Merge pull request #676 from Neo23x0/devel

Devel

rules/network/cisco/aaa/cisco_cli_clear_logs.yml

@@ -1,31 +1,31 @@
-title: Cisco Clear Logs
-id: ceb407f6-8277-439b-951f-e4210e3ed956
-status: experimental
-description: Clear command history in network OS which is used for defense evasion.
-references:
-    - https://attack.mitre.org/techniques/T1146/
-    - https://attack.mitre.org/techniques/T1070/
-author: Austin Clark
-date: 2019/08/12
-tags:
-    - attack.defense_evasion
-    - attack.t1146
-    - attack.t1070
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - src
-    - CmdSet
-    - User
-    - Privilege_Level
-    - Remote_Address
-detection:
-    keywords:
-        - 'clear logging'
-        - 'clear archive'
-    condition: keywords
-falsepositives:
-    - Legitimate administrators may run these commands.
-level: high
+title: Cisco Clear Logs
+id: ceb407f6-8277-439b-951f-e4210e3ed956
+status: experimental
+description: Clear command history in network OS which is used for defense evasion.
+references:
+    - https://attack.mitre.org/techniques/T1146/
+    - https://attack.mitre.org/techniques/T1070/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.defense_evasion
+    - attack.t1146
+    - attack.t1070
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'clear logging'
+        - 'clear archive'
+    condition: keywords
+falsepositives:
+    - Legitimate administrators may run these commands.
+level: high

rules/network/cisco/aaa/cisco_cli_collect_data.yml

@@ -1,39 +1,39 @@
-title: Cisco Collect Data
-id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
-status: experimental
-description: Collect pertinent data from the configuration files
-references:
-    - https://attack.mitre.org/techniques/T1087/
-    - https://attack.mitre.org/techniques/T1003/
-    - https://attack.mitre.org/techniques/T1081/
-    - https://attack.mitre.org/techniques/T1005/
-author: Austin Clark
-date: 2019/08/11
-tags:
-    - attack.discovery
-    - attack.credential_access
-    - attack.collection
-    - attack.t1087
-    - attack.t1003
-    - attack.t1081
-    - attack.t1005
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - src
-    - CmdSet
-    - User
-    - Privilege_Level
-    - Remote_Address
-detection:
-    keywords:
-        - 'show running-config'
-        - 'show startup-config'
-        - 'show archive config'
-        - 'more'
-    condition: keywords
-falsepositives:
-    - Commonly run by administrators.
-level: low
+title: Cisco Collect Data
+id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
+status: experimental
+description: Collect pertinent data from the configuration files
+references:
+    - https://attack.mitre.org/techniques/T1087/
+    - https://attack.mitre.org/techniques/T1003/
+    - https://attack.mitre.org/techniques/T1081/
+    - https://attack.mitre.org/techniques/T1005/
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.discovery
+    - attack.credential_access
+    - attack.collection
+    - attack.t1087
+    - attack.t1003
+    - attack.t1081
+    - attack.t1005
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'show running-config'
+        - 'show startup-config'
+        - 'show archive config'
+        - 'more'
+    condition: keywords
+falsepositives:
+    - Commonly run by administrators.
+level: low

rules/network/cisco/aaa/cisco_cli_crypto_actions.yml

@@ -1,33 +1,33 @@
-title: Cisco Crypto Commands
-id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
-status: experimental
-description: Show when private keys are being exported from the device, or when new certificates are installed.
-references:
-    - https://attack.mitre.org/techniques/T1145/
-    - https://attack.mitre.org/techniques/T1130/
-author: Austin Clark
-date: 2019/08/12
-tags:
-    - attack.credential_access
-    - attack.defense_evasion
-    - attack.t1130
-    - attack.t1145
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - src
-    - CmdSet
-    - User
-    - Privilege_Level
-    - Remote_Address
-detection:
-    keywords:
-        - 'crypto pki export'
-        - 'crypto pki import'
-        - 'crypto pki trustpoint'
-    condition: keywords
-falsepositives:
-    - Not commonly run by administrators.  Also whitelist your known good certificates.
-level: high
+title: Cisco Crypto Commands
+id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
+status: experimental
+description: Show when private keys are being exported from the device, or when new certificates are installed.
+references:
+    - https://attack.mitre.org/techniques/T1145/
+    - https://attack.mitre.org/techniques/T1130/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.credential_access
+    - attack.defense_evasion
+    - attack.t1130
+    - attack.t1145
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'crypto pki export'
+        - 'crypto pki import'
+        - 'crypto pki trustpoint'
+    condition: keywords
+falsepositives:
+    - Not commonly run by administrators.  Also whitelist your known good certificates.
+level: high

