack.t1059.001
 falsepositives:
    - Unknown
 level: high
@@ -1,13 +1,20 @@
 title: CACTUSTORCH Remote Thread Creation
 id: 2e4e488a-6164-4811-9ea1-f960c7359c40
+status: experimental
 description: Detects remote thread creation from CACTUSTORCH as described in references.
 references:
    - https://twitter.com/SBousseaden/status/1090588499517079552
    - https://github.com/mdsecactivebreach/CACTUSTORCH
-status: experimental
 author: '@SBousseaden (detection), Thomas Patzke (rule)'
 date: 2019/02/01
 modified: 2021/11/12
+tags:
+    - attack.defense_evasion
+    - attack.t1055.012
+    - attack.execution
+    - attack.t1059.005
+    - attack.t1059.007
+    - attack.t1218.005
 logsource:
    product: windows
    category: create_remote_thread
@@ -22,13 +29,6 @@ detection:
        TargetImage|contains: '\SysWOW64\'
        StartModule: null
    condition: selection
-tags:
-    - attack.defense_evasion
-    - attack.t1055.012
-    - attack.execution
-    - attack.t1059.005
-    - attack.t1059.007
-    - attack.t1218.005
 falsepositives:
    - Unknown
 level: high
@@ -1,22 +1,22 @@
 title: CobaltStrike Process Injection
 id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
+status: experimental
 description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
 references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
-tags:
-    - attack.defense_evasion
-    - attack.t1055.001
-status: experimental
 author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
 date: 2018/11/30
 modified: 2021/11/20
+tags:
+    - attack.defense_evasion
+    - attack.t1055.001
 logsource:
    product: windows
    category: create_remote_thread
 detection:
    selection:
-        StartAddress|endswith: 
+        StartAddress|endswith:
            - '0B80'
            - '0C7C'
            - '0C88'
@@ -24,4 +24,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-
@@ -2,11 +2,14 @@ title: CreateRemoteThread API and LoadLibrary
 id: 052ec6f6-1adc-41e6-907a-f1c813478bee
 status: test
 description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
-author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
+author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/11
 modified: 2021/11/27
+tags:
+    - attack.defense_evasion
+    - attack.t1055.001
 logsource:
    product: windows
    category: create_remote_thread
@@ -18,6 +21,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1055.001
@@ -1,13 +1,16 @@
 title: KeePass Password Dumping
 id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
+status: experimental
 description: Detects remote thread creation in KeePass.exe indicating password dumping activity
 references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
    - https://github.com/denandz/KeeFarce
    - https://github.com/GhostPack/KeeThief
-status: experimental
 author: Timon Hackenjos
 date: 2022/04/22
+tags:
+    - attack.credential_access
+    - attack.t1555.005
 logsource:
    product: windows
    category: create_remote_thread
@@ -15,9 +18,6 @@ detection:
    selection:
        TargetImage|endswith: '\KeePass.exe'
    condition: selection
-tags:
-    - attack.credential_access
-    - attack.t1555.005
 falsepositives:
    - Unknown
 level: high
@@ -1,12 +1,18 @@
 title: Password Dumper Remote Thread in LSASS
 id: f239b326-2f41-4d6b-9dfa-c846a60ef505
-description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
+status: stable
+description: |
+  Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
+  The process in field Process is the malicious program. A single execution can lead to hundreds of events.
 references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
-status: stable
 author: Thomas Patzke
 date: 2017/02/19
 modified: 2021/06/21
+tags:
+    - attack.credential_access
+    - attack.s0005
+    - attack.t1003.001
 logsource:
    product: windows
    category: create_remote_thread
@@ -15,10 +21,6 @@ detection:
        TargetImage|endswith: '\lsass.exe'
        StartModule: ''
    condition: selection
-tags:
-    - attack.credential_access
-    - attack.s0005
-    - attack.t1003.001
 falsepositives:
    - Antivirus products
 level: high
@@ -2,11 +2,14 @@ title: Accessing WinAPI in PowerShell. Code Injection
 id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 status: test
 description: Detects the creation of a remote thread from a Powershell process to another process
-author: Nikita Nazarov, oscd.community
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+author: Nikita Nazarov, oscd.community
 date: 2020/10/06
 modified: 2022/08/12
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: create_remote_thread
@@ -22,6 +25,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.execution
-    - attack.t1059.001
@@ -2,11 +2,16 @@ title: PowerShell Rundll32 Remote Thread Creation
 id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 status: experimental
 description: Detects PowerShell remote thread creation in Rundll32.exe
-author: Florian Roth
 references:
    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
+author: Florian Roth
 date: 2018/06/25
 modified: 2022/07/14
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218.011
+    - attack.t1059.001
 logsource:
    product: windows
    category: create_remote_thread
@@ -17,11 +22,6 @@ detection:
            - '\pwsh.exe'
        TargetImage|endswith: '\rundll32.exe'
    condition: selection
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218.011
-    - attack.t1059.001
 falsepositives:
    - Unknown
 level: high
@@ -1,22 +1,23 @@
 title: Suspicious Remote Thread Source
 id: 66d31e5f-52d6-40a4-9615-002d3789a119
-description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
-notes:
-    - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
 status: experimental
-date: 2019/10/27
-modified: 2022/08/26
-author: Perez Diego (@darkquassar), oscd.community
+description: |
+  Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild.
+  This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.
+  It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
 references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
-logsource:
-    product: windows
-    category: create_remote_thread
+author: Perez Diego (@darkquassar), oscd.community
+date: 2019/10/27
+modified: 2022/08/26
 tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1055
+logsource:
+    product: windows
+    category: create_remote_thread
 detection:
    selection:
        SourceImage|endswith:
@@ -103,3 +104,5 @@ fields:
 falsepositives:
    - Unknown
 level: high
+notes:
+    - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
@@ -1,12 +1,15 @@
 title: Suspicious Remote Thread Target
 id: f016c716-754a-467f-a39e-63c06f773987
-description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
 status: experimental
-date: 2022/08/25
-modified: 2022/08/29
-author: Florian Roth
+description: |
+  Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild.
+  This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.
+  It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
 references:
    - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
+author: Florian Roth
+date: 2022/08/25
+modified: 2022/08/29
 logsource:
    product: windows
    category: create_remote_thread
@@ -3,10 +3,14 @@ id: a1a144b7-5c9b-4853-a559-2172be8d4a03
 status: experimental
 description: Detects a remote thread creation in suspicious target images
 references:
-   - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
+    - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth
 date: 2022/03/16
 modified: 2022/09/29
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055.003
 logsource:
    product: windows
    category: create_remote_thread
@@ -30,7 +34,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1055.003
@@ -2,11 +2,14 @@ title: Remote Thread Creation Ttdinject.exe Proxy
 id: c15e99a3-c474-48ab-b9a7-84549a7a9d16
 status: experimental
 description: Detects a remote thread creation of Ttdinject.exe used as proxy
-author: frack113
 references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
+author: frack113
 date: 2022/05/16
 modified: 2022/06/02
+tags:
+    - attack.defense_evasion
+    - attack.t1127
 logsource:
    product: windows
    category: create_remote_thread
@@ -17,6 +20,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1127
@@ -2,28 +2,28 @@ title: Executable in ADS
 id: b69888d4-380c-45ce-9cf9-d9ce46e67821
 status: test
 description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
-author: Florian Roth, @0xrawsec
 references:
-  - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+author: Florian Roth, @0xrawsec
 date: 2018/06/03
 modified: 2022/08/24
-logsource:
-  product: windows
-  category: create_stream_hash
-  definition: 'Requirements: Sysmon config with Imphash logging activated'
-detection:
-  selection:
-    Hashes|contains: 'IMPHASH='
-  filter:
-    Hashes|contains: 'IMPHASH=00000000000000000000000000000000'
-  condition: selection and not filter
-fields:
-  - TargetFilename
-  - Image
-falsepositives:
-  - Unknown
-level: medium
 tags:
-  - attack.defense_evasion
-  - attack.s0139
-  - attack.t1564.004
+    - attack.defense_evasion
+    - attack.s0139
+    - attack.t1564.004
+logsource:
+    product: windows
+    category: create_stream_hash
+    definition: 'Requirements: Sysmon config with Imphash logging activated'
+detection:
+    selection:
+        Hashes|contains: 'IMPHASH='
+    filter:
+        Hashes|contains: 'IMPHASH=00000000000000000000000000000000'
+    condition: selection and not filter
+fields:
+    - TargetFilename
+    - Image
+falsepositives:
+    - Unknown
+level: medium
@@ -2,9 +2,9 @@ title: Creation Of a Suspicious ADS File Outside a Browser Download
 id: 573df571-a223-43bc-846e-3f98da481eca
 status: experimental
 description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
-author: frack113
 references:
    - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
+author: frack113
 date: 2022/10/22
 tags:
    - attack.defense_evasion
@@ -2,201 +2,201 @@ title: Hacktool Download
 id: 19b041f6-e583-40dc-b842-d6fa8011493f
 status: experimental
 description: Detects the creation of a file on disk that has an imphash of a well-known hack tool
-author: Florian Roth
 references:
-   - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+author: Florian Roth
 date: 2022/08/24
 modified: 2022/09/07
 tags:
-   - attack.defense_evasion
-   - attack.s0139
-   - attack.t1564.004
+    - attack.defense_evasion
+    - attack.s0139
+    - attack.t1564.004
 logsource:
-   product: windows
-   category: create_stream_hash
-definition: 'Requirements: Sysmon config with Imphash logging activated'
+    product: windows
+    category: create_stream_hash
+    definition: Requirements Sysmon config with Imphash logging activated
 detection:
-   selection:
-      - Imphash:
-         - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
-         - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
-         - bf6223a49e45d99094406777eb6004ba # PetitPotam
-         - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
-         - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
-         - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
-         - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
-         - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
-         - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
-         - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
-         - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
-         - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
-         - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
-         - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
-         - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
-         - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
-         - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
-         - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
-         - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato 
-         - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato 
-         - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
-         - 6118619783fc175bc7ebecff0769b46e # RoguePotato
-         - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
-         - 563233bfa169acc7892451f71ad5850a # RoguePotato
-         - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
-         - 13f08707f759af6003837a150a371ba1 # Pwdump
-         - 1781f06048a7e58b323f0b9259be798b # Pwdump
-         - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
-         - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
-         - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
-         - 713c29b396b907ed71a72482759ed757 # Pwdump
-         - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
-         - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
-         - 8b114550386e31895dfab371e741123d # Pwdump
-         - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
-         - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
-         - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
-         - cb567f9498452721d77a451374955f5f # Pwdump
-         - 730073214094cd328547bf1f72289752 # Htran
-         - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
-         - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
-         - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
-         - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
-         - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
-         - 0588081ab0e63ba785938467e1b10cca # PPLDump
-         - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
-         - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
-         - 4da924cf622d039d58bce71cdf05d242 # NanoDump
-         - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
-         - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
-         - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
-         - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
-         - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
-         - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
-         - e6f9d5152da699934b30daab206471f6 # NanoDump
-         - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
-         - ffdd59e0318b85a3e480874d9796d872 # NanoDump
-         - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
-         - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
-         - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
-         - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
-         - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
-         - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
-         - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
-         - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
-         - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
-         - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
-         - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
-         - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
-         - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
-         - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
-         - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
-         - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
-         - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
-         - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
-         - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
-         - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
-         - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
-         - a53a02b997935fd8eedcb5f7abab9b9f # WCE
-         - e96a73c7bf33a464c510ede582318bf2 # WCE
-         - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
-         - 09D278F9DE118EF09163C6140255C690 # Dumpert
-         - 03866661686829d806989e2fc5a72606 # Dumpert
-         - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
-         - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
-         - 19584675d94829987952432e018d5056 # SysmonQuiet
-         - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
-      - Hashes|contains:  # Sysmon field hashes contains all types
-         - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
-         - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
-         - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
-         - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
-         - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
-         - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
-         - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
-         - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
-         - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
-         - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
-         - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
-         - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
-         - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
-         - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
-         - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
-         - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
-         - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
-         - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
-         - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato 
-         - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato 
-         - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
-         - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
-         - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
-         - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
-         - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
-         - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
-         - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
-         - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
-         - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
-         - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
-         - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
-         - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
-         - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
-         - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
-         - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
-         - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
-         - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
-         - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
-         - IMPHASH=730073214094CD328547BF1F72289752 # Htran
-         - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
-         - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
-         - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
-         - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
-         - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
-         - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
-         - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
-         - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
-         - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
-         - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
-         - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
-         - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
-         - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
-         - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
-         - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
-         - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
-         - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
-         - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
-         - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
-         - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
-         - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
-         - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
-         - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
-         - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
