From f7288933644b8b4b609f47bb367c8c0e5928452f Mon Sep 17 00:00:00 2001 
From: Florian Roth
Date: Sat, 18 Jun 2022 17:43:22 +0200
Subject: [PATCH] refactor: rule level adjustments - critical to high
---
...kernel_and_3rd_party_drivers_exploits_token_stealing.yml | 6 ++---- rules/application/antivirus/av_webshell.yml | 2 +- .../lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml | 2 +- ..._auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml | 2 +- rules/linux/builtin/lnx_sudo_cve_2019_14287.yml | 2 +- ...roc_creation_lnx_cve_2022_26134_atlassian_confluence.yml | 2 +- rules/proxy/proxy_turla_comrat.yml | 2 +- rules/proxy/proxy_ursnif_malware_download_url.yml | 2 +- rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml | 2 +- rules/web/web_unc2546_dewmode_php_webshell.yml | 2 +- rules/windows/builtin/dns_server/win_susp_dns_config.yml | 2 +- .../builtin/msexchange/win_exchange_cve_2021_42321.yml | 2 +- .../win_exploit_cve_2021_1675_printspooler_operational.yml | 2 +- .../builtin/security/win_dcom_iertutil_dll_hijack.yml | 2 +- .../security/win_dpapi_domain_backupkey_extraction.yml | 2 +- .../security/win_dpapi_domain_masterkey_backup_attempt.yml | 2 +- rules/windows/builtin/security/win_etw_modification.yml | 2 +- .../security/win_lsass_access_non_system_account.yml | 2 +- rules/windows/builtin/security/win_net_ntlm_downgrade.yml | 2 +- .../security/win_protected_storage_service_access.yml | 2 +- .../builtin/security/win_rdp_bluekeep_poc_scanner.yml | 2 +- .../security/win_register_new_logon_process_by_rubeus.yml | 2 +- .../security/win_sam_registry_hive_handle_request.yml | 2 +- .../security/win_samaccountname_spoofing_cve_2021_42287.yml | 2 +- .../builtin/security/win_scm_database_handle_failure.yml | 2 +- .../security/win_security_cobaltstrike_service_installs.yml | 2 +- .../windows/builtin/security/win_syskey_registry_access.yml | 2 +- .../security/win_sysmon_channel_reference_deletion.yml | 2 +- .../builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml | 2 +- rules/windows/builtin/system/win_ntfs_vuln_exploit.yml | 2 +-
rules/windows/builtin/system/win_susp_dhcp_config.yml | 2 +- .../windows/builtin/system/win_susp_dhcp_config_failed.yml | 2 +- .../windefend/win_defender_tamper_protection_trigger.yml | 2 +- .../sysmon_createremotethread_loadlibrary.yml | 2 +- rules/windows/create_stream_hash/sysmon_ads_executable.yml | 2 +- .../file_event/file_event_win_cve_2021_26858_msexchange.yml | 2 +- .../file_event/file_event_win_webshell_creation_detect.yml | 2 +- .../file_event/file_event_win_winword_cve_2021_40444.yml | 2 +- .../image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml | 2 +- .../pipe_created/pipe_created_efspotato_namedpipe.yml | 2 +- .../posh_pc_delete_volume_shadow_copies.yml | 2 +- .../powershell/powershell_script/posh_ps_shellcode_b64.yml | 2 +- .../proc_access_win_direct_syscall_ntopenprocess.yml | 2 +- .../process_access/proc_access_win_svchost_cred_dump.yml | 2 +- .../proc_creation_win_apt_apt29_thinktanks.yml | 2 +- .../process_creation/proc_creation_win_apt_chafer_mar18.yml | 2 +- .../process_creation/proc_creation_win_apt_cloudhopper.yml | 2 +- .../proc_creation_win_apt_lazarus_activity_apr21.yml | 2 +- .../process_creation/proc_creation_win_apt_sofacy.yml | 2 +- .../process_creation/proc_creation_win_apt_taidoor.yml | 2 +- .../process_creation/proc_creation_win_apt_unc2452_cmds.yml | 2 +- .../proc_creation_win_cobaltstrike_load_by_rundll32.yml | 2 +- .../proc_creation_win_control_panel_item.yml | 2 +- .../proc_creation_win_crime_snatch_ransomware.yml | 2 +- .../proc_creation_win_cve_2021_26857_msexchange.yml | 4 ++-- .../proc_creation_win_encoded_frombase64string.yml | 2 +- .../process_creation/proc_creation_win_encoded_iex.yml | 2 +- .../proc_creation_win_etw_modification_cmdline.yml | 2 +- .../proc_creation_win_exploit_cve_2020_10189.yml | 2 +- .../process_creation/proc_creation_win_hack_adcspwn.yml | 2 +- .../windows/process_creation/proc_creation_win_hashcat.yml | 2 +- .../proc_creation_win_impacket_lateralization.yml | 2 +- 
.../process_creation/proc_creation_win_malware_emotet.yml | 2 +- .../process_creation/proc_creation_win_malware_formbook.yml | 2 +- .../process_creation/proc_creation_win_malware_ryuk.yml | 2 +- .../proc_creation_win_malware_trickbot_wermgr.yml | 2 +- .../proc_creation_win_mavinject_proc_inj.yml | 2 +- .../proc_creation_win_proxy_execution_wuauclt.yml | 2 +- .../proc_creation_win_renamed_powershell.yml | 2 +- .../process_creation/proc_creation_win_renamed_procdump.yml | 2 +- .../proc_creation_win_shadow_copies_deletion.yml | 2 +- .../proc_creation_win_susp_control_cve_2021_40444.yml | 2 +- .../proc_creation_win_susp_devtoolslauncher.yml | 2 +- .../proc_creation_win_susp_powershell_empire_launch.yml | 2 +- .../proc_creation_win_susp_procdump_lsass.yml | 2 +- .../proc_creation_win_susp_servu_process_pattern.yml | 2 +- .../proc_creation_win_susp_shell_spawn_from_mssql.yml | 2 +- .../proc_creation_win_susp_shimcache_flush.yml | 2 +- .../proc_creation_win_susp_svchost_no_cli.yml | 2 +- .../proc_creation_win_sysmon_uac_bypass_eventvwr.yml | 2 +- .../registry/registry_add/registry_add_mal_ursnif.yml | 2 +- .../registry_event_disable_wdigest_credential_guard.yml | 2 +- .../registry_event/registry_event_net_ntlm_downgrade.yml | 2 +- .../registry_event_persistence_recycle_bin.yml | 2 +- .../registry/registry_set/registry_set_etw_disabled.yml | 2 +- .../registry_set/registry_set_globalflags_persistence.yml | 4 ++-- .../registry_set/registry_set_uac_bypass_eventvwr.yml | 2 +- 87 files changed, 90 insertions(+), 92 deletions(-)
diff --git a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
index d31c5a55a..15ee148e8 100644
--- a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
@@ -21,7 +21,5 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
-enrichment:
- - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
+level: high
+
diff --git a/rules/application/antivirus/av_webshell.yml b/rules/application/antivirus/av_webshell.yml
index 3d759a76b..d8f2f4465 100644
--- a/rules/application/antivirus/av_webshell.yml
+++ b/rules/application/antivirus/av_webshell.yml
@@ -72,4 +72,4 @@ fields:
 - User
 falsepositives:
 - Unlikely
-level: critical
+level: high
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
index e4d19520a..e2f5e16f0 100644
--- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
@@ -39,4 +39,4 @@ detection:
 condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
index 959262999..b125fa602 100644
--- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
@@ -26,4 +26,4 @@ detection:
 condition: selection | count() by host > 50
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
index 2b1d7f6cd..b059c59d0 100644
--- a/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
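Review bot: The hunk for rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml removes the whole `enrichment:` block (both `EN_000x` entries) and appends an empty line (`+`), which goes beyond the "critical to high" level adjustment the subject line describes. If dropping the enrichment references is intended, the commit message should say so, since a reader skimming a bulk re-levelling commit will not expect rule content to change. The trailing `+` also leaves a blank last line in the file, which yamllint's empty-lines check flags; the hunk would be cleaner as just `+level: high`.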
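Review bot: In rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml the rewritten final line `+level: high` is still followed by `\ No newline at end of file`; since the commit already touches the last line of the file, terminating it with a newline would fix the missing-EOF-newline lint finding at no extra cost. The same applies to the hunks for lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml, lnx_sudo_cve_2019_14287.yml, proxy_ursnif_malware_download_url.yml, web_unc2546_dewmode_php_webshell.yml, win_security_cobaltstrike_service_installs.yml, file_event_win_cve_2021_26858_msexchange.yml, proc_creation_win_apt_lazarus_activity_apr21.yml and proc_creation_win_apt_unc2452_cmds.yml.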
@@ -22,4 +22,4 @@ detection:
 condition: selection_keywords
 falsepositives:
 - Unlikely
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml b/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
index 32a4b6da7..8fa4944dc 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
@@ -37,4 +37,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml
index 41b3aa242..c546ddb69 100644
--- a/rules/proxy/proxy_turla_comrat.yml
+++ b/rules/proxy/proxy_turla_comrat.yml
@@ -15,7 +15,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.defense_evasion
 - attack.command_and_control
diff --git a/rules/proxy/proxy_ursnif_malware_download_url.yml b/rules/proxy/proxy_ursnif_malware_download_url.yml
index 764eabfb6..a320ba350 100644
--- a/rules/proxy/proxy_ursnif_malware_download_url.yml
+++ b/rules/proxy/proxy_ursnif_malware_download_url.yml
@@ -22,4 +22,4 @@ fields:
 - c-ua
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml b/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml
index 1061b978c..1412d23d8 100644
--- a/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml
+++ b/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml
@@ -29,7 +29,7 @@ fields:
 - c-dns
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.t1190
 - attack.initial_access
diff --git a/rules/web/web_unc2546_dewmode_php_webshell.yml b/rules/web/web_unc2546_dewmode_php_webshell.yml
index 2bf1fa7d1..3904369b9 100644
--- a/rules/web/web_unc2546_dewmode_php_webshell.yml
+++ b/rules/web/web_unc2546_dewmode_php_webshell.yml
@@ -28,4 +28,4 @@ fields:
 - response
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/dns_server/win_susp_dns_config.yml b/rules/windows/builtin/dns_server/win_susp_dns_config.yml
index 9a90fb155..4fa2be81d 100644
--- a/rules/windows/builtin/dns_server/win_susp_dns_config.yml
+++ b/rules/windows/builtin/dns_server/win_susp_dns_config.yml
@@ -20,7 +20,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.defense_evasion
 - attack.t1574.002
diff --git a/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml b/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
index ada32d571..baaab06e8 100644
--- a/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml
@@ -20,7 +20,7 @@ detection:
 condition: selection and keywords
 falsepositives:
 - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
-level: critical
+level: high
 tags:
 - attack.lateral_movement
 - attack.t1210
\ No newline at end of file
diff --git a/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
index b10629f3c..5564f0358 100644
--- a/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -3,7 +3,6 @@ id: f34d942d-c8c4-4f1f-b196-22471aecf10a
 description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
 author: Florian Roth
 status: experimental
-level: critical
 references:
 - https://twitter.com/MalwareJake/status/1410421967463731200
 date: 2021/07/01
@@ -27,3 +26,4 @@ fields:
 - DriverAdded
 falsepositives:
 - Unknown
+level: critical
diff --git a/rules/windows/builtin/security/win_dcom_iertutil_dll_hijack.yml b/rules/windows/builtin/security/win_dcom_iertutil_dll_hijack.yml
index 293fa0aad..3870e393c 100644
--- a/rules/windows/builtin/security/win_dcom_iertutil_dll_hijack.yml
+++ b/rules/windows/builtin/security/win_dcom_iertutil_dll_hijack.yml
@@ -19,7 +19,7 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.lateral_movement
 - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
index d9be671c8..653f15b89 100644
--- a/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml
@@ -19,7 +19,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.credential_access
 - attack.t1003.004
diff --git a/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
index 919d985b3..0b560a2a8 100644
--- a/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -20,7 +20,7 @@ fields:
 - SubjectUserName
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.credential_access
 - attack.t1003.004
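Review bot: In win_exploit_cve_2021_1675_printspooler_operational.yml the `level` key is only relocated from the header (`-level: critical` in the first hunk) to the end of the file (`+level: critical` in the second hunk) and keeps the value `critical`, whereas the subject line says "critical to high" and every other hunk in this commit lowers the value. If this rule is meant to stay at critical because it keys on successful driver loads rather than attempts, that exception is worth one sentence in the commit message; otherwise the re-added line should read `level: high`. The diffstat entry of `2 +-` for this file is consistent with a pure move, so the omission looks accidental rather than a conflict artefact, but the intent cannot be confirmed from the hunks alone.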
diff --git a/rules/windows/builtin/security/win_etw_modification.yml b/rules/windows/builtin/security/win_etw_modification.yml
index d4135914f..efb89f471 100644
--- a/rules/windows/builtin/security/win_etw_modification.yml
+++ b/rules/windows/builtin/security/win_etw_modification.yml
@@ -27,7 +27,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.defense_evasion
 - attack.t1112
diff --git a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
index 0fd9ca77a..4db2ccc9e 100644
--- a/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml
@@ -59,4 +59,4 @@ fields:
 - ProcessName
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
index 731069c17..59519734f 100644
--- a/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml
@@ -33,4 +33,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/builtin/security/win_protected_storage_service_access.yml b/rules/windows/builtin/security/win_protected_storage_service_access.yml
index 006a8a330..46c9b9bcb 100644
--- a/rules/windows/builtin/security/win_protected_storage_service_access.yml
+++ b/rules/windows/builtin/security/win_protected_storage_service_access.yml
@@ -18,7 +18,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.lateral_movement
 - attack.t1021.002
diff --git a/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml
index b19f45340..09e0d6da2 100644
--- a/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml
@@ -22,4 +22,4 @@ detection:
 condition: selection
 falsepositives:
 - Unlikely
-level: critical
+level: high
diff --git a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
index 05f1fe83e..b74afc4c3 100644
--- a/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml
@@ -21,4 +21,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/builtin/security/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/security/win_sam_registry_hive_handle_request.yml
index ed1ec811b..4eea92ea9 100644
--- a/rules/windows/builtin/security/win_sam_registry_hive_handle_request.yml
+++ b/rules/windows/builtin/security/win_sam_registry_hive_handle_request.yml
@@ -24,7 +24,7 @@ fields:
 - ObjectName
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.discovery
 - attack.t1012
diff --git a/rules/windows/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml b/rules/windows/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml
index 00da452b2..67f05345d 100644
--- a/rules/windows/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml
+++ b/rules/windows/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml
@@ -21,4 +21,4 @@ fields:
 - SubjectUserName
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/builtin/security/win_scm_database_handle_failure.yml b/rules/windows/builtin/security/win_scm_database_handle_failure.yml
index a664dac6e..8c4b4c652 100644
--- a/rules/windows/builtin/security/win_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/security/win_scm_database_handle_failure.yml
@@ -24,4 +24,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
index a43b13e25..fde145255 100644
--- a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
@@ -41,4 +41,4 @@ detection:
 condition: event_id and 1 of selection*
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/security/win_syskey_registry_access.yml b/rules/windows/builtin/security/win_syskey_registry_access.yml
index dd972ae9e..5f93a98ad 100644
--- a/rules/windows/builtin/security/win_syskey_registry_access.yml
+++ b/rules/windows/builtin/security/win_syskey_registry_access.yml
@@ -24,7 +24,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.discovery
 - attack.t1012
diff --git a/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
index 3b2c04657..bd21549a4 100644
--- a/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
+++ b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml
@@ -30,7 +30,7 @@ detection:
 condition: selection1 or selection2
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.defense_evasion
 - attack.t1112
diff --git a/rules/windows/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml
index 2d6b84363..bf1aa6f62 100644
--- a/rules/windows/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -20,7 +20,7 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
index 598d337da..98d0f2b8d 100644
--- a/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
+++ b/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml
@@ -23,7 +23,7 @@ detection:
 condition: selection
 falsepositives:
 - Unlikely
-level: critical
+level: high
 tags:
 - attack.impact
 - attack.t1499.001
\ No newline at end of file
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config.yml b/rules/windows/builtin/system/win_susp_dhcp_config.yml
index 43daa66bb..64e0bc6a1 100644
--- a/rules/windows/builtin/system/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/system/win_susp_dhcp_config.yml
@@ -22,4 +22,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
index 1a1d87fbd..b911aba68 100644
--- a/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml
@@ -25,4 +25,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index a87228d9f..39a621373 100644
--- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
@@ -11,7 +11,7 @@ tags:
 - attack.t1562.001
 falsepositives:
 - Administrator actions
-level: critical
+level: high
 logsource:
 product: windows
 service: windefend
diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
index 041904e8b..37df67399 100644
--- a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -17,7 +17,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.defense_evasion
 - attack.t1055.001
diff --git a/rules/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
index 5e02d5760..d88203acf 100644
--- a/rules/windows/create_stream_hash/sysmon_ads_executable.yml
+++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
@@ -22,7 +22,7 @@ fields:
 - Image
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.defense_evasion
 - attack.s0139
diff --git a/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml b/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
index bff4e18a4..07cbb1170 100644
--- a/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
+++ b/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml
@@ -31,4 +31,4 @@ fields:
 - TargetFilename
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml
index 499a1afaf..f7fb6b938 100755
--- a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml
+++ b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml
@@ -39,7 +39,7 @@ detection:
 condition: (selection_2 and selection_3 and not false_positive1) or (selection_4 and selection_5 and not false_positive1) or (selection_6 and not false_positive1) and not false_positive2
 falsepositives:
 - Legitimate administrator or developer creating legitimate executable files in a web application folder
-level: critical
+level: high
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml b/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
index 3f7f2eaec..c926bb5fb 100644
--- a/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
+++ b/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml
@@ -26,7 +26,7 @@ fields:
 - TargetFilename
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.resource_development
 - attack.t1587
diff --git a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
index 5eeb2e833..46a28be56 100644
--- a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
@@ -22,4 +22,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml b/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml
index 850a6f68c..b2622395a 100644
--- a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml
+++ b/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml
@@ -23,4 +23,4 @@ tags:
 - attack.t1055
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
index 72e2672f7..80319180c 100644
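Review bot: In file_event_win_webshell_creation_detect.yml the context line `condition: (selection_2 and selection_3 and not false_positive1) or (selection_4 and selection_5 and not false_positive1) or (selection_6 and not false_positive1) and not false_positive2` applies `not false_positive2` only to the `selection_6` alternative, because in Sigma's condition grammar `and` binds tighter than `or`; matches via `selection_2`/`selection_3` or `selection_4`/`selection_5` are never filtered by `false_positive2`. If the exclusion is meant to cover every branch, which the repeated `not false_positive1` on each branch suggests, the line should read `condition: ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6) and not false_positive1 and not false_positive2`. The commit does not touch this line, but since the rule is being re-levelled here it is a good moment to confirm the intended scope of the filter.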
--- a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
@@ -30,4 +30,4 @@ fields:
 - HostApplication
 falsepositives:
 - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
-level: critical
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index d916707fe..105e1a82f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -27,4 +27,4 @@ detection:
 condition: selection and selection2
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index 219ef24db..445232602 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -31,7 +31,7 @@ detection:
 condition: selection and not 1 of falsepositive*
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.execution
 - attack.t1106
diff --git a/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml b/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
index abfab2e52..167885c57 100644
--- a/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
@@ -21,4 +21,4 @@ detection:
 condition: selection_process and selection_memory and not filter_trusted_process_access
 falsepositives:
 - Non identified legit exectubale
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml
index 73c815892..e50e8f8a4 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml
@@ -21,7 +21,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.execution
 - attack.g0016
diff --git a/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml b/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml
index 78e7457a4..a831dbe8d 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml
@@ -43,4 +43,4 @@ detection:
 condition: 1 of selection*
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
index 0134a29c8..3cf033ac6 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
@@ -22,7 +22,7 @@ fields:
 - ParentCommandLine
 falsepositives:
 - Unlikely
-level: critical
+level: high
 tags:
 - attack.execution
 - attack.g0045
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
index 43aa1fd55..b6c6b6aef 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
@@ -28,4 +28,4 @@ detection:
 condition: 1 of selection*
 falsepositives:
 - Should not be any false positives
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml b/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml
index 5fd5cf07d..905069d60 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml
@@ -33,4 +33,4 @@ detection:
 condition: selection1 and selection2
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml b/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml
index 443cace83..2cbe34daa 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml
@@ -22,7 +22,7 @@ detection:
 condition: selection1 or ( selection2a and selection2b )
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.execution
 - attack.t1055.001
diff --git a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
index 58d0e330c..86ddd5b56 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml
@@ -44,4 +44,4 @@ detection:
 condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 )
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml
index 073bf8d03..fa318be5f 100644
--- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml
+++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml
@@ -26,4 +26,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
index b0773efe7..bb69fd182 100644
--- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
+++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
@@ -31,7 +31,7 @@ detection:
 condition: (selection1 and not filter and not fp1_igfx) or (selection2 and selection3)
 falsepositives:
 - Unknown
-level: critical
+level: high
 tags:
 - attack.execution
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml b/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml
index b229d8dcf..ddea6a389 100644
--- a/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml
+++ b/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml
@@ -23,7 +23,7 @@ fields:
 - Image
 falsepositives:
 - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
-level: critical
+level: high
 tags:
 - attack.execution
 - attack.t1204
diff --git a/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml b/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml
index db3ea7c8a..33380fd97 100644
--- a/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml
+++ b/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml
@@ -1,10 +1,10 @@
title: CVE-2021-26857 Exchange Exploitation
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for |
- abnormal subprocesses spawning by Exchange Server’s Unified Messaging service
+ abnormal subprocesses spawning by Exchange Server's Unified Messaging service
author: Bhabesh Raj
status: stable
-level: critical
+level: high
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
date: 2021/03/03
diff --git a/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml
index 6d48a11f0..8a938e06d 100644
--- a/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml
@@ -22,7 +22,7 @@ fields:
- ParentCommandLine
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.defense_evasion
- attack.t1140
diff --git a/rules/windows/process_creation/proc_creation_win_encoded_iex.yml b/rules/windows/process_creation/proc_creation_win_encoded_iex.yml
index c22669b2e..4b3fb8cb3 100644
--- a/rules/windows/process_creation/proc_creation_win_encoded_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_encoded_iex.yml
@@ -35,7 +35,7 @@ fields:
- ParentCommandLine
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
index 4717c23c2..60264bd95 100644
--- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
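Review bot: The rewritten continuation line in the proc_creation_win_cve_2021_26857_msexchange.yml hunk is folded into a plain scalar whose first line ends in a literal `|` (`description: Detects possible successful exploitation ... by looking for |`), so the stray bar ends up inside the rendered description instead of acting as a block-scalar indicator; the commit only swaps the curly apostrophe on that line and leaves this in place. Since the line is being touched anyway, dropping the trailing `|` (or switching to `description: |` with both sentences indented beneath it) would fix the text. This reading is taken from the collapsed layout and is worth confirming against the file.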
@@ -24,7 +24,7 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.defense_evasion
- attack.t1562
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml
index 68b2c5466..44fe3fc99 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml
@@ -21,7 +21,7 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.initial_access
- attack.t1190
diff --git a/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml b/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml
index 2eee3f156..8ee0ec67a 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml
@@ -20,4 +20,4 @@ detection:
condition: selection
falsepositives:
- Unlikely
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hashcat.yml b/rules/windows/process_creation/proc_creation_win_hashcat.yml
index b67737246..6ab07705f 100644
--- a/rules/windows/process_creation/proc_creation_win_hashcat.yml
+++ b/rules/windows/process_creation/proc_creation_win_hashcat.yml
@@ -22,7 +22,7 @@ detection:
condition: 1 of hashcat_*
falsepositives:
- Tools that accidentally use the same command line flags and values
-level: critical
+level: high
tags:
- attack.credential_access
- attack.t1110.002
diff --git a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
index e263a3a3b..093089c52 100644
--- a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
@@ -59,7 +59,7 @@ fields:
- ParentCommandLine
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.execution
- attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_malware_emotet.yml b/rules/windows/process_creation/proc_creation_win_malware_emotet.yml
index 9a21dcb0d..c0ba595f8 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_emotet.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_emotet.yml
@@ -38,5 +38,5 @@ fields:
- ParentCommandLine
falsepositives:
- Unlikely
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
index 1d8f28bbe..00ad7170e 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
@@ -46,7 +46,7 @@ fields:
- ParentCommandLine
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.develop_capabilities
- attack.t1587.001
diff --git a/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml b/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml
index ff15b27d1..380f4050f 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml
@@ -21,7 +21,7 @@ fields:
- ParentCommandLine
falsepositives:
- Unlikely
-level: critical
+level: high
tags:
- attack.persistence
- attack.t1547.001
diff --git a/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml b/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml
index 8dd7d3d8f..f5ff1884b 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml
@@ -19,7 +19,7 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.execution
- attack.t1559
diff --git a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml b/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml
index d2b3ffb7a..632e3ef71 100644
--- a/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml
@@ -18,7 +18,7 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.t1055.001
- attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
index e2d127812..0cc35a0af 100644
--- a/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml
@@ -36,4 +36,4 @@ detection:
condition: selection_one and selection_two and not filter
falsepositives:
- Unknown
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml b/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml
index 0d2bef833..60d1140d0 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml
@@ -28,4 +28,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 6df5aff79..87107e01e 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -32,4 +32,4 @@ detection:
falsepositives:
- Procdump illegaly bundled with legitimate software
- Weird admins who renamed binaries
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml b/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml
index 69f9f0eec..69534c4f4 100644
--- a/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml
@@ -61,4 +61,4 @@ fields:
falsepositives:
- Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
- LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml
index 6663f3dfe..f23a6c746 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml
@@ -26,7 +26,7 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.execution
- attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml b/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml
index 9b2ab10a9..9dfc4ab19 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml
@@ -18,7 +18,7 @@ detection:
condition: selection
falsepositives:
- Legitimate use of devtoolslauncher.exe by legitimate user
-level: critical
+level: high
tags:
- attack.defense_evasion
- attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml
index f8ed94c4f..a9154e9af 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml
@@ -25,7 +25,7 @@ detection:
condition: selection
falsepositives:
- Other tools that incidentally use the same command line parameters
-level: critical
+level: high
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
index e4c434977..fbefa0c1f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
@@ -29,4 +29,4 @@ detection:
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses the command line switches of Procdump
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml
index 7fbc22dea..9e057ebfc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml
@@ -34,4 +34,4 @@ detection:
condition: selection
falsepositives:
- Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml
index 57f2b588a..e7212e135 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml
@@ -29,4 +29,4 @@ detection:
Image: 'C:\Windows\System32\cmd.exe'
CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
condition: selection and not 1 of filter*
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml b/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml
index 4e228977b..6ae87a7ae 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml
@@ -36,4 +36,4 @@ fields:
- ParentCommandLine
falsepositives:
- Unknown
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml
index 66137f852..a4265e7d7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml
@@ -30,4 +30,4 @@ fields:
- ParentCommandLine
falsepositives:
- Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
-level: critical
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
index 32e4c292e..b461488fb 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml
@@ -30,4 +30,4 @@ fields:
- ParentCommandLine
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml b/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
index d4e54e40a..c3abe799e 100644
--- a/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
+++ b/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml
@@ -23,7 +23,7 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.execution
- attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
index 4e9dc3168..eded7cdd9 100644
--- a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
@@ -16,7 +16,7 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.defense_evasion
- attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 597e33ad0..0e70d3dfd 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -27,4 +27,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: high
\ No newline at end of file
diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index 02885d46f..1ff0dd3e1 100644
--- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -22,4 +22,4 @@ tags:
- attack.t1547
falsepositives:
- Unknown
-level: critical
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml
index 2c2769047..582540079 100644
--- a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml
@@ -26,7 +26,7 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.defense_evasion
- attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
index c86fbee0c..ec2ae7a02 100755
--- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
@@ -1,7 +1,7 @@
title: GlobalFlags Registry Persistence Mechanisms
id: 36803969-5421-41ec-b92f-8500f79c23b0
status: test
-description: Detects persistence registry keys
+description: Detects persistence using GlobalFlags in image file executiobn options
author: Karneades, Jonhnathan Ribeiro
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
@@ -26,7 +26,7 @@ detection:
condition: selection_reg1 and selection_reg2
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.privilege_escalation
- attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
index 30966acd5..a8577c8f6 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
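Review bot: The new description line in the registry_set_globalflags_persistence.yml hunk carries a typo, `executiobn`, which will surface verbatim wherever rule descriptions are displayed; it should read `description: Detects persistence using GlobalFlags in Image File Execution Options`. The replacement is otherwise a clear improvement over the old one-line description, so only the spelling needs a touch-up.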
@@ -18,7 +18,7 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
+level: high
tags:
- attack.defense_evasion
- attack.privilege_escalation