diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml index 0eb81291d..457744c35 100644 --- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml +++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml @@ -1,31 +1,31 @@ -title: Cisco Clear Logs -id: ceb407f6-8277-439b-951f-e4210e3ed956 -status: experimental -description: Clear command history in network OS which is used for defense evasion. -references: - - https://attack.mitre.org/techniques/T1146/ - - https://attack.mitre.org/techniques/T1070/ -author: Austin Clark -date: 2019/08/12 -tags: - - attack.defense_evasion - - attack.t1146 - - attack.t1070 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address -detection: - keywords: - - 'clear logging' - - 'clear archive' - condition: keywords -falsepositives: - - Legitimate administrators may run these commands. -level: high +title: Cisco Clear Logs +id: ceb407f6-8277-439b-951f-e4210e3ed956 +status: experimental +description: Clear command history in network OS which is used for defense evasion. +references: + - https://attack.mitre.org/techniques/T1146/ + - https://attack.mitre.org/techniques/T1070/ +author: Austin Clark +date: 2019/08/12 +tags: + - attack.defense_evasion + - attack.t1146 + - attack.t1070 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +detection: + keywords: + - 'clear logging' + - 'clear archive' + condition: keywords +falsepositives: + - Legitimate administrators may run these commands. +level: high diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml index 0983875f2..99a6378a0 100644 --- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml 
@@ -1,39 +1,39 @@ -title: Cisco Collect Data -id: cd072b25-a418-4f98-8ebc-5093fb38fe1a -status: experimental -description: Collect pertinent data from the configuration files -references: - - https://attack.mitre.org/techniques/T1087/ - - https://attack.mitre.org/techniques/T1003/ - - https://attack.mitre.org/techniques/T1081/ - - https://attack.mitre.org/techniques/T1005/ -author: Austin Clark -date: 2019/08/11 -tags: - - attack.discovery - - attack.credential_access - - attack.collection - - attack.t1087 - - attack.t1003 - - attack.t1081 - - attack.t1005 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address -detection: - keywords: - - 'show running-config' - - 'show startup-config' - - 'show archive config' - - 'more' - condition: keywords -falsepositives: - - Commonly run by administrators. -level: low +title: Cisco Collect Data +id: cd072b25-a418-4f98-8ebc-5093fb38fe1a +status: experimental +description: Collect pertinent data from the configuration files +references: + - https://attack.mitre.org/techniques/T1087/ + - https://attack.mitre.org/techniques/T1003/ + - https://attack.mitre.org/techniques/T1081/ + - https://attack.mitre.org/techniques/T1005/ +author: Austin Clark +date: 2019/08/11 +tags: + - attack.discovery + - attack.credential_access + - attack.collection + - attack.t1087 + - attack.t1003 + - attack.t1081 + - attack.t1005 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +detection: + keywords: + - 'show running-config' + - 'show startup-config' + - 'show archive config' + - 'more' + condition: keywords +falsepositives: + - Commonly run by administrators. +level: low diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml index 4cedb6deb..a032c9d48 100644 
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml +++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml @@ -1,33 +1,33 @@ -title: Cisco Crypto Commands -id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d -status: experimental -description: Show when private keys are being exported from the device, or when new certificates are installed. -references: - - https://attack.mitre.org/techniques/T1145/ - - https://attack.mitre.org/techniques/T1130/ -author: Austin Clark -date: 2019/08/12 -tags: - - attack.credential_access - - attack.defense_evasion - - attack.t1130 - - attack.t1145 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address -detection: - keywords: - - 'crypto pki export' - - 'crypto pki import' - - 'crypto pki trustpoint' - condition: keywords -falsepositives: - - Not commonly run by administrators. Also whitelist your known good certificates. -level: high +title: Cisco Crypto Commands +id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d +status: experimental +description: Show when private keys are being exported from the device, or when new certificates are installed. +references: + - https://attack.mitre.org/techniques/T1145/ + - https://attack.mitre.org/techniques/T1130/ +author: Austin Clark +date: 2019/08/12 +tags: + - attack.credential_access + - attack.defense_evasion + - attack.t1130 + - attack.t1145 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +detection: + keywords: + - 'crypto pki export' + - 'crypto pki import' + - 'crypto pki trustpoint' + condition: keywords +falsepositives: + - Not commonly run by administrators. Also whitelist your known good certificates. +level: high diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml index d652b4286..b81e265ba 100644 
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml +++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml @@ -1,29 +1,29 @@ -title: Cisco Disabling Logging -id: 9e8f6035-88bf-4a63-96b6-b17c0508257e -status: experimental -description: Turn off logging locally or remote -references: - - https://attack.mitre.org/techniques/T1089 -author: Austin Clark -date: 2019/08/11 -tags: - - attack.defense_evasion - - attack.t1089 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address -detection: - keywords: - - 'no logging' - - 'no aaa new-model' - condition: keywords -falsepositives: - - Unknown -level: high +title: Cisco Disabling Logging +id: 9e8f6035-88bf-4a63-96b6-b17c0508257e +status: experimental +description: Turn off logging locally or remote +references: + - https://attack.mitre.org/techniques/T1089 +author: Austin Clark +date: 2019/08/11 +tags: + - attack.defense_evasion + - attack.t1089 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +detection: + keywords: + - 'no logging' + - 'no aaa new-model' + condition: keywords +falsepositives: + - Unknown +level: high diff --git a/rules/network/cisco/aaa/cisco_cli_discovery.yml b/rules/network/cisco/aaa/cisco_cli_discovery.yml index 19a88fa7f..5bf64792e 100644 --- a/rules/network/cisco/aaa/cisco_cli_discovery.yml +++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml 
@@ -1,46 +1,46 @@ -title: Cisco Discovery -id: 9705a6a1-6db6-4a16-a987-15b7151e299b -status: experimental -description: Find information about network devices that are not stored in config files. -references: - - https://attack.mitre.org/tactics/TA0007/ -author: Austin Clark -date: 2019/08/12 -tags: - - attack.discovery - - attack.t1083 - - attack.t1201 - - attack.t1057 - - attack.t1018 - - attack.t1082 - - attack.t1016 - - attack.t1049 - - attack.t1033 - - attack.t1124 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address -detection: - keywords: - - 'dir' - - 'show processes' - - 'show arp' - - 'show cdp' - - 'show version' - - 'show ip route' - - 'show ip interface' - - 'show ip sockets' - - 'show users' - - 'show ssh' - - 'show clock' - condition: keywords -falsepositives: - - Commonly used by administrators for troubleshooting -level: low +title: Cisco Discovery +id: 9705a6a1-6db6-4a16-a987-15b7151e299b +status: experimental +description: Find information about network devices that are not stored in config files. +references: + - https://attack.mitre.org/tactics/TA0007/ +author: Austin Clark +date: 2019/08/12 +tags: + - attack.discovery + - attack.t1083 + - attack.t1201 + - attack.t1057 + - attack.t1018 + - attack.t1082 + - attack.t1016 + - attack.t1049 + - attack.t1033 + - attack.t1124 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +detection: + keywords: + - 'dir' + - 'show processes' + - 'show arp' + - 'show cdp' + - 'show version' + - 'show ip route' + - 'show ip interface' + - 'show ip sockets' + - 'show users' + - 'show ssh' + - 'show clock' + condition: keywords +falsepositives: + - Commonly used by administrators for troubleshooting +level: low 
diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml index 9d8c1a6c2..847f0d216 100644 --- a/rules/network/cisco/aaa/cisco_cli_dos.yml +++ b/rules/network/cisco/aaa/cisco_cli_dos.yml @@ -1,28 +1,28 @@ -title: Cisco Denial of Service -id: d94a35f0-7a29-45f6-90a0-80df6159967c -status: experimental -description: Detect a system being shutdown or put into different boot mode -references: - - https://attack.mitre.org/techniques/T1499/ - - https://attack.mitre.org/techniques/T1495/ -author: Austin Clark -date: 2019/08/15 -tags: - - attack.impact - - attack.t1499 - - attack.t1495 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - CmdSet -detection: - keywords: - - 'shutdown' - - 'config-register 0x2100' - - 'config-register 0x2142' - condition: keywords -falsepositives: - - Legitimate administrators may run these commands, though rarely. -level: medium +title: Cisco Denial of Service +id: d94a35f0-7a29-45f6-90a0-80df6159967c +status: experimental +description: Detect a system being shutdown or put into different boot mode +references: + - https://attack.mitre.org/techniques/T1499/ + - https://attack.mitre.org/techniques/T1495/ +author: Austin Clark +date: 2019/08/15 +tags: + - attack.impact + - attack.t1499 + - attack.t1495 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - CmdSet +detection: + keywords: + - 'shutdown' + - 'config-register 0x2100' + - 'config-register 0x2142' + condition: keywords +falsepositives: + - Legitimate administrators may run these commands, though rarely. +level: medium diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml index 5c82fa85e..cc6155e1b 100644 --- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml +++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml 
@@ -1,31 +1,31 @@ -title: Cisco Show Commands Input -id: 71d65515-c436-43c0-841b-236b1f32c21e -status: experimental -description: See what files are being deleted from flash file systems -references: - - https://attack.mitre.org/techniques/T1107/ - - https://attack.mitre.org/techniques/T1488/ - - https://attack.mitre.org/techniques/T1487/ -author: Austin Clark -date: 2019/08/12 -tags: - - attack.defense_evasion - - attack.impact - - attack.t1107 - - attack.t1488 - - attack.t1487 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - CmdSet -detection: - keywords: - - 'erase' - - 'delete' - - 'format' - condition: keywords -falsepositives: - - Will be used sometimes by admins to clean up local flash space. -level: medium +title: Cisco Show Commands Input +id: 71d65515-c436-43c0-841b-236b1f32c21e +status: experimental +description: See what files are being deleted from flash file systems +references: + - https://attack.mitre.org/techniques/T1107/ + - https://attack.mitre.org/techniques/T1488/ + - https://attack.mitre.org/techniques/T1487/ +author: Austin Clark +date: 2019/08/12 +tags: + - attack.defense_evasion + - attack.impact + - attack.t1107 + - attack.t1488 + - attack.t1487 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - CmdSet +detection: + keywords: + - 'erase' + - 'delete' + - 'format' + condition: keywords +falsepositives: + - Will be used sometimes by admins to clean up local flash space. +level: medium diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml index 98a240bdc..51467f579 100644 --- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml +++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml 
@@ -1,29 +1,29 @@ -title: Cisco Show Commands Input -id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b -status: experimental -description: See what commands are being input into the device by other people, full credentials can be in the history -references: - - https://attack.mitre.org/techniques/T1056/ - - https://attack.mitre.org/techniques/T1139/ -author: Austin Clark -date: 2019/08/11 -tags: - - attack.collection - - attack.credential_access - - attack.t1139 - - attack.t1056 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - CmdSet -detection: - keywords: - - 'show history' - - 'show history all' - - 'show logging' - condition: keywords -falsepositives: - - Not commonly run by administrators, especially if remote logging is configured. -level: medium +title: Cisco Show Commands Input +id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b +status: experimental +description: See what commands are being input into the device by other people, full credentials can be in the history +references: + - https://attack.mitre.org/techniques/T1056/ + - https://attack.mitre.org/techniques/T1139/ +author: Austin Clark +date: 2019/08/11 +tags: + - attack.collection + - attack.credential_access + - attack.t1139 + - attack.t1056 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - CmdSet +detection: + keywords: + - 'show history' + - 'show history all' + - 'show logging' + condition: keywords +falsepositives: + - Not commonly run by administrators, especially if remote logging is configured. +level: medium diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml index ddab70721..b563459f5 100644 --- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml +++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml 
@@ -1,27 +1,27 @@ -title: Cisco Local Accounts -id: 6d844f0f-1c18-41af-8f19-33e7654edfc3 -status: experimental -description: Find local accounts being created or modified as well as remote authentication configurations -references: - - https://attack.mitre.org/techniques/T1098/ - - https://attack.mitre.org/techniques/T1136/ -author: Austin Clark -date: 2019/08/12 -tags: - - attack.persistence - - attack.t1136 - - attack.t1098 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - CmdSet -detection: - keywords: - - 'username' - - 'aaa' - condition: keywords -falsepositives: - - When remote authentication is in place, this should not change often. -level: high +title: Cisco Local Accounts +id: 6d844f0f-1c18-41af-8f19-33e7654edfc3 +status: experimental +description: Find local accounts being created or modified as well as remote authentication configurations +references: + - https://attack.mitre.org/techniques/T1098/ + - https://attack.mitre.org/techniques/T1136/ +author: Austin Clark +date: 2019/08/12 +tags: + - attack.persistence + - attack.t1136 + - attack.t1098 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - CmdSet +detection: + keywords: + - 'username' + - 'aaa' + condition: keywords +falsepositives: + - When remote authentication is in place, this should not change often. +level: high diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml index b79eb0537..bc11ecafc 100644 --- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml +++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml 
@@ -1,38 +1,38 @@ -title: Cisco Modify Configuration -id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b -status: experimental -description: Modifications to a config that will serve an adversary's impacts or persistence -references: - - https://attack.mitre.org/techniques/T1100/ - - https://attack.mitre.org/techniques/T1168/ - - https://attack.mitre.org/techniques/T1493/ -author: Austin Clark -date: 2019/08/12 -tags: - - attack.persistence - - attack.privilege_escalation - - attack.impact - - attack.t1493 - - attack.t1100 - - attack.t1168 - - attack.t1490 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - CmdSet -detection: - keywords: - - 'ip http server' - - 'ip https server' - - 'kron policy-list' - - 'kron occurrence' - - 'policy-list' - - 'access-list' - - 'ip access-group' - - 'archive maximum' - condition: keywords -falsepositives: - - Legitimate administrators may run these commands. -level: medium +title: Cisco Modify Configuration +id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b +status: experimental +description: Modifications to a config that will serve an adversary's impacts or persistence +references: + - https://attack.mitre.org/techniques/T1100/ + - https://attack.mitre.org/techniques/T1168/ + - https://attack.mitre.org/techniques/T1493/ +author: Austin Clark +date: 2019/08/12 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.impact + - attack.t1493 + - attack.t1100 + - attack.t1168 + - attack.t1490 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - CmdSet +detection: + keywords: + - 'ip http server' + - 'ip https server' + - 'kron policy-list' + - 'kron occurrence' + - 'policy-list' + - 'access-list' + - 'ip access-group' + - 'archive maximum' + condition: keywords +falsepositives: + - Legitimate administrators may run these commands. +level: medium 
diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml index 0b603bca7..f9aa4c847 100644 --- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml 
@@ -1,39 +1,39 @@ -title: Cisco Stage Data -id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59 -status: experimental -description: Various protocols maybe used to put data on the device for exfil or infil -references: - - https://attack.mitre.org/techniques/T1074/ - - https://attack.mitre.org/techniques/T1105/ - - https://attack.mitre.org/techniques/T1498/ - - https://attack.mitre.org/techniques/T1002/ -author: Austin Clark -date: 2019/08/12 -tags: - - attack.collection - - attack.lateral_movement - - attack.command_and_control - - attack.exfiltration - - attack.impact - - attack.t1074 - - attack.t1105 - - attack.t1492 - - attack.t1002 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - CmdSet -detection: - keywords: - - 'tftp' - - 'rcp' - - 'puts' - - 'copy' - - 'configure replace' - - 'archive tar' - condition: keywords -falsepositives: - - Generally used to copy configs or IOS images. -level: low +title: Cisco Stage Data +id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59 +status: experimental +description: Various protocols maybe used to put data on the device for exfil or infil +references: + - https://attack.mitre.org/techniques/T1074/ + - https://attack.mitre.org/techniques/T1105/ + - https://attack.mitre.org/techniques/T1498/ + - https://attack.mitre.org/techniques/T1002/ +author: Austin Clark +date: 2019/08/12 +tags: + - attack.collection + - attack.lateral_movement + - attack.command_and_control + - attack.exfiltration + - attack.impact + - attack.t1074 + - attack.t1105 + - attack.t1492 + - attack.t1002 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - CmdSet +detection: + keywords: + - 'tftp' + - 'rcp' + - 'puts' + - 'copy' + - 'configure replace' + - 'archive tar' + condition: keywords +falsepositives: + - Generally used to copy configs or IOS images. +level: low diff --git a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml index 3a329fce0..3cc2a4103 100644 
--- a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml +++ b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml @@ -1,27 +1,27 @@ -title: Cisco Sniffing -id: b9e1f193-d236-4451-aaae-2f3d2102120d -status: experimental -description: Show when a monitor or a span/rspan is setup or modified -references: - - https://attack.mitre.org/techniques/T1040 -author: Austin Clark -date: 2019/08/11 -tags: - - attack.credential_access - - attack.discovery - - attack.t1040 -logsource: - product: cisco - service: aaa - category: accounting -fields: - - CmdSet -detection: - keywords: - - 'monitor capture point' - - 'set span' - - 'set rspan' - condition: keywords -falsepositives: - - Admins may setup new or modify old spans, or use a monitor for troubleshooting. -level: medium +title: Cisco Sniffing +id: b9e1f193-d236-4451-aaae-2f3d2102120d +status: experimental +description: Show when a monitor or a span/rspan is setup or modified +references: + - https://attack.mitre.org/techniques/T1040 +author: Austin Clark +date: 2019/08/11 +tags: + - attack.credential_access + - attack.discovery + - attack.t1040 +logsource: + product: cisco + service: aaa + category: accounting +fields: + - CmdSet +detection: + keywords: + - 'monitor capture point' + - 'set span' + - 'set rspan' + condition: keywords +falsepositives: + - Admins may setup new or modify old spans, or use a monitor for troubleshooting. +level: medium diff --git a/rules/windows/other/win_defender_bypass.yml b/rules/windows/other/win_defender_bypass.yml index 0dc753664..cc4fb5b86 100644 --- a/rules/windows/other/win_defender_bypass.yml +++ b/rules/windows/other/win_defender_bypass.yml 
@@ -1,26 +1,26 @@ -title: Windows Defender Exclusion Set -id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d -description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender' -references: - - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ -tags: - - attack.defense_evasion - - attack.t1089 -author: "@BarryShooshooga" -date: 2019/10/26 -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' -detection: - selection: - EventID: - - 4657 - - 4656 - - 4660 - - 4663 - ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' - condition: selection -falsepositives: - - Intended inclusions by administrator -level: high +title: Windows Defender Exclusion Set +id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender' +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +tags: + - attack.defense_evasion + - attack.t1089 +author: "@BarryShooshooga" +date: 2019/10/26 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' +detection: + selection: + EventID: + - 4657 + - 4656 + - 4660 + - 4663 + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection +falsepositives: + - Intended inclusions by administrator +level: high 
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml index 2ab91194c..cc7351864 100644 --- a/rules/windows/powershell/powershell_suspicious_download.yml +++ b/rules/windows/powershell/powershell_suspicious_download.yml @@ -7,15 +7,20 @@ tags: - attack.t1086 author: Florian Roth date: 2017/03/05 +modified: 2020/03/25 logsource: product: windows service: powershell detection: - keywords: - Message: - - '*System.Net.WebClient).DownloadString(*' - - '*system.net.webclient).downloadfile(*' - condition: keywords + downloadfile: + Message|contains|all: + - 'System.Net.WebClient' + - '.DownloadFile(' + downloadstring: + Message|contains|all: + - 'System.Net.WebClient' + - '.DownloadString(' + condition: downloadfile or downloadstring falsepositives: - PowerShell scripts that download content from the Internet level: medium diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml new file mode 100644 index 000000000..1dabd07b0 --- /dev/null +++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml 
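Review bot: The two new selections `downloadfile` and `downloadstring` repeat the `'System.Net.WebClient'` token and differ only in the method name, so the detection reads more clearly and extends more easily as one class selection plus one method list: `webclient:` with `Message|contains: 'System.Net.WebClient'`, `method:` with `Message|contains:` listing `'.DownloadFile('` and `'.DownloadString('`, and `condition: webclient and method`. Dropping the explicit lowercase keyword the old rule carried is fine because Sigma string matching is case-insensitive by specification, but nothing in the rule records that reasoning; a one-line comment above `detection:` such as `# contains is case-insensitive; the former lowercase variant is subsumed` would spare the next reader the diff archaeology. The `tags`, `author` and `date` lines at the top are context from outside the hunk.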
@@ -0,0 +1,28 @@ +title: Exploited CVE-2020-10189 Zoho ManageEngine +id: 846b866e-2a57-46ee-8e16-85fa92759be7 +status: experimental +description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 +references: + - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-10189 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189 + - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 +author: Florian Roth +date: 2020/03/25 +tags: + - attack.launch + - attack.t1377 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe' + Image|endswith: + - '*\cmd.exe' + - '*\powershell.exe' + - '*\bitsadmin.exe' + condition: selection +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/process_creation/win_susp_curl_start_combo.yml b/rules/windows/process_creation/win_susp_curl_start_combo.yml index ddc53c6a2..c65cfc278 100644 --- a/rules/windows/process_creation/win_susp_curl_start_combo.yml +++ b/rules/windows/process_creation/win_susp_curl_start_combo.yml 
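Review bot: The three `Image|endswith` values carry a leading `*` (`'*\cmd.exe'`, `'*\powershell.exe'`, `'*\bitsadmin.exe'`) that the `endswith` modifier already supplies, and the neighbouring `ParentImage|endswith` value in the same selection is written without it; for consistency the list should read `- '\cmd.exe'`, `- '\powershell.exe'`, `- '\bitsadmin.exe'`. The tags `attack.launch` and `attack.t1377` do not look like Enterprise ATT&CK tactic and technique names; exploitation of a public-facing application is usually tagged `attack.initial_access` and `attack.t1190`, so this is worth confirming against the repository's tag conventions before merge. The `falsepositives` entry `Unknown` on a `critical` rule could presumably be sharpened by noting that administrative scripts launched under the Desktop Central JRE would match as well — to be verified with someone who operates the product.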
@@ -1,24 +1,24 @@ -title: Curl Start Combination -id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288 -status: experimental -description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. -references: - - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 -author: Sreeman -date: 2020/01/13 -tags: - - attack.execution - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - condition: selection - selection: - CommandLine|contains: 'curl* start ' -falsepositives: - - Administrative scripts (installers) -fields: - - ParentImage - - CommandLine -level: medium +title: Curl Start Combination +id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288 +status: experimental +description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. +references: + - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 +author: Sreeman +date: 2020/01/13 +tags: + - attack.execution + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + condition: selection + selection: + CommandLine|contains: 'curl* start ' +falsepositives: + - Administrative scripts (installers) +fields: + - ParentImage + - CommandLine +level: medium diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml index 988342f70..82a3e4d6a 100644 --- a/rules/windows/process_creation/win_task_folder_evasion.yml +++ b/rules/windows/process_creation/win_task_folder_evasion.yml 
@@ -1,36 +1,36 @@ -title: Tasks Folder Evasion -id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0 -status: experimental -description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr -references: - - https://twitter.com/subTee/status/1216465628946563073 - - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 -date: 2020/13/01 -author: Sreeman -tags: - - attack.t1064 - - attack.t1211 - - attack.t1059 - - attack.defense_evasion - - attack.persistence -logsource: - product: Windows -detection: - selection1: - CommandLine|contains: - - 'echo ' - - 'copy ' - - 'type ' - - 'file createnew' - selection2: - CommandLine|contains: - - ' C:\Windows\System32\Tasks\' - - ' C:\Windows\SysWow64\Tasks\' - condition: selection1 and selection2 -fields: - - CommandLine - - ParentProcess - - CommandLine -falsepositives: - - Unknown -level: high +title: Tasks Folder Evasion +id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0 +status: experimental +description: The Tasks folder in system32 and syswow64 are globally writable paths. 
Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr +references: + - https://twitter.com/subTee/status/1216465628946563073 + - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 +date: 2020/13/01 +author: Sreeman +tags: + - attack.t1064 + - attack.t1211 + - attack.t1059 + - attack.defense_evasion + - attack.persistence +logsource: + product: Windows +detection: + selection1: + CommandLine|contains: + - 'echo ' + - 'copy ' + - 'type ' + - 'file createnew' + selection2: + CommandLine|contains: + - ' C:\Windows\System32\Tasks\' + - ' C:\Windows\SysWow64\Tasks\' + condition: selection1 and selection2 +fields: + - CommandLine + - ParentProcess + - CommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml index a6a147ee0..0f1192625 100644 --- a/rules/windows/process_creation/win_webshell_spawn.yml +++ b/rules/windows/process_creation/win_webshell_spawn.yml @@ -4,7 +4,7 @@ status: experimental description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack author: Thomas Patzke date: 2019/01/16 -modified: 2020/03/03 +modified: 2020/03/25 logsource: category: process_creation product: windows @@ -21,6 +21,7 @@ detection: - '*\sh.exe' - '*\bash.exe' - '*\powershell.exe' + - '*\bitsadmin.exe' condition: selection fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml b/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml index 1d9dd6902..eec9375ae 100644 --- a/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml +++ b/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml 
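Review bot: Adding `'*\bitsadmin.exe'` widens the rule beyond shell interpreters, but the `description` two lines above (`Web servers that spawn shell processes …`) and the title still describe shells only, so the rule's documentation no longer states what it fires on; suggest `description: Web servers that spawn shell processes or download utilities such as bitsadmin could be the result of a successfully placed web shell or another attack`. The key that owns the list sits above the hunk, so whether it is a plain `Image` wildcard match or carries a modifier cannot be confirmed here; the new entry follows the existing leading-`*` convention of its siblings, which is the right choice either way. The selection block starts outside the hunk, and the `modified` bump in the first hunk correctly accompanies the change.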
@@ -1,24 +1,24 @@ -title: Windows Registry Trust Record Modification -id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 -status: experimental -description: Alerts on trust record modification within the registry, indicating usage of macros -references: - - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ - - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html -author: Antonlovesdnb -date: 2020/02/19 -modified: 2020/02/19 -tags: - - attack.initial_access - - attack.t1193 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 12 - TargetObject|contains: 'TrustRecords' - condition: selection -falsepositives: - - Alerts on legitimate macro usage as well, will need to filter as appropriate -level: medium +title: Windows Registry Trust Record Modification +id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 +status: experimental +description: Alerts on trust record modification within the registry, indicating usage of macros +references: + - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ + - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html +author: Antonlovesdnb +date: 2020/02/19 +modified: 2020/02/19 +tags: + - attack.initial_access + - attack.t1193 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 12 + TargetObject|contains: 'TrustRecords' + condition: selection +falsepositives: + - Alerts on legitimate macro usage as well, will need to filter as appropriate +level: medium diff --git a/rules/windows/sysmon/sysmon_renamed_jusched.yml b/rules/windows/sysmon/sysmon_renamed_jusched.yml index ea2370971..7e03d04a7 100644 --- a/rules/windows/sysmon/sysmon_renamed_jusched.yml +++ b/rules/windows/sysmon/sysmon_renamed_jusched.yml 
@@ -1,26 +1,26 @@
-title: Renamed jusched.exe
-status: experimental
-id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
-description: Detects renamed jusched.exe used by cobalt group
-references:
- - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
-tags:
- - attack.t1036
- - attack.execution
-author: Markus Neis, Swisscom
-date: 2019/06/04
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- Description: Java Update Scheduler
- selection2:
- Description: Java(TM) Update Scheduler
- filter:
- Image|endswith:
- - '\jusched.exe'
- condition: (selection1 or selection2) and not filter
-falsepositives:
- - penetration tests, red teaming
-level: high
+title: Renamed jusched.exe
+status: experimental
+id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
+description: Detects renamed jusched.exe used by cobalt group
+references:
+ - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
+tags:
+ - attack.t1036
+ - attack.execution
+author: Markus Neis, Swisscom
+date: 2019/06/04
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Description: Java Update Scheduler
+ selection2:
+ Description: Java(TM) Update Scheduler
+ filter:
+ Image|endswith:
+ - '\jusched.exe'
+ condition: (selection1 or selection2) and not filter
+falsepositives:
+ - penetration tests, red teaming
+level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
index 1690d51b5..6017a7162 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -1,28 +1,28 @@
-title: dotNET DLL Loaded Via Office Applications
-id: ff0f2b05-09db-4095-b96d-1b75ca24894a
-status: experimental
-description: Detects any assembly DLL being loaded by an Office Product
-references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
- - attack.initial_access
- - attack.t1193
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
- Image:
- - '*\winword.exe*'
- - '*\powerpnt.exe*'
- - '*\excel.exe*'
- - '*\outlook.exe*'
- ImageLoaded:
- - '*C:\Windows\assembly\*'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: dotNET DLL Loaded Via Office Applications
+id: ff0f2b05-09db-4095-b96d-1b75ca24894a
+status: experimental
+description: Detects any assembly DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe*'
+ - '*\powerpnt.exe*'
+ - '*\excel.exe*'
+ - '*\outlook.exe*'
+ ImageLoaded:
+ - '*C:\Windows\assembly\*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
index 42b6858be..bd58c23b1 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -1,28 +1,28 @@
-title: CLR DLL Loaded Via Office Applications
-id: d13c43f0-f66b-4279-8b2c-5912077c1780
-status: experimental
-description: Detects CLR DLL being loaded by an Office Product
-references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
- - attack.initial_access
- - attack.t1193
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\clr.dll*'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: CLR DLL Loaded Via Office Applications
+id: d13c43f0-f66b-4279-8b2c-5912077c1780
+status: experimental
+description: Detects CLR DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*\clr.dll*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
index 9806cf084..a0f3ddae2 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -1,28 +1,28 @@
-title: GAC DLL Loaded Via Office Applications
-id: 90217a70-13fc-48e4-b3db-0d836c5824ac
-status: experimental
-description: Detects any GAC DLL being loaded by an Office Product
-references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
- - attack.initial_access
- - attack.t1193
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
- Image:
- - '*\winword.exe*'
- - '*\powerpnt.exe*'
- - '*\excel.exe*'
- - '*\outlook.exe*'
- ImageLoaded:
- - '*C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: GAC DLL Loaded Via Office Applications
+id: 90217a70-13fc-48e4-b3db-0d836c5824ac
+status: experimental
+description: Detects any GAC DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe*'
+ - '*\powerpnt.exe*'
+ - '*\excel.exe*'
+ - '*\outlook.exe*'
+ ImageLoaded:
+ - '*C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml
index 232f71908..e46824e6d 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml
@@ -1,28 +1,28 @@
-title: Active Directory Parsing DLL Loaded Via Office Applications
-id: a2a3b925-7bb0-433b-b508-db9003263cc4
-status: experimental
-description: Detects DSParse DLL being loaded by an Office Product
-references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
- - attack.initial_access
- - attack.t1193
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\dsparse.dll*'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: Active Directory Parsing DLL Loaded Via Office Applications
+id: a2a3b925-7bb0-433b-b508-db9003263cc4
+status: experimental
+description: Detects DSParse DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*\dsparse.dll*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
index 1cd4628bd..86aedc7e2 100644
--- a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
@@ -1,28 +1,28 @@
-title: Active Directory Kerberos DLL Loaded Via Office Applications
-id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
-status: experimental
-description: Detects Kerberos DLL being loaded by an Office Product
-references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
- - attack.initial_access
- - attack.t1193
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
- Image:
- - '*\winword.exe*'
- - '*\powerpnt.exe*'
- - '*\excel.exe*'
- - '*\outlook.exe*'
- ImageLoaded:
- - '*\kerberos.dll*'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: Active Directory Kerberos DLL Loaded Via Office Applications
+id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
+status: experimental
+description: Detects Kerberos DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe*'
+ - '*\powerpnt.exe*'
+ - '*\excel.exe*'
+ - '*\outlook.exe*'
+ ImageLoaded:
+ - '*\kerberos.dll*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml b/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml
index e2d298941..b371692e1 100644
--- a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml
@@ -1,30 +1,30 @@
-title: VBA DLL Loaded Via Microsoft Word
-id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
-status: experimental
-description: Detects DLL's Loaded Via Word Containing VBA Macros
-references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-author: Antonlovesdnb
-date: 2020/02/19
-tags:
- - attack.initial_access
- - attack.t1193
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
- Image:
- - '*\winword.exe*'
- - '*\powerpnt.exe*'
- - '*\excel.exe*'
- - '*\outlook.exe*'
- ImageLoaded:
- - '*\VBE7.DLL*'
- - '*\VBEUI.DLL*'
- - '*\VBE7INTL.DLL*'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
+title: VBA DLL Loaded Via Microsoft Word
+id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
+status: experimental
+description: Detects DLL's Loaded Via Word Containing VBA Macros
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe*'
+ - '*\powerpnt.exe*'
+ - '*\excel.exe*'
+ - '*\outlook.exe*'
+ ImageLoaded:
+ - '*\VBE7.DLL*'
+ - '*\VBEUI.DLL*'
+ - '*\VBE7INTL.DLL*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/tests/test_rules.py b/tests/test_rules.py
index c8ab9d32b..881dbcd7e 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -238,6 +238,7 @@ class TestRules(unittest.TestCase):
"t1221",
"t1222",
"t1223",
+ "t1377",
"t1480",
"t1482",
"t1482",
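Review bot: `"t1377"` is added to MITRE_TECHNIQUES with no comment, and the companion hunk at `@@ -284,7 +285,7 @@` adds `"launch"` to MITRE_TACTICS; neither appears to be an Enterprise ATT&CK identifier (the twelve existing tactics all are, and launch reads like a PRE-ATT&CK tactic), so the allowlist now accepts tags that do not map to the matrix the rest of the list covers. If both are intended, mark them inline so the next maintainer does not prune them as typos, e.g. `"t1377",  # PRE-ATT&CK — confirm`; otherwise drop them rather than loosen the tag check. While here, the context shows `"t1482"` listed twice in MITRE_TECHNIQUES and `"process_injection"` twice in MITRE_TECHNIQUE_NAMES; harmless for membership tests, but worth deduplicating. The MITRE_TECHNIQUES list and the enclosing TestRules class both start outside the hunk.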
@@ -284,7 +285,7 @@ class TestRules(unittest.TestCase):
"t1539",
]
MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list
- MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact"]
+ MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"]
MITRE_GROUPS = ["g0001", "g0002", "g0003", "g0004", "g0005", "g0006", "g0007", "g0008", "g0009", "g0010", "g0011", "g0012", "g0013", "g0014", "g0015", "g0016", "g0017", "g0018", "g0019", "g0020", "g0021", "g0022", "g0023", "g0024", "g0025", "g0026", "g0027", "g0028", "g0029", "g0030", "g0031", "g0032", "g0033", "g0034", "g0035", "g0036", "g0037", "g0038", "g0039", "g0040", "g0041", "g0042", "g0043", "g0044", "g0045", "g0046", "g0047", "g0048", "g0049", "g0050", "g0051", "g0052", "g0053", "g0054", "g0055", "g0056", "g0057", "g0058", "g0059", "g0060", "g0061", "g0062", "g0063", "g0064", "g0065", "g0066", "g0067", "g0068", "g0069", "g0070", "g0071", "g0072", "g0073", "g0074", "g0075", "g0076", "g0077", "g0078", "g0079", "g0080", "g0081", "g0082", "g0083", "g0084", "g0085", "g0086", "g0087", "g0088", "g0089", "g0090", "g0091", "g0092", "g0093", "g0094", "g0095", "g0096"]
MITRE_SOFTWARE = ["s0001", "s0002", "s0003", "s0004", "s0005", "s0006", "s0007", "s0008", "s0009", "s0010", "s0011", "s0012", "s0013", "s0014", "s0015", "s0016", "s0017", "s0018", "s0019", "s0020", "s0021", "s0022", "s0023", "s0024", "s0025", "s0026", "s0027", "s0028", "s0029", "s0030", "s0031", "s0032", "s0033", "s0034", "s0035", "s0036", "s0037", "s0038", "s0039", "s0040", "s0041", "s0042", "s0043", "s0044", "s0045", "s0046", "s0047", "s0048", "s0049", "s0050",
"s0051", "s0052", "s0053", "s0054", "s0055", "s0056", "s0057", "s0058", "s0059", "s0060", "s0061", "s0062", "s0063", "s0064", "s0065", "s0066", "s0067", "s0068", "s0069", "s0070", "s0071", "s0072", "s0073", "s0074", "s0075", "s0076", "s0077", "s0078", "s0079", "s0080", "s0081", "s0082", "s0083", "s0084", "s0085", "s0086", "s0087", "s0088", "s0089", "s0090", "s0091", "s0092", "s0093", "s0094", "s0095", "s0096", "s0097", "s0098", "s0099", "s0100", "s0101", "s0102", "s0103", "s0104", "s0105", "s0106", "s0107", "s0108", "s0109", "s0110", "s0111", "s0112", "s0113", "s0114", "s0115", "s0116", "s0117", "s0118", "s0119", "s0120", "s0121", "s0122", "s0123", "s0124", "s0125", "s0126", "s0127", "s0128", "s0129", "s0130", "s0131", "s0132", "s0133", "s0134", "s0135", "s0136", "s0137", "s0138", "s0139", "s0140", "s0141", "s0142", "s0143", "s0144", "s0145", "s0146", "s0147", "s0148", "s0149", "s0150", "s0151", "s0152", "s0153", "s0154", "s0155", "s0156", "s0157", "s0158", "s0159", "s0160", "s0161", "s0162", "s0163", "s0164", "s0165", "s0166", "s0167", "s0168", "s0169", "s0170", "s0171", "s0172", "s0173", "s0174", "s0175", "s0176", "s0177", "s0178", "s0179", "s0180", "s0181", "s0182", "s0183", "s0184", "s0185", "s0186", "s0187", "s0188", "s0189", "s0190", "s0191", "s0192", "s0193", "s0194", "s0195", "s0196", "s0197", "s0198", "s0199", "s0200", "s0201", "s0202", "s0203", "s0204", "s0205", "s0206", "s0207", "s0208", "s0209", "s0210", "s0211", "s0212", "s0213", "s0214", "s0215", "s0216", "s0217", "s0218", "s0219", "s0220", "s0221", "s0222", "s0223", "s0224", "s0225", "s0226", "s0227", "s0228", "s0229", "s0230", "s0231", "s0232", "s0233", "s0234", "s0235", "s0236", "s0237", "s0238", "s0239", "s0240", "s0241", "s0242", "s0243", "s0244", "s0245", "s0246", "s0247", "s0248", "s0249", "s0250", "s0251", "s0252", "s0253", "s0254", "s0255", "s0256", "s0257", "s0258", "s0259", "s0260", "s0261", "s0262", "s0263", "s0264", "s0265", "s0266", "s0267", "s0268", "s0269", "s0270", "s0271", "s0272", 
"s0273", "s0274", "s0275", "s0276", "s0277", "s0278", "s0279", "s0280", "s0281", "s0282", "s0283", "s0284", "s0330", "s0331", "s0332", "s0333", "s0334", "s0335", "s0336", "s0337", "s0338", "s0339", "s0340", "s0341", "s0342", "s0343", "s0344", "s0345", "s0346", "s0347", "s0348", "s0349", "s0350", "s0351", "s0352", "s0353", "s0354", "s0355", "s0356", "s0357", "s0358", "s0359", "s0360", "s0361", "s0362", "s0363", "s0364", "s0365", "s0366", "s0367", "s0368", "s0369", "s0370", "s0371", "s0372", "s0373", "s0374", "s0375", "s0376", "s0377", "s0378", "s0379", "s0380", "s0381", "s0382", "s0383", "s0384", "s0385", "s0386", "s0387", "s0388", "s0389", "s0390", "s0391", "s0393", "s0394", "s0395", "s0396", "s0397", "s0398", "s0400", "s0401", "s0402", "s0404", "s0409", "s0410", "s0412", "s0413", "s0414", "s0415", "s0416", "s0417"]
MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE]