From ec827cccb634cf628a80062292dc86265ef909cb Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 2 Jun 2025 13:29:48 +0200
Subject: [PATCH] Merge PR #5448 from @nasbench - Promote older rules status from `experimental` to `test`

Co-authored-by: nasbench
---
 ...on_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml | 2 +-
 .../win_security_exploit_cve_2024_37085_esxi_admins_group.yml | 2 +-
 ...age_load_malware_raspberry_robin_side_load_aclui_oleview.yml | 2 +-
 ...malware_raspberry_robin_internet_settings_zonemap_tamper.yml | 2 +-
 .../FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml | 2 +-
 .../file_event_win_apt_forest_blizzard_activity.yml | 2 +-
 .../process_creation/proc_creation_macos_pbpaste_execution.yml | 2 +-
 .../file_access_win_browsers_chromium_sensitive_files.yml | 2 +-
 .../file/file_access/file_access_win_browsers_credential.yml | 2 +-
 .../file_access_win_office_outlook_mail_credential.yml | 2 +-
 .../file/file_access/file_access_win_susp_reg_and_hive.yml | 2 +-
 .../file/file_access/file_access_win_susp_unattend_xml.yml | 2 +-
 .../windows/image_load/image_load_office_word_wll_load.yml | 2 +-
 .../process_creation/proc_creation_win_boinc_execution.yml | 2 +-
 .../proc_creation_win_conhost_headless_execution.yml | 2 +-
 ...c_creation_win_remote_access_tools_ammyy_admin_execution.yml | 2 +-
 ...oc_creation_win_remote_access_tools_anyviewer_shell_exec.yml | 2 +-
 .../audit/kubernetes_audit_change_admission_controller.yml | 2 +-
 .../kubernetes/audit/kubernetes_audit_cronjob_modification.yml | 2 +-
 .../audit/kubernetes_audit_rolebinding_modification.yml | 2 +-
 .../audit/kubernetes_audit_secrets_modified_or_deleted.yml | 2 +-
 .../aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml | 2 +-
 .../cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml | 2 +-
 .../github/github_fork_private_repos_enabled_or_cleared.yml | 2 +-
 rules/cloud/github/github_repo_or_org_transferred.yml | 2 +-
 rules/cloud/github/github_secret_scanning_feature_disabled.yml | 2 +-
 rules/cloud/github/github_ssh_certificate_config_changed.yml | 2 +-
 .../create_remote_thread_win_susp_relevant_source_image.yml | 2 +-
 .../create_remote_thread_win_susp_target_shell_application.yml | 2 +-
 .../create_remote_thread_win_susp_uncommon_source_image.yml | 2 +-
 .../create_remote_thread_win_susp_uncommon_target_image.yml | 2 +-
 .../file_access_win_susp_credential_manager_access.yml | 2 +-
 .../windows/file/file_access/file_access_win_susp_credhist.yml | 2 +-
 .../file_access_win_susp_crypto_currency_wallets.yml | 2 +-
 .../file_access_win_susp_dpapi_master_key_access.yml | 2 +-
 .../windows/file/file_access/file_access_win_susp_gpo_files.yml | 2 +-
 .../file/file_access/file_access_win_teams_sensitive_files.yml | 2 +-
 .../file/file_event/file_event_win_regedit_print_as_pdf.yml | 2 +-
 rules/windows/image_load/image_load_side_load_dbgmodel.yml | 2 +-
 .../image_load_side_load_from_non_system_location.yml | 2 +-
 rules/windows/image_load/image_load_side_load_mpsvc.yml | 2 +-
 rules/windows/image_load/image_load_side_load_mscorsvc.yml | 2 +-
 .../net_connection_win_domain_azurewebsites.yml | 2 +-
 .../proc_creation_win_bitlockertogo_execution.yml | 2 +-
 .../proc_creation_win_conhost_headless_powershell.yml | 2 +-
 .../process_creation/proc_creation_win_renamed_boinc.yml | 2 +-
 .../process_creation/proc_creation_win_renamed_msteams.yml | 2 +-
 .../process_creation/proc_creation_win_susp_no_image_name.yml | 2 +-
 .../proc_creation_win_susp_system_exe_anomaly.yml | 2 +-
 .../registry/registry_set/registry_set_dsrm_tampering.yml | 2 +-
 50 files changed, 50 insertions(+), 50 deletions(-)

diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
index 5837c6fd5..08dcb1f2d 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
@@ -1,6 +1,6 @@
 title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
 id: c408acfe-2870-41df-8d2f-9f4daa4555ed
-status: experimental
+status: test
 description: |
     Detects execution of the "net.exe" command in order to add a group named "ESX Admins".
     This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
index 5523d8faf..4651d4fdf 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
@@ -1,6 +1,6 @@
 title: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
 id: 47a1658b-67a4-48e2-8ab1-c10437fc0148
-status: experimental
+status: test
 description: |
     Detects any creation or modification to a windows domain group with the name "ESX Admins".
     This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
index 6997815dd..0281d3f9e 100644
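Review bot: Each of these hunks changes only `status: experimental` to `status: test`, and the rule's `modified:` date, which sits outside the hunk, is left untouched; if the project treats a status promotion as a rule modification, that line should be bumped in the same commit for every promoted file, so confirm against the contribution guide before merging. The `test` status as defined in the Sigma specification asserts that the rule showed no obvious false positives on a limited set of test systems, and a promotion keyed on rule age (the subject line says "older rules") does not by itself establish that; a sentence in the PR description naming the criterion actually applied (age threshold, absence of open false-positive issues, or similar) would make the promotion reviewable. The same point applies to every hunk in this patch; the remainder of each rule, including its detection block, lies outside the hunks.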
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
@@ -1,6 +1,6 @@
 title: Potential Raspberry Robin Aclui Dll SideLoading
 id: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a
-status: experimental
+status: test
 description: |
     Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
 references:
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
index 678fac216..fcd309079 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
@@ -1,6 +1,6 @@
 title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
 id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
-status: experimental
+status: test
 description: |
     Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
     Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
diff --git a/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
index d0d753755..b2eff8a83 100644
--- a/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
+++ b/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
@@ -1,6 +1,6 @@
 title: Potential APT FIN7 Exploitation Activity
 id: 6676896b-2cce-422d-82af-5a1abe65e241
-status: experimental
+status: test
 description: |
     Detects potential APT FIN7 exploitation activity as reported by Google.
     In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
index 0a1f2e98b..d2f700f99 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
@@ -1,6 +1,6 @@
 title: Forest Blizzard APT - File Creation Activity
 id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
-status: experimental
+status: test
 description: |
     Detects the creation of specific files inside of ProgramData directory.
     These files were seen being created by Forest Blizzard as described by MSFT.
diff --git a/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml b/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
index 8e9e4a13f..5504cffa6 100644
--- a/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
+++ b/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
@@ -1,6 +1,6 @@
 title: Clipboard Data Collection Via Pbpaste
 id: d8af0da1-2959-40f9-a3e4-37a6aa1228b7
-status: experimental
+status: test
 description: |
     Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
     The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
index a6091aabc..9935966df 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
@@ -1,6 +1,6 @@
 title: Access To Chromium Browsers Sensitive Files By Uncommon Applications
 id: c5f37810-a85f-4186-81e9-33f23abb4141
-status: experimental
+status: test
 description: |
     Detects file access requests to chromium based browser sensitive files by uncommon processes.
     Could indicate potential attempt of stealing sensitive information.
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
index 55e297ba6..51423a65e 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
@@ -3,7 +3,7 @@ id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
 related:
     - id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
       type: similar
-status: experimental
+status: test
 description: |
     Detects file access requests to browser credential stores by uncommon processes.
     Could indicate potential attempt of credential stealing.
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
index c5c62f3a4..b9860563c 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
@@ -1,6 +1,6 @@
 title: Access To Windows Outlook Mail Files By Uncommon Applications
 id: fc3e237f-2fef-406c-b90d-b3ae7e02fa8f
-status: experimental
+status: test
 description: |
     Detects file access requests to Windows Outlook Mail by uncommon processes.
     Could indicate potential attempt of credential stealing.
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
index 05bfeb775..3864c282a 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
@@ -1,6 +1,6 @@
 title: Access To .Reg/.Hive Files By Uncommon Applications
 id: 337a31c6-46c4-46be-886a-260d7aa78cac
-status: experimental
+status: test
 description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
 references:
     - https://github.com/tccontre/Reg-Restore-Persistence-Mole
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml
index f59209aae..391400d75 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml
@@ -1,6 +1,6 @@
 title: Unattend.XML File Access Attempt
 id: 76a26006-0942-430b-8249-bd51d448f8e5
-status: experimental
+status: test
 description: |
     Detects attempts to access the "unattend.xml" file, where credentials might be stored.
     This file is used during the unattended windows install process.
diff --git a/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml b/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml
index 83216e9d3..bad8a6741 100644
--- a/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml
@@ -1,6 +1,6 @@
 title: Microsoft Word Add-In Loaded
 id: 1337afba-d17d-4d23-bd55-29b927603b30
-status: experimental
+status: test
 description: |
     Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
 references:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
index b2778eabe..d660b2eac 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
@@ -1,6 +1,6 @@
 title: Potential BOINC Software Execution (UC-Berkeley Signature)
 id: 0090b851-3543-42db-828c-02fee986ff0b
-status: experimental
+status: test
 description: |
     Detects the use of software that is related to the University of California, Berkeley via metadata information.
     This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
index d87ce4179..802c15cb8 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
@@ -3,7 +3,7 @@ id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
 related:
     - id: 056c7317-9a09-4bd4-9067-d051312752ea
       type: derived
-status: experimental
+status: test
 description: |
     Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
     The "--headless" flag hides the windows from the user upon execution.
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml
index e1373fbde..fd4967f1c 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml
@@ -1,6 +1,6 @@
 title: Remote Access Tool - Ammy Admin Agent Execution
 id: 7da7809e-f3d5-47a3-9d5d-fc9d019caf14
-status: experimental
+status: test
 description: Detects the execution of the Ammy Admin RMM agent for remote management.
 references:
     - https://www.ammyy.com/en/admin_features.html
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml
index 6cb7249e6..1d20c0409 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml
@@ -1,6 +1,6 @@
 title: Remote Access Tool - Cmd.EXE Execution via AnyViewer
 id: bc533330-fc29-44c0-b245-7dc6e5939c87
-status: experimental
+status: test
 description: |
     Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
 references:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
index 49a309442..ac3e76663 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
@@ -3,7 +3,7 @@ id: eed82177-38f5-4299-8a76-098d50d225ab
 related:
     - id: 6ad91e31-53df-4826-bd27-0166171c8040
       type: similar
-status: experimental
+status: test
 description: |
     Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
 references:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml b/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml
index bba854189..74799fda0 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml
@@ -3,7 +3,7 @@ id: 0c9b3bda-41a6-4442-9345-356ae86343dc
 related:
     - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
       type: similar
-status: experimental
+status: test
 description: |
     Detects when a Kubernetes CronJob or Job is created or modified.
     A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml b/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml
index d1f141b0c..898a2124a 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml
@@ -3,7 +3,7 @@ id: 10b97915-ec8d-455f-a815-9a78926585f6
 related:
     - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
       type: similar
-status: experimental
+status: test
 description: |
     Detects when a Kubernetes Rolebinding is created or modified.
 references:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml
index 2dda1ef23..790cec58b 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml
@@ -3,7 +3,7 @@ id: 58d31a75-a4f8-4c40-985b-373d58162ca2
 related:
     - id: 2f0bae2d-bf20-4465-be86-1311addebaa3
       type: similar
-status: experimental
+status: test
 description: |
     Detects when Kubernetes Secrets are Modified or Deleted.
 references:
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
index 9cd318eba..7f7367ce8 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
@@ -1,6 +1,6 @@
 title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
 id: 352a918a-34d8-4882-8470-44830c507aa3
-status: experimental
+status: test
 description: |
     Detects when an instance identity has taken an action that isn't inside SSM.
     This can indicate that a compromised EC2 instance is being used as a pivot point.
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
index 2a29d3cb0..76d7601fb 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
@@ -1,6 +1,6 @@
 title: Potential Malicious Usage of CloudTrail System Manager
 id: 38e7f511-3f74-41d4-836e-f57dfa18eead
-status: experimental
+status: test
 description: |
     Detect when System Manager successfully executes commands against an instance.
 references:
diff --git a/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml b/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
index 0f4e0ceec..b7efbb07f 100644
--- a/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
+++ b/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
@@ -1,6 +1,6 @@
 title: Github Fork Private Repositories Setting Enabled/Cleared
 id: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
-status: experimental
+status: test
 description: |
     Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
 references:
diff --git a/rules/cloud/github/github_repo_or_org_transferred.yml b/rules/cloud/github/github_repo_or_org_transferred.yml
index 17bb54e72..8fe904c39 100644
--- a/rules/cloud/github/github_repo_or_org_transferred.yml
+++ b/rules/cloud/github/github_repo_or_org_transferred.yml
@@ -1,6 +1,6 @@
 title: Github Repository/Organization Transferred
 id: 04ad83ef-1a37-4c10-b57a-81092164bf33
-status: experimental
+status: test
 description: Detects when a repository or an organization is being transferred to another location.
 references:
     - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
diff --git a/rules/cloud/github/github_secret_scanning_feature_disabled.yml b/rules/cloud/github/github_secret_scanning_feature_disabled.yml
index a0a258a0d..248a304e4 100644
--- a/rules/cloud/github/github_secret_scanning_feature_disabled.yml
+++ b/rules/cloud/github/github_secret_scanning_feature_disabled.yml
@@ -1,6 +1,6 @@
 title: Github Secret Scanning Feature Disabled
 id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8
-status: experimental
+status: test
 description: Detects if the secret scanning feature is disabled for an enterprise or repository.
 references:
     - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
diff --git a/rules/cloud/github/github_ssh_certificate_config_changed.yml b/rules/cloud/github/github_ssh_certificate_config_changed.yml
index 4cd9733ad..03f8a0b2c 100644
--- a/rules/cloud/github/github_ssh_certificate_config_changed.yml
+++ b/rules/cloud/github/github_ssh_certificate_config_changed.yml
@@ -1,6 +1,6 @@
 title: Github SSH Certificate Configuration Changed
 id: 2f575940-d85e-4ddc-af13-17dad6f1a0ef
-status: experimental
+status: test
 description: Detects when changes are made to the SSH certificate configuration of the organization.
 references:
     - https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
index 99cbf4cf9..ea1923a06 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
@@ -3,7 +3,7 @@ id: 02d1d718-dd13-41af-989d-ea85c7fab93f
 related:
     - id: 66d31e5f-52d6-40a4-9615-002d3789a119
       type: derived
-status: experimental
+status: test
 description: Detects uncommon processes creating remote threads.
 references:
     - Personal research, statistical analysis
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
index 646644329..f896763ea 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
@@ -1,6 +1,6 @@
 title: Remote Thread Created In Shell Application
 id: a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f
-status: experimental
+status: test
 description: |
     Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE".
     It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
index ea5eeaeb6..1d91f4726 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
@@ -3,7 +3,7 @@ id: 66d31e5f-52d6-40a4-9615-002d3789a119
 related:
     - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
       type: derived
-status: experimental
+status: test
 description: Detects uncommon processes creating remote threads.
 references:
     - Personal research, statistical analysis
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
index e822c90b8..5c59f4cf8 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
@@ -3,7 +3,7 @@ id: a1a144b7-5c9b-4853-a559-2172be8d4a03
 related:
     - id: f016c716-754a-467f-a39e-63c06f773987
       type: obsolete
-status: experimental
+status: test
 description: Detects uncommon target processes for remote thread creation
 references:
     - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
diff --git a/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml b/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml
index 2a4c3e495..277e9a8f6 100644
--- a/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml
@@ -1,6 +1,6 @@
 title: Credential Manager Access By Uncommon Applications
 id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
-status: experimental
+status: test
 description: |
     Detects suspicious processes based on name and location that access the windows credential manager and vault.
     Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
diff --git a/rules/windows/file/file_access/file_access_win_susp_credhist.yml b/rules/windows/file/file_access/file_access_win_susp_credhist.yml
index 6f4f6cf95..f129c4b04 100644
--- a/rules/windows/file/file_access/file_access_win_susp_credhist.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_credhist.yml
@@ -1,6 +1,6 @@
 title: Access To Windows Credential History File By Uncommon Applications
 id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2
-status: experimental
+status: test
 description: |
     Detects file access requests to the Windows Credential History File by an uncommon application.
     This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
diff --git a/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml b/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
index cbb3fe648..2ff5e893b 100644
--- a/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
@@ -1,6 +1,6 @@
 title: Access To Crypto Currency Wallets By Uncommon Applications
 id: f41b0311-44f9-44f0-816d-dd45e39d4bc8
-status: experimental
+status: test
 description: |
     Detects file access requests to crypto currency files by uncommon processes.
     Could indicate potential attempt of crypto currency wallet stealing.
diff --git a/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml
index 13f0cc587..63602eca5 100644
--- a/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml
@@ -1,6 +1,6 @@
 title: Access To Windows DPAPI Master Keys By Uncommon Applications
 id: 46612ae6-86be-4802-bc07-39b59feb1309
-status: experimental
+status: test
 description: |
     Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
     This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
diff --git a/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml b/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml
index c872d1b21..70019aa4d 100644
--- a/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml
@@ -3,7 +3,7 @@ id: d51694fe-484a-46ac-92d6-969e76d60d10
 related:
     - id: 8344c19f-a023-45ff-ad63-a01c5396aea0
       type: derived
-status: experimental
+status: test
 description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
 references:
     - https://github.com/vletoux/pingcastle
diff --git a/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml b/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
index 0600f8ec8..967a4f5d6 100644
--- a/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
+++ b/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
@@ -1,6 +1,6 @@
 title: Microsoft Teams Sensitive File Access By Uncommon Applications
 id: 65744385-8541-44a6-8630-ffc824d7d4cc
-status: experimental
+status: test
 description: |
     Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
 references:
diff --git a/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
index ee665d939..d2f962112 100644
--- a/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
+++ b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
@@ -1,6 +1,6 @@
 title: PDF File Created By RegEdit.EXE
 id: 145095eb-e273-443b-83d0-f9b519b7867b
-status: experimental
+status: test
 description: |
 Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
 This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
diff --git a/rules/windows/image_load/image_load_side_load_dbgmodel.yml b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
index 12381fca7..d53e57dd0 100644
--- a/rules/windows/image_load/image_load_side_load_dbgmodel.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
@@ -1,6 +1,6 @@
 title: Potential DLL Sideloading Of DbgModel.DLL
 id: fef394cd-f44d-4040-9b18-95d92fe278c0
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "DbgModel.dll"
 references:
 - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 865b0c272..4676c0b39 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -1,6 +1,6 @@
 title: Potential System DLL Sideloading From Non System Locations
 id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
-status: experimental
+status: test
 description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)
diff --git a/rules/windows/image_load/image_load_side_load_mpsvc.yml b/rules/windows/image_load/image_load_side_load_mpsvc.yml
index 07edf5456..66b2298b5 100644
--- a/rules/windows/image_load/image_load_side_load_mpsvc.yml
+++ b/rules/windows/image_load/image_load_side_load_mpsvc.yml
@@ -1,6 +1,6 @@
 title: Potential DLL Sideloading Of MpSvc.DLL
 id: 5ba243e5-8165-4cf7-8c69-e1d3669654c1
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "MpSvc.dll".
 references:
 - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
diff --git a/rules/windows/image_load/image_load_side_load_mscorsvc.yml b/rules/windows/image_load/image_load_side_load_mscorsvc.yml
index ce48661e5..4e9c022c0 100644
--- a/rules/windows/image_load/image_load_side_load_mscorsvc.yml
+++ b/rules/windows/image_load/image_load_side_load_mscorsvc.yml
@@ -1,6 +1,6 @@
 title: Potential DLL Sideloading Of MsCorSvc.DLL
 id: cdb15e19-c2d0-432a-928e-e49c8c60dcf2
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "mscorsvc.dll".
 references:
 - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
diff --git a/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml b/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
index 84e2304f9..248cf0add 100644
--- a/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
@@ -3,7 +3,7 @@ id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
 related:
 - id: e043f529-8514-4205-8ab0-7f7d2927b400
 type: derived
-status: experimental
+status: test
 description: |
 Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml b/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
index 11e43cab3..0addfb2d4 100644
--- a/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
@@ -1,6 +1,6 @@
 title: BitLockerTogo.EXE Execution
 id: 7f2376f9-42ee-4dfc-9360-fecff9a88fc8
-status: experimental
+status: test
 description: |
 Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
index b8bd90059..175c2c0c4 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
@@ -3,7 +3,7 @@ id: 056c7317-9a09-4bd4-9067-d051312752ea
 related:
 - id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
 type: derived
-status: experimental
+status: test
 description: |
 Detects the use of powershell commands from headless ConHost window.
 The "--headless" flag hides the windows from the user upon execution.
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml b/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
index 8cef62847..29dfd682c 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
@@ -1,6 +1,6 @@
 title: Renamed BOINC Client Execution
 id: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc
-status: experimental
+status: test
 description: Detects the execution of a renamed BOINC binary.
 references:
 - https://boinc.berkeley.edu/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
index c72c7ddbc..65fd63328 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
@@ -1,6 +1,6 @@
 title: Renamed Microsoft Teams Execution
 id: 88f46b67-14d4-4f45-ac2c-d66984f22191
-status: experimental
+status: test
 description: Detects the execution of a renamed Microsoft Teams binary.
 references:
 - Internal Research
diff --git a/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml b/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
index 90915ed40..7a095964b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
@@ -1,6 +1,6 @@
 title: Process Launched Without Image Name
 id: f208d6d8-d83a-4c2c-960d-877c37da84e5
-status: experimental
+status: test
 description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
 references:
 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index c1ac8bf19..d18fd88d9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -3,7 +3,7 @@ id: e4a6b256-3e47-40fc-89d2-7a477edd6915
 related:
 - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
 type: derived
-status: experimental
+status: test
 description: |
 Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
index 2570713f8..7dfbbebd5 100644
--- a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
@@ -3,7 +3,7 @@ id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
 related:
 - id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
 type: similar
-status: experimental
+status: test
 description: |
 Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.