rules/network/cisco/aaa/cisco_cli_disable_logging.yml

@@ -1,29 +1,29 @@
-title: Cisco Disabling Logging
-id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
-status: experimental
-description: Turn off logging locally or remote
-references:
-    - https://attack.mitre.org/techniques/T1089
-author: Austin Clark
-date: 2019/08/11
-tags:
-    - attack.defense_evasion
-    - attack.t1089
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - src
-    - CmdSet
-    - User
-    - Privilege_Level
-    - Remote_Address
-detection:
-    keywords:
-        - 'no logging'
-        - 'no aaa new-model'
-    condition: keywords
-falsepositives:
-    - Unknown
-level: high
+title: Cisco Disabling Logging
+id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
+status: experimental
+description: Turn off logging locally or remote
+references:
+    - https://attack.mitre.org/techniques/T1089
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'no logging'
+        - 'no aaa new-model'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high

rules/network/cisco/aaa/cisco_cli_discovery.yml

@@ -1,46 +1,46 @@
-title: Cisco Discovery
-id: 9705a6a1-6db6-4a16-a987-15b7151e299b
-status: experimental
-description: Find information about network devices that are not stored in config files.
-references:
-    - https://attack.mitre.org/tactics/TA0007/
-author: Austin Clark
-date: 2019/08/12
-tags:
-    - attack.discovery
-    - attack.t1083
-    - attack.t1201
-    - attack.t1057
-    - attack.t1018
-    - attack.t1082
-    - attack.t1016
-    - attack.t1049
-    - attack.t1033
-    - attack.t1124
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - src
-    - CmdSet
-    - User
-    - Privilege_Level
-    - Remote_Address
-detection:
-    keywords:
-        - 'dir'
-        - 'show processes'
-        - 'show arp'
-        - 'show cdp'
-        - 'show version'
-        - 'show ip route'
-        - 'show ip interface'
-        - 'show ip sockets'
-        - 'show users'
-        - 'show ssh'
-        - 'show clock'
-    condition: keywords
-falsepositives:
-    - Commonly used by administrators for troubleshooting
-level: low
+title: Cisco Discovery
+id: 9705a6a1-6db6-4a16-a987-15b7151e299b
+status: experimental
+description: Find information about network devices that are not stored in config files.
+references:
+    - https://attack.mitre.org/tactics/TA0007/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.discovery
+    - attack.t1083
+    - attack.t1201
+    - attack.t1057
+    - attack.t1018
+    - attack.t1082
+    - attack.t1016
+    - attack.t1049
+    - attack.t1033
+    - attack.t1124
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'dir'
+        - 'show processes'
+        - 'show arp'
+        - 'show cdp'
+        - 'show version'
+        - 'show ip route'
+        - 'show ip interface'
+        - 'show ip sockets'
+        - 'show users'
+        - 'show ssh'
+        - 'show clock'
+    condition: keywords
+falsepositives:
+    - Commonly used by administrators for troubleshooting
+level: low

rules/network/cisco/aaa/cisco_cli_dos.yml

@@ -1,28 +1,28 @@
-title: Cisco Denial of Service
-id: d94a35f0-7a29-45f6-90a0-80df6159967c
-status: experimental
-description: Detect a system being shutdown or put into different boot mode
-references:
-    - https://attack.mitre.org/techniques/T1499/
-    - https://attack.mitre.org/techniques/T1495/
-author: Austin Clark
-date: 2019/08/15
-tags:
-    - attack.impact
-    - attack.t1499
-    - attack.t1495
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - CmdSet
-detection:
-    keywords:
-        - 'shutdown'
-        - 'config-register 0x2100'
-        - 'config-register 0x2142'
-    condition: keywords
-falsepositives:
-    - Legitimate administrators may run these commands, though rarely.
-level: medium
+title: Cisco Denial of Service
+id: d94a35f0-7a29-45f6-90a0-80df6159967c
+status: experimental
+description: Detect a system being shutdown or put into different boot mode
+references:
+    - https://attack.mitre.org/techniques/T1499/
+    - https://attack.mitre.org/techniques/T1495/
+author: Austin Clark
+date: 2019/08/15
+tags:
+    - attack.impact
+    - attack.t1499
+    - attack.t1495
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'shutdown'
+        - 'config-register 0x2100'
+        - 'config-register 0x2142'
+    condition: keywords
+falsepositives:
+    - Legitimate administrators may run these commands, though rarely.
+level: medium

