diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws_cloudtrail_disable_logging.yml index 61b4cdb26ae..e7df801db3b 100644 --- a/rules/cloud/aws_cloudtrail_disable_logging.yml +++ b/rules/cloud/aws_cloudtrail_disable_logging.yml @@ -5,20 +5,21 @@ author: vitaliy0x1 date: 2020/01/21 description: Detects disabling, deleting and updating of a Trail references: - - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html + - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html logsource: - service: cloudtrail + service: cloudtrail detection: - selection_source: - - eventSource: cloudtrail.amazonaws.com - events: - - eventName: - - StopLogging - - UpdateTrail - - DeleteTrail - condition: selection_source AND events + selection_source: + - eventSource: cloudtrail.amazonaws.com + events: + - eventName: + - StopLogging + - UpdateTrail + - DeleteTrail + condition: selection_source AND events level: medium falsepositives: - Valid change in a Trail tags: - - attack.t1089 + - attack.t1089 + - attack.t1562.001 diff --git a/rules/cloud/aws_config_disable_recording.yml b/rules/cloud/aws_config_disable_recording.yml index cb0fc0a798f..8eebaa67fbb 100644 --- a/rules/cloud/aws_config_disable_recording.yml +++ b/rules/cloud/aws_config_disable_recording.yml 
@@ -5,17 +5,18 @@ author: vitaliy0x1 date: 2020/01/21 description: Detects AWS Config Service disabling logsource: - service: cloudtrail + service: cloudtrail detection: - selection_source: - - eventSource: config.amazonaws.com - events: - - eventName: - - DeleteDeliveryChannel - - StopConfigurationRecorder - condition: selection_source AND events + selection_source: + - eventSource: config.amazonaws.com + events: + - eventName: + - DeleteDeliveryChannel + - StopConfigurationRecorder + condition: selection_source AND events level: high falsepositives: - Valid change in AWS Config Service tags: - - attack.t1089 + - attack.t1089 + - attack.t1562.001 diff --git a/rules/cloud/aws_ec2_startup_script_change.yml b/rules/cloud/aws_ec2_startup_script_change.yml index dccb22f0005..7edcff0bc0c 100644 --- a/rules/cloud/aws_ec2_startup_script_change.yml +++ b/rules/cloud/aws_ec2_startup_script_change.yml @@ -21,3 +21,4 @@ falsepositives: - Valid changes to the startup script tags: - attack.t1064 + - attack.t1059 diff --git a/rules/cloud/aws_guardduty_disruption.yml b/rules/cloud/aws_guardduty_disruption.yml index 61664662484..7491d4b24d7 100644 --- a/rules/cloud/aws_guardduty_disruption.yml +++ b/rules/cloud/aws_guardduty_disruption.yml @@ -19,3 +19,4 @@ falsepositives: - Valid change in the GuardDuty (e.g. to ignore internal scanners) tags: - attack.t1089 + - attack.t1562.001 diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml index 9094ded86a4..dff6bbf3eaa 100644 --- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml +++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml @@ -9,6 +9,7 @@ tags: - attack.s0003 - attack.t1156 - attack.persistence + - attack.t1546.004 author: Peter Matkovski logsource: product: linux diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml index 1aaa844e6da..d9fb2e403f3 100644 
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml +++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml @@ -11,6 +11,7 @@ references: tags: - attack.defense_evasion - attack.t1054 + - attack.t1562.006 author: Mikhail Larin, oscd.community status: experimental date: 2019/10/25 diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml index 4140aca781d..b456805b1f2 100644 --- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml +++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml @@ -10,6 +10,7 @@ references: tags: - attack.defense_evasion - attack.t1054 + - attack.t1562.006 author: Mikhail Larin, oscd.community status: experimental date: 2019/10/25 diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml index 28068f7ab2d..2c537ddfb77 100644 --- a/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml @@ -5,6 +5,7 @@ description: Detects posible command execution by web application/web shell tags: - attack.persistence - attack.t1100 + - attack.t1505.003 references: - personal experience author: Ilyas Ochkov, Beyu Denis, oscd.community diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml index e22fc0d4b48..e923e8ec78a 100644 --- a/rules/linux/auditd/lnx_data_compressed.yml +++ b/rules/linux/auditd/lnx_data_compressed.yml 
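Review bot: The lnx_auditd_web_rce hunk leaves the context line `description: Detects posible command execution by web application/web shell` with its spelling error while the tags directly below it are being edited. Since the description is user-facing rule documentation, `description: Detects possible command execution by web application/web shell` is a one-word fix worth folding into the same change. The rest of the rule is outside the hunk.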
@@ -1,8 +1,7 @@ title: Data Compressed id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee status: experimental -description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount - of data sent over the network +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 @@ -30,3 +29,4 @@ level: low tags: - attack.exfiltration - attack.t1002 + - attack.t1560 diff --git a/rules/linux/lnx_pers_systemd_reload.yml b/rules/linux/lnx_pers_systemd_reload.yml index 3cb5c916865..326b28b3088 100644 --- a/rules/linux/lnx_pers_systemd_reload.yml +++ b/rules/linux/lnx_pers_systemd_reload.yml @@ -5,6 +5,7 @@ status: experimental tags: - attack.persistence - attack.t1501 + - attack.t1543.002 author: Jakob Weinzettl, oscd.community date: 2019/09/23 logsource: diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml index 97379f6aafd..68e9773c283 100644 --- a/rules/linux/lnx_shell_clear_cmd_history.yml +++ b/rules/linux/lnx_shell_clear_cmd_history.yml @@ -22,7 +22,7 @@ detection: keywords: - 'rm *bash_history' - 'echo "" > *bash_history' - - 'cat /dev/null > *bash_history' + - 'cat /dev/null > *bash_history' - 'ln -sf /dev/null *bash_history' - 'truncate -s0 *bash_history' # - 'unset HISTFILE' # prone to false positives @@ -38,3 +38,4 @@ level: high tags: - attack.defense_evasion - attack.t1146 + - attack.t1551.003 diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml index 457744c35bd..244bdeadedf 100644 --- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml +++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml 
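Review bot: Joining the lnx_data_compressed description into a single line replaces a folded multi-line plain scalar with a line of roughly 190 characters, well past the usual YAML line-length limits. A folded block scalar, `description: >-` followed by the wrapped sentence indented two spaces, produces the identical string (folded lines are space-joined and `-` strips the trailing newline) while keeping the file readable. The same join is made in zeek_smb_converted_win_lm_namedpipe, win_alert_mimikatz_keywords, win_lm_namedpipe and win_disable_event_logging, where the resulting quoted line runs to several hundred characters. If a downstream consumer requires single-line descriptions, that constraint should be stated in the commit message so the next formatter does not fold them back.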
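Review bot: The second lnx_data_compressed hunk adds `attack.t1560` to the tags, but `modified: 2019/11/04` in the first hunk's context is left as is, so consumers that track rule changes by the `modified` field will not see the new mapping. If the repository follows the Sigma convention of bumping `modified` on every content change, the tag addition should be accompanied by `modified: <YYYY/MM/DD of this change>` (placeholder). win_alert_mimikatz_keywords, which carries `modified: 2019/10/11` and also gains new tags in this commit, has the same gap.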
@@ -11,6 +11,8 @@ tags: - attack.defense_evasion - attack.t1146 - attack.t1070 + - attack.t1551.003 + - attack.t1551 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml index 99a6378a0d8..9944274b89b 100644 --- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml @@ -17,6 +17,7 @@ tags: - attack.t1003 - attack.t1081 - attack.t1005 + - attack.t1552.001 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml index a032c9d48cc..81e1a3a1906 100644 --- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml +++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml @@ -12,6 +12,8 @@ tags: - attack.defense_evasion - attack.t1130 - attack.t1145 + - attack.t1553.004 + - attack.t1552.004 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml index b81e265ba41..4bc95584a8c 100644 --- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml +++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml @@ -9,6 +9,7 @@ date: 2019/08/11 tags: - attack.defense_evasion - attack.t1089 + - attack.t1562.001 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml index cc6155e1bf1..ec6b4e1ef7a 100644 --- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml +++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml @@ -14,6 +14,9 @@ tags: - attack.t1107 - attack.t1488 - attack.t1487 + - attack.t1561.002 + - attack.t1551.004 + - attack.t1561.001 logsource: product: cisco service: aaa 
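Review bot: In cisco_cli_clear_logs the hunk adds `- attack.t1551` immediately after `- attack.t1551.003`, tagging both the parent technique and its sub-technique while the existing `- attack.t1070` already names the same behaviour under its other identifier; Sigma tags the most specific technique, so the bare parent line is redundant. T1551 is also the identifier the ATT&CK sub-technique beta used for Indicator Removal on Host, whereas the final release kept T1070 with clearing command history as T1070.003, so if the repository targets the final release the sub-technique tag here should read `- attack.t1070.003`, and the same applies to `attack.t1551.003` in lnx_shell_clear_cmd_history and `attack.t1551.004` in cisco_cli_file_deletion. This should be confirmed against the ATT&CK version the repository tracks, since every other sub-technique id in the commit is unaffected by that renumbering.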
diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml index 51467f57968..d1bc266a722 100644 --- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml +++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml @@ -12,6 +12,7 @@ tags: - attack.credential_access - attack.t1139 - attack.t1056 + - attack.t1552.003 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml index bc11ecafc7b..6f98513ed4d 100644 --- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml +++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml @@ -16,6 +16,9 @@ tags: - attack.t1100 - attack.t1168 - attack.t1490 + - attack.t1565.002 + - attack.t1505 + - attack.t1053 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml index f9aa4c8474d..924588a6808 100644 --- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml @@ -19,6 +19,8 @@ tags: - attack.t1105 - attack.t1492 - attack.t1002 + - attack.t1560 + - attack.t1565.001 logsource: product: cisco service: aaa diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml index 42ee5e22f80..95492f1b275 100644 --- a/rules/network/net_susp_dns_txt_exec_strings.yml +++ b/rules/network/net_susp_dns_txt_exec_strings.yml @@ -7,17 +7,18 @@ references: - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1 tags: - attack.t1071 + - attack.t1071.004 author: Markus Neis date: 2018/08/08 logsource: category: dns detection: selection: - record_type: 'TXT' - answer: - - '*IEX*' - - '*Invoke-Expression*' - - '*cmd.exe*' + record_type: 'TXT' + answer: + - '*IEX*' + - '*Invoke-Expression*' + - '*cmd.exe*' condition: selection falsepositives: - Unknown 
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml index 4e79ed023e7..141a67ddc6c 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml 
@@ -6,46 +6,48 @@ date: 2020/03/19 references: - https://github.com/mitre-attack/bzar#indicators-for-attck-execution tags: - - attack.execution - - attack.t1035 - - attack.t1047 - - attack.t1053 + - attack.execution + - attack.t1035 + - attack.t1047 + - attack.t1053 + - attack.t1053.002 + - attack.t1569.002 logsource: - product: zeek - service: dce_rpc + product: zeek + service: dce_rpc detection: - op1: - endpoint: 'JobAdd' - operation: 'atsvc' - op2: - endpoint: 'ITaskSchedulerService' - operation: 'SchRpcEnableTask' - op3: - endpoint: 'ITaskSchedulerService' - operation: 'SchRpcRegisterTask' - op4: - endpoint: 'ITaskSchedulerService' - operation: 'SchRpcRun' - op5: - endpoint: 'IWbemServices' - operation: 'ExecMethod' - op6: - endpoint: 'IWbemServices' - operation: 'ExecMethodAsync' - op7: - endpoint: 'svcctl' - operation: 'CreateServiceA' - op8: - endpoint: 'svcctl' - operation: 'CreateServiceW' - op9: - endpoint: 'svcctl' - operation: 'StartServiceA' - op10: - endpoint: 'svcctl' - operation: 'StartServiceW' - condition: 1 of them + op1: + endpoint: 'JobAdd' + operation: 'atsvc' + op2: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcEnableTask' + op3: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcRegisterTask' + op4: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcRun' + op5: + endpoint: 'IWbemServices' + operation: 'ExecMethod' + op6: + endpoint: 'IWbemServices' + operation: 'ExecMethodAsync' + op7: + endpoint: 'svcctl' + operation: 'CreateServiceA' + op8: + endpoint: 'svcctl' + operation: 'CreateServiceW' + op9: + endpoint: 'svcctl' + operation: 'StartServiceA' + op10: + endpoint: 'svcctl' + operation: 'StartServiceW' + condition: 1 of them falsepositives: - 'Windows administrator tasks or troubleshooting' - 'Windows management scripts or software' -level: medium \ No newline at end of file +level: medium 
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml index 3cce80d46d5..4dd5fc5d452 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml @@ -8,30 +8,31 @@ references: tags: - attack.persistence - attack.t1004 + - attack.t1547.004 logsource: - product: zeek - service: dce_rpc + product: zeek + service: dce_rpc detection: - op1: - endpoint: 'spoolss' - operation: 'RpcAddMonitor' - op2: - endpoint: 'spoolss' - operation: 'RpcAddPrintProcessor' - op3: - endpoint: 'IRemoteWinspool' - operation: 'RpcAsyncAddMonitor' - op4: - endpoint: 'IRemoteWinspool' - operation: 'RpcAsyncAddPrintProcessor' - op5: - endpoint: 'ISecLogon' - operation: 'SeclCreateProcessWithLogonW' - op6: - endpoint: 'ISecLogon' - operation: 'SeclCreateProcessWithLogonExW' - condition: 1 of them + op1: + endpoint: 'spoolss' + operation: 'RpcAddMonitor' + op2: + endpoint: 'spoolss' + operation: 'RpcAddPrintProcessor' + op3: + endpoint: 'IRemoteWinspool' + operation: 'RpcAsyncAddMonitor' + op4: + endpoint: 'IRemoteWinspool' + operation: 'RpcAsyncAddPrintProcessor' + op5: + endpoint: 'ISecLogon' + operation: 'SeclCreateProcessWithLogonW' + op6: + endpoint: 'ISecLogon' + operation: 'SeclCreateProcessWithLogonExW' + condition: 1 of them falsepositives: - 'Windows administrator tasks or troubleshooting' - 'Windows management scripts or software' -level: medium \ No newline at end of file +level: medium diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml index 47cfdcbf23e..55bc7898e3e 100644 --- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml +++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml 
@@ -8,9 +8,10 @@ references: tags: - attack.command_and_control - attack.t1043 + - attack.t1571 logsource: - product: zeek - service: http + product: zeek + service: http date: 2020/05/01 detection: selection_webdav: @@ -23,4 +24,4 @@ detection: falsepositives: - unknown level: medium -status: experimental \ No newline at end of file +status: experimental diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml index 17a3704f56a..12e1eb4d9a6 100644 --- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml +++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml @@ -11,6 +11,7 @@ tags: - attack.t1053 - car.2013-05-004 - car.2015-04-001 + - attack.t1053.002 logsource: product: zeek service: smb_files diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index 16e2f3188b3..4a7fe93adbc 100644 --- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml @@ -8,14 +8,17 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.003 logsource: product: zeek service: smb_files detection: - selection: - path: '\\*ADMIN$' - name: '*SYSTEM32\\*.tmp' - condition: selection + selection: + path: '\\*ADMIN$' + name: '*SYSTEM32\\*.tmp' + condition: selection falsepositives: - 'unknown' level: high diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml index eecef7a99db..34b90aa1ef6 100644 --- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml +++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml 
@@ -1,14 +1,14 @@ title: First Time Seen Remote Named Pipe - Zeek id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad -description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec - using named pipes +description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes author: 'Samir Bousseaden, @neu5ron' date: 2020/04/02 references: - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml -tags: +tags: - attack.lateral_movement - attack.t1077 + - attack.t1021.002 logsource: product: zeek service: smb_files @@ -18,23 +18,23 @@ detection: selection2: path: \\*\IPC$ name: - - 'atsvc' - - 'samr' - - 'lsarpc' - - 'winreg' - - 'netlogon' - - 'srvsvc' - - 'protected_storage' - - 'wkssvc' - - 'browser' - - 'netdfs' - - 'svcctl' - - 'spoolss' - - 'ntsvcs' - - 'LSM_API_service' - - 'HydraLsPipe' - - 'TermSrv_API_service' - - 'MsFteWds' + - 'atsvc' + - 'samr' + - 'lsarpc' + - 'winreg' + - 'netlogon' + - 'srvsvc' + - 'protected_storage' + - 'wkssvc' + - 'browser' + - 'netdfs' + - 'svcctl' + - 'spoolss' + - 'ntsvcs' + - 'LSM_API_service' + - 'HydraLsPipe' + - 'TermSrv_API_service' + - 'MsFteWds' condition: selection1 and not selection2 falsepositives: - update the excluded named pipe to filter out any newly observed legit named pipe diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index 044d6f966a0..79bd51153f3 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -8,6 +8,7 @@ references: tags: - attack.lateral_movement - attack.t1077 + - attack.t1021.002 logsource: product: zeek service: smb_files 
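Review bot: The zeek_smb_converted_win_lm_namedpipe hunk rewrites the description line but keeps its two wording errors, "namped pipes" and "notify on newly observed ones". Since the line is being touched anyway, `description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes` fixes both without changing the rule's meaning. win_lm_namedpipe, which carries the identical description and is rewritten the same way in this commit, needs the same correction.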
@@ -15,9 +16,9 @@ detection: selection1: path: \\*\IPC$ name: - - '*-stdin' - - '*-stdout' - - '*-stderr' + - '*-stdin' + - '*-stdout' + - '*-stderr' selection2: name: \\*\IPC$ path: 'PSEXESVC*' diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml index 060189f4080..503c9c8f845 100644 --- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml +++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml @@ -4,26 +4,29 @@ description: Transferring files with well-known filenames (sensitive files with author: '@neu5ron, Teymur Kheirkhabarov, oscd.community' date: 2020/04/02 references: - - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml + - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml tags: - - attack.credential_access - - attack.t1003 + - attack.credential_access + - attack.t1003 + - attack.t1003.002 + - attack.t1003.001 + - attack.t1003.003 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection: - name: - - '\mimidrv' - - '\lsass' - - '\windows\minidump\' - - '\hiberfil' - - '\sqldmpr' - - '\sam' - - '\ntds.dit' - - '\security' - condition: selection + selection: + name: + - '\mimidrv' + - '\lsass' + - '\windows\minidump\' + - '\hiberfil' + - '\sqldmpr' + - '\sam' + - '\ntds.dit' + - '\security' + condition: selection falsepositives: - Transferring sensitive files for legitimate administration work by legitimate administrator level: medium -status: experimental \ No newline at end of file +status: experimental 
diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml index 456f827866a..30b134ff746 100644 --- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml +++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml @@ -8,6 +8,7 @@ references: tags: - attack.credential_access - attack.t1208 + - attack.t1558.003 logsource: product: zeek service: kerberos diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml index 5bc8b193e59..d086a2c4549 100644 --- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml +++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml @@ -13,7 +13,7 @@ logsource: category: webserver detection: selection: - c-uri: + c-uri: - '*/config/keystore/*.js*' condition: selection fields: @@ -28,5 +28,6 @@ tags: - attack.persistence - attack.privilege_escalation - cve.2018-2894 + - attack.t1505 level: critical diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml index 6403ab720be..75dfa1b0c8f 100644 --- a/rules/windows/builtin/win_GPO_scheduledtasks.yml +++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml @@ -10,6 +10,7 @@ tags: - attack.persistence - attack.lateral_movement - attack.t1053 + - attack.t1053.005 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml index e489b78f676..a922e0e0102 100644 --- a/rules/windows/builtin/win_admin_share_access.yml +++ b/rules/windows/builtin/win_admin_share_access.yml @@ -4,6 +4,7 @@ description: Detects access to $ADMIN share tags: - attack.lateral_movement - attack.t1077 + - attack.t1021.002 status: experimental author: Florian Roth date: 2017/03/04 diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml index 906ac89bb16..5f77c7776c5 100644 
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml @@ -9,6 +9,7 @@ date: 2017/07/30 tags: - attack.defense_evasion - attack.t1089 + - attack.t1562.001 logsource: product: windows service: security @@ -18,9 +19,9 @@ detection: EventID: 4738 keywords: Message: - - '*DES*' - - '*Preauth*' - - '*Encrypted*' + - '*DES*' + - '*Preauth*' + - '*Encrypted*' filters: Message: - '*Enabled*' diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml index bcd7eae7aa6..3ffde491a29 100644 --- a/rules/windows/builtin/win_alert_lsass_access.yml +++ b/rules/windows/builtin/win_alert_lsass_access.yml @@ -10,6 +10,7 @@ tags: - attack.credential_access - attack.t1003 # Defender Attack Surface Reduction + - attack.t1003.001 logsource: product: windows_defender definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index f6ad95c8c4f..5a0783fdcae 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml @@ -1,7 +1,6 @@ title: Mimikatz Use id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 -description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different - threat groups) +description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups) author: Florian Roth date: 2017/01/10 modified: 2019/10/11 
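Review bot: In win_alert_lsass_access the new `- attack.t1003.001` line is inserted between the `# Defender Attack Surface Reduction` comment and the `logsource:` block that comment describes, so the comment now reads as an annotation of the tag rather than of the Windows Defender log source. Placing the tag directly after `- attack.t1003`, above the comment, keeps the comment attached to the `logsource:` mapping it was written for. The `definition:` context line confirms the comment belongs with the logsource.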
@@ -12,21 +11,25 @@ tags: - attack.credential_access - car.2013-07-001 - car.2019-04-004 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.001 + - attack.t1003.006 logsource: product: windows detection: keywords: Message: - - "* mimikatz *" - - "* mimilib *" - - "* <3 eo.oe *" - - "* eo.oe.kiwi *" - - "* privilege::debug *" - - "* sekurlsa::logonpasswords *" - - "* lsadump::sam *" - - "* mimidrv.sys *" - - "* p::d *" - - "* s::l *" + - "* mimikatz *" + - "* mimilib *" + - "* <3 eo.oe *" + - "* eo.oe.kiwi *" + - "* privilege::debug *" + - "* sekurlsa::logonpasswords *" + - "* lsadump::sam *" + - "* mimidrv.sys *" + - "* p::d *" + - "* s::l *" condition: keywords falsepositives: - Naughty administrators diff --git a/rules/windows/builtin/win_alert_ruler.yml b/rules/windows/builtin/win_alert_ruler.yml index 21a85472a83..603904ca8b0 100644 --- a/rules/windows/builtin/win_alert_ruler.yml +++ b/rules/windows/builtin/win_alert_ruler.yml @@ -17,18 +17,19 @@ tags: - attack.t1075 - attack.t1114 - attack.t1059 + - attack.t1550.002 logsource: product: windows service: security detection: selection1: - EventID: - - 4776 + EventID: + - 4776 Workstation: 'RULER' selection2: EventID: - - 4624 - - 4625 + - 4624 + - 4625 WorkstationName: 'RULER' condition: (1 of selection*) falsepositives: diff --git a/rules/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/win_apt_carbonpaper_turla.yml index b16c0733b88..b819affb4d8 100755 --- a/rules/windows/builtin/win_apt_carbonpaper_turla.yml +++ b/rules/windows/builtin/win_apt_carbonpaper_turla.yml @@ -7,6 +7,7 @@ tags: - attack.persistence - attack.g0010 - attack.t1050 + - attack.t1543.003 date: 2017/03/31 author: Florian Roth logsource: diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml index 3db1bfe6b87..5ffa75289b8 100755 --- a/rules/windows/builtin/win_apt_stonedrill.yml +++ b/rules/windows/builtin/win_apt_stonedrill.yml 
@@ -9,6 +9,7 @@ tags: - attack.persistence - attack.g0064 - attack.t1050 + - attack.t1543.003 logsource: product: windows service: system diff --git a/rules/windows/builtin/win_apt_turla_service_png.yml b/rules/windows/builtin/win_apt_turla_service_png.yml index 642809a5c83..467abba2e53 100644 --- a/rules/windows/builtin/win_apt_turla_service_png.yml +++ b/rules/windows/builtin/win_apt_turla_service_png.yml @@ -9,6 +9,7 @@ tags: - attack.persistence - attack.g0010 - attack.t1050 + - attack.t1543.003 logsource: product: windows service: system diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml index e896b3bc4eb..bb4ce41a752 100644 --- a/rules/windows/builtin/win_atsvc_task.yml +++ b/rules/windows/builtin/win_atsvc_task.yml @@ -11,6 +11,7 @@ tags: - attack.t1053 - car.2013-05-004 - car.2015-04-001 + - attack.t1053.002 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml index f29e9a5fe2c..1181f0e1897 100644 --- a/rules/windows/builtin/win_dcsync.yml +++ b/rules/windows/builtin/win_dcsync.yml @@ -12,18 +12,19 @@ tags: - attack.credential_access - attack.s0002 - attack.t1003 + - attack.t1003.006 logsource: product: windows service: security detection: selection: EventID: 4662 - Properties: + Properties: - '*Replicating Directory Changes All*' - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' filter1: SubjectDomainName: 'Window Manager' - filter2: + filter2: SubjectUserName: - 'NT AUTHORITY*' - '*$' diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml index 20463e6a8f9..788ac85446e 100644 --- a/rules/windows/builtin/win_disable_event_logging.yml +++ b/rules/windows/builtin/win_disable_event_logging.yml 
@@ -1,15 +1,12 @@ title: Disabling Windows Event Auditing id: 69aeb277-f15f-4d2d-b32a-55e883609563 -description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass - local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" - via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, - that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform - these modifications in Active Directory anyways.' +description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.' references: - https://bit.ly/WinLogsZero2Hero tags: - attack.defense_evasion - attack.t1054 + - attack.t1562.006 author: '@neu5ron' date: 2017/11/19 logsource: diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml index 3093a086430..fc70f3b1fc3 100644 --- a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml +++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml 
@@ -9,11 +9,12 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.004 logsource: product: windows service: security detection: - selection: + selection: EventID: 4662 ObjectType: 'SecretObject' AccessMask: '0x2' @@ -21,4 +22,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml index f488f98a329..47ec4686cb7 100644 --- a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml +++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml @@ -9,11 +9,12 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.004 logsource: product: windows service: security detection: - selection: + selection: EventID: 4692 condition: selection fields: diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml index bf335fbeb09..270419c1b88 100644 --- a/rules/windows/builtin/win_hack_smbexec.yml +++ b/rules/windows/builtin/win_hack_smbexec.yml @@ -10,6 +10,8 @@ tags: - attack.execution - attack.t1077 - attack.t1035 + - attack.t1021 + - attack.t1569.002 logsource: product: windows service: system @@ -25,4 +27,4 @@ fields: falsepositives: - Penetration Test - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml index 14d5060e051..ca4effe5b34 100644 --- a/rules/windows/builtin/win_impacket_secretdump.yml +++ b/rules/windows/builtin/win_impacket_secretdump.yml @@ -8,6 +8,9 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.003 logsource: product: windows service: security 
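Review bot: win_hack_smbexec pairs the existing `- attack.t1077` with the parent `- attack.t1021`, while every other rule in this commit that carries `attack.t1077` (win_admin_share_access, win_lm_namedpipe, zeek_smb_converted_win_lm_namedpipe, zeek_smb_converted_win_susp_psexec) receives `- attack.t1021.002`. Since the same legacy technique is being mapped in each case, this line should read `- attack.t1021.002` for consistency with the rest of the change. The rule's description and detection are outside the hunk, so confirm against the rule's intent before changing it.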
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml index 90dca9c1005..8bbbbc1a2f9 100644 --- a/rules/windows/builtin/win_lm_namedpipe.yml +++ b/rules/windows/builtin/win_lm_namedpipe.yml @@ -1,7 +1,6 @@ title: First Time Seen Remote Named Pipe id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad -description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec - using named pipes +description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes author: Samir Bousseaden date: 2019/04/03 references: @@ -9,6 +8,7 @@ references: tags: - attack.lateral_movement - attack.t1077 + - attack.t1021.002 logsource: product: windows service: security @@ -21,23 +21,23 @@ detection: EventID: 5145 ShareName: \\*\IPC$ RelativeTargetName: - - 'atsvc' - - 'samr' - - 'lsarpc' - - 'winreg' - - 'netlogon' - - 'srvsvc' - - 'protected_storage' - - 'wkssvc' - - 'browser' - - 'netdfs' - - 'svcctl' - - 'spoolss' - - 'ntsvcs' - - 'LSM_API_service' - - 'HydraLsPipe' - - 'TermSrv_API_service' - - 'MsFteWds' + - 'atsvc' + - 'samr' + - 'lsarpc' + - 'winreg' + - 'netlogon' + - 'srvsvc' + - 'protected_storage' + - 'wkssvc' + - 'browser' + - 'netdfs' + - 'svcctl' + - 'spoolss' + - 'ntsvcs' + - 'LSM_API_service' + - 'HydraLsPipe' + - 'TermSrv_API_service' + - 'MsFteWds' condition: selection1 and not selection2 falsepositives: - update the excluded named pipe to filter out any newly observed legit named pipe diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml index adb3f7a62dc..9f0bd07fb5f 100644 --- a/rules/windows/builtin/win_lsass_access_non_system_account.yml +++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml 
@@ -10,11 +10,12 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.001 logsource: product: windows service: security detection: - selection: + selection: EventID: - 4663 - 4656 diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index d2bb06fe951..8fe191511f2 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml @@ -11,6 +11,8 @@ tags: - attack.t1035 - attack.t1050 - car.2013-09-005 + - attack.t1543.003 + - attack.t1569.002 logsource: product: windows service: system @@ -24,6 +26,6 @@ detection: malsvc_persistence: ServiceFileName|contains: 'net user' condition: selection and 1 of malsvc_* -falsepositives: +falsepositives: - Penetration testing level: critical diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml index baaaca7f9f2..b6ee82fbc92 100644 --- a/rules/windows/builtin/win_mmc20_lateral_movement.yml +++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml 
@@ -1,23 +1,25 @@ title: MMC20 Lateral Movement id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd -description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe +description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe author: '@2xxeformyshirt (Security Risk Advisors)' date: 2020/03/04 references: - - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ - - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing + - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing tags: - - attack.execution - - attack.t1175 + - attack.execution + - attack.t1175 + - attack.t1021.003 + - attack.t1559.001 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage: '*\svchost.exe' - Image: '*\mmc.exe' - CommandLine: '*-Embedding*' - condition: selection + selection: + ParentImage: '*\svchost.exe' + Image: '*\mmc.exe' + CommandLine: '*-Embedding*' + condition: selection falsepositives: - - Unlikely + - Unlikely level: high diff --git a/rules/windows/builtin/win_overpass_the_hash.yml b/rules/windows/builtin/win_overpass_the_hash.yml index f909666e583..11f2afb8fc1 100644 --- a/rules/windows/builtin/win_overpass_the_hash.yml +++ b/rules/windows/builtin/win_overpass_the_hash.yml @@ -10,6 +10,7 @@ tags: - attack.lateral_movement - attack.t1075 - attack.s0002 + - attack.t1550.002 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml index 582a77b97fd..c6aaae74cdf 100644 
--- a/rules/windows/builtin/win_pass_the_hash.yml +++ b/rules/windows/builtin/win_pass_the_hash.yml @@ -10,6 +10,7 @@ tags: - attack.lateral_movement - attack.t1075 - car.2016-04-004 + - attack.t1550.002 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_pass_the_hash_2.yml b/rules/windows/builtin/win_pass_the_hash_2.yml index 6930ee9c2f1..722637eb221 100644 --- a/rules/windows/builtin/win_pass_the_hash_2.yml +++ b/rules/windows/builtin/win_pass_the_hash_2.yml @@ -11,6 +11,7 @@ date: 2019/06/14 tags: - attack.lateral_movement - attack.t1075 + - attack.t1550.002 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml index 8484a1f3e66..b20672adb79 100644 --- a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml +++ b/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml @@ -8,6 +8,7 @@ modified: 2019/11/13 tags: - attack.credential_access - attack.t1003 + - attack.t1003.002 level: critical logsource: product: windows diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml index bbd45c5022f..de8a93f87dd 100644 --- a/rules/windows/builtin/win_rare_schtasks_creations.yml +++ b/rules/windows/builtin/win_rare_schtasks_creations.yml @@ -10,6 +10,7 @@ tags: - attack.persistence - attack.t1053 - car.2013-08-001 + - attack.t1053.005 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml index acd55cb6087..14b4ecf8ad4 100644 --- a/rules/windows/builtin/win_rare_service_installs.yml +++ b/rules/windows/builtin/win_rare_service_installs.yml @@ -9,6 +9,7 @@ tags: - attack.privilege_escalation - attack.t1050 - car.2013-09-005 + - attack.t1543.003 logsource: product: windows service: system 
diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml index 3f269fe72c7..165bd12f7d3 100644 --- a/rules/windows/builtin/win_rdp_localhost_login.yml +++ b/rules/windows/builtin/win_rdp_localhost_login.yml @@ -9,6 +9,7 @@ tags: - attack.lateral_movement - attack.t1076 - car.2013-07-002 + - attack.t1021 status: experimental author: Thomas Patzke logsource: diff --git a/rules/windows/builtin/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/win_rdp_reverse_tunnel.yml index d18e52004e0..a68d5745477 100644 --- a/rules/windows/builtin/win_rdp_reverse_tunnel.yml +++ b/rules/windows/builtin/win_rdp_reverse_tunnel.yml @@ -14,6 +14,7 @@ tags: - attack.t1076 - attack.t1090 - car.2013-07-002 + - attack.t1021 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml index 9fb4e64470e..25e6180c65b 100644 --- a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml +++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml @@ -8,6 +8,7 @@ tags: - attack.lateral_movement - attack.privilege_escalation - attack.t1208 + - attack.t1558.003 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 logsource: diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml index d0e395e4ffd..1167c97fbf7 100644 --- a/rules/windows/builtin/win_remote_powershell_session.yml +++ b/rules/windows/builtin/win_remote_powershell_session.yml @@ -9,11 +9,12 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 logsource: product: windows service: security detection: - selection: + selection: EventID: 5156 DestPort: - 5985 
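Review bot: The `- attack.t1021` added to win_rdp_localhost_login (and to win_rdp_reverse_tunnel in the next hunk) is the generic Remote Services parent, but both rules are already tagged with the old RDP technique `attack.t1076`, whose sub-technique counterpart is Remote Desktop Protocol, `attack.t1021.001`. Other rules in this commit map to the specific sub-technique (e.g. `attack.t1021.002` for SMB), so the generic tag here looks like an oversight rather than a choice. Suggest `- attack.t1021.001` in both files.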
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml index 0a407a6e0b3..1eb679dc046 100644 --- a/rules/windows/builtin/win_susp_add_sid_history.yml +++ b/rules/windows/builtin/win_susp_add_sid_history.yml @@ -10,6 +10,7 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1178 + - attack.t1134.005 logsource: product: windows service: security @@ -25,7 +26,7 @@ detection: - '-' - '%%1793' filter_null: - SidHistory: null + SidHistory: condition: selection1 or (selection2 and not selection3 and not filter_null) falsepositives: - Migration of an account into a new domain diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml index 32dfb5d00a6..332b6c806b4 100644 --- a/rules/windows/builtin/win_susp_backup_delete.yml +++ b/rules/windows/builtin/win_susp_backup_delete.yml @@ -10,6 +10,7 @@ date: 2017/05/12 tags: - attack.defense_evasion - attack.t1107 + - attack.t1551.004 logsource: product: windows service: application diff --git a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml index 34331edc513..e5afc8f7c00 100644 --- a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml +++ b/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml @@ -7,6 +7,7 @@ date: 2019/12/03 tags: - attack.defense_evasion - attack.t1009 + - attack.t1027 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/win_susp_dhcp_config.yml index a7090b8df19..0c357fc9200 100644 --- a/rules/windows/builtin/win_susp_dhcp_config.yml +++ b/rules/windows/builtin/win_susp_dhcp_config.yml @@ -11,6 +11,7 @@ author: Dimitrios Slamaris tags: - attack.defense_evasion - attack.t1073 + - attack.t1574.002 logsource: product: windows service: system 
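Review bot: In the second hunk of win_susp_add_sid_history, `SidHistory: null` is replaced by the bare `SidHistory:`. Both parse to null, so the `filter_null` selection should behave the same, but the bare form is the ambiguous spelling that yamllint's empty-values check flags and it no longer documents that a null match is intended rather than a value left unfilled. Suggest restoring `SidHistory: null`.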
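Review bot: `- attack.t1551.004` added to win_susp_backup_delete uses an ID that, as far as I can tell, only existed in the ATT&CK sub-techniques beta; in the released sub-technique taxonomy the Indicator Removal family kept T1070, and File Deletion is `attack.t1070.004`. The same T1551-based IDs are added in win_susp_eventlog_cleared and win_susp_security_eventlog_cleared (`attack.t1551`, released: T1070.001 Clear Windows Event Logs), win_susp_sdelete (`attack.t1551.004`, released: T1070.004), win_susp_time_modification (`attack.t1551.006`, released: T1070.006 Timestomp) and powershell_clear_powershell_history (`attack.t1551.003`, released: T1070.003 Clear Command History). If the repository is tracking the released IDs, these tags will not resolve against the published matrix; please confirm which revision of ATT&CK this mapping was generated from.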
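Review bot: `- attack.t1027` added to win_susp_codeintegrity_check_failure is the generic Obfuscated Files or Information parent, while the rule's existing tag `attack.t1009` (Binary Padding) has a direct sub-technique counterpart, `attack.t1027.001`. Elsewhere in this commit old technique IDs are mapped to the specific sub-technique, so the parent-only tag here loses precision for no apparent reason. Suggest `- attack.t1027.001`.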
@@ -19,6 +20,6 @@ detection: EventID: 1033 Source: Microsoft-Windows-DHCP-Server condition: selection -falsepositives: +falsepositives: - Unknown level: critical diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml index f3c4f36ec5e..8dc62e8003e 100644 --- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml +++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml @@ -11,18 +11,19 @@ modified: 2019/07/17 tags: - attack.defense_evasion - attack.t1073 + - attack.t1574.002 author: "Dimitrios Slamaris, @atc_project (fix)" logsource: product: windows service: system detection: selection: - EventID: + EventID: - 1031 - 1032 - 1034 - Source: Microsoft-Windows-DHCP-Server + Source: Microsoft-Windows-DHCP-Server condition: selection -falsepositives: +falsepositives: - Unknown level: critical diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml index df7ffe3f903..8ef63d9caf6 100644 --- a/rules/windows/builtin/win_susp_dns_config.yml +++ b/rules/windows/builtin/win_susp_dns_config.yml @@ -10,17 +10,18 @@ references: tags: - attack.defense_evasion - attack.t1073 + - attack.t1574.002 author: Florian Roth logsource: product: windows service: dns-server detection: selection: - EventID: + EventID: - 150 - 770 condition: selection -falsepositives: +falsepositives: - Unknown level: critical diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index ec1981f549b..b0698a1cbe6 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -10,6 +10,7 @@ tags: - attack.defense_evasion - attack.t1070 - car.2016-04-002 + - attack.t1551 logsource: product: windows service: system diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml index 52921441c0a..b3b39f7b660 100644 
--- a/rules/windows/builtin/win_susp_lsass_dump.yml +++ b/rules/windows/builtin/win_susp_lsass_dump.yml @@ -8,6 +8,7 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.001 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index 604c2f41552..fa536e26bd5 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml @@ -12,6 +12,7 @@ tags: - attack.credential_access - attack.t1003 - car.2019-04-004 + - attack.t1003.001 logsource: product: windows service: security @@ -40,7 +41,7 @@ detection: - '4484' - '4416' filter: - ProcessName|endswith: + ProcessName|endswith: - '\wmiprvse.exe' - '\taskmgr.exe' - '\procexp64.exe' diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index 3e6f6fcba01..4ce48ead3eb 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml @@ -5,6 +5,7 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1211 + - attack.t1562.001 status: experimental date: 2017/05/09 references: diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml index f8ea778c00a..3e4a2fb968e 100644 --- a/rules/windows/builtin/win_susp_ntlm_auth.yml +++ b/rules/windows/builtin/win_susp_ntlm_auth.yml @@ -10,6 +10,7 @@ date: 2018/06/08 tags: - attack.lateral_movement - attack.t1075 + - attack.t1550.002 logsource: product: windows service: ntlm diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml index f48f593b671..62216f2e959 100644 --- a/rules/windows/builtin/win_susp_psexec.yml +++ b/rules/windows/builtin/win_susp_psexec.yml 
@@ -1,7 +1,6 @@ title: Suspicious PsExec Execution id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 -description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker - uses a different psexec client other than sysinternal one +description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one author: Samir Bousseaden date: 2019/04/03 references: @@ -9,6 +8,7 @@ references: tags: - attack.lateral_movement - attack.t1077 + - attack.t1021.002 logsource: product: windows service: security @@ -18,9 +18,9 @@ detection: EventID: 5145 ShareName: \\*\IPC$ RelativeTargetName: - - '*-stdin' - - '*-stdout' - - '*-stderr' + - '*-stdin' + - '*-stdout' + - '*-stderr' selection2: EventID: 5145 ShareName: \\*\IPC$ diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 534151c458e..56bea540b09 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -7,6 +7,7 @@ references: tags: - attack.credential_access - attack.t1208 + - attack.t1558.003 description: Detects service ticket requests using RC4 encryption type author: Florian Roth date: 2017/02/06 diff --git a/rules/windows/builtin/win_susp_rottenpotato.yml b/rules/windows/builtin/win_susp_rottenpotato.yml index 1e7d58b2885..c6df34101aa 100644 --- a/rules/windows/builtin/win_susp_rottenpotato.yml +++ b/rules/windows/builtin/win_susp_rottenpotato.yml @@ -10,6 +10,7 @@ tags: - attack.privilege_escalation - attack.credential_access - attack.t1171 + - attack.t1557.001 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml index 930531db237..117fa49b855 100644 
--- a/rules/windows/builtin/win_susp_sam_dump.yml +++ b/rules/windows/builtin/win_susp_sam_dump.yml @@ -5,6 +5,7 @@ description: Detects suspicious SAM dump activity as cause by QuarksPwDump and o tags: - attack.credential_access - attack.t1003 + - attack.t1003.002 author: Florian Roth date: 2018/01/27 logsource: diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml index 5f8df21e5bb..8483f0265f1 100644 --- a/rules/windows/builtin/win_susp_sdelete.yml +++ b/rules/windows/builtin/win_susp_sdelete.yml @@ -13,6 +13,8 @@ tags: - attack.t1107 - attack.t1066 - attack.s0195 + - attack.t1551.004 + - attack.t1027 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml index 7b0b7dccf81..d31a49b424e 100644 --- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml @@ -5,6 +5,7 @@ tags: - attack.defense_evasion - attack.t1070 - car.2016-04-002 + - attack.t1551 author: Florian Roth date: 2017/02/19 logsource: diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml index 628f4a7fb7c..c457b28e56f 100644 --- a/rules/windows/builtin/win_susp_time_modification.yml +++ b/rules/windows/builtin/win_susp_time_modification.yml @@ -11,6 +11,7 @@ midified: 2020/01/27 tags: - attack.defense_evasion - attack.t1099 + - attack.t1551.006 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml index 7eca151e289..921c558eb6c 100644 --- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml 
@@ -10,6 +10,7 @@ modified: 2019/11/13 tags: - attack.lateral_movement - attack.t1208 + - attack.t1558.003 logsource: product: windows service: security @@ -23,7 +24,7 @@ detection: - '\opera.exe' - '\chrome.exe' - '\firefox.exe' - condition: selection and not filter + condition: selection and not filter falsepositives: - Other browsers level: high diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml index 15a9188457b..9084a2cb6bb 100644 --- a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +++ b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml @@ -8,6 +8,9 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.002 + - attack.t1003.001 + - attack.t1003.003 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml index 319250a10ec..3bea7e2adc6 100644 --- a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml 
@@ -1,7 +1,6 @@ title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54 -description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege - privilege set. Possible Rubeus tries to get a handle to LSA. +description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. status: experimental references: - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 @@ -9,6 +8,7 @@ tags: - attack.lateral_movement - attack.privilege_escalation - attack.t1208 + - attack.t1558.003 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 logsource: @@ -18,7 +18,7 @@ detection: selection: - EventID: 4673 Service: 'LsaRegisterLogonProcess()' - Keywords: '0x8010000000000000' #failure + Keywords: '0x8010000000000000' #failure condition: selection falsepositives: - Unkown diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml index e993a8d4fd1..9d3ae187fe2 100644 --- a/rules/windows/builtin/win_user_driver_loaded.yml +++ b/rules/windows/builtin/win_user_driver_loaded.yml @@ -8,6 +8,7 @@ references: tags: - attack.t1089 - attack.defense_evasion + - attack.t1562.001 date: 2019/04/08 author: xknow (@xknow_infosec), xorxes (@xor_xes) logsource: diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml index 528548545d0..168d357ee94 100644 --- a/rules/windows/malware/av_password_dumper.yml +++ b/rules/windows/malware/av_password_dumper.yml 
@@ -9,11 +9,14 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1558 + - attack.t1003.001 + - attack.t1003.002 logsource: product: antivirus detection: selection: - Signature: + Signature: - "*DumpCreds*" - "*Mimikatz*" - "*PWCrack*" diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index b041fda85d1..11f8eb0ba9c 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml @@ -9,11 +9,12 @@ references: tags: - attack.persistence - attack.t1100 + - attack.t1505.003 logsource: product: antivirus detection: selection: - Signature: + Signature: - "PHP/Backdoor*" - "JSP/Backdoor*" - "ASP/Backdoor*" diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml index 4e7a5888340..0c710eae5be 100644 --- a/rules/windows/malware/win_mal_octopus_scanner.yml +++ b/rules/windows/malware/win_mal_octopus_scanner.yml @@ -6,6 +6,7 @@ references: - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain tags: - attack.t1195 + - attack.t1195.001 author: NVISO date: 2020/06/09 logsource: diff --git a/rules/windows/other/win_defender_bypass.yml b/rules/windows/other/win_defender_bypass.yml index cc4fb5b8668..f70b847e814 100644 --- a/rules/windows/other/win_defender_bypass.yml +++ b/rules/windows/other/win_defender_bypass.yml @@ -6,6 +6,7 @@ references: tags: - attack.defense_evasion - attack.t1089 + - attack.t1562.001 author: "@BarryShooshooga" date: 2019/10/26 logsource: @@ -14,13 +15,13 @@ logsource: definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: selection: - EventID: + EventID: - 4657 - 4656 - 4660 - 4663 ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' condition: selection -falsepositives: +falsepositives: - Intended inclusions by administrator level: high 
diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/win_rare_schtask_creation.yml index 2992ab30cee..1329e32f00c 100644 --- a/rules/windows/other/win_rare_schtask_creation.yml +++ b/rules/windows/other/win_rare_schtask_creation.yml @@ -1,12 +1,12 @@ title: Rare Scheduled Task Creations id: b20f6158-9438-41be-83da-a5a16ac90c2b status: experimental -description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count - function selects tasks with rare names. +description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names. tags: - attack.persistence - attack.t1053 - attack.s0111 + - attack.t1053.005 author: Florian Roth date: 2017/03/17 logsource: diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index 37f10827471..07b87d019ae 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml @@ -10,11 +10,12 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 logsource: product: windows service: powershell detection: - selection: + selection: EventID: - 4103 - 400 diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index d6c42d039a2..4f52faecf0b 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml @@ -9,6 +9,7 @@ references: tags: - attack.defense_evasion - attack.t1146 + - attack.t1551.003 logsource: product: windows service: powershell 
diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_create_local_user.yml index 279826f9601..d479cb48880 100644 --- a/rules/windows/powershell/powershell_create_local_user.yml +++ b/rules/windows/powershell/powershell_create_local_user.yml @@ -1,6 +1,6 @@ title: PowerShell Create Local User id: 243de76f-4725-4f2e-8225-a8a69b15ad61 -status: experimental +status: experimental description: Detects creation of a local user via PowerShell references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md @@ -9,8 +9,9 @@ tags: - attack.t1086 - attack.persistence - attack.t1136 -author: '@ROxPinTeddy' -date: 2020/04/11 + - attack.t1059.001 +author: '@ROxPinTeddy' +date: 2020/04/11 logsource: product: windows service: powershell @@ -19,7 +20,7 @@ detection: EventID: 4104 Message|contains: - 'New-LocalUser' - condition: selection + condition: selection falsepositives: - - Legitimate user creation + - Legitimate user creation level: medium diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml index 9af0feff249..ebd3a1c0c25 100644 --- a/rules/windows/powershell/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_data_compressed.yml @@ -1,8 +1,7 @@ title: Data Compressed - Powershell id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a status: experimental -description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount - of data sent over the network +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 
@@ -15,7 +14,7 @@ logsource: detection: selection: EventID: 4104 - keywords|contains|all: + keywords|contains|all: - '-Recurse' - '|' - 'Compress-Archive' @@ -26,3 +25,4 @@ level: low tags: - attack.exfiltration - attack.t1002 + - attack.t1560 diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml index 8071fcb46cb..d14ef31afd3 100644 --- a/rules/windows/powershell/powershell_downgrade_attack.yml +++ b/rules/windows/powershell/powershell_downgrade_attack.yml @@ -8,6 +8,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1086 + - attack.t1059.001 author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements) date: 2017/03/22 modified: 2020/03/20 @@ -24,4 +25,4 @@ detection: falsepositives: - Penetration Test - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml index 28448cc5853..9a921aa8ce3 100644 --- a/rules/windows/powershell/powershell_exe_calling_ps.yml +++ b/rules/windows/powershell/powershell_exe_calling_ps.yml @@ -8,6 +8,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1086 + - attack.t1059.001 author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 logsource: diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index 04c495efe56..e232d1bf4dd 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -8,6 +8,7 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 logsource: 
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index 1fb45807c77..a0131ff6d5a 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml @@ -8,6 +8,7 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 logsource: diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml index 26074603aa1..e7d075a5670 100644 --- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml @@ -8,6 +8,7 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 author: Alec Costello logsource: product: windows diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml index e2c531b76e5..bf4c81ea03b 100644 --- a/rules/windows/powershell/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml @@ -7,6 +7,7 @@ references: tags: - attack.defense_evasion - attack.t1096 + - attack.t1564.004 author: Sami Ruohonen date: 2018/07/24 logsource: diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index 9b810c4b607..c4c4d5f2622 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml @@ -9,6 +9,7 @@ tags: - attack.execution - attack.credential_access - attack.t1086 + - attack.t1059.001 author: John Lambert (idea), Florian Roth (rule) date: 2017/04/09 logsource: 
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index c955031d0ef..9ca1ffa51e7 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml @@ -7,6 +7,7 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 author: Sean Metcalf (source), Florian Roth (rule) date: 2017/03/05 logsource: diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index 2da0f0f3434..c5b9e3cf25a 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -10,11 +10,12 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 logsource: product: windows service: powershell detection: - selection: + selection: EventID: - 4103 - 400 diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index f705329d05b..fabff88ac07 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -9,6 +9,7 @@ tags: - attack.execution - attack.t1055 - attack.t1086 + - attack.t1059 author: David Ledbetter (shellcode), Florian Roth (rule) date: 2018/11/17 logsource: @@ -18,9 +19,9 @@ logsource: detection: selection: EventID: 4104 - keyword1: + keyword1: - '*AAAAYInlM*' - keyword2: + keyword2: - '*OiCAAAAYInlM*' - '*OiJAAAAYInlM*' condition: selection and keyword1 and keyword2 diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml index cc735186454..6d8fe1b1341 100644 --- a/rules/windows/powershell/powershell_suspicious_download.yml +++ b/rules/windows/powershell/powershell_suspicious_download.yml 
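Review bot: The powershell_shellcode_b64 hunk adds `- attack.t1059` where every other rule in rules/windows/powershell touched by this commit maps the old `attack.t1086` tag to `- attack.t1059.001`. The rule already carries `attack.t1086`, so the PowerShell sub-technique is the consistent replacement; the generic parent looks like a copy error rather than an intentional broadening. Suggest `- attack.t1059.001`.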
@@ -5,6 +5,7 @@ description: Detects suspicious PowerShell download command
tags: - attack.execution - attack.t1086
+ - attack.t1059.001
author: Florian Roth
date: 2017/03/05
modified: 2020/03/25
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
index 6127e1f7688..8f6637ccfa5 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
@@ -5,6 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
tags: - attack.execution - attack.t1086
+ - attack.t1059.001
author: Florian Roth (rule)
date: 2017/03/12
logsource:
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 41b6f78bc6a..bfdbad36f6f 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -5,6 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
tags: - attack.execution - attack.t1086
+ - attack.t1059.001
author: Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index fa90f0eb585..0f2b8c49717 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
@@ -11,6 +11,7 @@ references:
tags: - attack.execution - attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
index fd1378f4944..bc5c334e0da 100644
--- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
@@ -1,10 +1,7 @@
title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: experimental
-description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
- Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
- used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load
- and execute malicious DLLs and/or executables.
+description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
@@ -17,10 +14,10 @@ logsource:
detection:
selection:
EventID: 4104 - keyword1: + keyword1: - '*Set-ItemProperty*' - '*New-Item*' - keyword2: + keyword2: - '*CurrentVersion\Winlogon*' condition: selection and ( keyword1 and keyword2 ) falsepositives:
@@ -29,3 +26,4 @@ level: medium
tags: - attack.persistence - attack.t1004
+ - attack.t1547.004
diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
index fe907c4906b..d4f122923f6 100644
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -7,8 +7,9 @@ tags: - attack.execution - attack.g0016 - attack.t1086
+ - attack.t1059.001
author: Florian Roth
-date: 2018/12/04
+date: 2018/12/04
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_babyshark.yml b/rules/windows/process_creation/win_apt_babyshark.yml
index fe7bc28c57d..cf40e92fd8a 100644
--- a/rules/windows/process_creation/win_apt_babyshark.yml
+++ b/rules/windows/process_creation/win_apt_babyshark.yml
@@ -12,6 +12,9 @@ tags: - attack.t1012 - attack.defense_evasion - attack.t1170
+ - attack.t1218
+ - attack.t1059.003
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
index d3d160ee3e0..d629b49130e 100644
--- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -9,6 +9,7 @@ tags: - attack.credential_access - attack.t1081 - attack.t1003
+ - attack.t1552.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml
index 231f2bb8ba1..ab58aaff714 100644
--- a/rules/windows/process_creation/win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/win_apt_bluemashroom.yml
@@ -7,6 +7,7 @@ references:
tags: - attack.defense_evasion - attack.t1117
+ - attack.t1218.010
author: Florian Roth
date: 2019/10/02
logsource:
@@ -14,7 +15,7 @@ logsource:
product: windows
detection:
selection: - CommandLine: + CommandLine: - '*\regsvr32*\AppData\Local\\*' - '*\AppData\Local\\*,DllEntry*' condition: selection
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index 3e94043ff58..51a72fe6e19 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -9,6 +9,7 @@ tags: - attack.execution - attack.g0045 - attack.t1064
+ - attack.t1059.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
index 8cfc979a52d..2cb176b29b2 100755
--- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -13,6 +13,7 @@ tags: - attack.t1059 - attack.defense_evasion - attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
index a9924f6e8f7..e781f65bb0f 100644
--- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -12,6 +12,7 @@ tags: - attack.t1098 - attack.exfiltration - attack.t1002
+ - attack.t1560
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
index 7f07463703a..299c767e11c 100644
--- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -7,6 +7,7 @@ references:
tags: - attack.defense_evasion - attack.t1036
+ - attack.t1036.005
author: Trent Liffick (@tliffick)
date: 2020/06/03
logsource:
diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml
index 15963070d3d..2124e236e1e 100755
--- a/rules/windows/process_creation/win_apt_sofacy.yml
+++ b/rules/windows/process_creation/win_apt_sofacy.yml
@@ -15,6 +15,7 @@ tags: - attack.defense_evasion - attack.t1085 - car.2013-10-002
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml
index 6969751152c..7bf80dfb587 100644
--- a/rules/windows/process_creation/win_apt_tropictrooper.yml
+++ b/rules/windows/process_creation/win_apt_tropictrooper.yml
@@ -9,6 +9,7 @@ references:
tags: - attack.execution - attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
index c2b7bf877b6..23bfc18238a 100644
--- a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
+++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
@@ -12,6 +12,7 @@ tags: - attack.t1027 - attack.discovery - attack.t1016
+ - attack.t1059.001
author: Florian Roth
date: 2020/05/26
logsource:
diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
index ed6e7b42e3b..ef29cd98984 100644
--- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
+++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
@@ -8,6 +8,7 @@ tags: - attack.defense_evasion - attack.t1073 - attack.g0044
+ - attack.t1574.002
author: Florian Roth, Markus Neis
date: 2020/02/01
logsource:
@@ -15,9 +16,9 @@ logsource:
product: windows
detection:
selection1: - ParentImage|contains: - 'C:\Windows\Temp' - '\hpqhvind.exe' + ParentImage|contains: + 'C:\Windows\Temp' + '\hpqhvind.exe'
Image|startswith: 'C:\ProgramData\DRM'
selection2:
ParentImage|startswith: 'C:\ProgramData\DRM'
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index af5e6122701..47a5b4f7613 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -11,6 +11,7 @@ tags: - attack.t1059 - attack.defense_evasion - attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index ec753dcfd97..048ae435889 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -26,6 +26,7 @@ tags: - attack.defense_evasion - attack.persistence - attack.t1158
+ - attack.t1564.001
falsepositives: - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - msiexec.exe hiding desktop.ini
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
index c01a933cc8d..db1a6be52ac 100644
--- a/rules/windows/process_creation/win_change_default_file_association.yml
+++ b/rules/windows/process_creation/win_change_default_file_association.yml
@@ -1,9 +1,7 @@
title: Change Default File Association
id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
status: experimental
-description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections
- are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc
- utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
@@ -15,9 +13,9 @@ logsource:
detection:
selection:
CommandLine|contains|all:
- - 'cmd'
- - '/c'
- - 'assoc'
+ - 'cmd'
+ - '/c'
+ - 'assoc'
condition: selection
falsepositives: - Admin activity
@@ -33,3 +31,4 @@ level: low
tags: - attack.persistence - attack.t1042
+ - attack.t1546.001
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index 9a880199aea..86b9126f034 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -10,6 +10,7 @@ date: 2019/01/16
tags: - attack.credential_access - attack.t1003
+ - attack.t1003.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index 67f9fe097cd..ffa1d6f5c8a 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -10,6 +10,8 @@ tags: - attack.t1191 - attack.g0069 - car.2019-04-001
+ - attack.t1548.002
+ - attack.t1218
author: Nik Seetharaman
modified: 2019/07/31
date: 2019/01/16
diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml
index 772a615c73d..c1594ad99d7 100644
--- a/rules/windows/process_creation/win_commandline_path_traversal.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml
@@ -9,6 +9,7 @@ references: - https://twitter.com/Oddvarmoe/status/1270633613449723905
tags: - attack.t1059 + - attack.t1059.003 - attack.execution
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
index ead8d17aeec..f1b50d7e412 100644
--- a/rules/windows/process_creation/win_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -8,6 +8,7 @@ tags: - attack.execution - attack.t1196 - attack.defense_evasion
+ - attack.t1218
author: Kyaw Min Thein
date: 2019/08/27
level: critical
diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
index f7b43d2da9b..eb7818e2fd9 100644
--- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
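Review bot: win_cmstp_com_object_access.yml is tagged with the parent `- attack.t1218` although ATT&CK has a dedicated Signed Binary Proxy Execution sub-technique for CMSTP (`- attack.t1218.003`), which is the level of precision the rest of this commit uses (t1218.010 for regsvr32, t1218.011 for rundll32, t1218.005 for mshta). The same generic tag is applied in win_control_panel_item.yml on this line, where `- attack.t1218.002` (Control Panel) is the matching sub-technique, and in win_mshta_spawn_shell.yml further down, where `- attack.t1218.005` would be consistent with win_mshta_javascript.yml in this same commit. Keeping the parent tag is fine where a rule genuinely spans several LOLBins, but these three rules each target one binary by name.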
@@ -13,6 +13,8 @@ tags: - attack.credential_access - attack.t1003 - car.2013-07-001
+ - attack.t1003.002
+ - attack.t1003.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml
index 8c714f371a3..3fca41312e7 100755
--- a/rules/windows/process_creation/win_crime_fireball.yml
+++ b/rules/windows/process_creation/win_crime_fireball.yml
@@ -12,6 +12,7 @@ tags: - attack.t1059 - attack.defense_evasion - attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml
index b499999d856..b7ed701ee5b 100644
--- a/rules/windows/process_creation/win_data_compressed_with_rar.yml
+++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml
@@ -29,4 +29,5 @@ falsepositives:
level: low
tags: - attack.exfiltration
- - attack.t1002
\ No newline at end of file
+ - attack.t1002
+ - attack.t1560
diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml
index 9a480ec0c40..92087ad2530 100644
--- a/rules/windows/process_creation/win_encoded_frombase64string.yml
+++ b/rules/windows/process_creation/win_encoded_frombase64string.yml
@@ -9,6 +9,7 @@ tags: - attack.t1140 - attack.execution - attack.defense_evasion
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_encoded_iex.yml b/rules/windows/process_creation/win_encoded_iex.yml
index 61bff8ab36c..e3740b9b865 100644
--- a/rules/windows/process_creation/win_encoded_iex.yml
+++ b/rules/windows/process_creation/win_encoded_iex.yml
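Review bot: win_data_compressed_with_rar.yml gets the parent `- attack.t1560` although the rule, per its file name and the existing exfiltration tags, is about archiving with the rar utility, for which ATT&CK defines the sub-technique Archive via Utility (`- attack.t1560.001`). The other archive-related rule in this commit, win_apt_judgement_panda_gtr19.yml, is also tagged with the parent only; whether a sub-technique fits there depends on its selection, which is outside the hunk. Also worth noting that this hunk fixes the missing trailing newline on the old last line, which is a good side effect to keep.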
@@ -8,16 +8,17 @@ tags: - attack.t1086 - attack.t1140 - attack.execution
+ - attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains:
- - 'IEX (['
- - 'iex (['
- - 'iex (New'
- - 'IEX (New'
+ CommandLine|base64offset|contains:
+ - 'IEX (['
+ - 'iex (['
+ - 'iex (New'
+ - 'IEX (New'
condition: selection
fields: - CommandLine
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index 1a04a8dda23..6b6e182fae1 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -10,8 +10,9 @@ author: '@neu5ron, Florian Roth'
date: 2019/03/22
tags: - attack.execution
- - attack.t1070
- - car.2016-04-002
+ - attack.t1070
+ - car.2016-04-002
+ - attack.t1551
level: high
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index a8377a19c26..c7a4b601956 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -11,17 +11,18 @@ tags: - attack.credential_access - attack.t1003 - car.2013-07-001
+ - attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image: '*\reg.exe' - CommandLine|contains: + CommandLine|contains: - 'save' - 'export'
selection_2: - CommandLine|contains: + CommandLine|contains: - 'hklm' - 'hkey_local_machine'
selection_3:
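Review bot: The tag added to win_encoded_iex.yml is `- attack.t1059.003` (Windows Command Shell), but the selection in the same hunk matches base64-offset encodings of `IEX (` / `iex (New`, i.e. PowerShell's Invoke-Expression, and the existing `attack.t1086` tag on the rule already identifies it as a PowerShell rule. The PowerShell sub-technique `- attack.t1059.001` is the consistent choice here, and it is what the sibling rule win_encoded_frombase64string.yml receives in the previous hunk. If the intent was to also tag a cmd.exe wrapper the rule detects, that part of the selection is not visible in this hunk.
</gr_ins

ert>

<gr_insert after="46" cat="add_content" lang="yaml" orig="@@ -8,16 +8,17 @@ tags: - attack.t1086">
Review bot: The new `- attack.t1551` tag in win_etw_trace_evasion.yml does not correspond to a technique ID I can locate in the Enterprise ATT&CK matrix, so please double-check it before merging; the same tag is added to win_malware_notpetya.yml later in this commit. Tampering with event tracing or event logging, which is what this rule's name and its existing t1070 tag describe, is covered under Impair Defenses: `- attack.t1562.002` (Disable Windows Event Logging) and `- attack.t1562.006` (Indicator Blocking). The rule's selection is outside the hunk, so the exact sub-technique depends on which command-line patterns it matches.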
@@ -1,7 +1,7 @@
title: Koadic Execution
id: 5cddf373-ef00-4112-ad72-960ac29bac34
status: experimental
-description: Detects command line parameters used by Koadic hack tool
+description: Detects command line parameters used by Koadic hack tool
references: - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/ - https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955
@@ -9,6 +9,7 @@ references:
tags: - attack.execution - attack.t1170
+ - attack.t1218.005
date: 2020/01/12
author: wagga
logsource:
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 9c63c07dd93..df77011c82d 100644
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -9,6 +9,8 @@ tags: - attack.credential_access - attack.t1003 - attack.s0005
+ - attack.t1558
+ - attack.t1558.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml
index bbc69068251..82d1791d77a 100644
--- a/rules/windows/process_creation/win_hh_chm.yml
+++ b/rules/windows/process_creation/win_hh_chm.yml
@@ -12,6 +12,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1223
+ - attack.t1218.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
index 6129c97a2bc..aaecdcbd23d 100644
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -9,6 +9,7 @@ date: 2019/12/22
tags: - attack.credential_access - attack.t1003
+ - attack.t1003.001
falsepositives: - Unknown
level: high
diff --git a/rules/windows/process_creation/win_html_help_spawn.yml b/rules/windows/process_creation/win_html_help_spawn.yml
index ed18c5c0f4d..ce841312062 100644
--- a/rules/windows/process_creation/win_html_help_spawn.yml
+++ b/rules/windows/process_creation/win_html_help_spawn.yml
@@ -11,6 +11,7 @@ tags: - attack.execution - attack.defense_evasion - attack.t1223
+ - attack.t1218.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml
index d9002353e17..24a96f3e6f8 100644
--- a/rules/windows/process_creation/win_hwp_exploits.yml
+++ b/rules/windows/process_creation/win_hwp_exploits.yml
@@ -16,6 +16,7 @@ tags: - attack.t1202 - attack.t1193 - attack.g0032
+ - attack.t1566.001
author: Florian Roth
date: 2019/10/24
logsource:
diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml
index 52149935ea0..c56855d6950 100644
--- a/rules/windows/process_creation/win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/win_impacket_lateralization.yml
@@ -53,6 +53,7 @@ tags: - attack.lateral_movement - attack.t1047 - attack.t1175
+ - attack.t1021
falsepositives: - pentesters
level: critical
diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
index e04fb3128a5..34f7d609274 100644
--- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
@@ -8,6 +8,7 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1015
+ - attack.t1546.008
author: Florian Roth
date: 2019/09/06
logsource:
@@ -27,4 +28,4 @@ detection:
falsepositives: - Penetration Tests
level: high
-
+
diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml
index 3c7e0009d0b..b28ba32e2ab 100644
--- a/rules/windows/process_creation/win_interactive_at.yml
+++ b/rules/windows/process_creation/win_interactive_at.yml
@@ -11,6 +11,7 @@ modified: 2019/11/11
tags: - attack.privilege_escalation - attack.t1053
+ - attack.t1053.002
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index 80496bc9cd5..331c64c0b38 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -8,6 +8,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1170
+ - attack.t1218.005
author: Markus Neis
date: 2018/06/07
logsource:
diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml
index 7514fe9c4e5..de0ee64e4aa 100644
--- a/rules/windows/process_creation/win_lsass_dump.yml
+++ b/rules/windows/process_creation/win_lsass_dump.yml
@@ -1,7 +1,6 @@
title: LSASS Memory Dumping
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
-description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe
- to export the memory space of lsass.exe which contains sensitive credentials.
+description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
@@ -13,6 +12,7 @@ references:
tags: - attack.credential_access - attack.t1003
+ - attack.t1003.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index 68cea191f7b..d7f30acc0b2 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -12,6 +12,7 @@ modified: 2018/12/11
tags: - attack.execution - attack.t1064
+ - attack.t1059.005
detection:
condition: selection
level: high
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index d294395c69b..10ecc8a76f4 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -1,8 +1,7 @@
title: NotPetya Ransomware Activity
id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
status: experimental
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive
- C is deleted and windows eventlogs are cleared using wevtutil
+description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
author: Florian Roth, Tom Ueltschi
date: 2019/01/16
references:
@@ -16,6 +15,8 @@ tags: - attack.t1070 - attack.t1003 - car.2016-04-002
+ - attack.t1218.011
+ - attack.t1551
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index 251a3a0a6fa..0dda13608c8 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -8,6 +8,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1064
+ - attack.t1059.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml
index 11b6aa84dec..90ab5245776 100644
--- a/rules/windows/process_creation/win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/win_mimikatz_command_line.yml
@@ -8,6 +8,10 @@ references:
tags: - attack.credential_access - attack.t1003
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.001
+ - attack.t1003.006
logsource:
category: process_creation
product: windows
@@ -30,8 +34,7 @@ detection:
selection_3:
CommandLine|contains: - '::'
- condition: selection_1 or
- selection_2 and selection_3
+ condition: selection_1 or selection_2 and selection_3
falsepositives: - Legitimate Administrator using tool for password recovery
level: medium
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml
index bf207bebff6..dc0dfb5a4e5 100644
--- a/rules/windows/process_creation/win_mmc_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -7,6 +7,10 @@ date: 2019/08/05
tags: - attack.lateral_movement - attack.t1175
+ - attack.t1059.004
+ - attack.t1059.005
+ - attack.t1059.003
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
index a52c88d11e4..62b7d608440 100644
--- a/rules/windows/process_creation/win_mshta_javascript.yml
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
@@ -12,6 +12,7 @@ tags: - attack.execution - attack.defense_evasion - attack.t1170
+ - attack.t1218.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index 3909f7213c0..f6900f53281 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
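Review bot: The re-joined `condition: selection_1 or selection_2 and selection_3` in win_mimikatz_command_line.yml relies on `and` binding tighter than `or`, so it evaluates as `selection_1 or (selection_2 and selection_3)`; the old two-line form made that easy to misread and the single-line form still leaves the grouping implicit. Writing it as `condition: selection_1 or (selection_2 and selection_3)` removes the ambiguity for readers and for any backend that handles precedence differently. The definitions of selection_1 and selection_2 start outside the hunk, so I cannot confirm that this grouping is the one the rule intends rather than `(selection_1 or selection_2) and selection_3`.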
@@ -33,6 +33,7 @@ tags: - car.2013-02-003 - car.2013-03-001 - car.2014-04-003
+ - attack.t1218
falsepositives: - Printer software / driver installations - HP software
diff --git a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
index f2fc0607cdc..def36dc73c1 100644
--- a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
+++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
@@ -1,5 +1,5 @@
title: Netsh RDP Port Opening
-id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
+id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
references: - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
@@ -7,6 +7,7 @@ date: 2020/05/23
tags: - attack.command_and_control - attack.t1076
+ - attack.t1021.001
status: experimental
author: Sander Wiebing
logsource:
diff --git a/rules/windows/process_creation/win_new_service_creation.yml b/rules/windows/process_creation/win_new_service_creation.yml
index 67d6ae36fa0..59ee60417a4 100644
--- a/rules/windows/process_creation/win_new_service_creation.yml
+++ b/rules/windows/process_creation/win_new_service_creation.yml
@@ -9,6 +9,7 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1050
+ - attack.t1543.003
references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml
logsource:
@@ -16,12 +17,12 @@ logsource:
product: windows
detection:
selection: - - Image|endswith: '\sc.exe' - CommandLine|contains|all: + - Image|endswith: '\sc.exe' + CommandLine|contains|all: - 'create' - 'binpath' - - Image|endswith: '\powershell.exe' - CommandLine|contains: 'new-service' + - Image|endswith: '\powershell.exe' + CommandLine|contains: 'new-service'
condition: selection
falsepositives: - Legitimate administrator or user creates a service for legitimate reason
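Review bot: win_netsh_allow_port_rdp.yml gains `- attack.t1021.001` (Remote Desktop Protocol), but what the rule actually observes, per its own description, is a netsh command that opens port 3389 in the host firewall; that action is Impair Defenses: Disable or Modify System Firewall, `- attack.t1562.004`, and is usually tagged as defense evasion rather than as the RDP lateral-movement technique it merely prepares. Keeping t1021.001 as a secondary tag is reasonable, but t1562.004 is the technique the detection evidence supports. The rule's selection is outside the hunk, so this is inferred from the description line shown.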
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 0333dde0099..7855ea3a8a5 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -10,11 +10,12 @@ references:
tags: - attack.execution - attack.t1086
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
- selection:
+ selection:
Image|endswith: '\powershell.exe'
filter:
ParentImage|endswith: '\explorer.exe'
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index aa29383e95e..537def0332f 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -12,6 +12,7 @@ tags: - attack.t1202 - car.2013-02-003 - car.2014-04-003
+ - attack.t1059.003
author: Michael Haag, Florian Roth, Markus Neis
date: 2018/04/06
logsource:
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 5d8a803584d..64c87d03495 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -11,6 +11,7 @@ tags: - attack.s0013 - attack.defense_evasion - attack.t1073
+ - attack.t1574.002
logsource:
category: process_creation
product: windows
@@ -84,10 +85,7 @@ detection: - '*\Windows Kit*' - '*\Windows Resource Kit\\*' - '*\Microsoft.NET\\*' - condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) - or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc - ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview - and not filter_oleview ) or ( selection_rc and not filter_rc ) + condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc ) fields: - CommandLine - ParentCommandLine
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 65b988f852d..b0b0853a4b0 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -13,6 +13,7 @@ tags: - attack.t1121 - attack.t1127 - attack.t1170 + - attack.t1218 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
index 0211555b799..335aadc3aa6 100644
--- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml
+++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
@@ -9,6 +9,7 @@ tags: - attack.execution - attack.defense_evasion - attack.t1086 + - attack.t1059.001 author: Markus Neis date: 2018/08/17 logsource:
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index 4cb036d6070..1e8ff007cc5 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
@@ -8,6 +8,7 @@ tags: - attack.execution - attack.t1086 - car.2014-04-003 + - attack.t1059.001 author: Markus Neis date: 2018/08/25 logsource:
diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
index d9781724afc..12a8b95073e 100644
--- a/rules/windows/process_creation/win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
@@ -1,8 +1,8 @@ title: PowerShell Downgrade Attack id: b3512211-c67e-4707-bedc-66efc7848863 related: - - id: 6331d09b-4785-4c13-980f-f96661356249 - type: derived + - id: 6331d09b-4785-4c13-980f-f96661356249 + type: derived status: experimental description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 references:
@@ -11,6 +11,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1086 + - attack.t1059.001 author: Harish Segar (rule) date: 2020/03/20 falsepositives:
@@ -22,12 +23,12 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - ' -version 2 ' - ' -versio 2 ' - ' -versi 2 ' - ' -vers 2 ' - ' -ver 2 ' - - ' -ve 2 ' + - ' -ve 2 ' Image|endswith: '\powershell.exe' condition: selection
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index 83b93e1337a..813a45bfd5d 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -7,6 +7,7 @@ date: 2019/01/16 tags: - attack.t1086 - attack.execution + - attack.t1059.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
index 41a0f1cdc2c..1410005997d 100644
--- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
@@ -7,6 +7,7 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) date: 2019/01/16 logsource:
diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml
index c7d39c9527f..150a13e788b 100644
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml
@@ -7,6 +7,7 @@ date: 2018/09/05 tags: - attack.execution - attack.t1086 + - attack.t1059.001 detection: selection: CommandLine:
diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index e6f689cacff..a3094b5bf07 100644
--- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
@@ -31,6 +31,8 @@ tags: - attack.g0022 - attack.g0060 - car.2013-08-001 + - attack.t1053.005 + - attack.t1059.001 falsepositives: - False positives are possible, depends on organisation and processes level: high
diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index 88e15976c97..5d85fbdf70b 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
@@ -12,6 +12,7 @@ tags: - attack.credential_access - attack.t1003 - car.2013-05-009 + - attack.t1003.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml
index 5c77a450ee6..a2c3dbf17fe 100644
--- a/rules/windows/process_creation/win_psexesvc_start.yml
+++ b/rules/windows/process_creation/win_psexesvc_start.yml
@@ -8,12 +8,13 @@ tags: - attack.execution - attack.t1035 - attack.s0029 + - attack.t1569.002 logsource: category: process_creation product: windows detection: selection: - CommandLine: C:\Windows\PSEXESVC.exe + CommandLine: C:\Windows\PSEXESVC.exe condition: selection falsepositives: - Administrative activity
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index cdd0ce0d5ff..5509721e286 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -10,6 +10,7 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
index b4a03177cca..eaa76e6c74b 100644
--- a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
+++ b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
@@ -9,6 +9,7 @@ date: 2019/10/30 tags: - attack.defense_evasion - attack.t1096 + - attack.t1564.004 logsource: category: process_creation product: windows
@@ -16,9 +17,9 @@ detection: selection: ParentImage|endswith: '\powershell.exe' Image|endswith: '\powershell.exe' - CommandLine|contains|all: - - 'Get-Content' - - '-Stream' + CommandLine|contains|all: + - 'Get-Content' + - '-Stream' condition: selection falsepositives: - Unknown
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index 1509516e8bb..b98a0c8669b 100644
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -7,6 +7,7 @@ references: tags: - attack.persistence - attack.t1138 + - attack.t1546.011 author: Markus Neis date: 2019/01/16 logsource:
diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml
index 865e7a22677..72b3903f697 100644
--- a/rules/windows/process_creation/win_service_execution.yml
+++ b/rules/windows/process_creation/win_service_execution.yml
@@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: + Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
@@ -23,3 +23,4 @@ level: low tags: - attack.execution - attack.t1035 + - attack.t1569.002
diff --git a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
index 17c6d56d976..45149619b25 100644
--- a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
+++ b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
@@ -8,14 +8,16 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.002 + - attack.t1003.003 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains|all: - - mklink - - HarddiskVolumeShadowCopy + CommandLine|contains|all: + - mklink + - HarddiskVolumeShadowCopy condition: selection falsepositives: - Legitimate administrator working with shadow copies, access for backup purposes
diff --git a/rules/windows/process_creation/win_shadow_copies_creation.yml b/rules/windows/process_creation/win_shadow_copies_creation.yml
index 828c54a5a6c..578c1ba118c 100644
--- a/rules/windows/process_creation/win_shadow_copies_creation.yml
+++ b/rules/windows/process_creation/win_shadow_copies_creation.yml
@@ -9,6 +9,8 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.002 + - attack.t1003.003 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index 43bdfd90cc3..d017b359689 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
@@ -15,6 +15,7 @@ tags: - attack.impact - attack.t1070 - attack.t1490 + - attack.t1551 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
index 1a77be480f8..17968c3b42a 100644
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
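Review bot: `attack.t1551`, added here to win_shadow_copies_deletion and in later hunks to win_susp_bcdedit, win_susp_eventlog_clear and win_susp_fsutil_usage, does not appear to be a published ID in the released sub-technique version of ATT&CK; Indicator Removal on Host kept its T1070 number there, with sub-techniques such as T1070.001 (Clear Windows Event Logs). If the number was taken from the pre-release beta crosswalk it should be re-checked against the current matrix before merge, since downstream tag consumers will not resolve an unknown technique. For the event-log rule the precise replacement would be `- attack.t1070.001`; for this rule the existing `attack.t1070` and `attack.t1490` tags already cover the behaviour, so the new line could simply be dropped.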
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
@@ -11,6 +11,8 @@ tags: - attack.execution - attack.defense_evasion - attack.t1064 + - attack.t1059.005 + - attack.t1059.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml
index 21638ae3533..7bc87568828 100644
--- a/rules/windows/process_creation/win_spn_enum.yml
+++ b/rules/windows/process_creation/win_spn_enum.yml
@@ -9,6 +9,7 @@ date: 2018/11/14 tags: - attack.credential_access - attack.t1208 + - attack.t1558.003 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index 47b52713259..7b74bef443e 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -11,6 +11,8 @@ tags: - attack.t1070 - attack.persistence - attack.t1067 + - attack.t1551 + - attack.t1542.003 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
index 92445f877b9..64efc023a51 100644
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -1,8 +1,7 @@ title: Command Line Execution with Suspicious URL and AppData Strings id: 1ac8666b-046f-4201-8aba-1951aaec03a3 status: experimental -description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs - > powershell) +description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) references: - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
@@ -11,6 +10,8 @@ date: 2019/01/16 tags: - attack.execution - attack.t1059 + - attack.t1059.005 + - attack.t1059.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml
index e3e5c980905..cb5a3cc9b4a 100644
--- a/rules/windows/process_creation/win_susp_compression_params.yml
+++ b/rules/windows/process_creation/win_susp_compression_params.yml
@@ -8,6 +8,7 @@ tags: - attack.exfiltration - attack.t1020 - attack.t1002 + - attack.t1560 author: Florian Roth, Samir Bousseaden date: 2019/10/15 logsource:
diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
index bcab5a8ec35..be58a43a7f8 100644
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
@@ -26,6 +26,7 @@ fields: tags: - attack.credential_access - attack.t1003 + - attack.t1003.001 falsepositives: - unknown level: medium
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index 00eaf7a644e..cc04903136b 100644
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -11,6 +11,8 @@ tags: - attack.t1073 - attack.t1085 - car.2013-10-002 + - attack.t1218 + - attack.t1574.002 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index 6d56fec2f6a..10b5661323b 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -2,22 +2,23 @@ title: Copy from Admin Share id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 status: experimental description: Detects a suspicious copy command from a remote C$ or ADMIN$ share -references: - - https://twitter.com/SBousseaden/status/1211636381086339073 +references: + - https://twitter.com/SBousseaden/status/1211636381086339073 author: Florian Roth date: 2019/12/30 tags: - attack.lateral_movement - attack.t1077 - attack.t1105 + - attack.t1021 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: - - 'copy *\c$' - - 'copy *\ADMIN$' + CommandLine|contains: + - 'copy *\c$' + - 'copy *\ADMIN$' condition: selection fields: - CommandLine
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
index 8f0f92a6f1a..b73909f71c7 100644
--- a/rules/windows/process_creation/win_susp_covenant.yml
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@@ -9,6 +9,7 @@ date: 2020/06/04 tags: - attack.execution - attack.t1086 + - attack.t1059.001 logsource: category: process_creation product: windows
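Review bot: `attack.t1218` is added to win_susp_control_dll_load as the parent technique, while the two rundll32 rules in this same commit get the specific sub-technique `attack.t1218.011`; the granularity should be the same across the set, because technique-level coverage reports count a parent tag and a sub-technique tag differently. For this rule, which by its file name targets control.exe DLL loads, the matching sub-technique would be `- attack.t1218.002` (Control Panel); win_susp_regsvr32_anomalies in a later hunk would take `- attack.t1218.010` (Regsvr32) and win_uac_cmstp `- attack.t1218.003` (CMSTP). win_possible_applocker_bypass, which spans several signed binaries, is the one place where the parent-level `attack.t1218` is the right choice.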
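Review bot: `attack.t1021` on win_susp_copy_lateral_movement is the parent Remote Services technique, but the selection matches `copy *\c$` and `copy *\ADMIN$`, which is exactly the sub-technique T1021.002 (SMB/Windows Admin Shares), so `- attack.t1021.002` would be the precise tag. The commit already uses the sub-technique form for RDP in win_netsh_allow_port_rdp (`attack.t1021.001`), and win_susp_tscon_rdp_redirect in a later hunk would likewise take `- attack.t1021.001` rather than the bare `- attack.t1021`. The parent-level tag is reasonable only for win_susp_net_execution, where net.exe use is not tied to a single remote service.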
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
index ed8904ba238..98071a310a0 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -9,6 +9,8 @@ tags: - attack.t1047 - attack.t1053 - attack.t1086 + - attack.t1059.003 + - attack.t1059.001 author: Thomas Patzke date: 2020/05/22 logsource:
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
index 0d94370385b..20bb2c1326c 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
@@ -10,6 +10,7 @@ tags: - attack.t1086 - attack.defense_evasion - attack.t1027 + - attack.t1059.001 author: Thomas Patzke date: 2020/05/22 logsource:
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index fb2a5fdf24d..9752e5ffab8 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -13,17 +13,18 @@ modified: 2019/12/17 tags: - attack.defense_evasion - attack.t1500 + - attack.t1027 logsource: category: process_creation product: windows detection: selection: Image: '*\csc.exe' - CommandLine: + CommandLine: - '*\AppData\\*' - '*\Windows\Temp\\*' filter: - ParentImage: + ParentImage: - 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897 - '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 - '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
index 3a6bf756101..490884fecab 100644
--- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
+++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
@@ -7,6 +7,7 @@ references: tags: - attack.persistence - attack.t1060 + - attack.t1547.001 date: 2019/10/25 modified: 2019/11/10 author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml
index 95a5a0e3c7e..8b6ca56aa17 100644
--- a/rules/windows/process_creation/win_susp_double_extension.yml
+++ b/rules/windows/process_creation/win_susp_double_extension.yml
@@ -1,7 +1,6 @@ title: Suspicious Double Extension id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 -description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable - file in spear phishing campaigns +description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns references: - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html - https://twitter.com/blackorbird/status/1140519090961825792
@@ -10,12 +9,13 @@ date: 2019/06/26 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: category: process_creation product: windows detection: selection: - Image: + Image: - '*.doc.exe' - '*.docx.exe' - '*.xls.exe'
@@ -28,6 +28,6 @@ detection: - '* .exe' - '*______.exe' condition: selection -falsepositives: +falsepositives: - Unknown level: critical
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index 8100a2e4c75..b0e27546a5b 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -11,6 +11,7 @@ tags: - attack.defense_evasion - attack.t1070 - car.2016-04-002 + - attack.t1551 level: high logsource: category: process_creation
@@ -19,14 +20,14 @@ detection: selection_wevtutil_binary: Image|endswith: '\wevtutil.exe' selection_wevtutil_command: - CommandLine|contains: + CommandLine|contains: - 'clear-log' # clears specified log - ' cl ' # short version of 'clear-log' - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size - ' sl ' # short version of 'set-log' selection_other_ps: Image|endswith: '\powershell.exe' - CommandLine|contains: + CommandLine|contains: - 'Clear-EventLog' - 'Remove-EventLog' - 'Limit-EventLog'
diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
index be5af6256c6..8398dc4ca0c 100644
--- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
@@ -7,6 +7,7 @@ date: 2019/01/16 tags: - attack.persistence - attack.t1100 + - attack.t1505.003 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml
index 8243fe88737..cb900eee147 100644
--- a/rules/windows/process_creation/win_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/win_susp_file_characteristics.yml
@@ -12,6 +12,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1064 + - attack.t1059.006 logsource: product: windows category: process_creation
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml
index e204a9d7ebb..e7a3d0c9a55 100644
--- a/rules/windows/process_creation/win_susp_fsutil_usage.yml
+++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml
@@ -12,6 +12,7 @@ references: tags: - attack.defense_evasion - attack.t1070 + - attack.t1551 logsource: category: process_creation product: windows
@@ -21,7 +22,7 @@ detection: binary_2: OriginalFileName: 'fsutil.exe' selection: - CommandLine|contains: + CommandLine|contains: - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size condition: (1 of binary_*) and selection
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index e9fbbc95466..1fd19502998 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -7,6 +7,7 @@ references: tags: - attack.defense_evasion - attack.t1073 + - attack.t1574.002 author: Florian Roth date: 2019/02/06 logsource:
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index d9b0a18e94e..7970eaf4e6d 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -9,6 +9,7 @@ date: 2012/12/11 tags: - attack.persistence - attack.t1100 + - attack.t1505.003 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index fa11306c4b6..21f8f346b21 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -18,6 +18,7 @@ tags: - attack.lateral_movement - attack.discovery - attack.defense_evasion + - attack.t1021 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
index 885268c5027..102e607b955 100644
--- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
+++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
@@ -7,12 +7,13 @@ references: tags: - attack.persistence - attack.t1128 + - attack.t1546.007 date: 2019/10/25 modified: 2019/10/25 author: Victor Sergeev, oscd.community logsource: category: process_creation - product: windows + product: windows detection: selection: Image|endswith: '\netsh.exe'
diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml
index a8c2f6fd357..ba0e49e3b87 100644
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml
+++ b/rules/windows/process_creation/win_susp_ntdsutil.yml
@@ -9,6 +9,7 @@ date: 2019/01/16 tags: - attack.credential_access - attack.t1003 + - attack.t1003.003 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml
index b841940b7ae..19a11004557 100644
--- a/rules/windows/process_creation/win_susp_outlook_temp.yml
+++ b/rules/windows/process_creation/win_susp_outlook_temp.yml
@@ -7,6 +7,7 @@ date: 2019/10/01 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
index a45c48015c2..1097603f8b9 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
@@ -10,8 +10,9 @@ references: author: Florian Roth date: 2019/04/20 tags: - - attack.execution - - attack.t1086 + - attack.execution + - attack.t1086 + - attack.t1059.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
index 0d662e28cce..493e7220dd8 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
@@ -24,6 +24,7 @@ tags: - attack.privilege_escalation - attack.t1088 - car.2019-04-001 + - attack.t1548.002 falsepositives: - unknown level: critical
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index e6ccc632feb..feb5a72dcdf 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -8,8 +8,9 @@ author: Florian Roth, Markus Neis date: 2018/09/03 modified: 2019/12/16 tags: - - attack.execution - - attack.t1086 + - attack.execution + - attack.t1086 + - attack.t1059.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index 7da4d36d5d7..417c37dcf5a 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -7,6 +7,7 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 author: John Lambert (rule) date: 2019/01/16 logsource:
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index 32e9e29699c..dfb15868a98 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
@@ -9,6 +9,7 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml
index a450ce4b312..bfa3d6ff10a 100644
--- a/rules/windows/process_creation/win_susp_procdump.yml
+++ b/rules/windows/process_creation/win_susp_procdump.yml
@@ -13,6 +13,7 @@ tags: - attack.credential_access - attack.t1003 - car.2013-05-009 + - attack.t1003.001 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml
index b4663c8f7e7..13c16b3acfa 100644
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@@ -8,6 +8,7 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 author: Florian Roth date: 2019/01/09 logsource:
diff --git a/rules/windows/process_creation/win_susp_ps_downloadfile.yml b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
index 5fe3001d25b..f2440a8ae06 100644
--- a/rules/windows/process_creation/win_susp_ps_downloadfile.yml
+++ b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
@@ -9,12 +9,13 @@ date: 2020/03/25 tags: - attack.execution - attack.t1086 + - attack.t1059.001 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'powershell' - '.DownloadFile' - 'System.Net.WebClient'
diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
index 6a4b023342b..e995962874e 100644
--- a/rules/windows/process_creation/win_susp_rasdial_activity.yml
+++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml
@@ -10,6 +10,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1064 + - attack.t1059 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index ce51e4b7bcf..a19bdbf7d60 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -12,6 +12,7 @@ tags: - attack.execution - car.2019-04-002 - car.2019-04-003 + - attack.t1218 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index c388da171c3..a7dedd202ff 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -10,6 +10,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1085 + - attack.t1218.011 author: juju4 date: 2019/01/16 logsource:
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index 44f830c92d3..0867f34b855 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -10,6 +10,7 @@ tags: - attack.defense_evasion - attack.execution - attack.t1085 + - attack.t1218.011 author: Florian Roth date: 2019/10/22 logsource:
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 7c2d3fa6e0a..9a33912af6c 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -24,6 +24,7 @@ tags: - attack.t1053 - attack.s0111 - car.2013-08-001 + - attack.t1053.005 falsepositives: - Administrative activity - Software installation
diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml
index 2404edc44cf..2e7ad48da8b 100644
--- a/rules/windows/process_creation/win_susp_script_execution.yml
+++ b/rules/windows/process_creation/win_susp_script_execution.yml
@@ -7,6 +7,7 @@ date: 2019/01/16 tags: - attack.execution - attack.t1064 + - attack.t1059.005 logsource: category: process_creation product: windows
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml
index 6a3dbabd4e0..6e6504ba3d1 100644
--- a/rules/windows/process_creation/win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@@ -7,6 +7,7 @@ references: tags: - attack.persistence - attack.t1031 + - attack.t1543.003 date: 2019/10/21 modified: 2019/11/10 author: Victor Sergeev, oscd.community
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index dceac89d8f6..fb2f5d65ef3 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -10,6 +10,7 @@ tags: - attack.privilege_escalation - attack.t1076 - car.2013-07-002 + - attack.t1021 author: Florian Roth date: 2018/03/17 modified: 2018/12/11
diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml
index dfe043a892f..e7844c4fe2f 100644
--- a/rules/windows/process_creation/win_task_folder_evasion.yml
+++ b/rules/windows/process_creation/win_task_folder_evasion.yml
@@ -1,8 +1,8 @@
 title: Tasks Folder Evasion
 id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
 status: experimental
-description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-references:
+description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
+references:
 - https://twitter.com/subTee/status/1216465628946563073
 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
 date: 2020/01/13
@@ -13,6 +13,7 @@ tags:
 - attack.t1059
 - attack.defense_evasion
 - attack.persistence
+ - attack.t1059.005
 logsource:
 product: Windows
 detection:
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
index b10c9195b56..1c234bfebd1 100644
--- a/rules/windows/process_creation/win_uac_cmstp.yml
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
@@ -13,13 +13,15 @@ tags:
 - attack.execution
 - attack.t1191
 - attack.t1088
+ - attack.t1548.002
+ - attack.t1218
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
 Image|endswith: '\cmstp.exe'
- CommandLine|contains:
+ CommandLine|contains:
 - '/s'
 - '/au'
 condition: selection
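Review bot: The tags hunk of win_task_folder_evasion sits directly above a `logsource:` that has only `product: Windows` — capitalised, unlike the lowercase `product: windows` used by every other rule in this diff, and with no `category: process_creation` even though the file lives under process_creation. Backend configs match logsource values as plain strings, so this rule may not pick up the process_creation field mapping at all; since the file is being edited, I'd change it to `  product: windows` and add `  category: process_creation` in the same stanza. The detection block itself starts after the hunk, so I cannot confirm which fields it relies on.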
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
index d3ce1690a2b..31f1181daed 100644
--- a/rules/windows/process_creation/win_uac_fodhelper.yml
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
@@ -11,6 +11,7 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.t1088
+ - attack.t1548.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml
index 1296b8e47da..ff41e342f3f 100644
--- a/rules/windows/process_creation/win_uac_wsreset.yml
+++ b/rules/windows/process_creation/win_uac_wsreset.yml
@@ -10,6 +10,7 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.t1088
+ - attack.t1548.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index fc41f0f55d0..1437d0a686e 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -10,6 +10,7 @@ tags:
 - attack.privilege_escalation
 - attack.persistence
 - attack.t1100
+ - attack.t1505.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 0f119262515..3d5888fe1c4 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -30,6 +30,7 @@ tags:
 - attack.privilege_escalation
 - attack.persistence
 - attack.t1100
+ - attack.t1505.003
 falsepositives:
 - Particular web applications may spawn a shell process legitimately
 level: high
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 555c7132554..312fb4cd433 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -21,4 +21,5 @@ tags:
 - attack.execution
 - attack.t1053
 - car.2013-08-001
+ - attack.t1053.005
 level: high
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index 0d5761e9c8d..b5fa97cb7e9 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -13,8 +13,9 @@ logsource:
 tags:
 - attack.persistence
 - attack.t1084
+ - attack.t1546.003
 detection:
- selection:
+ selection:
 ParentImage: '*\EdgeTransport.exe'
 condition: selection
 falsepositives:
diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
index abe55079f0c..91a69ec6736 100644
--- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
@@ -11,6 +11,7 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1064
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_wsreset_uac_bypass.yml b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
index 02d0398ed26..61622933d4b 100644
--- a/rules/windows/process_creation/win_wsreset_uac_bypass.yml
+++ b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
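Review bot: `attack.t1546.003` (WMI Event Subscription) is added as the sub-technique successor of `attack.t1084` in win_wmi_backdoor_exchange_transport_agent, but the only selection visible in this hunk is `ParentImage: '*\EdgeTransport.exe'`, i.e. the rule observes child processes of the Exchange transport service, not WMI activity. If the migration is meant to describe what the rule actually detects rather than mechanically translate the old tag, the Server Software Component sub-technique for transport agents (T1505.002, to be confirmed against the current matrix) fits the visible selection better and could be added alongside. The description and title lie outside the hunk, so I cannot tell whether the WMI wording there refers to a specific incident the rule was written for.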
@@ -1,7 +1,7 @@
 title: Wsreset UAC Bypass
 id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
 status: experimental
-description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
+description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
 - https://www.activecyber.us/activelabs/windows-uac-bypass
@@ -12,6 +12,7 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1088
+ - attack.t1548.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
index 067cd37097e..da710320d32 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
@@ -10,17 +10,18 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 logsource:
 product: windows
 service: sysmon
 detection:
- selection:
+ selection:
 EventID: 17
 PipeName|startswith: '\PSHost'
 filter:
 Image|endswith:
- - '\powershell.exe'
- - '\powershell_ise.exe'
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
 condition: selection and not filter
 fields:
 - ComputerName
diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 3bb4c1aae3b..f5b6e57dd4f 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -10,6 +10,7 @@ references:
 tags:
 - attack.command_and_control
 - attack.t1071
+ - attack.t1071.004
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml b/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml
index 09e94d15624..72f08c5eda7 100644
--- a/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.persistence
 - attack.t1060
+ - attack.t1547.001
 date: 2019/10/21
 modified: 2019/11/10
 author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
diff --git a/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml b/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
index f91ffabce9d..5e05ea71bca 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
@@ -2,8 +2,7 @@ title: Credentials Dumping Tools Accessing LSASS Memory
 id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
 status: experimental
 description: Detects process access LSASS memory which is typical for credentials dumping tools
-author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
- oscd.community (update)
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
 date: 2017/02/16
 modified: 2019/11/08
 references:
@@ -16,6 +15,7 @@ tags:
 - attack.s0002
 - attack.credential_access
 - car.2019-04-004
+ - attack.t1003.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
index 4ea0955c918..6a76bfa6ed1 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
@@ -9,20 +9,23 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.002
+ - attack.t1003.001
+ - attack.t1003.003
 logsource:
 product: windows
 service: sysmon
 detection:
 selection:
 EventID: 11
- TargetFilename|contains:
+ TargetFilename|contains:
 - '\pwdump'
 - '\kirbi'
 - '\pwhashes'
 - '\wce_ccache'
 - '\wce_krbtkts'
 - '\fgdump-log'
- TargetFilename|endswith:
+ TargetFilename|endswith:
 - '\test.pwd'
 - '\lsremora64.dll'
 - '\lsremora.dll'
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
index f0036118085..78c45714f2b 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
@@ -8,6 +8,9 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.006
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
index 3432e7c236d..0375f26792d 100644
--- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
@@ -1,8 +1,7 @@
 title: DHCP Callout DLL Installation
 id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
 status: experimental
-description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the
- DHCP server (restart required)
+description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
 references:
 - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
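Review bot: The three sub-technique tags added to sysmon_cred_dump_tools_dropped_files are inserted as `.002`, `.001`, `.003`; listing them in order (`  - attack.t1003.001`, `  - attack.t1003.002`, `  - attack.t1003.003`) keeps the tag list greppable and avoids churn when another sub-technique is appended later. sysmon_mimikatz_inmemory_detection further down has the same unsorted insertion (`.002`, `.004`, `.001`, `.006`). This is purely a style point; the whitespace-only changes to the `TargetFilename` modifiers in the rest of the hunk are fine.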
@@ -13,6 +12,7 @@ tags:
 - attack.defense_evasion
 - attack.t1073
 - attack.t1112
+ - attack.t1574.002
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index ea7a4ea477d..bf53e1c8852 100644
--- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1089
+ - attack.t1562.001
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
 modified: 2019/11/13
@@ -15,12 +16,12 @@ logsource:
 service: sysmon
 detection:
 selection:
- - EventID: 12 # key create
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
- EventType: 'CreateKey' # we don't want deletekey
- - EventID: 14 # key rename
- NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
+ - EventID: 12 # key create
+ # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
+ TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
+ EventType: 'CreateKey' # we don't want deletekey
+ - EventID: 14 # key rename
+ NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
 condition: selection
 fields:
 - EventID
diff --git a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
index cfa37cb8120..1dc20497a34 100644
--- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.001
 author: Markus Neis
 date: 2018/07/24
 logsource:
diff --git a/rules/windows/sysmon/sysmon_hack_dumpert.yml b/rules/windows/sysmon/sysmon_hack_dumpert.yml
index 329cc7201dd..443c8bf37c7 100644
--- a/rules/windows/sysmon/sysmon_hack_dumpert.yml
+++ b/rules/windows/sysmon/sysmon_hack_dumpert.yml
@@ -10,6 +10,7 @@ date: 2020/02/04
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_hack_wce.yml b/rules/windows/sysmon/sysmon_hack_wce.yml
index 6432ea86d31..43fb3a4726d 100644
--- a/rules/windows/sysmon/sysmon_hack_wce.yml
+++ b/rules/windows/sysmon/sysmon_hack_wce.yml
@@ -9,6 +9,7 @@ date: 2019/12/31
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1558
 - attack.s0005
 falsepositives:
 - 'Another service that uses a single -s command line switch'
diff --git a/rules/windows/sysmon/sysmon_in_memory_powershell.yml b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
index 56e6e453014..55b1f0582d2 100644
--- a/rules/windows/sysmon/sysmon_in_memory_powershell.yml
+++ b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
@@ -11,6 +11,7 @@ references:
 tags:
 - attack.t1086
 - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_invoke_phantom.yml b/rules/windows/sysmon/sysmon_invoke_phantom.yml
index 5ed1498c82e..9dda2195bbe 100644
--- a/rules/windows/sysmon/sysmon_invoke_phantom.yml
+++ b/rules/windows/sysmon/sysmon_invoke_phantom.yml
@@ -10,6 +10,7 @@ references:
 tags:
 - attack.t1089
 - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 product: windows
 service: sysmon
@@ -19,7 +20,7 @@ detection:
 TargetImage: '*\windows\system32\svchost.exe'
 GrantedAccess: '0x1f3fff'
 CallTrace:
- - '*unknown*'
+ - '*unknown*'
 condition: selection
 falsepositives:
 - unknown
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
index 4efaaca3d6e..1480db087f8 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@@ -7,6 +7,7 @@ references:
 - https://attack.mitre.org/techniques/T1037/
 tags:
 - attack.t1037
+ - attack.t1037.001
 - attack.persistence
 - attack.lateral_movement
 author: Tom Ueltschi (@c_APT_ure)
diff --git a/rules/windows/sysmon/sysmon_lsass_memdump.yml b/rules/windows/sysmon/sysmon_lsass_memdump.yml
index d6e7d045a25..2a59dc1a151 100644
--- a/rules/windows/sysmon/sysmon_lsass_memdump.yml
+++ b/rules/windows/sysmon/sysmon_lsass_memdump.yml
@@ -10,6 +10,7 @@ tags:
 - attack.t1003
 - attack.s0002
 - attack.credential_access
+ - attack.t1003.001
 logsource:
 product: windows
 service: sysmon
@@ -19,8 +20,8 @@ detection:
 TargetImage: 'C:\windows\system32\lsass.exe'
 GrantedAccess: '0x1fffff'
 CallTrace:
- - '*dbghelp.dll*'
- - '*dbgcore.dll*'
+ - '*dbghelp.dll*'
+ - '*dbgcore.dll*'
 condition: selection
 falsepositives:
 - unknown
diff --git a/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
index 54f7e04fe7a..f5d8963fee8 100644
--- a/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
@@ -9,6 +9,7 @@ modified: 2019/11/13
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
index 953c8610492..a69294b3bd0 100644
--- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
@@ -9,6 +9,7 @@ date: 2017/03/19
 tags:
 - attack.command_and_control
 - attack.t1043
+ - attack.t1571
 logsource:
 product: windows
 service: sysmon
@@ -71,7 +72,7 @@ detection:
 filter1:
 Image: '*\Program Files*'
 filter2:
- DestinationIp:
+ DestinationIp:
 - '10.*'
 - '192.168.*'
 - '172.16.*'
diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
index 58f1cf58501..a98325060b3 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
@@ -10,6 +10,10 @@ tags:
 - attack.lateral_movement
 - attack.credential_access
 - car.2019-04-004
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.001
+ - attack.t1003.006
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
index 871724ab2d9..693cdeef559 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
@@ -21,6 +21,8 @@ tags:
 - attack.t1003
 - attack.t1028
 - attack.s0005
+ - attack.t1003.001
+ - attack.t1021.006
 falsepositives:
 - low
 level: high
diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
index 44389267a8e..7c88604c042 100644
--- a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
+++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
@@ -6,6 +6,7 @@ references:
 tags:
 - attack.persistence
 - attack.t1060
+ - attack.t1547.001
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index 79202088d33..1ea9cafc0b1 100644
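Review bot: The `filter2` / `DestinationIp` list that this hunk re-indents in sysmon_malware_backconnect_ports exempts only `'172.16.*'`, which is a single /16 out of the 172.16.0.0/12 private block, so connections to 172.17.x.x–172.31.x.x destinations are treated as external and will alert on the listed ports; sysmon_possible_dns_rebinding later in this same diff enumerates `172.16.` through `172.31.` explicitly, so the correct enumeration is already in the repository. Since the line is being touched, extending the list the same way (or noting the gap in a comment such as `# only 172.16/16 is excluded; 172.17–172.31 still alert`) would remove an avoidable false-positive source. sysmon_rundll32_net_connections further down has the identical `'172.16.*'`-only filter. The list continues past the end of the hunk, so I cannot see whether the remaining entries already cover this.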
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -1,14 +1,14 @@
 title: New DLL Added to AppCertDlls Registry Key
 id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
 status: experimental
-description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
- by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
+description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
 references:
 - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
 - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
 tags:
 - attack.persistence
 - attack.t1182
+ - attack.t1546.009
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
 modified: 2019/11/13
@@ -17,13 +17,13 @@ logsource:
 service: sysmon
 detection:
 selection:
- - EventID:
+ - EventID:
 - 12 # key create
 - 13 # value set
 # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
- - EventID: 14 # key rename
- NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
+ TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
+ - EventID: 14 # key rename
+ NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
 condition: selection
 fields:
 - EventID
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index 604cc1eb9ee..78e61989883 100644
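Review bot: The re-indented `NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'` in the second hunk of sysmon_new_dll_added_to_appcertdlls_registry_key keeps the misspelling `CurentControlSet` (one r), so the EventID 14 key-rename branch of the selection can never match a real Sysmon event — the `TargetObject` line two lines above and the comment about ControlSetXX both spell it `CurrentControlSet`. Since the commit already rewrites that line, it should become `NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'`. When that is fixed, `modified:` in the first hunk should be bumped as well, because the detection logic, not just the tags, changes.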
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.persistence
 - attack.t1103
+ - attack.t1546.010
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
 modified: 2019/11/13
@@ -15,16 +16,16 @@ logsource:
 service: sysmon
 detection:
 selection:
- - EventID:
+ - EventID:
 - 12 # key create
 - 13 # value set
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - EventID: 14 # key rename
- NewName:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ TargetObject:
+ - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - EventID: 14 # key rename
+ NewName:
+ - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
 condition: selection
 fields:
 - EventID
diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
index 70a4246e7db..f5632f4dce7 100644
--- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
@@ -1,7 +1,6 @@
 title: Password Dumper Remote Thread in LSASS
 id: f239b326-2f41-4d6b-9dfa-c846a60ef505
-description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process
- in field Process is the malicious program. A single execution can lead to hundreds of events.
+description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
 status: stable
@@ -14,12 +13,13 @@ detection:
 selection:
 EventID: 8
 TargetImage: 'C:\Windows\System32\lsass.exe'
- StartModule: null
+ StartModule:
 condition: selection
 tags:
 - attack.credential_access
 - attack.t1003
 - attack.s0005
+ - attack.t1003.001
 falsepositives:
 - unknown
 level: high
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
index 9845263a0e4..6070a673855 100644
--- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
+++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
@@ -1,8 +1,7 @@
 title: Possible DNS Rebinding
 id: eb07e747-2552-44cd-af36-b659ae0958e4
 status: experimental
-description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record
- will saved in host cache for a while TTL).
+description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
 date: 2019/10/25
 modified: 2019/11/13
 author: Ilyas Ochkov, oscd.community
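Review bot: In the second hunk of sysmon_password_dumper_lsass, `StartModule: null` is turned into the bare `StartModule:`; both parse to YAML null, but the explicit `null` documents that the rule deliberately matches on an absent StartModule (unbacked thread start address), whereas a bare key reads as an unfinished value and is flagged by yamllint's empty-values check. I'd keep `      StartModule: null`, matching the intent the original author made explicit. The enclosing `detection:` block begins before the hunk.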
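Review bot: The reflowed description in sysmon_possible_dns_rebinding still carries the ungrammatical tail `Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).`; since the whole line is rewritten here anyway, I'd make it `Normally a DNS answer carries a TTL above 100, so the record stays in the host cache for that long.` The hyphenated `DNS-answers` / `DNS-record` forms earlier in the sentence should lose their hyphens at the same time. No other wording in the hunk changes meaning.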
@@ -11,6 +10,7 @@ references:
 tags:
 - attack.command_and_control
 - attack.t1043
+ - attack.t1571
 logsource:
 product: windows
 service: sysmon
@@ -18,9 +18,9 @@ detection:
 dns_answer:
 EventID: 22
 QueryName: '*'
- QueryStatus: '0'
+ QueryStatus: '0'
 filter_int_ip:
- QueryResults|startswith:
+ QueryResults|startswith:
 - '(::ffff:)?10.'
 - '(::ffff:)?192.168.'
 - '(::ffff:)?172.16.'
@@ -39,7 +39,7 @@ detection:
 - '(::ffff:)?172.29.'
 - '(::ffff:)?172.30.'
 - '(::ffff:)?172.31.'
- - '(::ffff:)?127.'
+ - '(::ffff:)?127.'
 timeframe: 30s
 condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
 level: medium
diff --git a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
index 6251dd07cae..89ab529752f 100644
--- a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
+++ b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.t1058
+ - attack.t1574.011
 status: experimental
 author: Teymur Kheirkhabarov
 date: 2019/10/26
diff --git a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
index 124c8312b69..9d93c4c0ea7 100644
--- a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
@@ -13,8 +13,9 @@ logsource:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 detection:
- selection:
+ selection:
 EventID: 7
 Description: 'system.management.automation'
 ImageLoaded|contains: 'system.management.automation'
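Review bot: The re-indented `QueryResults|startswith:` list in sysmon_possible_dns_rebinding is filled with regex-looking values such as `'(::ffff:)?10.'`, but Sigma's `startswith` modifier is a literal prefix comparison (only `*` acts as a wildcard), so unless the consuming backend is configured to treat these as regular expressions the filter never matches a private-range answer and `filter_int_ip` is effectively empty — which in turn makes the `condition` on the third hunk degenerate. If regular expressions are intended, the modifier should be `QueryResults|re:` with patterns anchored at the start; if not, the list needs plain prefixes (`'10.'`, `'::ffff:10.'`, and so on). The same applies to the `'(::ffff:)?127.'` line in the third hunk; the list itself continues between the two hunks.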
diff --git a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
index d7a6df7a6fd..60028363e0c 100644
--- a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 author: Markus Neis
 date: 2018/04/07
 logsource:
@@ -16,7 +17,7 @@ detection:
 selection:
 EventID: 11
 TargetFilename:
- - '*\Invoke-DllInjection.ps1'
+ - '*\Invoke-DllInjection.ps1'
 - '*\Invoke-WmiCommand.ps1'
 - '*\Get-GPPPassword.ps1'
 - '*\Get-Keystrokes.ps1'
@@ -115,4 +116,4 @@ detection:
 falsepositives:
 - Penetration Tests
 level: high
-
+
diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
index 55f8346257c..0dd64587734 100644
--- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
@@ -1,8 +1,7 @@
 title: PowerShell Network Connections
 id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 status: experimental
-description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g.
- extend filters with company's ip range')
+description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')
 author: Florian Roth
 date: 2017/03/13
 references:
@@ -10,6 +9,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml b/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
index 5b712d9ce0a..135b66b995a 100644
--- a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
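Review bot: The reflowed description of sysmon_powershell_network_connection still ends with a stray single quote, `... company's ip range')`, which looks like a leftover from an earlier quoted form of the sentence; since the line is rewritten in this hunk it should end `... extend filters with company's ip range)`. It is a plain scalar, so the parser does not object, but the quote is emitted verbatim into any documentation or SIEM description field generated from the rule. The trailing `-`/`+` pair at the end of sysmon_powershell_exploit_scripts appears to be a whitespace-only line change and needs no action.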
+++ b/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
@@ -7,8 +7,9 @@ references:
 author: Florian Roth
 date: 2018/02/10
 tags:
- - attack.credential_access
- - attack.t1003
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1003.002
 level: critical
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
index ee2e85eaccf..f7979bd6a23 100644
--- a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
@@ -11,6 +11,7 @@ tags:
 - attack.command_and_control
 - attack.t1076
 - car.2013-07-002
+ - attack.t1021
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
index e0131f927f8..e4087c05161 100644
--- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
@@ -10,6 +10,7 @@ modified: 2019/11/07
 tags:
 - attack.persistence
 - attack.t1122
+ - attack.t1546.015
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml b/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml
index 6e8aae23452..5d6a6e8e57d 100644
--- a/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml
@@ -9,6 +9,7 @@ date: 2020/04/14
 tags:
 - attack.persistence
 - attack.t1038
+ - attack.t1574.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml b/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml
index eec9375aed8..22b7bc790e2 100644
--- a/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml
+++ b/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml
@@ -11,6 +11,7 @@ modified: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml index 9722b7a7e36..71c7903c32a 100644 --- a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml +++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml @@ -9,6 +9,7 @@ tags: - attack.execution - attack.defense_evasion - attack.t1117 + - attack.t1218.010 author: Dmitriy Lifanov, oscd.community status: experimental date: 2019/10/25 @@ -19,8 +20,8 @@ logsource: detection: selection: EventID: - - 3 - - 22 + - 3 + - 22 Image|endswith: '\regsvr32.exe' condition: selection fields: diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml index 805f7db5611..b0695d7a0a9 100644 --- a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml +++ b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml @@ -9,11 +9,12 @@ references: tags: - attack.execution - attack.t1086 + - attack.t1059.001 logsource: product: windows service: sysmon detection: - selection: + selection: EventID: 3 DestinationPort: - 5985 diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml index c02164f3136..c7f6e7b9a42 100644 --- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml +++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml @@ -10,6 +10,7 @@ tags: - attack.t1085 - attack.defense_evasion - attack.execution + - attack.t1218 logsource: product: windows service: sysmon @@ -19,7 +20,7 @@ detection: Image: '*\rundll32.exe' Initiated: 'true' filter: - DestinationIp: + DestinationIp: - '10.*' - '192.168.*' - '172.16.*' 
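Review bot: In sysmon_rundll32_net_connections.yml the legacy `attack.t1085` is migrated to the parent `attack.t1218` only, while sysmon_susp_powershell_rundll32.yml in this same PR maps the same T1085 to `attack.t1218.011` (Signed Binary Proxy Execution: Rundll32); use `- attack.t1218.011` in this file too so the two rundll32 rules stay aligned. In the second hunk of that file, the re-indented `DestinationIp` filter lists `172.16.*`, which covers only 172.16.0.0/16 rather than the whole RFC 1918 172.16.0.0/12 block — presumably unintended, as connections to 172.17–172.31 addresses would still alert as external; those range lines are context here, so that is a separate change. The selection and condition lines are outside the hunk.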
diff --git a/rules/windows/sysmon/sysmon_susp_desktop_ini.yml b/rules/windows/sysmon/sysmon_susp_desktop_ini.yml index 606076a2934..ec1df92c1bd 100644 --- a/rules/windows/sysmon/sysmon_susp_desktop_ini.yml +++ b/rules/windows/sysmon/sysmon_susp_desktop_ini.yml @@ -9,6 +9,7 @@ date: 2020/03/19 tags: - attack.persistence - attack.t1023 + - attack.t1547.009 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_download_run_key.yml b/rules/windows/sysmon/sysmon_susp_download_run_key.yml index 5f1bad94989..14f5d5ca0c0 100644 --- a/rules/windows/sysmon/sysmon_susp_download_run_key.yml +++ b/rules/windows/sysmon/sysmon_susp_download_run_key.yml @@ -9,13 +9,14 @@ date: 2019/10/01 tags: - attack.persistence - attack.t1060 + - attack.t1547.001 logsource: product: windows service: sysmon detection: selection: EventID: 13 - Image: + Image: - '*\Downloads\\*' - '*\Temporary Internet Files\Content.Outlook\\*' - '*\Local Settings\Temporary Internet Files\\*' @@ -23,4 +24,4 @@ detection: condition: selection falsepositives: - Software installers downloaded and used by users -level: high \ No newline at end of file +level: high diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 1bfec5e13a9..c353d7e938f 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -6,6 +6,7 @@ date: 2017/02/12 tags: - attack.persistence - attack.t1050 + - attack.t1543.003 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_fax_dll.yml b/rules/windows/sysmon/sysmon_susp_fax_dll.yml index 58fe49eeeb5..14b91c1a590 100644 --- a/rules/windows/sysmon/sysmon_susp_fax_dll.yml +++ b/rules/windows/sysmon/sysmon_susp_fax_dll.yml @@ -12,6 +12,8 @@ tags: - attack.t1073 - attack.t1038 - attack.t1112 + - attack.t1574.001 + - attack.t1574.002 logsource: product: windows service: sysmon 
diff --git a/rules/windows/sysmon/sysmon_susp_image_load.yml b/rules/windows/sysmon/sysmon_susp_image_load.yml index 577f96108ef..11a696b09c3 100644 --- a/rules/windows/sysmon/sysmon_susp_image_load.yml +++ b/rules/windows/sysmon/sysmon_susp_image_load.yml @@ -9,6 +9,7 @@ date: 2018/01/07 tags: - attack.defense_evasion - attack.t1073 + - attack.t1574.002 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml b/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml index 78cf4bf7c7b..44a1020dcd7 100644 --- a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml @@ -13,15 +13,16 @@ logsource: detection: selection: EventID: - - 12 + - 12 - 13 - TargetObject: + TargetObject: - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*' - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*' condition: selection tags: - attack.execution - attack.t1177 + - attack.t1547.008 falsepositives: - Unknown level: high diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml index 47036525dd8..f3d5acd92bc 100644 --- a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml @@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml index bd58c23b19c..e76e29d5fe4 100644 --- a/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml @@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon 
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml index 354d7e8a478..670a55525f5 100644 --- a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml @@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml index e46824e6dd7..24afa4ca877 100644 --- a/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml @@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml index 77aaf326251..d55fe9947cb 100644 --- a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml @@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml index 58ec943cf76..d989a010e4f 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml @@ -20,6 +20,8 @@ tags: - attack.execution - attack.t1085 - attack.t1086 + - attack.t1218.011 + - attack.t1059.001 falsepositives: - Unkown level: high 
diff --git a/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml index b73320b3847..25ee0df763b 100644 --- a/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml @@ -9,6 +9,7 @@ references: tags: - attack.t1089 - attack.defense_evasion + - attack.t1562.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml index e57863951b5..0dc20e161dd 100644 --- a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml @@ -13,7 +13,7 @@ detection: selection: EventID: 13 TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' - Details: + Details: - 'C:\Windows\Temp\\*' - 'C:\ProgramData\\*' - '*\AppData\\*' @@ -26,6 +26,7 @@ tags: - attack.persistence - attack.t1060 - capec.270 + - attack.t1547.001 fields: - Image - ParentImage diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml index 43c5990a155..7798f552526 100644 --- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml @@ -8,6 +8,7 @@ author: Florian Roth, Markus Neis, Sander Wiebing tags: - attack.persistence - attack.t1060 + - attack.t1547.001 date: 2018/08/25 modified: 2020/05/24 logsource: @@ -16,7 +17,7 @@ logsource: detection: selection: EventID: 13 - TargetObject: + TargetObject: - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*' Details: 
diff --git a/rules/windows/sysmon/sysmon_susp_service_installed.yml b/rules/windows/sysmon/sysmon_susp_service_installed.yml index 39efbfaa4bf..c15a8c948f9 100644 --- a/rules/windows/sysmon/sysmon_susp_service_installed.yml +++ b/rules/windows/sysmon/sysmon_susp_service_installed.yml @@ -9,6 +9,7 @@ references: tags: - attack.t1089 - attack.defense_evasion + - attack.t1562.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml b/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml index c792c8c2144..1006e84593b 100644 --- a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml @@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml index b5f36b4e44c..09cb9dfb4c5 100644 --- a/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml 
@@ -1,9 +1,7 @@ title: Load of dbghelp/dbgcore DLL from Suspicious Process id: 0e277796-5f23-4e49-a490-483131d4f6e1 status: experimental -description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump - API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and - transfer it over the network back to the attacker's machine. +description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. date: 2019/10/27 modified: 2020/05/23 author: Perez Diego (@darkquassar), oscd.community, Ecco @@ -14,6 +12,7 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.001 logsource: product: windows service: sysmon @@ -23,7 +22,7 @@ detection: ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' - Image|endswith: + Image|endswith: - '\msbuild.exe' - '\cmd.exe' - '\svchost.exe' diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml index 353034a74b6..3b1fd52bcfb 100644 --- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml @@ -10,6 +10,7 @@ modified: 2019/11/13 tags: - attack.lateral_movement - attack.t1208 + - attack.t1558.003 logsource: product: windows service: sysmon 
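Review bot: The rewritten one-line description of sysmon_suspicious_dbghelp_dbgcore_load.yml keeps two spelling errors from the original: `tradecract` should be `tradecraft`, and `SilentTrynity` is the SILENTTRINITY C2 framework. Since the commit already touches this line, fix them in the same change, e.g. `... some attacker tradecraft use MiniDumpWriteDump API ... As an example, SILENTTRINITY C2 Framework has a module ...`. The added `attack.t1003.001` tag matches the LSASS-dump behaviour the description talks about; the selection's process list continues outside the hunk.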
@@ -24,7 +25,7 @@ detection: - '\opera.exe' - '\chrome.exe' - '\firefox.exe' - condition: selection and not filter + condition: selection and not filter falsepositives: - Other browsers level: high diff --git a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml index f06a1e20814..1773855c8c6 100644 --- a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml @@ -1,9 +1,7 @@ title: Svchost DLL Search Order Hijack id: 602a1f13-c640-4d73-b053-be9a2fa58b77 status: experimental -description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their - malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a - remote machine. +description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. references: - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 author: SBousseaden @@ -14,6 +12,8 @@ tags: - attack.t1073 - attack.t1038 - attack.t1112 + - attack.t1574.002 + - attack.t1574.001 logsource: product: windows service: sysmon @@ -28,7 +28,7 @@ detection: - '*\wlbsctrl.dll' filter: ImageLoaded: - - 'C:\Windows\WinSxS\\*' + - 'C:\Windows\WinSxS\\*' condition: selection and not filter falsepositives: - Pentest diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index c91f0abdba6..ded431bf6af 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml 
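Review bot: The rewritten description of sysmon_svchost_dll_search_order_hijack.yml is still a sentence fragment that never says what the rule detects (`IKEEXT and SessionEnv service, as they call LoadLibrary ...`). Since the line is being rewritten anyway, lead with the detection, e.g. `description: Detects DLL search order hijacking of the IKEEXT and SessionEnv services, which call LoadLibrary on files that do not exist within C:\Windows\System32\ by default (e.g. wlbsctrl.dll). ...`, keeping the remaining sentences as they are. The selection's image list and the `filter`/`condition` lines are only partly inside the hunks.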
+++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -28,6 +28,7 @@ tags: - attack.privilege_escalation - attack.t1088 - car.2019-04-001 + - attack.t1548.002 falsepositives: - unknown level: critical diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml index 042c1477e32..2e8f8c363dc 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml @@ -20,6 +20,7 @@ tags: - attack.privilege_escalation - attack.t1088 - car.2019-04-001 + - attack.t1548.002 falsepositives: - unknown level: high diff --git a/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml index c88a6d4cf06..cba4a5e0d99 100644 --- a/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml +++ b/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml @@ -9,6 +9,7 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml index 7f94a42590c..64a99889d40 100644 --- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml +++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml @@ -10,6 +10,7 @@ modified: 2020/05/18 tags: - attack.persistence - attack.t1100 + - attack.t1505.003 level: critical logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml index 06a18db8b88..a2d5512cf99 100644 --- a/rules/windows/sysmon/sysmon_win_reg_persistence.yml +++ b/rules/windows/sysmon/sysmon_win_reg_persistence.yml @@ -23,6 +23,7 @@ tags: - attack.defense_evasion - attack.t1183 - car.2013-01-002 + - attack.t1546.012 falsepositives: - unknown level: critical 
diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml index 34db9562c27..6862faf3e65 100644 --- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml +++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml @@ -7,6 +7,7 @@ references: tags: - attack.t1084 - attack.persistence + - attack.t1546.003 author: Tom Ueltschi (@c_APT_ure) date: 2019/01/12 logsource: diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml index c87d2af65f4..52672a95309 100644 --- a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml +++ b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml @@ -9,6 +9,7 @@ date: 2018/03/07 tags: - attack.t1084 - attack.persistence + - attack.t1546.003 logsource: product: windows service: sysmon @@ -18,6 +19,6 @@ detection: Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' ImageLoaded|endswith: '\wbemcons.dll' condition: selection -falsepositives: +falsepositives: - Unknown (data set is too small; further testing needed) level: high diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml index 907a28738b1..7095ec85508 100644 --- a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml +++ b/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml @@ -9,6 +9,7 @@ date: 2018/03/07 tags: - attack.t1084 - attack.persistence + - attack.t1546.003 logsource: product: windows service: sysmon @@ -17,6 +18,6 @@ detection: EventID: 11 Image: 'C:\WINDOWS\system32\wbem\scrcons.exe' condition: selection -falsepositives: +falsepositives: - Unknown (data set is too small; further testing needed) level: high 
diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml index d6d059861d0..ad5c41329c7 100644 --- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml @@ -10,9 +10,10 @@ date: 2019/04/15 tags: - attack.t1086 - attack.execution + - attack.t1059.005 logsource: - product: windows - service: sysmon + product: windows + service: sysmon detection: selection: EventID: 20 diff --git a/tests/test_rules.py b/tests/test_rules.py index 752611ed047..9b2e40d8ea3 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
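Review bot: The only sub-technique added to sysmon_wmi_susp_scripting.yml is `attack.t1059.005` (Visual Basic), while the legacy `attack.t1086` it sits next to is migrated to `attack.t1059.001` in every other t1086 hunk of this PR (the PowerShell rules). If the consumer script matched by the EventID 20 selection is PowerShell, add `- attack.t1059.001` alongside it as those hunks do; if it is VBScript only, the t1086 tag looks like a pre-existing mis-tag worth a follow-up. The detection body that would settle which language is matched is outside the hunk.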
@@ -15,274 +15,219 @@ class TestRules(unittest.TestCase):
MITRE_TECHNIQUES = [
- "t1001",
- "t1002",
- "t1003",
- "t1004",
- "t1005",
- "t1006",
- "t1007",
- "t1008",
- "t1009",
- "t1010",
- "t1011",
- "t1012",
- "t1013",
- "t1014",
- "t1015",
- "t1016",
- "t1017",
- "t1018",
- "t1019",
- "t1020",
- "t1021",
- "t1022",
- "t1023",
- "t1024",
- "t1025",
- "t1026",
- "t1027",
- "t1028",
- "t1029",
- "t1030",
- "t1031",
- "t1032",
- "t1033",
- "t1034",
- "t1035",
- "t1036",
- "t1037",
- "t1038",
- "t1039",
- "t1040",
- "t1041",
- "t1042",
- "t1043",
- "t1044",
- "t1045",
- "t1046",
- "t1047",
- "t1048",
- "t1049",
- "t1050",
- "t1051",
- "t1052",
- "t1053",
- "t1054",
- "t1055",
- "t1056",
- "t1057",
- "t1058",
- "t1059",
- "t1060",
- "t1061",
- "t1062",
- "t1063",
- "t1064",
- "t1065",
- "t1066",
- "t1067",
- "t1068",
- "t1069",
- "t1070",
- "t1071",
- "t1072",
- "t1073",
- "t1074",
- "t1075",
- "t1076",
- "t1077",
- "t1078",
- "t1079",
- "t1080",
- "t1081",
- "t1082",
- "t1083",
- "t1084",
- "t1085",
- "t1086",
- "t1087",
- "t1088",
- "t1089",
- "t1090",
- "t1091",
- "t1092",
- "t1093",
- "t1094",
- "t1095",
- "t1096",
- "t1097",
- "t1098",
- "t1099",
- "t1100",
- "t1101",
- "t1102",
- "t1103",
- "t1104",
- "t1105",
- "t1106",
- "t1107",
- "t1108",
- "t1109",
- "t1110",
- "t1111",
- "t1112",
- "t1113",
- "t1114",
- "t1115",
- "t1116",
- "t1117",
- "t1118",
- "t1119",
- "t1120",
- "t1121",
- "t1122",
- "t1123",
- "t1124",
- "t1125",
- "t1126",
- "t1127",
- "t1128",
- "t1129",
- "t1130",
- "t1131",
- "t1132",
- "t1133",
- "t1134",
- "t1135",
- "t1136",
- "t1137",
- "t1138",
- "t1139",
- "t1140",
- "t1141",
- "t1142",
- "t1143",
- "t1144",
- "t1145",
- "t1146",
- "t1147",
- "t1148",
- "t1149",
- "t1150",
- "t1151",
- "t1152",
- "t1153",
- "t1154",
- "t1155",
- "t1156",
- "t1157",
- "t1158",
- "t1159",
- "t1160",
- "t1161",
- "t1162",
- "t1163",
- "t1164",
- "t1165",
- "t1166",
- "t1167",
- "t1168",
- "t1169",
- "t1170",
- "t1171",
- "t1172",
- "t1173",
- "t1174",
"t1175", - "t1176", - "t1177", - "t1178", - "t1179", - "t1180", - "t1181", - "t1182", - "t1183", - "t1184", - "t1185", - "t1186", - "t1187", - "t1188", - "t1189", - "t1190", - "t1191", - "t1192", - "t1193", - "t1194", - "t1195", - "t1196", - "t1197", - "t1198", - "t1199", - "t1200", - "t1201", - "t1202", - "t1203", - "t1204", - "t1205", - "t1206", - "t1207", - "t1208", - "t1209", - "t1210", - "t1211", - "t1212", - "t1213", - "t1214", - "t1215", - "t1216", - "t1217", - "t1218", - "t1219", - "t1220", - "t1221", - "t1222", - "t1223", - "t1377", - "t1480", - "t1482", - "t1482", - "t1483", - "t1484", - "t1485", - "t1486", - "t1487", - "t1488", - "t1489", - "t1490", - "t1491", - "t1492", - "t1493", - "t1494", - "t1495", - "t1496", - "t1497", - "t1498", - "t1499", - "t1500", - "t1501", - "t1502", - "t1503", - "t1504", - "t1505", - "t1506", - "t1514", - "t1518", - "t1519", - "t1522", - "t1525", - "t1526", - "t1527", - "t1528", - "t1529", - "t1530", - "t1531", - "t1534", - "t1535", - "t1536", - "t1537", - "t1538", - "t1539", + "t1002", + "t1003", + "t1003.001", + "t1003.002", + "t1003.003", + "t1003.004", + "t1003.005", + "t1003.006", + "t1004", + "t1005", + "t1006", + "t1007", + "t1009", + "t1011", + "t1012", + "t1015", + "t1016", + "t1018", + "t1020", + "t1021", + "t1021.001", + "t1021.002", + "t1021.003", + "t1021.006", + "t1023", + "t1027", + "t1028", + "t1031", + "t1033", + "t1035", + "t1036", + "t1036.005", + "t1037", + "t1037.001", + "t1038", + "t1040", + "t1041", + "t1042", + "t1043", + "t1046", + "t1047", + "t1048", + "t1049", + "t1050", + "t1053", + "t1053.002", + "t1053.005", + "t1054", + "t1055", + "t1056", + "t1057", + "t1058", + "t1059", + "t1059.001", + "t1059.003", + "t1059.004", + "t1059.005", + "t1059.006", + "t1060", + "t1064", + "t1066", + "t1067", + "t1068", + "t1069", + "t1070", + "t1071", + "t1071.004", + "t1073", + "t1074", + "t1075", + "t1076", + "t1077", + "t1078", + "t1081", + "t1082", + "t1083", + "t1084", + "t1085", + "t1086", + "t1087", + 
"t1088", + "t1089", + "t1090", + "t1091", + "t1096", + "t1098", + "t1099", + "t1100", + "t1102", + "t1103", + "t1105", + "t1107", + "t1110", + "t1112", + "t1114", + "t1117", + "t1118", + "t1121", + "t1122", + "t1123", + "t1124", + "t1127", + "t1128", + "t1130", + "t1133", + "t1134", + "t1134.005", + "t1135", + "t1136", + "t1137", + "t1138", + "t1139", + "t1140", + "t1145", + "t1146", + "t1156", + "t1158", + "t1168", + "t1169", + "t1170", + "t1171", + "t1175", + "t1177", + "t1178", + "t1182", + "t1183", + "t1190", + "t1191", + "t1193", + "t1195", + "t1195.001", + "t1196", + "t1197", + "t1200", + "t1201", + "t1202", + "t1203", + "t1204", + "t1207", + "t1208", + "t1210", + "t1211", + "t1212", + "t1218", + "t1218.001", + "t1218.005", + "t1218.010", + "t1218.011", + "t1219", + "t1220", + "t1222", + "t1223", + "t1482", + "t1485", + "t1487", + "t1488", + "t1489", + "t1490", + "t1492", + "t1493", + "t1495", + "t1499", + "t1500", + "t1501", + "t1505", + "t1505.003", + "t1537", + "t1542.003", + "t1543.002", + "t1543.003", + "t1546.001", + "t1546.003", + "t1546.004", + "t1546.007", + "t1546.008", + "t1546.009", + "t1546.010", + "t1546.011", + "t1546.012", + "t1546.015", + "t1547.001", + "t1547.004", + "t1547.008", + "t1547.009", + "t1548.002", + "t1550.002", + "t1551", + "t1551.003", + "t1551.004", + "t1551.006", + "t1552.001", + "t1552.003", + "t1552.004", + "t1553.004", + "t1557.001", + "t1558", + "t1558.003", + "t1559.001", + "t1560", + "t1561.001", + "t1561.002", + "t1562.001", + "t1562.006", + "t1564.001", + "t1564.004", + "t1565.001", + "t1565.002", + "t1566.001", + "t1569.002", + "t1571", + "t1574.001", + "t1574.002", + "t1574.011", ] MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", 
"launch"]