-         - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
-         - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
-         - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
-         - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
-         - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
-         - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
-         - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
-         - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
-         - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
-         - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
-         - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
-         - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
-         - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
-         - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
-         - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
-         - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
-         - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
-         - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
-         - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
-         - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
-         - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
-         - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
-         - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
-         - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
-   condition: selection
+    selection:
+        - Imphash:
+            - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
+            - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
+            - bf6223a49e45d99094406777eb6004ba # PetitPotam
+            - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
+            - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
+            - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
+            - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
+            - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
+            - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
+            - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
+            - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
+            - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
+            - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
+            - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
+            - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
+            - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
+            - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
+            - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
+            - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato 
+            - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato 
+            - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
+            - 6118619783fc175bc7ebecff0769b46e # RoguePotato
+            - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
+            - 563233bfa169acc7892451f71ad5850a # RoguePotato
+            - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
+            - 13f08707f759af6003837a150a371ba1 # Pwdump
+            - 1781f06048a7e58b323f0b9259be798b # Pwdump
+            - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
+            - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
+            - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
+            - 713c29b396b907ed71a72482759ed757 # Pwdump
+            - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
+            - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
+            - 8b114550386e31895dfab371e741123d # Pwdump
+            - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
+            - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
+            - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
+            - cb567f9498452721d77a451374955f5f # Pwdump
+            - 730073214094cd328547bf1f72289752 # Htran
+            - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
+            - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
+            - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
+            - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
+            - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
+            - 0588081ab0e63ba785938467e1b10cca # PPLDump
+            - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
+            - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
+            - 4da924cf622d039d58bce71cdf05d242 # NanoDump
+            - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
+            - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
+            - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
+            - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
+            - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
+            - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
+            - e6f9d5152da699934b30daab206471f6 # NanoDump
+            - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
+            - ffdd59e0318b85a3e480874d9796d872 # NanoDump
+            - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
+            - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
+            - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
+            - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
+            - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
+            - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
+            - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
+            - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
+            - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
+            - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
+            - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
+            - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
+            - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
+            - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
+            - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
+            - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
+            - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
+            - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
+            - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
+            - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
+            - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
+            - a53a02b997935fd8eedcb5f7abab9b9f # WCE
+            - e96a73c7bf33a464c510ede582318bf2 # WCE
+            - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
+            - 09D278F9DE118EF09163C6140255C690 # Dumpert
+            - 03866661686829d806989e2fc5a72606 # Dumpert
+            - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+            - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+            - 19584675d94829987952432e018d5056 # SysmonQuiet
+            - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
+        - Hashes|contains: # Sysmon field hashes contains all types
+            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
+            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
+            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
+            - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
+            - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
+            - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
+            - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
+            - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
+            - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
+            - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
+            - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
+            - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
+            - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
+            - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
+            - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
+            - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
+            - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
+            - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
+            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato 
+            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato 
+            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
+            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
+            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
+            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
+            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
+            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
+            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
+            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
+            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
+            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
+            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
+            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
+            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
+            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
+            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
+            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
+            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
+            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
+            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
+            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
+            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
+            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
+            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
+            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
+            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
+            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
+            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
+            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
+            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
+            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
+            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
+            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
+            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
+            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
+            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
+            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
+            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
+            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
+            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
+            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
+            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
+            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
+            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
+            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
+            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
+            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
+            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
+            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
+            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
+            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
+            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
+            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
+            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
+            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
+            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
+            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
+            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
+            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
+            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
+            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
+            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
+            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
+            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
+            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+            - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+    condition: selection
 fields:
-   - TargetFilename
-   - Image
+    - TargetFilename
+    - Image
 falsepositives:
-   - Unknown
+    - Unknown
 level: high
@@ -2,12 +2,15 @@ title: Exports Registry Key To an Alternate Data Stream
 id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
 status: test
 description: Exports the target Registry key and hides it in the specified alternate data stream.