rules/network/cisco/aaa/cisco_cli_file_deletion.yml

@@ -1,31 +1,31 @@
-title: Cisco Show Commands Input
-id: 71d65515-c436-43c0-841b-236b1f32c21e
-status: experimental
-description: See what files are being deleted from flash file systems
-references:
-    - https://attack.mitre.org/techniques/T1107/
-    - https://attack.mitre.org/techniques/T1488/
-    - https://attack.mitre.org/techniques/T1487/
-author: Austin Clark
-date: 2019/08/12
-tags:
-    - attack.defense_evasion
-    - attack.impact
-    - attack.t1107
-    - attack.t1488
-    - attack.t1487
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - CmdSet
-detection:
-    keywords:
-        - 'erase'
-        - 'delete'
-        - 'format'
-    condition: keywords
-falsepositives:
-    - Will be used sometimes by admins to clean up local flash space.
-level: medium
+title: Cisco Show Commands Input
+id: 71d65515-c436-43c0-841b-236b1f32c21e
+status: experimental
+description: See what files are being deleted from flash file systems
+references:
+    - https://attack.mitre.org/techniques/T1107/
+    - https://attack.mitre.org/techniques/T1488/
+    - https://attack.mitre.org/techniques/T1487/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.defense_evasion
+    - attack.impact
+    - attack.t1107
+    - attack.t1488
+    - attack.t1487
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'erase'
+        - 'delete'
+        - 'format'
+    condition: keywords
+falsepositives:
+    - Will be used sometimes by admins to clean up local flash space.
+level: medium

rules/network/cisco/aaa/cisco_cli_input_capture.yml

@@ -1,29 +1,29 @@
-title: Cisco Show Commands Input
-id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
-status: experimental
-description: See what commands are being input into the device by other people, full credentials can be in the history
-references:
-    - https://attack.mitre.org/techniques/T1056/
-    - https://attack.mitre.org/techniques/T1139/
-author: Austin Clark
-date: 2019/08/11
-tags:
-    - attack.collection
-    - attack.credential_access
-    - attack.t1139
-    - attack.t1056
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - CmdSet
-detection:
-    keywords:
-        - 'show history'
-        - 'show history all'
-        - 'show logging'
-    condition: keywords
-falsepositives:
-    - Not commonly run by administrators, especially if remote logging is configured.
-level: medium
+title: Cisco Show Commands Input
+id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
+status: experimental
+description: See what commands are being input into the device by other people, full credentials can be in the history
+references:
+    - https://attack.mitre.org/techniques/T1056/
+    - https://attack.mitre.org/techniques/T1139/
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.collection
+    - attack.credential_access
+    - attack.t1139
+    - attack.t1056
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'show history'
+        - 'show history all'
+        - 'show logging'
+    condition: keywords
+falsepositives:
+    - Not commonly run by administrators, especially if remote logging is configured.
+level: medium

rules/network/cisco/aaa/cisco_cli_local_accounts.yml

@@ -1,27 +1,27 @@
-title: Cisco Local Accounts
-id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
-status: experimental
-description: Find local accounts being created or modified as well as remote authentication configurations
-references:
-    - https://attack.mitre.org/techniques/T1098/
-    - https://attack.mitre.org/techniques/T1136/
-author: Austin Clark
-date: 2019/08/12
-tags:
-    - attack.persistence
-    - attack.t1136
-    - attack.t1098
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - CmdSet
-detection:
-    keywords:
-        - 'username'
-        - 'aaa'
-    condition: keywords
-falsepositives:
-    - When remote authentication is in place, this should not change often.
-level: high
+title: Cisco Local Accounts
+id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
+status: experimental
+description: Find local accounts being created or modified as well as remote authentication configurations
+references:
+    - https://attack.mitre.org/techniques/T1098/
+    - https://attack.mitre.org/techniques/T1136/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.persistence
+    - attack.t1136
+    - attack.t1098
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'username'
+        - 'aaa'
+    condition: keywords
+falsepositives:
+    - When remote authentication is in place, this should not change often.
+level: high

