diff --git a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
index ae2fe2e10..38d14c0b6 100644
--- a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
+++ b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
@@ -10,7 +10,7 @@ author: Dusty Miller
 date: 2023-02-23
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 - detection.emerging-threats
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
index 1d62d0039..b2637b860 100644
--- a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
+++ b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
@@ -10,7 +10,7 @@ author: Luca Di Bartolomeo
 date: 2024-06-22
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 - detection.emerging-threats
 logsource:
 category: image_load
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml
index 2eb0f4820..fddde8efa 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml
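Review bot: `attack.t1219.002` (Remote Desktop Software) is applied to the SocGholish second-stage C2 DNS rule in the first hunk, and the same blanket replacement lands on other rules whose filenames do not suggest desktop-support software: `image_load_malware_csharp_streamer_dotnet_load.yml`, `av_exploiting.yml`, `proc_creation_lnx_ssm_agent_abuse.yml`, `proc_creation_win_ssm_agent_abuse.yml`, `dns_query_win_domain_azurewebsites.yml`, `file_event_win_hktl_inveigh_artefacts.yml` and `file_event_win_hktl_krbrelay_remote_ioc.yml`. Only the tag block is visible in these hunks, so this is inferred from the names and should be checked against each rule's detection section. Where the logic does not key on a remote-desktop product, keeping the parent `- attack.t1219` or retagging to the technique the rule actually detects would keep ATT&CK coverage reports from overstating T1219.002. The AnyDesk, TeamViewer, ScreenConnect, LogMeIn and UltraVNC rules look like a natural fit for the new tag.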
@@ -25,7 +25,7 @@ author: '@kostastsale'
 date: 2023-04-13
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 - detection.threat-hunting
 logsource:
 category: process_creation
diff --git a/rules/category/antivirus/av_exploiting.yml b/rules/category/antivirus/av_exploiting.yml
index 0639a147d..ab6e083e3 100644
--- a/rules/category/antivirus/av_exploiting.yml
+++ b/rules/category/antivirus/av_exploiting.yml
@@ -16,7 +16,7 @@ tags:
 - attack.execution
 - attack.t1203
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: antivirus
 detection:
diff --git a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
index 3f24ef841..6d43312a7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
@@ -11,7 +11,7 @@ date: 2023-08-03
 tags:
 - attack.command-and-control
 - attack.persistence
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml b/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
index 6369431a4..0995a988b 100644
--- a/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
@@ -9,7 +9,7 @@ date: 2021-09-01
 modified: 2022-12-25
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 service: application
 product: windows
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
index 9fa708b59..da370d2b8 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
@@ -9,7 +9,7 @@ date: 2020-05-22
 modified: 2021-11-27
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 service: ntlm
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml
index e3e0c2f2b..eb6c96297 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-11-28
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml
index 246883fb0..631cd77ea 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-11-28
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml b/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml
index 5e2c4eb70..c6bf8ddd1 100644
--- a/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml
+++ b/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml
@@ -15,7 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-06-24
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: dns_query
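Review bot: `win_susp_ntlm_rdp.yml` appears, from its name and the `service: ntlm` log source, to concern the built-in RDP path rather than third-party desktop-support software, so `attack.t1219.002` looks like a weaker fit than `- attack.lateral-movement` with `- attack.t1021.001` (Remote Services: Remote Desktop Protocol). The same question applies to `file_event_win_tsclient_filewrite_startup.yml`, both `proc_creation_win_mstsc_run_local_rdp_file*` rules and `proc_creation_win_tscon_localsystem.yml`. The detection sections are outside these hunks, so confirm against each rule's logic before retagging.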
diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
index 78e12bf5c..1db37655b 100644
--- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
+++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
@@ -26,7 +26,7 @@ date: 2022-07-11
 modified: 2024-12-17
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: dns_query
diff --git a/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml b/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
index 6b1368c2c..487b07184 100644
--- a/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
+++ b/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
@@ -9,7 +9,7 @@ date: 2022-01-30
 modified: 2023-09-18
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: dns_query
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
index d55071c51..8739223b2 100644
--- a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
@@ -12,7 +12,7 @@ date: 2022-02-11
 modified: 2024-07-20
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
index 21ac5bc2e..097bc66d8 100644
--- a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
+++ b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
@@ -13,7 +13,7 @@ date: 2022-09-28
 modified: 2025-02-24
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
index 772a84e4d..8f53ef1f3 100644
--- a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
@@ -11,7 +11,7 @@ author: frack113
 date: 2022-02-13
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml b/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
index f8fc0b1f9..49c15d87a 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
@@ -11,7 +11,7 @@ date: 2022-10-24
 modified: 2024-06-27
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
index 97c9cedab..f257eb99e 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-06-27
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
index f6b3b9f85..b3019e7a5 100644
--- a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
+++ b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2022-01-28
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml
index 42b2463ac..f49e240ba 100644
--- a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml
@@ -11,7 +11,7 @@ author: frack113
 date: 2022-02-13
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml b/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
index 3206efcd7..c8056647e 100644
--- a/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-01-30
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
index 42bda88b1..ddf43216c 100755
--- a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
@@ -9,7 +9,7 @@ date: 2019-02-21
 modified: 2021-11-27
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml b/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml
index aab7bdb52..bbddb7da3 100644
--- a/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml
@@ -12,7 +12,7 @@ modified: 2025-02-24
 tags:
 - attack.persistence
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: network_connection
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
index ee950308e..d73ad341c 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
@@ -10,7 +10,7 @@ date: 2023-04-18
 modified: 2023-04-30
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
index 46924362e..97b92232e 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-04-18
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
index 78987739d..922387bda 100644
--- a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
@@ -12,7 +12,7 @@ author: Muhammad Faisal (@faisalusuf)
 date: 2024-12-19
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
index 3d12afae8..30bef0487 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
@@ -16,7 +16,7 @@ date: 2022-02-11
 modified: 2025-02-24
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
index 8a870c0eb..e6bc63ca3 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
@@ -9,7 +9,7 @@ date: 2022-09-28
 modified: 2023-03-05
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
index 07109aad8..cc1f2edee 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
@@ -10,7 +10,7 @@ date: 2021-08-06
 modified: 2023-03-05
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
index 22befae01..1cfc29771 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
@@ -16,7 +16,7 @@ date: 2022-05-20
 modified: 2025-02-24
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
index c60e56527..84006e7e2 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
@@ -12,7 +12,7 @@ date: 2022-02-13
 modified: 2023-03-05
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
index 0e331ced8..584bcde9e 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
@@ -12,7 +12,7 @@ date: 2022-02-11
 modified: 2023-03-05
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
index 22c35ffb5..3f7bdcdf6 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
@@ -12,7 +12,7 @@ author: '@Kostastsale'
 date: 2024-09-22
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
index 5610ff2a3..3a0768b9b 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
@@ -12,7 +12,7 @@ date: 2022-09-25
 modified: 2023-03-06
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml
index 5837ee40a..6f46bbdc3 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml
@@ -12,7 +12,7 @@ date: 2022-02-13
 modified: 2023-03-05
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
index 1ffeab35c..81d3dde6c 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
@@ -16,7 +16,7 @@ date: 2022-02-25
 modified: 2024-02-28
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml
index 36cbe7bef..d0f91eab9 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-02-23
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml
index 6ac260503..e780c51c3 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml
@@ -12,7 +12,7 @@ date: 2022-09-25
 modified: 2024-03-14
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
index 026345ac2..1756b4d9e 100644
--- a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
@@ -11,7 +11,7 @@ date: 2023-08-02
 tags:
 - attack.command-and-control
 - attack.persistence
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml b/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml
index 536b31758..5759f742b 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml
@@ -11,7 +11,7 @@ date: 2018-03-17
 modified: 2022-05-27
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_ultravnc.yml b/rules/windows/process_creation/proc_creation_win_ultravnc.yml
index 31c62dd91..abe47a248 100644
--- a/rules/windows/process_creation/proc_creation_win_ultravnc.yml
+++ b/rules/windows/process_creation/proc_creation_win_ultravnc.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2022-10-02
 tags:
 - attack.command-and-control
- - attack.t1219
+ - attack.t1219.002
 logsource:
 category: process_creation
 product: windows