-author: Oddvar Moe, Sander Wiebing, oscd.community
 references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+author: Oddvar Moe, Sander Wiebing, oscd.community
 date: 2020/10/07
 modified: 2021/11/27
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004
 logsource:
    product: windows
    category: create_stream_hash
@@ -20,6 +23,3 @@ fields:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1564.004
@@ -2,14 +2,18 @@ title: Suspicious File Download from File Sharing Domain
 id: 52182dfb-afb7-41db-b4bc-5336cb29b464
 status: experimental
 description: Detects the download of suspicious file type from a well-known file and paste sharing domain
-author: Florian Roth
 references:
-  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+author: Florian Roth
 date: 2022/08/24
+tags:
+    - attack.defense_evasion
+    - attack.s0139
+    - attack.t1564.004
 logsource:
-  product: windows
-  category: create_stream_hash
-  definition: 'Requirements: Sysmon config with Imphash logging activated'
+    product: windows
+    category: create_stream_hash
+    definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
    selection_domain:
        Contents|contains:
@@ -35,12 +39,8 @@ detection:
            - '.dll:Zone'
    condition: all of selection*
 fields:
-  - TargetFilename
-  - Image
+    - TargetFilename
+    - Image
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
-tags:
-  - attack.defense_evasion
-  - attack.s0139
-  - attack.t1564.004
@@ -2,14 +2,18 @@ title: Unusual File Download from File Sharing Domain
 id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
 status: experimental
 description: Detects the download of suspicious file type from a well-known file and paste sharing domain
-author: Florian Roth
 references:
-  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+author: Florian Roth
 date: 2022/08/24
+tags:
+    - attack.defense_evasion
+    - attack.s0139
+    - attack.t1564.004
 logsource:
-  product: windows
-  category: create_stream_hash
-  definition: 'Requirements: Sysmon config with Imphash logging activated'
+    product: windows
+    category: create_stream_hash
+    definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
    selection_domain:
        Contents|contains:
@@ -34,12 +38,8 @@ detection:
            - '.bat:Zone'
    condition: all of selection*
 fields:
-  - TargetFilename
-  - Image
+    - TargetFilename
+    - Image
 falsepositives:
-  - Unknown
+    - Unknown
 level: medium
-tags:
-  - attack.defense_evasion
-  - attack.s0139
-  - attack.t1564.004
@@ -2,10 +2,13 @@ title: Unusual File Download from Direct IP Address
 id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
 status: experimental
 description: Detects the download of suspicious file type from URLs with IP
-author: Nasreddine Bencherchali
 references:
    - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
+author: Nasreddine Bencherchali
 date: 2022/09/07
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004
 logsource:
    product: windows
    category: create_stream_hash
@@ -33,6 +36,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1564.004
@@ -20,6 +20,9 @@ references:
 author: frack113
 date: 2022/07/11
 modified: 2022/09/19
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
    product: windows
    category: dns_query
@@ -35,6 +38,3 @@ detection:
 falsepositives:
    - FP may be caused in legitimate usage of the softwares mentioned above
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1219
@@ -1,11 +1,11 @@
 title: DNS Query for Anonfiles.com Domain
 id: 065cceea-77ec-4030-9052-fc0affea7110
-description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
 status: experimental
-date: 2022/07/15
-author: pH-T
+description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
 references:
    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
+author: pH-T
+date: 2022/07/15
 tags:
    - attack.exfiltration
    - attack.t1567.002
@@ -1,15 +1,15 @@
 title: AppInstaller Attempts From URL by DNS
 id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
-description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL
 status: experimental
-date: 2021/11/24
-author: frack113
-tags:
-    - attack.command_and_control
-    - attack.t1105
+description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL
 references:
    - https://twitter.com/notwhickey/status/1333900137232523264
    - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
+author: frack113
+date: 2021/11/24
+tags:
+    - attack.command_and_control
+    - attack.t1105
 logsource:
    product: windows
    category: dns_query
@@ -20,4 +20,4 @@ detection:
    condition: selection
 falsepositives:
    - Unknown
-level: medium
+level: medium
@@ -2,11 +2,11 @@ title: Suspicious Cobalt Strike DNS Beaconing
 id: f356a9c4-effd-4608-bbf8-408afd5cd006
 status: experimental
 description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
-author: Florian Roth
-date: 2021/11/09
 references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+author: Florian Roth
+date: 2021/11/09
 tags:
    - attack.command_and_control
    - attack.t1071.004
@@ -16,7 +16,7 @@ logsource:
 detection:
    selection1:
        QueryName|startswith:
-            - 'aaa.stage.' 
+            - 'aaa.stage.'
            - 'post.1'
    selection2:
        QueryName|contains: '.stage.123456.'
@@ -2,42 +2,42 @@ title: Possible DNS Rebinding
 id: eb07e747-2552-44cd-af36-b659ae0958e4
 status: test
 description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
-author: Ilyas Ochkov, oscd.community
 references:
-  - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
 modified: 2021/11/27
-logsource:
-  product: windows
-  category: dns_query
-detection:
-  dns_answer:
-    QueryName: '*'
-    QueryStatus: '0'
-  filter_int_ip:
-    QueryResults|startswith:
-      - '(::ffff:)?10.'
-      - '(::ffff:)?192.168.'
-      - '(::ffff:)?172.16.'
-      - '(::ffff:)?172.17.'
-      - '(::ffff:)?172.18.'
-      - '(::ffff:)?172.19.'
-      - '(::ffff:)?172.20.'
-      - '(::ffff:)?172.21.'
-      - '(::ffff:)?172.22.'
-      - '(::ffff:)?172.23.'
-      - '(::ffff:)?172.24.'
-      - '(::ffff:)?172.25.'
-      - '(::ffff:)?172.26.'
-      - '(::ffff:)?172.27.'
-      - '(::ffff:)?172.28.'
-      - '(::ffff:)?172.29.'
-      - '(::ffff:)?172.30.'
-      - '(::ffff:)?172.31.'
-      - '(::ffff:)?127.'
-  timeframe: 30s
-  condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
-level: medium
 tags:
-  - attack.initial_access
-  - attack.t1189
+    - attack.initial_access
+    - attack.t1189
+logsource:
+    product: windows
+    category: dns_query
+detection:
+    dns_answer:
+        QueryName: '*'
+        QueryStatus: '0'
+    filter_int_ip:
+        QueryResults|startswith:
+            - '(::ffff:)?10.'
+            - '(::ffff:)?192.168.'
+            - '(::ffff:)?172.16.'
+            - '(::ffff:)?172.17.'
+            - '(::ffff:)?172.18.'
+            - '(::ffff:)?172.19.'
+            - '(::ffff:)?172.20.'
+            - '(::ffff:)?172.21.'
+            - '(::ffff:)?172.22.'
+            - '(::ffff:)?172.23.'
+            - '(::ffff:)?172.24.'
+            - '(::ffff:)?172.25.'