rules/network/cisco/aaa/cisco_cli_modify_config.yml

@@ -1,38 +1,38 @@
-title: Cisco Modify Configuration
-id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
-status: experimental
-description: Modifications to a config that will serve an adversary's impacts or persistence
-references:
-    - https://attack.mitre.org/techniques/T1100/
-    - https://attack.mitre.org/techniques/T1168/
-    - https://attack.mitre.org/techniques/T1493/
-author: Austin Clark
-date: 2019/08/12
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.impact
-    - attack.t1493
-    - attack.t1100
-    - attack.t1168
-    - attack.t1490
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - CmdSet
-detection:
-    keywords:
-        - 'ip http server'
-        - 'ip https server'
-        - 'kron policy-list'
-        - 'kron occurrence'
-        - 'policy-list'
-        - 'access-list'
-        - 'ip access-group'
-        - 'archive maximum'
-    condition: keywords
-falsepositives:
-    - Legitimate administrators may run these commands.
-level: medium
+title: Cisco Modify Configuration
+id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
+status: experimental
+description: Modifications to a config that will serve an adversary's impacts or persistence
+references:
+    - https://attack.mitre.org/techniques/T1100/
+    - https://attack.mitre.org/techniques/T1168/
+    - https://attack.mitre.org/techniques/T1493/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.impact
+    - attack.t1493
+    - attack.t1100
+    - attack.t1168
+    - attack.t1490
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'ip http server'
+        - 'ip https server'
+        - 'kron policy-list'
+        - 'kron occurrence'
+        - 'policy-list'
+        - 'access-list'
+        - 'ip access-group'
+        - 'archive maximum'
+    condition: keywords
+falsepositives:
+    - Legitimate administrators may run these commands.
+level: medium

rules/network/cisco/aaa/cisco_cli_moving_data.yml

@@ -1,39 +1,39 @@
-title: Cisco Stage Data
-id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
-status: experimental
-description: Various protocols maybe used to put data on the device for exfil or infil
-references:
-    - https://attack.mitre.org/techniques/T1074/
-    - https://attack.mitre.org/techniques/T1105/
-    - https://attack.mitre.org/techniques/T1498/
-    - https://attack.mitre.org/techniques/T1002/
-author: Austin Clark
-date: 2019/08/12
-tags:
-    - attack.collection
-    - attack.lateral_movement
-    - attack.command_and_control
-    - attack.exfiltration
-    - attack.impact
-    - attack.t1074
-    - attack.t1105
-    - attack.t1492
-    - attack.t1002
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - CmdSet
-detection:
-    keywords:
-        - 'tftp'
-        - 'rcp'
-        - 'puts'
-        - 'copy'
-        - 'configure replace'
-        - 'archive tar'
-    condition: keywords
-falsepositives:
-    - Generally used to copy configs or IOS images.
-level: low
+title: Cisco Stage Data
+id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
+status: experimental
+description: Various protocols maybe used to put data on the device for exfil or infil
+references:
+    - https://attack.mitre.org/techniques/T1074/
+    - https://attack.mitre.org/techniques/T1105/
+    - https://attack.mitre.org/techniques/T1498/
+    - https://attack.mitre.org/techniques/T1002/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.collection
+    - attack.lateral_movement
+    - attack.command_and_control
+    - attack.exfiltration
+    - attack.impact
+    - attack.t1074
+    - attack.t1105
+    - attack.t1492
+    - attack.t1002
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'tftp'
+        - 'rcp'
+        - 'puts'
+        - 'copy'
+        - 'configure replace'
+        - 'archive tar'
+    condition: keywords
+falsepositives:
+    - Generally used to copy configs or IOS images.
+level: low

rules/network/cisco/aaa/cisco_cli_net_sniff.yml

@@ -1,27 +1,27 @@
-title: Cisco Sniffing
-id: b9e1f193-d236-4451-aaae-2f3d2102120d
-status: experimental
-description: Show when a monitor or a span/rspan is setup or modified
-references:
-    - https://attack.mitre.org/techniques/T1040
-author: Austin Clark
-date: 2019/08/11
-tags:
-    - attack.credential_access
-    - attack.discovery
-    - attack.t1040
-logsource:
-    product: cisco
-    service: aaa
-    category: accounting
-fields:
-    - CmdSet
-detection:
-    keywords:
-        - 'monitor capture point'
-        - 'set span'
-        - 'set rspan'
-    condition: keywords
-falsepositives:
-    - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
-level: medium
+title: Cisco Sniffing
+id: b9e1f193-d236-4451-aaae-2f3d2102120d
+status: experimental
+description: Show when a monitor or a span/rspan is setup or modified
+references:
+    - https://attack.mitre.org/techniques/T1040
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.credential_access
+    - attack.discovery
+    - attack.t1040
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'monitor capture point'
+        - 'set span'
+        - 'set rspan'
+    condition: keywords
+falsepositives:
+    - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
+level: medium

