diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml
index 5d659fe02..2ccc6fc27 100755
--- a/rules/apt/apt_turla_commands.yml
+++ b/rules/apt/apt_turla_commands.yml
@@ -2,7 +2,6 @@ action: global
 title: Turla Group Lateral Movement
 id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
 status: experimental
-date: 2017/11/08
 description: Detects automated lateral movement by Turla group
 references:
 - https://securelist.com/the-epic-turla-operation/65545/
diff --git a/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/rules/linux/modsecurity/modsec_mulitple_blocks.yml
index 310b94db7..4122f9f16 100644
--- a/rules/linux/modsecurity/modsec_mulitple_blocks.yml
+++ b/rules/linux/modsecurity/modsec_mulitple_blocks.yml
@@ -1,6 +1,8 @@
 title: Multiple Modsecurity Blocks
 id: a06eea10-d932-4aa6-8ba9-186df72c8d23
 description: Detects multiple blocks by the mod_security module (Web Application Firewall)
+date: 2017/02/28
+author: Florian Roth
 logsource:
 product: linux
 service: modsecurity
@@ -9,10 +11,9 @@ detection:
 - 'mod_security: Access denied'
 - 'ModSecurity: Access denied'
 - 'mod_security-message: Access denied'
- timeframe: 120m
+ timeframe: 120m
 condition: selection | count() > 6
 falsepositives:
 - Vulnerability scanners
 - Frequent attacks if system faces Internet
 level: medium
-
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml
index 3aa5a5653..0cfaf8b19 100644
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
@@ -2,6 +2,7 @@ title: Persistence and Execution at scale via GPO scheduled task
 id: a8f29a7b-b137-4446-80a0-b804272f3da2
 description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
 author: Samir Bousseaden
+date: 2019/04/03
 references:
 - https://twitter.com/menasec1/status/1106899890377052160
 tags:
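Review bot: Dropping `date: 2017/11/08` from the `action: global` section removes the creation date that every other rule in this commit is gaining, and nothing in this hunk shows it being re-added to the per-document sections that follow the global block. If the date was moved into each document, that move is outside the hunk and deserves a line in the commit message; if it was not, keep `date: 2017/11/08` in the global section so this rule stays consistent with the rest of the set. The remaining documents of this multi-document file are outside the hunk.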
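Review bot: The new `date:` / `author:` pair in modsec_mulitple_blocks.yml is written in the opposite order to every other rule touched by this commit, where `date` is placed directly after `author` (see win_susp_rc4_kerberos.yml, which adds both in that order); swap the two lines to `author: Florian Roth` followed by `date: 2017/02/28`. The slash-separated `YYYY/MM/DD` form is a plain YAML string rather than a timestamp, so it is correct to leave it unquoted; an ISO `2017-02-28` would be typed as a date by most loaders, so keep the slash form when adding dates.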
@@ -19,6 +20,6 @@ detection:
 RelativeTargetName: '*ScheduledTasks.xml'
 Accesses: '*WriteData*'
 condition: selection
-falsepositives:
+falsepositives:
 - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
 level: high
diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/win_account_discovery.yml
index ce8b889ba..20f4575b4 100644
--- a/rules/windows/builtin/win_account_discovery.yml
+++ b/rules/windows/builtin/win_account_discovery.yml
@@ -8,6 +8,7 @@ tags:
 - attack.t1087
 status: experimental
 author: Samir Bousseaden
+date: 2019/04/03
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml
index 796757320..79ac84bc3 100644
--- a/rules/windows/builtin/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/win_admin_rdp_login.yml
@@ -9,6 +9,7 @@ tags:
 - car.2016-04-005
 status: experimental
 author: juju4
+date: 2017/10/29
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml
index 40afb2d8d..e489b78f6 100644
--- a/rules/windows/builtin/win_admin_share_access.yml
+++ b/rules/windows/builtin/win_admin_share_access.yml
@@ -6,6 +6,7 @@ tags:
 - attack.t1077
 status: experimental
 author: Florian Roth
+date: 2017/03/04
 logsource:
 product: windows
 service: security
@@ -17,6 +18,6 @@ detection:
 filter:
 SubjectUserName: '*$'
 condition: selection and not filter
-falsepositives:
+falsepositives:
 - Legitimate administrative activity
 level: low
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 7e4a42b2a..53bf052b7 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -7,6 +7,7 @@ tags:
 references:
 - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
+date: 2017/07/30
 logsource:
 product: windows
 service: security
@@ -18,6 +19,6 @@ detection:
 Message:
 - '*SeEnableDelegationPrivilege*'
 condition: all of them
-falsepositives:
+falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 5bddbe57e..d7693d1bd 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -6,6 +6,7 @@ references:
 - https://adsecurity.org/?p=3466
 - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 author: '@neu5ron'
+date: 2017/04/13
 tags:
 - attack.t1098
 - attack.credential_access
@@ -31,8 +32,8 @@ detection:
 AttributeLDAPDisplayName: 'servicePrincipalName'
 selection4:
 EventID: 5136
- AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
+ AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
 condition: (selection1 and not 1 of filter*) or selection2 or selection3 or selection4
-falsepositives:
+falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index d2400865e..906ac89bb 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -5,6 +5,7 @@ references:
 - https://adsecurity.org/?p=2053
 - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
+date: 2017/07/30
 tags:
 - attack.defense_evasion
 - attack.t1089
@@ -24,6 +25,6 @@ detection:
 Message:
 - '*Enabled*'
 condition: selection and keywords and filters
-falsepositives:
+falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index f823e1680..63acfa186 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -2,6 +2,7 @@ title: Remote Task Creation via ATSVC named pipe
 id: f6de6525-4509-495a-8a82-1f8b0ed73a00
 description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
 author: Samir Bousseaden
+date: 2019/04/03
 references:
 - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
 tags:
@@ -21,6 +22,6 @@ detection:
 RelativeTargetName: atsvc
 Accesses: '*WriteData*'
 condition: selection
-falsepositives:
+falsepositives:
 - pentesting
 level: medium
diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml
index b7366ad60..360f9a1b0 100644
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
@@ -2,6 +2,7 @@ title: Relevant Anti-Virus Event
 id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
 description: This detection method points out highly relevant Antivirus events
 author: Florian Roth
+date: 2017/02/19
 logsource:
 product: windows
 service: application
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index 779dd1746..20463e6a8 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -11,6 +11,7 @@ tags:
 - attack.defense_evasion
 - attack.t1054
 author: '@neu5ron'
+date: 2017/11/19
 logsource:
 product: windows
 service: security
@@ -20,6 +21,6 @@ detection:
 EventID: 4719
 AuditPolicyChanges: 'removed'
 condition: selection
-falsepositives:
+falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml
index f6ef8104f..4d358a4d1 100644
--- a/rules/windows/builtin/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/win_impacket_secretdump.yml
@@ -2,6 +2,7 @@ title: Possible Impacket SecretDump remote activity
 id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
 description: Detect AD credential dumping using impacket secretdump HKTL
 author: Samir Bousseaden
+date: 2019/04/03
 references:
 - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
 tags:
@@ -17,6 +18,6 @@ detection:
 ShareName: \\*\ADMIN$
 RelativeTargetName: 'SYSTEM32\\*.tmp'
 condition: selection
-falsepositives:
+falsepositives:
 - pentesting
 level: high
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index 767b5061f..85d7e5ed1 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -3,6 +3,7 @@ id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
 description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
 author: Samir Bousseaden
+date: 2019/04/03
 references:
 - https://twitter.com/menasec1/status/1104489274387451904
 tags:
@@ -30,14 +31,14 @@ detection:
 - 'wkssvc'
 - 'browser'
 - 'netdfs'
- - 'svcctl'
- - 'spoolss'
- - 'ntsvcs'
- - 'LSM_API_service'
- - 'HydraLsPipe'
- - 'TermSrv_API_service'
+ - 'svcctl'
+ - 'spoolss'
+ - 'ntsvcs'
+ - 'LSM_API_service'
+ - 'HydraLsPipe'
+ - 'TermSrv_API_service'
 - 'MsFteWds'
 condition: selection1 and not selection2
-falsepositives:
+falsepositives:
 - update the excluded named pipe to filter out any newly observed legit named pipe
 level: high
diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml
index 160724791..34a993cca 100644
--- a/rules/windows/builtin/win_mal_creddumper.yml
+++ b/rules/windows/builtin/win_mal_creddumper.yml
@@ -3,6 +3,7 @@ title: Malicious Service Install
 id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 description: This method detects well-known keywords of malicious services in the Windows System Eventlog
 author: Florian Roth
+date: 2017/03/05
 tags:
 - attack.credential_access
 - attack.t1003
@@ -12,7 +13,7 @@ logsource:
 service: system
 detection:
 selection1:
- EventID:
+ EventID:
 - 7045
 keywords:
 Message:
diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml
index 17d6071ee..c23a2ed29 100644
--- a/rules/windows/builtin/win_mal_service_installs.yml
+++ b/rules/windows/builtin/win_mal_service_installs.yml
@@ -2,6 +2,7 @@ title: Malicious Service Installations
 id: 5a105d34-05fc-401e-8553-272b45c1522d
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
 author: Florian Roth
+date: 2017/03/27
 tags:
 - attack.persistence
 - attack.privilege_escalation
@@ -14,7 +15,7 @@ detection:
 selection:
 EventID: 7045
 malsvc_wce:
- ServiceName:
+ ServiceName:
 - 'WCESERVICE'
 - 'WCE SERVICE'
 malsvc_paexec:
@@ -33,6 +34,6 @@ detection:
 - 'gsecdump*'
 - 'cachedump*'
 condition: selection and 1 of malsvc_*
-falsepositives:
+falsepositives:
 - Penetration testing
 level: critical
diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml
index 4754dd5e8..df16fe303 100644
--- a/rules/windows/builtin/win_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/win_mal_wceaux_dll.yml
@@ -3,6 +3,7 @@ id: 1de68c67-af5c-4097-9c85-fe5578e09e67
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
+date: 2017/06/14
 references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -22,6 +23,6 @@ detection:
 - 4663
 ObjectName: '*\wceaux.dll'
 condition: selection
-falsepositives:
+falsepositives:
 - Penetration testing
 level: critical
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index 6319edc79..582a77b97 100644
--- a/rules/windows/builtin/win_pass_the_hash.yml
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -5,6 +5,7 @@ description: Detects the attack technique pass the hash which is used to move la
 references:
 - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+date: 2017/03/08
 tags:
 - attack.lateral_movement
 - attack.t1075
diff --git a/rules/windows/builtin/win_pass_the_hash_2.yml b/rules/windows/builtin/win_pass_the_hash_2.yml
index ecbb74443..6930ee9c2 100644
--- a/rules/windows/builtin/win_pass_the_hash_2.yml
+++ b/rules/windows/builtin/win_pass_the_hash_2.yml
@@ -7,6 +7,7 @@ references:
 - https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
 - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
 author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
+date: 2019/06/14
 tags:
 - attack.lateral_movement
 - attack.t1075
diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml
index b5919e810..669c53733 100644
--- a/rules/windows/builtin/win_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/win_rare_schtasks_creations.yml
@@ -4,6 +4,7 @@ description: Detects rare scheduled tasks creations that only appear a few times
 of malicious code
 status: experimental
 author: Florian Roth
+date: 2017/03/23
 tags:
 - attack.execution
 - attack.privilege_escalation
@@ -18,8 +19,8 @@ detection:
 selection:
 EventID: 4698
 timeframe: 7d
- condition: selection | count() by TaskName < 5
-falsepositives:
+ condition: selection | count() by TaskName < 5
+falsepositives:
 - Software installation
 - Software updates
 level: low
diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml
index 9581c737a..c6469c4a6 100644
--- a/rules/windows/builtin/win_rare_service_installs.yml
+++ b/rules/windows/builtin/win_rare_service_installs.yml
@@ -4,6 +4,7 @@ description: Detects rare service installs that only appear a few times per time
 services
 status: experimental
 author: Florian Roth
+date: 2017/03/08
 tags:
 - attack.persistence
 - attack.privilege_escalation
@@ -16,8 +17,8 @@ detection:
 selection:
 EventID: 7045
 timeframe: 7d
- condition: selection | count() by ServiceFileName < 5
-falsepositives:
+ condition: selection | count() by ServiceFileName < 5
+falsepositives:
 - Software installation
 - Software updates
-level: low
\ No newline at end of file
+level: low
diff --git a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml b/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
index 1e349f0ac..ae02e2af0 100644
--- a/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
+++ b/rules/windows/builtin/win_rdp_potential_cve-2019-0708.yml
@@ -12,12 +12,13 @@ tags:
 - car.2013-07-002
 status: experimental
 author: "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)"
+date: 2019/05/24
 logsource:
 product: windows
 service: system
 detection:
 selection:
- EventID:
+ EventID:
 - 56
 - 50
 Source: TermDD
@@ -25,4 +26,3 @@ detection:
 falsepositives:
 - Bad connections or network interruptions
 level: high
-
diff --git a/rules/windows/builtin/win_susp_add_domain_trust.yml b/rules/windows/builtin/win_susp_add_domain_trust.yml
index bab673064..4a2115b0e 100644
--- a/rules/windows/builtin/win_susp_add_domain_trust.yml
+++ b/rules/windows/builtin/win_susp_add_domain_trust.yml
@@ -3,6 +3,7 @@ id: 0255a820-e564-4e40-af2b-6ac61160335c
 status: stable
 description: Addition of domains is seldom and should be verified for legitimacy.
 author: Thomas Patzke
+date: 2019/12/03
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 9188f08f8..21ac8c611 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -5,6 +5,7 @@ description: An attacker can use the SID history attribute to gain additional pr
 references:
 - https://adsecurity.org/?p=1772
 author: Thomas Patzke, @atc_project (improvements)
+date: 2017/02/19
 tags:
 - attack.persistence
 - attack.privilege_escalation
@@ -20,7 +21,7 @@ detection:
 selection2:
 EventID: 4738
 selection3:
- SidHistory:
+ SidHistory:
 - '-'
 - '%%1793'
 condition: selection1 or (selection2 and not selection3)
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index cbf38ab2f..7741c3eb5 100644
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -6,6 +6,7 @@ references:
 - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
+date: 2017/05/12
 tags:
 - attack.defense_evasion
 - attack.t1107
@@ -20,4 +21,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-
diff --git a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
index 54ac87276..34331edc5 100644
--- a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
@@ -3,6 +3,7 @@ id: 470ec5fa-7b4e-4071-b200-4c753100f49b
 status: stable
 description: Code integrity failures may indicate tampered executables.
 author: Thomas Patzke
+date: 2019/12/03
 tags:
 - attack.defense_evasion
 - attack.t1009
diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/win_susp_dsrm_password_change.yml
index f3a0a5270..98f6cbf01 100644
--- a/rules/windows/builtin/win_susp_dsrm_password_change.yml
+++ b/rules/windows/builtin/win_susp_dsrm_password_change.yml
@@ -5,6 +5,7 @@ description: The Directory Service Restore Mode (DSRM) account is a local admini
 references:
 - https://adsecurity.org/?p=1714
 author: Thomas Patzke
+date: 2017/02/19
 tags:
 - attack.persistence
 - attack.privilege_escalation
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index 65d48c6bc..ec1981f54 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -5,6 +5,7 @@ references:
 - https://twitter.com/deviouspolack/status/832535435960209408
 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth
+date: 2017/01/10
 tags:
 - attack.defense_evasion
 - attack.t1070
@@ -20,4 +21,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-
diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
index 1d295f805..f97ec0a0a 100644
--- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml
@@ -3,6 +3,7 @@ id: 9eb99343-d336-4020-a3cd-67f3819e68ee
 description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
 author: Florian Roth
+date: 2017/02/19
 modified: 2019/03/01
 references:
 - https://twitter.com/SBousseaden/status/1101431884540710913
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
index a39d32260..d3941c305 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -2,6 +2,7 @@ title: Multiple Failed Logins with Different Accounts from Single Source System
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 description: Detects suspicious failed logins with different user accounts from a single source system
 author: Florian Roth
+date: 2017/01/10
 tags:
 - attack.persistence
 - attack.privilege_escalation
@@ -20,7 +21,7 @@ detection:
 EventID: 4776
 UserName: '*'
 Workstation: '*'
- timeframe: 24h
+ timeframe: 24h
 condition:
 - selection1 | count(UserName) by WorkstationName > 3
 - selection2 | count(UserName) by Workstation > 3
@@ -28,7 +29,5 @@ falsepositives:
 - Terminal servers
 - Jump servers
 - Other multiuser systems like Citrix server farms
- - Workstations with frequently changing users
+ - Workstations with frequently changing users
 level: medium
-
-
diff --git a/rules/windows/builtin/win_susp_interactive_logons.yml b/rules/windows/builtin/win_susp_interactive_logons.yml
index 10fd8ed6b..a4a55eb4a 100644
--- a/rules/windows/builtin/win_susp_interactive_logons.yml
+++ b/rules/windows/builtin/win_susp_interactive_logons.yml
@@ -2,6 +2,7 @@ title: Interactive Logon to Server Systems
 id: 3ff152b2-1388-4984-9cd9-a323323fdadf
 description: Detects interactive console logons to
 author: Florian Roth
+date: 2017/03/17
 tags:
 - attack.lateral_movement
 - attack.t1078
@@ -26,5 +27,3 @@ detection:
 falsepositives:
 - Administrative activity via KVM or ILO board
 level: medium
-
-
diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/win_susp_kerberos_manipulation.yml
index 78940cb18..0edd7c679 100644
--- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml
+++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml
@@ -2,6 +2,7 @@ title: Kerberos Manipulation
 id: f7644214-0eb0-4ace-9455-331ec4c09253
 description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
 author: Florian Roth
+date: 2017/02/10
 tags:
 - attack.credential_access
 - attack.t1212
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml
index 46527786e..52921441c 100644
--- a/rules/windows/builtin/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump.yml
@@ -2,6 +2,7 @@ title: Password Dumper Activity on LSASS
 id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
 description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
 status: experimental
+date: 2017/02/12
 references:
 - https://twitter.com/jackcr/status/807385668833968128
 tags:
diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index 68cd02701..7ac778420 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -5,6 +5,7 @@ description: Detects activity as "net user administrator /domain" and "net group
 references:
 - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)
+date: 2017/03/07
 tags:
 - attack.discovery
 - attack.t1087
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index 3530469c6..27aa7dc1f 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
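Review bot: In win_susp_lsass_dump.yml the new `date: 2017/02/12` sits between `status: experimental` and `references:` with no `author:` line visible anywhere in the hunk, whereas this same commit adds a missing `author` together with `date` in win_susp_rc4_kerberos.yml and modsec_mulitple_blocks.yml. If the file carries no author further down (the rest of the rule is outside the hunk), this is the place to add one, e.g. `author: <rule author placeholder>` directly above the new `date` line, so every rule in the set ends up with both attribution fields.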
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -3,6 +3,7 @@ id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
 description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
 author: Samir Bousseaden
+date: 2019/04/03
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
 tags:
@@ -25,6 +26,6 @@ detection:
 ShareName: \\*\IPC$
 RelativeTargetName: 'PSEXESVC*'
 condition: selection1 and not selection2
-falsepositives:
+falsepositives:
 - nothing observed so far
 level: high
diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
index 9faa3588f..dbd7063bc 100644
--- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
@@ -2,6 +2,7 @@ title: Suspicious access to sensitive file extensions
 id: 91c945bc-2ad1-4799-a591-4d00198a1215
 description: Detects known sensitive file extensions
 author: Samir Bousseaden
+date: 2019/04/03
 tags:
 - attack.collection
 logsource:
@@ -18,7 +19,7 @@ detection:
 - '*.nst'
 - '*.oab'
 - '*.edb'
- - '*.nsf'
+ - '*.nsf'
 - '*.bak'
 - '*.dmp'
 - '*.kirbi'
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 7e54b1822..534151c45 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -8,6 +8,8 @@ tags:
 - attack.credential_access
 - attack.t1208
 description: Detects service ticket requests using RC4 encryption type
+author: Florian Roth
+date: 2017/02/06
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index d0a832625..8ce625a45 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -6,6 +6,7 @@ tags:
 - attack.credential_access
 - attack.t1003
 author: Florian Roth
+date: 2018/01/27
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/win_susp_samr_pwset.yml
index c33a69078..e1b6cc39e 100644
--- a/rules/windows/builtin/win_susp_samr_pwset.yml
+++ b/rules/windows/builtin/win_susp_samr_pwset.yml
@@ -3,6 +3,7 @@ id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951
 description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
 author: Dimitrios Slamaris
+date: 2017/06/09
 tags:
 - attack.credential_access
 - attack.t1212
@@ -17,6 +18,6 @@ detection:
 EventID: 4738
 passwordchanged_filter:
 PasswordLastSet: null
- timeframe: 15s
+ timeframe: 15s
 condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe
 level: medium
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 0556c1a32..5f8df21e5 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -3,6 +3,7 @@ id: 39a80702-d7ca-4a83-b776-525b1f86a36d
 status: experimental
 description: Detects renaming of file while deletion with SDelete tool
 author: Thomas Patzke
+date: 2017/06/14
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
index 01c05c9db..7b0b7dccf 100644
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
@@ -6,6 +6,7 @@ tags:
 - attack.t1070
 - car.2016-04-002
 author: Florian Roth
+date: 2017/02/19
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml
index 9d7e71e2d..e9627a54e 100644
--- a/rules/windows/builtin/win_susp_wmi_login.yml
+++ b/rules/windows/builtin/win_susp_wmi_login.yml
@@ -3,6 +3,7 @@ id: 5af54681-df95-4c26-854f-2565e13cfab0
 status: stable
 description: Detection of logins performed with WMI
 author: Thomas Patzke
+date: 2019/12/04
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index aa1481c54..3395df59e 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
@@ -2,6 +2,7 @@ title: Remote Service Activity Detected via SVCCTL named pipe
 id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
 description: Detects remote remote service activity via remote access to the svcctl named pipe
 author: Samir Bousseaden
+date: 2019/04/03
 references:
 - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
 tags:
@@ -18,6 +19,6 @@ detection:
 RelativeTargetName: svcctl
 Accesses: '*WriteData*'
 condition: selection
-falsepositives:
+falsepositives:
 - pentesting
 level: medium
diff --git a/rules/windows/builtin/win_usb_device_plugged.yml b/rules/windows/builtin/win_usb_device_plugged.yml
index d64947202..a61f460da 100644
--- a/rules/windows/builtin/win_usb_device_plugged.yml
+++ b/rules/windows/builtin/win_usb_device_plugged.yml
@@ -6,6 +6,7 @@ references:
 - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 status: experimental
 author: Florian Roth
+date: 2017/11/09
 tags:
 - attack.initial_access
 - attack.t1200
@@ -14,11 +15,11 @@ logsource:
 service: driver-framework
 detection:
 selection:
- EventID:
+ EventID:
 - 2003 # Loading drivers
 - 2100 # Pnp or power management
 - 2102 # Pnp or power management
 condition: selection
-falsepositives:
+falsepositives:
 - Legitimate administrative activity
 level: low
diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/win_user_added_to_local_administrators.yml
index 3cf70e705..4e0575255 100644
--- a/rules/windows/builtin/win_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/win_user_added_to_local_administrators.yml
@@ -4,6 +4,7 @@ description: This rule triggers on user accounts that are added to the local Adm
 activity
 status: stable
 author: Florian Roth
+date: 2017/03/14
 tags:
 - attack.privilege_escalation
 - attack.t1078
diff --git a/rules/windows/builtin/win_user_creation.yml b/rules/windows/builtin/win_user_creation.yml
index d2042cdf4..f639370f6 100644
--- a/rules/windows/builtin/win_user_creation.yml
+++ b/rules/windows/builtin/win_user_creation.yml
@@ -9,6 +9,7 @@ tags:
 references:
 - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
 author: Patrick Bareiss
+date: 2019/04/18
 logsource:
 product: windows
 service: security
@@ -20,9 +21,7 @@ fields:
 - EventCode
 - AccountName
 - AccountDomain
-falsepositives:
+falsepositives:
 - Domain Controller Logs
 - Local accounts managed by privileged account management tools
 level: low
-
-
diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/win_rare_schtask_creation.yml
index f0a58825b..2992ab30c 100644
--- a/rules/windows/other/win_rare_schtask_creation.yml
+++ b/rules/windows/other/win_rare_schtask_creation.yml
@@ -8,6 +8,7 @@ tags:
 - attack.t1053
 - attack.s0111
 author: Florian Roth
+date: 2017/03/17
 logsource:
 product: windows
 service: taskscheduler
@@ -15,7 +16,7 @@ detection:
 selection:
 EventID: 106
 timeframe: 7d
- condition: selection | count() by TaskName < 5
+ condition: selection | count() by TaskName < 5
 falsepositives:
 - Software installation
 level: low
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 5fc09919e..e5e2a57a2 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -4,6 +4,7 @@ id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
+date: 2017/06/12
 references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -42,4 +43,3 @@ detection:
 sysmon_processcreation:
 Image: '*\PSEXESVC.exe'
 User: 'NT AUTHORITY\SYSTEM'
-
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 7c81200d5..31c991944 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -3,6 +3,7 @@ id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
 status: experimental
 description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
 author: Florian Roth
+date: 2017/08/22
 references:
 - https://twitter.com/mattifestation/status/899646620148539397
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
@@ -28,4 +29,3 @@ detection:
 falsepositives:
 - Unknown (data set is too small; further testing needed)
 level: medium
-
diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml
index 746017ee8..b136b1566 100644
--- a/rules/windows/powershell/powershell_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_downgrade_attack.yml
@@ -9,6 +9,7 @@ tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule), Lee Holmes (idea)
+date: 2017/03/22
logsource:
product: windows
service: powershell-classic
@@ -17,7 +18,7 @@ detection:
EventID: 400
EngineVersion: '2.*'
filter:
- HostVersion: '2.*'
+ HostVersion: '2.*'
condition: selection and not filter
falsepositives:
- Penetration Test
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index a85fc0a76..531404d2e 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -9,13 +9,14 @@ tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
logsource:
product: windows
service: powershell-classic
detection:
selection1:
EventID: 400
- EngineVersion:
+ EngineVersion:
- '2.*'
- '4.*'
- '5.*'
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index b2fb35698..04c495efe 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -9,6 +9,7 @@ tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index 997a44d36..1fb45807c 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -9,6 +9,7 @@ tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml
index 126b95114..422ed4ead 100644
--- a/rules/windows/powershell/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.t1096
author: Sami Ruohonen
+date: 2018/07/24
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index 832480a2e..9b810c4b6 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -7,9 +7,10 @@ references:
- https://t.co/ezOTGy1a1G
tags:
- attack.execution
- - attack.credential_access
+ - attack.credential_access
- attack.t1086
author: John Lambert (idea), Florian Roth (rule)
+date: 2017/04/09
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml
index c6fc8a2ad..c955031d0 100644
--- a/rules/windows/powershell/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_psattack.yml
@@ -8,6 +8,7 @@ tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
logsource:
product: windows
service: powershell
@@ -15,7 +16,7 @@ logsource:
detection:
selection:
EventID: 4103
- keyword:
+ keyword:
- 'PS ATTACK!!!'
condition: all of them
falsepositives:
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index d5cd90fdc..2ab91194c 100644
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -6,6 +6,7 @@ tags:
- attack.execution
- attack.t1086
author: Florian Roth
+date: 2017/03/05
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
index c621ce4a0..df1c48764 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
@@ -6,6 +6,7 @@ tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule)
+date: 2017/03/12
logsource:
product: windows
service: powershell
@@ -25,4 +26,3 @@ falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
level: high
-
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 849ff7386..41b6f78bc 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -6,6 +6,7 @@ tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule)
+date: 2017/03/05
logsource:
product: windows
service: powershell
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index 52f584eff..f6aebbc9a 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -3,6 +3,7 @@ id: 4281cb20-2994-4580-aa63-c8b86d019934
status: experimental
description: Detects usage of attrib.exe to hide files from users.
author: Sami Ruohonen
+date: 2019/01/16
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml
index c1ce08bc2..6bd553745 100644
--- a/rules/windows/process_creation/win_bypass_squiblytwo.yml
+++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml
@@ -9,6 +9,7 @@ tags:
- attack.defense_evasion
- attack.t1047
author: Markus Neis / Florian Roth
+date: 2019/01/16
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index ed6784abb..9a880199a 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -6,6 +6,7 @@ references:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
author: jmallette
+date: 2019/01/16
tags:
- attack.credential_access
- attack.t1003
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index d3609b0a3..67f9fe097 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -12,6 +12,7 @@ tags:
- car.2019-04-001
author: Nik Seetharaman
modified: 2019/07/31
+date: 2019/01/16
references:
- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- https://twitter.com/hFireF0X/status/897640081053364225
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 3e9b73c2f..d294395c6 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
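Review bot: The new `date: 2019/01/16` in the win_cmstp_com_object_access.yml hunk is inserted after `modified: 2019/07/31`, so the creation date is listed after the last-modified date; the win_susp_certutil_command.yml hunk further down has the same ordering (`modified: 2019/01/22` then `date: 2019/01/16`), whereas the win_susp_process_creations.yml hunk in this commit puts `date:` before `modified:`. Placing `date:` directly after `author:` in both files, ahead of `modified:`, keeps the header order consistent across the rule set and makes the two dates read chronologically. Purely a layout point; the values themselves are not affected.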
@@ -4,6 +4,7 @@ status: experimental description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil author: Florian Roth, Tom Ueltschi +date: 2019/01/16 references: - https://securelist.com/schroedingers-petya/78870/ - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml index e0c054a4f..251a3a0a6 100644 --- a/rules/windows/process_creation/win_malware_script_dropper.yml +++ b/rules/windows/process_creation/win_malware_script_dropper.yml @@ -3,6 +3,7 @@ id: cea72823-df4d-4567-950c-0b579eaf0846 status: experimental description: Detects wscript/cscript executions of scripts located in user directories author: Margaritis Dimitrios (idea), Florian Roth (rule) +date: 2019/01/16 tags: - attack.defense_evasion - attack.execution diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index 3ad40d5f4..4f515c017 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml @@ -5,6 +5,7 @@ description: Detects WannaCry ransomware activity references: - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) +date: 2019/01/16 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml index 44cf45358..bf207bebf 100644 --- a/rules/windows/process_creation/win_mmc_spawn_shell.yml 
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -3,6 +3,7 @@ id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: experimental
description: Detects a Windows command line executable started from MMC.
author: Karneades, Swisscom CSIRT
+date: 2019/08/05
tags:
- attack.lateral_movement
- attack.t1175
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index 09c629cf9..3909f7213 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
@@ -5,6 +5,7 @@ description: Detects a Windows command line executable started from MSHTA.
references:
- https://www.trustedsec.com/july-2015/malicious-htas/
author: Michael Haag
+date: 2019/01/16
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_multiple_suspicious_cli.yml b/rules/windows/process_creation/win_multiple_suspicious_cli.yml
index 07a134d85..7ff7f8368 100644
--- a/rules/windows/process_creation/win_multiple_suspicious_cli.yml
+++ b/rules/windows/process_creation/win_multiple_suspicious_cli.yml
@@ -5,7 +5,7 @@ status: experimental
references:
- https://car.mitre.org/wiki/CAR-2013-04-002
author: juju4
-modified: 2012/12/11
+date: 2019/01/16
tags:
- car.2013-04-002
logsource:
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 32949bb0b..65b988f85 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -6,6 +6,7 @@ references:
- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
author: juju4
+date: 2019/01/16
tags:
- attack.defense_evasion
- attack.t1118
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index 8b33fab1e..83b93e133 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -3,6 +3,7 @@ id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
status: experimental
description: Detects a Powershell process that contains download commands in its command line string
author: Florian Roth
+date: 2019/01/16
tags:
- attack.t1086
- attack.execution
diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
index 6c86a60a0..41a0f1cdc 100644
--- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
@@ -8,6 +8,7 @@ tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
+date: 2019/01/16
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index fa3c44ae4..1509516e8 100644
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -8,6 +8,7 @@ tags:
- attack.persistence
- attack.t1138
author: Markus Neis
+date: 2019/01/16
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml
index 02e99ab96..789ca30b3 100644
--- a/rules/windows/process_creation/win_susp_certutil_command.yml
+++ b/rules/windows/process_creation/win_susp_certutil_command.yml
@@ -5,6 +5,7 @@ description: Detects a suspicious Microsoft certutil execution with sub commands
the built-in certutil utility
author: Florian Roth, juju4, keepwatch
modified: 2019/01/22
+date: 2019/01/16
references:
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://twitter.com/subTee/status/888102593838362624
diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml
index b76cf2779..c40ebfd72 100644
--- a/rules/windows/process_creation/win_susp_cli_escape.yml
+++ b/rules/windows/process_creation/win_susp_cli_escape.yml
@@ -9,7 +9,7 @@ references:
- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
-modified: 2018/12/11
+date: 2018/12/11
tags:
- attack.defense_evasion
- attack.t1140
diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
index cd30ec714..8b07ae043 100644
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -7,6 +7,7 @@ references:
- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth
+date: 2019/01/16
tags:
- attack.execution
- attack.t1059
diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml
index b694706f6..9e4136cd9 100644
--- a/rules/windows/process_creation/win_susp_execution_path.yml
+++ b/rules/windows/process_creation/win_susp_execution_path.yml
@@ -3,6 +3,7 @@ id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: experimental
description: Detects a suspicious exection from an uncommon folder
author: Florian Roth
+date: 2019/01/16
tags:
- attack.defense_evasion
- attack.t1036
diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
index 5f6cc31a1..be5af6256 100644
--- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
@@ -3,6 +3,7 @@ id: 35efb964-e6a5-47ad-bbcd-19661854018d
status: experimental
description: Detects a suspicious program execution in a web service root folder (filter out false positives)
author: Florian Roth
+date: 2019/01/16
tags:
- attack.persistence
- attack.t1100
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index 2047cc8ba..d9b0a18e9 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -5,7 +5,7 @@ status: experimental
references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
author: Florian Roth
-modified: 2012/12/11
+date: 2012/12/11
tags:
- attack.persistence
- attack.t1100
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index e33184b6a..bee85020a 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -5,6 +5,7 @@ description: Detects execution of Net.exe, whether suspicious or benign.
references:
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
author: Michael Haag, Mark Woan (improvements)
+date: 2019/01/16
tags:
- attack.s0039
- attack.lateral_movement
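Review bot: `date: 2012/12/11` in the win_susp_iss_module_install.yml hunk cannot be the rule's creation date: the only reference the rule cites is a January 2018 Unit 42 write-up, so a 2012 creation date predates its own source by five years. The same `2012/12/11` value is treated as bogus elsewhere in this commit (the win_multiple_suspicious_cli.yml hunk replaces it with `2019/01/16`), and the win_susp_cli_escape.yml hunk performs the identical `modified:`-to-`date:` conversion with `2018/12/11`, which suggests the value here was meant to be `date: 2018/12/11`. Worth checking the file history before it is committed, since downstream tooling sorts and reports on this field.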
diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml
index 73204eff2..a8c2f6fd3 100644
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml
+++ b/rules/windows/process_creation/win_susp_ntdsutil.yml
@@ -5,6 +5,7 @@ status: experimental
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
+date: 2019/01/16
tags:
- attack.credential_access
- attack.t1003
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index eeed06ee1..4476b047d 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -8,6 +8,7 @@ tags:
- attack.execution
- attack.t1086
author: John Lambert (rule)
+date: 2019/01/16
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index 005103626..6ffb5b18c 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
@@ -3,6 +3,7 @@ id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: experimental
description: Detects suspicious powershell invocations from interpreters or unusual programs
author: Florian Roth
+date: 2019/01/16
references:
- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
tags:
diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml
index e3a04345e..03bbaaf51 100644
--- a/rules/windows/process_creation/win_susp_process_creations.yml
+++ b/rules/windows/process_creation/win_susp_process_creations.yml
@@ -15,6 +15,7 @@ references:
- https://twitter.com/vector_sec/status/896049052642533376
- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
author: Florian Roth
+date: 2018/01/01
modified: 2018/12/11
tags:
- car.2013-07-001
diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
index b6b0645ef..6a4b02334 100644
--- a/rules/windows/process_creation/win_susp_rasdial_activity.yml
+++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml
@@ -5,6 +5,7 @@ status: experimental
references:
- https://twitter.com/subTee/status/891298217907830785
author: juju4
+date: 2019/01/16
tags:
- attack.defense_evasion
- attack.execution
diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml
index 416df94e1..e85a02859 100644
--- a/rules/windows/process_creation/win_susp_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_recon_activity.yml
@@ -3,6 +3,7 @@ id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: experimental
description: Detects suspicious command line activity on Windows systems
author: Florian Roth
+date: 2019/01/16
tags:
- attack.discovery
- attack.t1087
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index 728a335ad..ce51e4b7b 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -3,6 +3,7 @@ id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
status: experimental
description: Detects various anomalies in relation to regsvr32.exe
author: Florian Roth
+date: 2019/01/16
references:
- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
tags:
diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml
index d98d1a934..c00c297d4 100644
--- a/rules/windows/process_creation/win_susp_run_locations.yml
+++ b/rules/windows/process_creation/win_susp_run_locations.yml
@@ -5,6 +5,7 @@ status: experimental
references:
- https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4
+date: 2019/01/16
tags:
- attack.defense_evasion
- attack.t1036
@@ -25,7 +26,7 @@ detection:
- 'C:\\Windows\\addins\\*'
- 'C:\\Windows\\cursors\\*'
- 'C:\\Windows\\system32\tasks\\*'
-
+
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index 5f6ce9221..c388da171 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -11,6 +11,7 @@ tags:
- attack.execution
- attack.t1085
author: juju4
+date: 2019/01/16
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 56bd486c3..7c2d3fa6e 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -3,6 +3,7 @@ id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: experimental
description: Detects the creation of scheduled tasks in user session
author: Florian Roth
+date: 2019/01/16
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml
index 49a8b5d85..2ca057993 100644
--- a/rules/windows/process_creation/win_susp_script_execution.yml
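Review bot: `'C:\\Windows\\system32\tasks\\*'` in the second win_susp_run_locations.yml hunk escapes the backslash before `tasks` with a single `\`, while every sibling entry in the same list (`\\addins`, `\\cursors`) uses the doubled form. Under Sigma's escaping rules a lone backslash in front of a letter is presumably still emitted as a literal backslash, so the pattern likely matches today, but the mixed style is easy to "correct" the wrong way during a later edit and it is the one path in this hunk that does not follow the file's own convention; `- 'C:\\Windows\\system32\\tasks\\*'` brings it in line. The line is unchanged context, but the commit already reworks the whitespace line immediately below it, so it is the natural place to fix.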
+++ b/rules/windows/process_creation/win_susp_script_execution.yml
@@ -3,6 +3,7 @@ id: 1e33157c-53b1-41ad-bbcc-780b80b58288
status: experimental
description: Detects suspicious file execution by wscript and cscript
author: Michael Haag
+date: 2019/01/16
tags:
- attack.execution
- attack.t1064
diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
index 7e0152106..05353f260 100644
--- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.execution
author: Karneades / Markus Neis
+date: 2019/11/12
falsepositives:
- 1Clipboard
- Beaker Browser
@@ -53,6 +54,4 @@ detection:
- '*--processStart*.exe*'
- '*--processStartAndWait*.exe*'
- '*–createShortcut*.exe*'
- condition: selection
-
-
+ condition: selection
diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
index 2fa53df60..1cb98e715 100644
--- a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
@@ -3,6 +3,7 @@ id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
status: experimental
description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
author: Florian Roth, Michael Haag
+date: 2019/01/16
references:
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
index cb433e1f5..dd9091e4d 100644
--- a/rules/windows/process_creation/win_susp_wmi_execution.yml
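Review bot: `'*–createShortcut*.exe*'` in the second win_susp_squirrel_lolbin.yml hunk starts the switch with a Unicode en dash (U+2013), whereas the two sibling entries (`--processStart`, `--processStartAndWait`) use two ASCII hyphens. A real command line carries the ASCII form, so this pattern never matches and the `createShortcut` variant is silently not covered by the rule; `- '*--createShortcut*.exe*'` restores it. The line is unchanged context, but the commit already rewrites the `condition:` line two lines below, so the fix belongs in this hunk rather than a follow-up; the rest of the `selection` list starts above the hunk.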
+++ b/rules/windows/process_creation/win_susp_wmi_execution.yml
@@ -7,6 +7,7 @@ references:
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
author: Michael Haag, Florian Roth, juju4
+date: 2019/01/16
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
index 7734060b3..db262a82b 100644
--- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
@@ -2,6 +2,7 @@ title: Java Running with Remote Debugging
id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
author: Florian Roth
+date: 2019/01/16
tags:
- attack.discovery
- attack.t1046
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 60194d327..b287f94a9 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -3,6 +3,7 @@ id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: experimental
description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
author: Thomas Patzke
+date: 2019/01/16
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml
index 7c5549c84..496138fde 100644
--- a/rules/windows/process_creation/win_workflow_compiler.yml
+++ b/rules/windows/process_creation/win_workflow_compiler.yml
@@ -7,6 +7,7 @@ tags:
- attack.execution
- attack.t1127
author: Nik Seetharaman
+date: 2019/01/16
references:
- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
logsource:
diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml
index 8c2dde9f5..676d077ae 100644
--- a/rules/windows/sysmon/sysmon_cactustorch.yml
+++ b/rules/windows/sysmon/sysmon_cactustorch.yml
@@ -6,6 +6,7 @@ references:
- https://github.com/mdsecactivebreach/CACTUSTORCH
status: experimental
author: '@SBousseaden (detection), Thomas Patzke (rule)'
+date: 2019/02/01
logsource:
product: windows
service: sysmon
diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/sysmon/sysmon_cmstp_execution.yml
index e2024ce79..37a9827c4 100644
--- a/rules/windows/sysmon/sysmon_cmstp_execution.yml
+++ b/rules/windows/sysmon/sysmon_cmstp_execution.yml
@@ -10,6 +10,7 @@ tags:
- attack.g0069
- car.2019-04-001
author: Nik Seetharaman
+date: 2018/07/16
references:
- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
detection:
@@ -45,4 +46,4 @@ logsource:
detection:
# CMSTP Spawning Child Process
selection1:
- ParentImage: '*\cmstp.exe'
\ No newline at end of file
+ ParentImage: '*\cmstp.exe'
diff --git a/rules/windows/sysmon/sysmon_invoke_phantom.yml b/rules/windows/sysmon/sysmon_invoke_phantom.yml
index bcc268eb0..622ad5aed 100644
--- a/rules/windows/sysmon/sysmon_invoke_phantom.yml
+++ b/rules/windows/sysmon/sysmon_invoke_phantom.yml
@@ -3,6 +3,7 @@ id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: experimental
description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
author: Tim Burrell
+date: 2020/01/02
references:
- https://github.com/hlldz/Invoke-Phant0m
- https://twitter.com/timbmsft/status/900724491076214784
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
index 1e99dc4fd..3aaa74908 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@@ -10,6 +10,7 @@ tags:
- attack.persistence
- attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
@@ -24,7 +25,7 @@ detection:
exec_exclusion1:
Image: '*\explorer.exe'
exec_exclusion2:
- CommandLine:
+ CommandLine:
- '*\netlogon.bat'
- '*\UsrLogon.cmd'
condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
diff --git a/rules/windows/sysmon/sysmon_lsass_memdump.yml b/rules/windows/sysmon/sysmon_lsass_memdump.yml
index 1e7177f3b..d6e7d045a 100644
--- a/rules/windows/sysmon/sysmon_lsass_memdump.yml
+++ b/rules/windows/sysmon/sysmon_lsass_memdump.yml
@@ -3,6 +3,7 @@ id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
author: Samir Bousseaden
+date: 2019/04/03
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
tags:
diff --git a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
index 3d071cf93..c157917ec 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
@@ -11,6 +11,8 @@ tags:
- attack.s0002
- attack.credential_access
- car.2019-04-004
+author: Sherif Eldeeb
+date: 2017/10/18
logsource:
product: windows
service: sysmon
@@ -19,8 +21,8 @@ detection: EventID: 10 TargetImage: 'C:\windows\system32\lsass.exe' GrantedAccess: - - '0x1410' - - '0x1010' + - '0x1410' + - '0x1010' condition: selection falsepositives: - unknown diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml index 881f90581..58f1cf585 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml @@ -13,6 +13,7 @@ tags: logsource: product: windows service: sysmon +date: 2017/03/13 detection: selector: EventID: 7 @@ -20,7 +21,7 @@ detection: dllload1: ImageLoaded: '*\vaultcli.dll' dllload2: - ImageLoaded: '*\wlanapi.dll' + ImageLoaded: '*\wlanapi.dll' exclusion: ImageLoaded: - 'ntdsapi.dll' diff --git a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml index 6da688007..871724ab2 100644 --- a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml +++ b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml @@ -5,6 +5,7 @@ references: - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ status: stable author: Patryk Prauze - ING Tech +date: 2019/05/20 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml index bb2597a46..70a4246e7 100644 --- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml +++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml @@ -6,6 +6,7 @@ references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm status: stable author: Thomas Patzke +date: 2017/02/19 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml index 95ee587fc..55f834625 100644 --- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml 
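Review bot: The `GrantedAccess` list that survives on the new side of the sysmon_mimikatz_detection_lsass.yml hunk is an exact match on two masks (`'0x1410'`, `'0x1010'`), so any LSASS handle opened with a different combination of rights is not caught; other masks are commonly reported for credential-dumping tools (e.g. `0x1438`, `0x143a`, `0x1fffff`) and I would verify against the referenced samples before extending the list. With `falsepositives: - unknown` on an Event ID 10 rule targeting lsass.exe, expect noise from AV/EDR agents that legitimately open LSASS with these rights; a `SourceImage` filter for vetted security tooling is worth documenting in the rule.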
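Review bot: In the first sysmon_mimikatz_inmemory_detection.yml hunk, `date: 2017/03/13` is inserted between `service: sysmon` and `detection:`; with the indentation lost in this view I cannot tell whether it sits at column 0 or is nested under `logsource:`, where the Sigma tooling would treat it as a logsource attribute rather than rule metadata. Every other rule in this commit places `date:` beside `status:`/`author:`, and putting it in the top-level metadata block above `tags:` (visible in the hunk header) removes the ambiguity and keeps the files consistent.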
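Review bot: In the second sysmon_mimikatz_inmemory_detection.yml hunk, the `exclusion` entry `- 'ntdsapi.dll'` has no leading `*\`, unlike `'*\vaultcli.dll'` and `'*\wlanapi.dll'` in `dllload1`/`dllload2`; since Sysmon's `ImageLoaded` carries the full path, a backend that does exact matching never matches this value and the exclusion is dead, leaving the rule noisier than intended. `- '*\ntdsapi.dll'` makes it consistent with the other patterns; the exclusion list may continue past the end of the hunk, so the same check applies to any further entries.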
+++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml @@ -4,6 +4,7 @@ status: experimental description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') author: Florian Roth +date: 2017/03/13 references: - https://www.youtube.com/watch?v=DLtJTxMWZ2o tags: @@ -18,7 +19,7 @@ detection: Image: '*\powershell.exe' Initiated: 'true' filter: - DestinationIp: + DestinationIp: - '10.*' - '192.168.*' - '172.16.*' diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 5ffb6c7e3..1bfec5e13 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -2,6 +2,7 @@ title: Suspicious Driver Load from Temp id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 description: Detects a driver load from a temporary directory author: Florian Roth +date: 2017/02/12 tags: - attack.persistence - attack.t1050 @@ -14,5 +15,5 @@ detection: ImageLoaded: '*\Temp\\*' condition: selection falsepositives: - - there is a relevant set of false positives depending on applications in the environment + - there is a relevant set of false positives depending on applications in the environment level: medium diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index dc341febe..02b5ffab3 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -6,6 +6,7 @@ references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 author: Florian Roth +date: 2017/03/19 logsource: product: windows service: sysmon 
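Review bot: The `DestinationIp` filter in the sysmon_powershell_network_connection.yml detection hunk ends at `- '172.16.*'`, which covers only 172.16.0.0/16, while RFC 1918 private space is 172.16.0.0/12 (172.16 through 172.31); unless the list continues beyond the hunk with the remaining ranges, connections to e.g. 172.20.x.x are reported as external and loopback (`127.*`) is not filtered either. The description already says to adjust the filter to the environment, so a comment on the list, `# RFC 1918: 10/8, 172.16/12, 192.168/16 — extend with company ranges`, would make the intent explicit. Separately, `Image: '*\powershell.exe'` does not cover `pwsh.exe` or `powershell_ise.exe`, which may be deliberate but is worth stating in the rule.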
@@ -29,4 +30,4 @@ tags: - car.2019-04-001 falsepositives: - unknown -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml index 9a612b739..2bc390154 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml @@ -5,12 +5,13 @@ description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\comma references: - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ author: Omer Yampel +date: 2017/03/17 logsource: product: windows service: sysmon detection: selection: - EventID: 13 + EventID: 13 TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand' condition: selection tags: @@ -21,4 +22,3 @@ tags: falsepositives: - unknown level: high - diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml index 808b3e193..0f6cd4975 100644 --- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml +++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml @@ -6,6 +6,7 @@ references: - https://twitter.com/M_haggis/status/900741347035889665 - https://twitter.com/M_haggis/status/1032799638213066752 author: Michael Haag (idea), Florian Roth (rule) +date: 2017/08/24 tags: - attack.lateral_movement - attack.t1105 @@ -16,7 +17,7 @@ detection: selection: EventID: 3 Initiated: 'true' - DestinationHostname: + DestinationHostname: - '*.github.com' - '*.githubusercontent.com' Image: 'C:\Windows\\*' @@ -25,4 +26,3 @@ falsepositives: - 'Unknown' - '@subTee in your network' level: high -
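Review bot: In the sysmon_win_binary_github_com.yml detection hunk, `DestinationHostname` on a Sysmon Event ID 3 is, as far as I know, the name Sysmon resolves for the destination IP, not the hostname the process requested, so `*.github.com` / `*.githubusercontent.com` only fire when the PTR record for the CDN address happens to carry that suffix; a download of raw content may therefore go unobserved. A complementary Sysmon Event ID 22 (DNS query) rule on `QueryName` with the same patterns would catch the request independently of reverse DNS, and `*.github.com` should also be paired with `github.com` itself in case the apex name is recorded. `Image: 'C:\Windows\\*'` restricts this to system binaries, which matches the title but is worth noting in the description.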