+            - '(::ffff:)?172.26.'
+            - '(::ffff:)?172.27.'
+            - '(::ffff:)?172.28.'
+            - '(::ffff:)?172.29.'
+            - '(::ffff:)?172.30.'
+            - '(::ffff:)?172.31.'
+            - '(::ffff:)?127.'
+    timeframe: 30s
+    condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
+level: medium
@@ -23,12 +23,12 @@ detection:
    selection:
        Image|endswith: '\regsvr32.exe'
    condition: selection
-falsepositives:
-    - Unknown
-level: high
 fields:
    - ComputerName
    - User
    - Image
    - DestinationIp
    - DestinationPort
+falsepositives:
+    - Unknown
+level: high
@@ -1,12 +1,15 @@
 title: Suspicious LDAP Domain Access
 id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
-description: Detect suspicious LDAP request from non-Windows application
 status: experimental
-date: 2022/08/20
-modified: 2022/09/21
-author: frack113
+description: Detect suspicious LDAP request from non-Windows application
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
+author: frack113
+date: 2022/08/20
+modified: 2022/09/21
+tags:
+    - attack.discovery
+    - attack.t1482
 logsource:
    product: windows
    category: dns_query
@@ -29,6 +32,3 @@ detection:
 falsepositives:
    - Programs that also lookup the observed domain
 level: medium
-tags:
-    - attack.discovery
-    - attack.t1482
@@ -1,12 +1,12 @@
 title: Suspicious TeamViewer Domain Access
 id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
-description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
 status: experimental
-date: 2022/01/30
-modified: 2022/02/08
-author: Florian Roth
+description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
 references:
    - https://www.teamviewer.com/en-us/
+author: Florian Roth
+date: 2022/01/30
+modified: 2022/02/08
 tags:
    - attack.command_and_control
    - attack.t1219
@@ -15,7 +15,7 @@ logsource:
    category: dns_query
 detection:
    dns_request:
-        QueryName: 
+        QueryName:
            - 'taf.teamviewer.com'
            - 'udp.ping.teamviewer.com'
    filter:
@@ -24,4 +24,4 @@ detection:
 falsepositives:
    - Unknown binary names of TeamViewer
    - Other programs that also lookup the observed domain
-level: medium
+level: medium
@@ -6,6 +6,9 @@ references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
 author: frack113
 date: 2022/02/20
+tags:
+    - attack.command_and_control
+    - attack.t1090.003
 logsource:
    product: windows
    category: dns_query
@@ -16,6 +19,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.command_and_control
-    - attack.t1090.003
@@ -1,11 +1,14 @@
 title: DNS Query for Ufile.io Upload Domain
 id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
-description: Detects DNS queries for subdomains used for upload to ufile.io
 status: experimental
-date: 2022/06/23
-author: yatinwad and TheDFIRReport
+description: Detects DNS queries for subdomains used for upload to ufile.io
 references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+author: yatinwad and TheDFIRReport
+date: 2022/06/23
+tags:
+    - attack.exfiltration
+    - attack.t1567.002
 logsource:
    product: windows
    category: dns_query
@@ -13,9 +16,6 @@ detection:
    selection:
        QueryName|contains: ufile.io
    condition: selection
-tags:
-    - attack.exfiltration
-    - attack.t1567.002
 falsepositives:
    - Legitimate Ufile upload
 level: high
@@ -3,13 +3,13 @@ id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
 related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
-description: Detects well-known credential dumping tools execution via service execution events
 status: experimental
+description: Detects well-known credential dumping tools execution via service execution events
+references:
+    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2021/11/10
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
    - attack.credential_access
    - attack.execution
@@ -44,11 +44,11 @@ detection:
            - '.dll,a'
            - '/p:'
    condition: selection
-falsepositives:
-    - Highly unlikely
-level: critical
 fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
    - ImagePath
+falsepositives:
+    - Highly unlikely
+level: critical
@@ -5,6 +5,10 @@ description: Detects a driver load from a temporary directory
 author: Florian Roth
 date: 2017/02/12
 modified: 2021/11/27
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1543.003
 logsource:
    category: driver_load
    product: windows
@@ -15,7 +19,3 @@ detection:
 falsepositives:
    - There is a relevant set of false positives depending on applications in the environment
 level: high
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1543.003
@@ -2,11 +2,14 @@ title: Vulnerable AVAST Anti Rootkit Driver Load
 id: 7c676970-af4f-43c8-80af-ec9b49952852
 status: experimental
 description: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products
-author: Nasreddine Bencherchali
 references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
+author: Nasreddine Bencherchali
 date: 2022/07/28
 modified: 2022/08/24
+tags:
+    - attack.privilege_escalation
+    - attack.t1543.003
 logsource:
    product: windows
    category: driver_load
@@ -29,6 +32,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.privilege_escalation
-    - attack.t1543.003
@@ -1,19 +1,19 @@
 title: Vulnerable Dell BIOS Update Driver Load
 id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
-description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
 status: experimental
+description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
+references:
+    - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
 author: Florian Roth
 date: 2021/05/05
 modified: 2022/07/27
-references:
-    - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
-logsource:
-    category: driver_load
-    product: windows
 tags:
    - attack.privilege_escalation
    - cve.2021.21551
    - attack.t1543
+logsource:
+    category: driver_load
+    product: windows
 detection:
    selection_image:
        ImageLoaded|contains: '\DBUtil_2_3.Sys'
@@ -2,7 +2,6 @@ title: Vulnerable Driver Load
 id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
 status: experimental
 description: Detects the load of known vulnerable drivers by hash value
-author: Nasreddine Bencherchali
 references:
    - https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
@@ -20,8 +19,12 @@ references:
    - https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/
    - https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444
    - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
+author: Nasreddine Bencherchali
 date: 2022/08/18
 modified: 2022/10/19
+tags:
+    - attack.privilege_escalation
+    - attack.t1543.003
 logsource:
    product: windows
    category: driver_load
@@ -1062,6 +1065,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.privilege_escalation
-    - attack.t1543.003
@@ -5,7 +5,6 @@ related:
      type: derived
 status: experimental
 description: Detects the load of known vulnerable drivers via their names only.