rules/windows/other/win_defender_bypass.yml

@@ -1,26 +1,26 @@
-title: Windows Defender Exclusion Set
-id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
-description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
-references:
-    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
-tags:
-    - attack.defense_evasion
-    - attack.t1089
-author: "@BarryShooshooga"
-date: 2019/10/26
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
-detection:
-    selection:
-        EventID: 
-            - 4657
-            - 4656
-            - 4660
-            - 4663
-        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
-    condition: selection
-falsepositives: 
-    - Intended inclusions by administrator
-level: high
+title: Windows Defender Exclusion Set
+id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
+references:
+    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+author: "@BarryShooshooga"
+date: 2019/10/26
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
+detection:
+    selection:
+        EventID: 
+            - 4657
+            - 4656
+            - 4660
+            - 4663
+        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
+    condition: selection
+falsepositives: 
+    - Intended inclusions by administrator
+level: high

rules/windows/powershell/powershell_suspicious_download.yml

@@ -7,15 +7,20 @@ tags:
     - attack.t1086
 author: Florian Roth
 date: 2017/03/05
+modified: 2020/03/25
 logsource:
     product: windows
     service: powershell
 detection:
-    keywords:
-        Message:
-            - '*System.Net.WebClient).DownloadString(*'
-            - '*system.net.webclient).downloadfile(*'
-    condition: keywords
+    downloadfile:
+        Message|contains|all:
+            - 'System.Net.WebClient'
+            - '.DownloadFile('
+    downloadstring:
+        Message|contains|all:
+            - 'System.Net.WebClient'
+            - '.DownloadString('
+    condition: downloadfile or downloadstring
 falsepositives:
     - PowerShell scripts that download content from the Internet
 level: medium

rules/windows/process_creation/win_exploit_cve_2020_10189.yml

@@ -0,0 +1,28 @@
+title: Exploited CVE-2020-10189 Zoho ManageEngine
+id: 846b866e-2a57-46ee-8e16-85fa92759be7
+status: experimental
+description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
+references:
+    - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-10189
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
+    - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
+author: Florian Roth
+date: 2020/03/25
+tags:
+    - attack.launch
+    - attack.t1377
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
+        Image|endswith: 
+            - '*\cmd.exe'
+            - '*\powershell.exe'
+            - '*\bitsadmin.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/windows/process_creation/win_susp_curl_start_combo.yml

@@ -1,24 +1,24 @@
-title: Curl Start Combination
-id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
-status: experimental
-description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
-references: 
-    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
-author: Sreeman
-date: 2020/01/13
-tags:
-    - attack.execution
-    - attack.t1218
-logsource:
-   category: process_creation
-   product: windows
-detection:
-  condition: selection
-  selection:
-      CommandLine|contains: 'curl* start '
-falsepositives:
-    - Administrative scripts (installers)
-fields:
-    - ParentImage
-    - CommandLine
-level: medium
+title: Curl Start Combination
+id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
+status: experimental
+description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
+references: 
+    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
+author: Sreeman
+date: 2020/01/13
+tags:
+    - attack.execution
+    - attack.t1218
+logsource:
+   category: process_creation
+   product: windows
+detection:
+  condition: selection
+  selection:
+      CommandLine|contains: 'curl* start '
+falsepositives:
+    - Administrative scripts (installers)
+fields:
+    - ParentImage
+    - CommandLine
+level: medium

rules/windows/process_creation/win_task_folder_evasion.yml

@@ -1,36 +1,36 @@
-title: Tasks Folder Evasion
-id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
-status: experimental
-description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr 
-references: 
-    - https://twitter.com/subTee/status/1216465628946563073
-    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
-date: 2020/13/01
-author: Sreeman
-tags:
-    - attack.t1064
-    - attack.t1211
-    - attack.t1059
-    - attack.defense_evasion
-    - attack.persistence
-logsource:
-    product: Windows
-detection:
-    selection1:
-        CommandLine|contains:
-            - 'echo '
-            - 'copy '
-            - 'type '
-            - 'file createnew'
-    selection2:
-        CommandLine|contains:
-            - ' C:\Windows\System32\Tasks\'
-            - ' C:\Windows\SysWow64\Tasks\'
-    condition: selection1 and selection2
-fields:
-    - CommandLine
-    - ParentProcess
-    - CommandLine
-falsepositives:
-    - Unknown
-level: high
+title: Tasks Folder Evasion
+id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
+status: experimental
+description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr 
+references: 
+    - https://twitter.com/subTee/status/1216465628946563073
+    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
+date: 2020/13/01
+author: Sreeman
+tags:
+    - attack.t1064
+    - attack.t1211
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.persistence
+logsource:
+    product: Windows
+detection:
+    selection1:
+        CommandLine|contains:
+            - 'echo '
+            - 'copy '
+            - 'type '
+            - 'file createnew'
+    selection2:
+        CommandLine|contains:
+            - ' C:\Windows\System32\Tasks\'
+            - ' C:\Windows\SysWow64\Tasks\'
+    condition: selection1 and selection2
+fields:
+    - CommandLine
+    - ParentProcess
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_webshell_spawn.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
 author: Thomas Patzke
 date: 2019/01/16
-modified: 2020/03/03
+modified: 2020/03/25
 logsource:
     category: process_creation
     product: windows
@@ -21,6 +21,7 @@ detection:
             - '*\sh.exe'
             - '*\bash.exe'
             - '*\powershell.exe'
+            - '*\bitsadmin.exe'
     condition: selection
 fields:
     - CommandLine