-author: Nasreddine Bencherchali
 references:
    - https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
@@ -19,6 +18,7 @@ references:
    - https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/
    - https://eclypsium.com/2019/11/12/mother-of-all-drivers/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969
+author: Nasreddine Bencherchali
 date: 2022/10/03
 modified: 2022/10/17
 tags:
@@ -2,21 +2,24 @@ title: Vulnerable GIGABYTE Driver Load
 id: 7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647
 status: experimental
 description: Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation
-author: Florian Roth
 references:
    - https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b
    - https://twitter.com/malmoeb/status/1551449425842786306
    - https://github.com/fengjixuchui/gdrv-loader
    - https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details
    - https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details
+author: Florian Roth
 date: 2022/07/25
 modified: 2022/07/26
+tags:
+    - attack.privilege_escalation
+    - attack.t1543.003
 logsource:
    product: windows
    category: driver_load
 detection:
    selection_sysmon:
-        Hashes|contains: 
+        Hashes|contains:
            - 'MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3'
            - 'MD5=C832A4313FF082258240B61B88EFA025'
            - 'SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39'
@@ -37,6 +40,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.privilege_escalation
-    - attack.t1543.003
@@ -2,10 +2,13 @@ title: Vulnerable HackSys Extreme Vulnerable Driver Load
 id: 295c9289-acee-4503-a571-8eacaef36b28
 status: experimental
 description: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
-author: Nasreddine Bencherchali
 references:
    - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
+author: Nasreddine Bencherchali
 date: 2022/08/18
+tags:
+    - attack.privilege_escalation
+    - attack.t1543.003
 logsource:
    product: windows
    category: driver_load
@@ -24,6 +27,3 @@ detection:
 falsepositives:
    - Unlikely
 level: high
-tags:
-    - attack.privilege_escalation
-    - attack.t1543.003
@@ -2,11 +2,14 @@ title: Vulnerable HW Driver Load
 id: 9bacc538-d1b9-4d42-862e-469eafc05a41
 status: experimental
 description: Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation
-author: Florian Roth
 references:
    - https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
    - https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details
+author: Florian Roth
 date: 2022/07/26
+tags:
+    - attack.privilege_escalation
+    - attack.t1543.003
 logsource:
    product: windows
    category: driver_load
@@ -14,7 +17,7 @@ detection:
    selection_name:
        ImageLoaded|endswith: '\HW.sys'
    selection_sysmon:
-        Hashes|contains: 
+        Hashes|contains:
            - 'SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8'
            - 'SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA'
            - 'SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5'
@@ -25,11 +28,11 @@ detection:
            - 'MD5=376B1E8957227A3639EC1482900D9B97'
            - 'MD5=45C2D133D41D2732F3653ED615A745C8'
    selection_other:
-        - SHA256: 
+        - SHA256:
            - '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8'
            - '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa'
            - '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5'
-        - SHA1: 
+        - SHA1:
            - '74e4e3006b644392f5fcea4a9bae1d9d84714b57'
            - '18f34a0005e82a9a1556ba40b997b0eae554d5fd'
            - '4e56e0b1d12664c05615c69697a2f5c5d893058a'
@@ -41,6 +44,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.privilege_escalation
-    - attack.t1543.003
@@ -2,12 +2,15 @@ title: Vulnerable WinRing0 Driver Load
 id: 1a42dfa6-6cb2-4df9-9b48-295be477e835
 status: experimental
 description: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
-author: Florian Roth
 references:
    - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
    - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
+author: Florian Roth
 date: 2022/07/26
 modified: 2022/10/03
+tags:
+    - attack.privilege_escalation
+    - attack.t1543.003
 logsource:
    product: windows
    category: driver_load
@@ -27,6 +30,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.privilege_escalation
-    - attack.t1543.003
@@ -2,12 +2,12 @@ title: WinDivert Driver Load
 id: 679085d5-f427-4484-9f58-1dc30a7c426d
 status: experimental
 description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
-author: Florian Roth
-date: 2021/07/30
-modified: 2022/07/27
 references:
    - https://reqrypt.org/windivert-doc.html
    - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
+author: Florian Roth
+date: 2021/07/30
+modified: 2022/07/27
 tags:
    - attack.collection
    - attack.defense_evasion
@@ -18,7 +18,7 @@ logsource:
    product: windows
 detection:
    selection:
-        ImageLoaded|contains: 
+        ImageLoaded|contains:
            - '\WinDivert.sys'
            - '\WinDivert64.sys'
            # Other used names
@@ -2,11 +2,14 @@ title: Alternate PowerShell Hosts Pipe
 id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
 status: test
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
-author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 date: 2019/09/12
 modified: 2022/10/10
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: pipe_created
@@ -48,6 +51,3 @@ fields:
 falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter.