rules/windows/sysmon/sysmon_registry_trust_record_modification.yml

@@ -1,24 +1,24 @@
-title: Windows Registry Trust Record Modification
-id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
-status: experimental
-description: Alerts on trust record modification within the registry, indicating usage of macros
-references:
-    - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
-    - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
-author: Antonlovesdnb
-date: 2020/02/19
-modified: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 12
-        TargetObject|contains: 'TrustRecords'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: medium
+title: Windows Registry Trust Record Modification
+id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
+status: experimental
+description: Alerts on trust record modification within the registry, indicating usage of macros
+references:
+    - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
+    - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
+author: Antonlovesdnb
+date: 2020/02/19
+modified: 2020/02/19
+tags:
+    - attack.initial_access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 12
+        TargetObject|contains: 'TrustRecords'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: medium

rules/windows/sysmon/sysmon_renamed_jusched.yml

@@ -1,26 +1,26 @@
-title: Renamed jusched.exe 
-status: experimental
-id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
-description: Detects renamed jusched.exe used by cobalt group 
-references:
-    - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
-tags:
-    - attack.t1036 
-    - attack.execution
-author: Markus Neis, Swisscom
-date: 2019/06/04
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        Description: Java Update Scheduler
-    selection2:
-        Description: Java(TM) Update Scheduler
-    filter:
-        Image|endswith:
-            - '\jusched.exe'
-    condition: (selection1 or selection2) and not filter
-falsepositives:
-    - penetration tests, red teaming
-level: high
+title: Renamed jusched.exe 
+status: experimental
+id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
+description: Detects renamed jusched.exe used by cobalt group 
+references:
+    - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
+tags:
+    - attack.t1036 
+    - attack.execution
+author: Markus Neis, Swisscom
+date: 2019/06/04
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Description: Java Update Scheduler
+    selection2:
+        Description: Java(TM) Update Scheduler
+    filter:
+        Image|endswith:
+            - '\jusched.exe'
+    condition: (selection1 or selection2) and not filter
+falsepositives:
+    - penetration tests, red teaming
+level: high

rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml

@@ -1,28 +1,28 @@
-title: dotNET DLL Loaded Via Office Applications
-id: ff0f2b05-09db-4095-b96d-1b75ca24894a
-status: experimental
-description: Detects any assembly DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe*'
-            - '*\powerpnt.exe*'
-            - '*\excel.exe*'
-            - '*\outlook.exe*'
-        ImageLoaded:
-            - '*C:\Windows\assembly\*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: dotNET DLL Loaded Via Office Applications
+id: ff0f2b05-09db-4095-b96d-1b75ca24894a
+status: experimental
+description: Detects any assembly DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial_access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe*'
+            - '*\powerpnt.exe*'
+            - '*\excel.exe*'
+            - '*\outlook.exe*'
+        ImageLoaded:
+            - '*C:\Windows\assembly\*'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml

@@ -1,28 +1,28 @@
-title: CLR DLL Loaded Via Office Applications
-id: d13c43f0-f66b-4279-8b2c-5912077c1780
-status: experimental
-description: Detects CLR DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - '*\clr.dll*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: CLR DLL Loaded Via Office Applications
+id: d13c43f0-f66b-4279-8b2c-5912077c1780
+status: experimental
+description: Detects CLR DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial_access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*\clr.dll*'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml

@@ -1,28 +1,28 @@
-title: GAC DLL Loaded Via Office Applications
-id: 90217a70-13fc-48e4-b3db-0d836c5824ac
-status: experimental
-description: Detects any GAC DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe*'
-            - '*\powerpnt.exe*'
-            - '*\excel.exe*'
-            - '*\outlook.exe*'
-        ImageLoaded:
-            - '*C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: GAC DLL Loaded Via Office Applications
+id: 90217a70-13fc-48e4-b3db-0d836c5824ac
+status: experimental
+description: Detects any GAC DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial_access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe*'
+            - '*\powerpnt.exe*'
+            - '*\excel.exe*'
+            - '*\outlook.exe*'
+        ImageLoaded:
+            - '*C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml

@@ -1,28 +1,28 @@
-title: Active Directory Parsing DLL Loaded Via Office Applications
-id: a2a3b925-7bb0-433b-b508-db9003263cc4
-status: experimental
-description: Detects DSParse DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - '*\dsparse.dll*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: Active Directory Parsing DLL Loaded Via Office Applications
+id: a2a3b925-7bb0-433b-b508-db9003263cc4
+status: experimental
+description: Detects DSParse DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial_access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*\dsparse.dll*'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml

@@ -1,28 +1,28 @@
-title: Active Directory Kerberos DLL Loaded Via Office Applications
-id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
-status: experimental
-description: Detects Kerberos DLL being loaded by an Office Product
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe*'
-            - '*\powerpnt.exe*'
-            - '*\excel.exe*'
-            - '*\outlook.exe*'
-        ImageLoaded:
-            - '*\kerberos.dll*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: Active Directory Kerberos DLL Loaded Via Office Applications
+id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
+status: experimental
+description: Detects Kerberos DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial_access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe*'
+            - '*\powerpnt.exe*'
+            - '*\excel.exe*'
+            - '*\outlook.exe*'
+        ImageLoaded:
+            - '*\kerberos.dll*'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml

@@ -1,30 +1,30 @@
-title: VBA DLL Loaded Via Microsoft Word
-id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
-status: experimental
-description: Detects DLL's Loaded Via Word Containing VBA Macros
-references:
-    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
-    - attack.initial_access
-    - attack.t1193
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 7
-        Image:
-            - '*\winword.exe*'
-            - '*\powerpnt.exe*'
-            - '*\excel.exe*'
-            - '*\outlook.exe*'
-        ImageLoaded:
-            - '*\VBE7.DLL*'
-            - '*\VBEUI.DLL*'
-            - '*\VBE7INTL.DLL*'
-    condition: selection
-falsepositives:
-    - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: VBA DLL Loaded Via Microsoft Word
+id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
+status: experimental
+description: Detects DLL's Loaded Via Word Containing VBA Macros
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial_access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe*'
+            - '*\powerpnt.exe*'
+            - '*\excel.exe*'
+            - '*\outlook.exe*'
+        ImageLoaded:
+            - '*\VBE7.DLL*'
+            - '*\VBEUI.DLL*'
+            - '*\VBE7INTL.DLL*'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