 level: medium
-tags:
-    - attack.execution
-    - attack.t1059.001
@@ -2,12 +2,16 @@ title: Turla Group Named Pipes
 id: 739915e4-1e70-4778-8b8a-17db02f66db1
 status: test
 description: Detects a named pipe used by Turla group samples
-author: Markus Neis
 references:
    - Internal Research
    - https://attack.mitre.org/groups/G0010/
+author: Markus Neis
 date: 2017/11/06
 modified: 2021/11/27
+tags:
+    - attack.g0010
+    - attack.execution
+    - attack.t1106
 logsource:
    product: windows
    category: pipe_created
@@ -25,7 +29,3 @@ detection:
 falsepositives:
    - Unknown
 level: critical
-tags:
-    - attack.g0010
-    - attack.execution
-    - attack.t1106
@@ -2,11 +2,17 @@ title: Cred Dump-Tools Named Pipes
 id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
 status: test
 description: Detects well-known credential dumping tools execution via specific named pipes
-author: Teymur Kheirkhabarov, oscd.community
 references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
 date: 2019/11/01
 modified: 2021/11/27
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+    - attack.t1003.002
+    - attack.t1003.004
+    - attack.t1003.005
 logsource:
    product: windows
    category: pipe_created
@@ -21,9 +27,3 @@ detection:
 falsepositives:
    - Legitimate Administrator using tool for password recovery
 level: critical
-tags:
-    - attack.credential_access
-    - attack.t1003.001
-    - attack.t1003.002
-    - attack.t1003.004
-    - attack.t1003.005
@@ -2,10 +2,12 @@ title: DiagTrackEoP Default Named Pipe
 id: 1f7025a6-e747-4130-aac4-961eb47015f1
 status: experimental
 description: Detects creation of default named pipe used by the DiagTrackEoP POC
-author: Nasreddine Bencherchali
 references:
    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
+author: Nasreddine Bencherchali
 date: 2022/08/03
+tags:
+    - attack.privilege_escalation
 logsource:
    product: windows
    category: pipe_created
@@ -17,5 +19,3 @@ detection:
 falsepositives:
    - Unlikely
 level: critical
-tags:
-    - attack.privilege_escalation
@@ -5,9 +5,13 @@ description: Detects the pattern of a pipe name as used by the tool EfsPotato
 references:
    - https://twitter.com/SBousseaden/status/1429530155291193354?s=20
    - https://github.com/zcgonvh/EfsPotato
+author: Florian Roth
 date: 2021/08/23
 modified: 2022/06/20
-author: Florian Roth
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055
 logsource:
    product: windows
    category: pipe_created
@@ -20,10 +24,6 @@ detection:
    filter:
        PipeName|contains: '\CtxShare'
    condition: selection and not filter
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1055
 falsepositives:
    - Unknown
 level: high
@@ -2,10 +2,15 @@ title: Koh Default Named Pipes
 id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
 status: experimental
 description: Detects creation of default named pipes used by the Koh tool
-author: Nasreddine Bencherchali
 references:
    - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
+author: Nasreddine Bencherchali
 date: 2022/07/08
+tags:
+    - attack.privilege_escalation
+    - attack.credential_access
+    - attack.t1528
+    - attack.t1134.001
 logsource:
    product: windows
    category: pipe_created
@@ -19,8 +24,3 @@ detection:
 falsepositives:
    - Unlikely
 level: critical
-tags:
-    - attack.privilege_escalation
-    - attack.credential_access
-    - attack.t1528
-    - attack.t1134.001
@@ -15,16 +15,20 @@ references:
    - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
    - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+author: Florian Roth, blueteam0ps, elhoim
 date: 2017/11/06
 modified: 2022/03/15
-author: Florian Roth, blueteam0ps, elhoim
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055
 logsource:
-   product: windows
-   category: pipe_created
-   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
+    product: windows
+    category: pipe_created
+    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
 detection:
    selection:
-        PipeName: 
+        PipeName:
            - '\isapi_http'  # Uroburos Malware
            - '\isapi_dg'  # Uroburos Malware
            - '\isapi_dg2'  # Uroburos Malware
@@ -54,10 +58,6 @@ detection:
            - '\testPipe'  # Emissary Panda Hyperbro
            - '\dce_3d' #Qbot
    condition: selection
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1055
 falsepositives:
    - Unknown
 level: critical
@@ -2,11 +2,14 @@ title: PowerShell Execution Via Named Pipe
 id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
 status: test
 description: Detects execution of PowerShell via creation of named pipe starting with PSHost
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2019/09/12
 modified: 2022/08/04
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: pipe_created
@@ -18,6 +21,3 @@ detection:
 falsepositives:
    - Unknown
 level: informational
-tags:
-    - attack.execution
-    - attack.t1059.001
@@ -23,9 +23,6 @@ detection:
    selection:
        PipeName: '\PSEXESVC'
    condition: selection
-falsepositives:
-    - Unknown
-level: low
 fields:
    - EventID
    - CommandLine
@@ -34,3 +31,6 @@ fields:
    - ServiceFileName
    - TargetFilename
    - PipeName
+falsepositives:
+    - Unknown
+level: low
@@ -5,11 +5,11 @@ related:
      type: derived
 status: experimental
 description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack
-author: Nasreddine Bencherchali
-date: 2022/08/04
 references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
+author: Nasreddine Bencherchali
+date: 2022/08/04
 tags:
    - attack.execution
    - attack.t1569.002
@@ -2,11 +2,16 @@ title: PsExec Pipes Artifacts
 id: 9e77ed63-2ecf-4c7b-b09d-640834882028
 status: test
 description: Detecting use PsExec via Pipe Creation/Access to pipes
-author: Nikita Nazarov, oscd.community
 references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: Nikita Nazarov, oscd.community
 date: 2020/05/10
 modified: 2021/11/27
+tags:
+    - attack.lateral_movement
+    - attack.t1021.002
+    - attack.execution
+    - attack.t1569.002
 logsource:
    product: windows
    category: pipe_created
@@ -22,8 +27,3 @@ detection:
 falsepositives:
    - Legitimate Administrator activity
 level: medium
-tags:
-    - attack.lateral_movement
-    - attack.t1021.002
-    - attack.execution
-    - attack.t1569.002
@@ -1,14 +1,16 @@
 title: ADFS Database Named Pipe Connection
 id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
-description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
 status: experimental
-date: 2021/10/08
-modified: 2022/02/16
-author: Roberto Rodriguez @Cyb3rWard0g
+description: |
+  Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
+  Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
 references:
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
    - https://o365blog.com/post/adfs/
    - https://github.com/Azure/SimuLand
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2021/10/08
+modified: 2022/02/16
 tags:
    - attack.collection
    - attack.t1005
@@ -1,12 +1,12 @@
 title: Raw Disk Access Using Illegitimate Tools
 id: db809f10-56ce-4420-8c86-d6a7d793c79c
-description: Raw disk access using illegitimate tools, possible defence evasion
-author: Teymur Kheirkhabarov, oscd.community
 status: test
-date: 2019/10/22
-modified: 2022/03/15
+description: Raw disk access using illegitimate tools, possible defence evasion
 references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+modified: 2022/03/15
 tags:
    - attack.defense_evasion
    - attack.t1006
@@ -63,5 +63,5 @@ fields:
    - Device
 falsepositives:
    - Legitimate Administrator using tool for raw access or ongoing forensic investigation
-level: low  # far too many false positives
-
+# far too many false positives
+level: low
@@ -1,12 +1,12 @@
 title: Accessing WinAPI in PowerShell for Credentials Dumping
 id: 3f07b9d1-2082-4c56-9277-613a621983cc
-description: Detects Accessing to lsass.exe by Powershell
 status: experimental
+description: Detects Accessing to lsass.exe by Powershell
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
 modified: 2022/07/14
-references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 tags:
    - attack.credential_access
    - attack.t1003.001
@@ -1,11 +1,13 @@
 title: Sysmon Configuration Change
 id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
-description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
 status: experimental
-author: frack113
-date: 2022/01/12
+description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
 references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
+author: frack113
+date: 2022/01/12
+tags:
+    - attack.defense_evasion
 logsource:
    product: windows
    service: sysmon
@@ -20,5 +22,3 @@ detection:
 falsepositives:
    - Legitimate administrative action
 level: medium
-tags:
-    - attack.defense_evasion
@@ -1,13 +1,13 @@
 title: Sysmon Configuration Error
 id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
-description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
 status: experimental
-author: frack113
-date: 2021/06/04
-modified: 2022/07/07
+description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
+author: frack113
+date: 2021/06/04
+modified: 2022/07/07
 tags:
    - attack.defense_evasion
    - attack.t1564
@@ -1,13 +1,13 @@
 title: Sysmon Configuration Modification
 id: 1f2b5353-573f-4880-8e33-7d04dcf97744
-description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
 status: test
-author: frack113
-date: 2021/06/04
-modified: 2022/08/02
+description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
+author: frack113
+date: 2021/06/04
+modified: 2022/08/02
 tags:
    - attack.defense_evasion
    - attack.t1564
@@ -1,12 +1,12 @@
 title: Sysmon Blocked Executable
 id: 23b71bc5-953e-4971-be4c-c896cda73fc2
-description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set
 status: experimental
+description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set
+references:
+    - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
 author: Nasreddine Bencherchali
 date: 2022/08/16
 modified: 2022/09/12
-references:
-    - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
 tags:
    - attack.defense_evasion
 logsource:
@@ -2,12 +2,12 @@ title: Sysmon Process Hollowing Detection
 id: c4b890e5-8d8c-4496-8c66-c805753817cd
 status: experimental
 description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
-author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
-date: 2022/01/25
-modified: 2022/02/01
 references:
    - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
    - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
+author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
+date: 2022/01/25
+modified: 2022/02/01
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
@@ -5,19 +5,19 @@ description: Detects creation of WMI event subscription persistence method
 author: Tom Ueltschi (@c_APT_ure)
 date: 2019/01/12
 modified: 2021/11/27
-logsource:
-  product: windows
-  category: wmi_event
-detection:
-  selection:
-    EventID:
-      - 19
-      - 20
-      - 21
-  condition: selection
-falsepositives:
-  - Exclude legitimate (vetted) use of WMI event subscription in your network
-level: medium
 tags:
-  - attack.persistence
-  - attack.t1546.003
+    - attack.persistence
+    - attack.t1546.003
+logsource:
+    product: windows
+    category: wmi_event
+detection:
+    selection:
+        EventID:
+            - 19
+            - 20
+            - 21
+    condition: selection
+falsepositives:
+    - Exclude legitimate (vetted) use of WMI event subscription in your network
+level: medium
@@ -22,9 +22,9 @@ detection:
            - 'This program cannot be run in DOS mode'
            - 'This program must be run under Win32'
    condition: selection_destination
-falsepositives:
-    - Unknown
-level: high
 fields:
    - User
    - Operation
+falsepositives:
+    - Unknown
+level: high
@@ -2,36 +2,39 @@ title: Suspicious Scripting in a WMI Consumer
 id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
 status: experimental
 description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
-author: Florian Roth, Jonhnathan Ribeiro
 references:
    - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
    - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19
    - https://github.com/RiccardoAncarani/LiquidSnake
+author: Florian Roth, Jonhnathan Ribeiro
 date: 2019/04/15
 modified: 2022/07/07
+tags:
+    - attack.execution
+    - attack.t1059.005
 logsource:
    product: windows
    category: wmi_event
 detection:
    selection_destination:
        - Destination|contains|all:
-              - 'new-object'
-              - 'net.webclient'
-              - '.downloadstring'
+            - 'new-object'
+            - 'net.webclient'
+            - '.downloadstring'
        - Destination|contains|all:
-              - 'new-object'
-              - 'net.webclient'
-              - '.downloadfile'
+            - 'new-object'
+            - 'net.webclient'
+            - '.downloadfile'
        - Destination|contains:
-              - ' iex('
-              - 'WScript.shell'
-              - ' -nop '
-              - ' -noprofile '
-              - ' -decode '
-              - ' -enc '
+            - ' iex('
+            - 'WScript.shell'
+            - ' -nop '
+            - ' -noprofile '
+            - ' -decode '
+            - ' -enc '
        - Destination|contains:
-              - 'WScript.Shell'
-              - 'System.Security.Cryptography.FromBase64Transform'
+            - 'WScript.Shell'
+            - 'System.Security.Cryptography.FromBase64Transform'
    condition: selection_destination
 fields:
    - User
@@ -39,6 +42,3 @@ fields:
 falsepositives:
    - Legitimate administrative scripts
 level: high
-tags:
-    - attack.execution
-    - attack.t1059.005