tests/test_rules.py

@@ -238,6 +238,7 @@ class TestRules(unittest.TestCase):
             "t1221",
             "t1222",
             "t1223",
+            "t1377",
             "t1480",
             "t1482",
             "t1482",
@@ -284,7 +285,7 @@ class TestRules(unittest.TestCase):
             "t1539",
 ]
     MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list
-    MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact"]
+    MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"]
     MITRE_GROUPS =  ["g0001", "g0002", "g0003", "g0004", "g0005", "g0006", "g0007", "g0008", "g0009", "g0010", "g0011", "g0012", "g0013", "g0014", "g0015", "g0016", "g0017", "g0018", "g0019", "g0020", "g0021", "g0022", "g0023", "g0024", "g0025", "g0026", "g0027", "g0028", "g0029", "g0030", "g0031", "g0032", "g0033", "g0034", "g0035", "g0036", "g0037", "g0038", "g0039", "g0040", "g0041", "g0042", "g0043", "g0044", "g0045", "g0046", "g0047", "g0048", "g0049", "g0050", "g0051", "g0052", "g0053", "g0054", "g0055", "g0056", "g0057", "g0058", "g0059", "g0060", "g0061", "g0062", "g0063", "g0064", "g0065", "g0066", "g0067", "g0068", "g0069", "g0070", "g0071", "g0072", "g0073", "g0074", "g0075", "g0076", "g0077", "g0078", "g0079", "g0080", "g0081", "g0082", "g0083", "g0084", "g0085", "g0086", "g0087", "g0088", "g0089", "g0090", "g0091", "g0092", "g0093", "g0094", "g0095", "g0096"]
     MITRE_SOFTWARE = ["s0001", "s0002", "s0003", "s0004", "s0005", "s0006", "s0007", "s0008", "s0009", "s0010", "s0011", "s0012", "s0013", "s0014", "s0015", "s0016", "s0017", "s0018", "s0019", "s0020", "s0021", "s0022", "s0023", "s0024", "s0025", "s0026", "s0027", "s0028", "s0029", "s0030", "s0031", "s0032", "s0033", "s0034", "s0035", "s0036", "s0037", "s0038", "s0039", "s0040", "s0041", "s0042", "s0043", "s0044", "s0045", "s0046", "s0047", "s0048", "s0049", "s0050", "s0051", "s0052", "s0053", "s0054", "s0055", "s0056", "s0057", "s0058", "s0059", "s0060", "s0061", "s0062", "s0063", "s0064", "s0065", "s0066", "s0067", "s0068", "s0069", "s0070", "s0071", "s0072", "s0073", "s0074", "s0075", "s0076", "s0077", "s0078", "s0079", "s0080", "s0081", "s0082", "s0083", "s0084", "s0085", "s0086", "s0087", "s0088", "s0089", "s0090", "s0091", "s0092", "s0093", "s0094", "s0095", "s0096", "s0097", "s0098", "s0099", "s0100", "s0101", "s0102", "s0103", "s0104", "s0105", "s0106", "s0107", "s0108", "s0109", "s0110", "s0111", "s0112", "s0113", "s0114", "s0115", "s0116", "s0117", "s0118", "s0119", "s0120", "s0121", "s0122", "s0123", "s0124", "s0125", "s0126", "s0127", "s0128", "s0129", "s0130", "s0131", "s0132", "s0133", "s0134", "s0135", "s0136", "s0137", "s0138", "s0139", "s0140", "s0141", "s0142", "s0143", "s0144", "s0145", "s0146", "s0147", "s0148", "s0149", "s0150", "s0151", "s0152", "s0153", "s0154", "s0155", "s0156", "s0157", "s0158", "s0159", "s0160", "s0161", "s0162", "s0163", "s0164", "s0165", "s0166", "s0167", "s0168", "s0169", "s0170", "s0171", "s0172", "s0173", "s0174", "s0175", "s0176", "s0177", "s0178", "s0179", "s0180", "s0181", "s0182", "s0183", "s0184", "s0185", "s0186", "s0187", "s0188", "s0189", "s0190", "s0191", "s0192", "s0193", "s0194", "s0195", "s0196", "s0197", "s0198", "s0199", "s0200", "s0201", "s0202", "s0203", "s0204", "s0205", "s0206", "s0207", "s0208", "s0209", "s0210", "s0211", "s0212", "s0213", "s0214", "s0215", "s0216", "s0217", "s0218", "s0219", "s0220", "s0221", "s0222", "s0223", "s0224", "s0225", "s0226", "s0227", "s0228", "s0229", "s0230", "s0231", "s0232", "s0233", "s0234", "s0235", "s0236", "s0237", "s0238", "s0239", "s0240", "s0241", "s0242", "s0243", "s0244", "s0245", "s0246", "s0247", "s0248", "s0249", "s0250", "s0251", "s0252", "s0253", "s0254", "s0255", "s0256", "s0257", "s0258", "s0259", "s0260", "s0261", "s0262", "s0263", "s0264", "s0265", "s0266", "s0267", "s0268", "s0269", "s0270", "s0271", "s0272", "s0273", "s0274", "s0275", "s0276", "s0277", "s0278", "s0279", "s0280", "s0281", "s0282", "s0283", "s0284", "s0330", "s0331", "s0332", "s0333", "s0334", "s0335", "s0336", "s0337", "s0338", "s0339", "s0340", "s0341", "s0342", "s0343", "s0344", "s0345", "s0346", "s0347", "s0348", "s0349", "s0350", "s0351", "s0352", "s0353", "s0354", "s0355", "s0356", "s0357", "s0358", "s0359", "s0360", "s0361", "s0362", "s0363", "s0364", "s0365", "s0366", "s0367", "s0368", "s0369", "s0370", "s0371", "s0372", "s0373", "s0374", "s0375", "s0376", "s0377", "s0378", "s0379", "s0380", "s0381", "s0382", "s0383", "s0384", "s0385", "s0386", "s0387", "s0388", "s0389", "s0390", "s0391", "s0393", "s0394", "s0395", "s0396", "s0397", "s0398", "s0400", "s0401", "s0402", "s0404", "s0409", "s0410", "s0412", "s0413", "s0414", "s0415", "s0416", "s0417"]
     MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE]