atc review

2024-11-06 17:35:19 +00:00 · 2019-03-06 05:25:12 +01:00 · 2019-03-06 05:25:12 +01:00 · 05cc7e455d
commit 05cc7e455d
parent 725ab99e90
22 changed files with 59 additions and 9 deletions
--- a/rules/windows/builtin/win_mal_creddumper.yml
+++ b/rules/windows/builtin/win_mal_creddumper.yml
@ -1,3 +1,5 @@
+---
+action: global
 title: Malicious Service Install
 description: This method detects well-known keywords of malicious services in the Windows System Eventlog 
 author: Florian Roth
@ -24,3 +26,10 @@ detection:
 falsepositives:
    - Unlikely
 level: high
+---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4697
--- a/rules/windows/builtin/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config.yml
@ -9,6 +9,7 @@ date: 2017/05/15
 author: Dimitrios Slamaris
 tags:
    - attack.defense_evasion
+    - attack.t1073
 logsource:
    product: windows
    service: system
--- a/rules/windows/builtin/win_susp_dns_config.yml
+++ b/rules/windows/builtin/win_susp_dns_config.yml
@ -6,6 +6,9 @@ references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
    - https://twitter.com/gentilkiwi/status/861641945944391680
+tags:
+    - attack.defense_evasion
+    - attack.t1073
 author: Florian Roth
 logsource:
    product: windows
--- a/rules/windows/builtin/win_susp_time_modification.yml
+++ b/rules/windows/builtin/win_susp_time_modification.yml
@ -7,6 +7,7 @@ references:
    - Live environment caused by malware
 date: 2019/02/05
 tags:
+    - attack.defense_evasion
    - attack.t1099
 logsource:
    product: windows
--- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@ -3,6 +3,9 @@ description: Detects Winword starting uncommon sub process csc.exe as used in ex
 references:
    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+tags:
+    - attack.execution
+    - attack.t1203
 author: Florian Roth
 date: 15.09.2017
 logsource:
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@ -3,6 +3,10 @@ status: experimental
 description: Detects MSHTA.EXE spwaned by SVCHOST described in report
 references:
    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1170
 author: Markus Neis
 date: 2018/06/07
 logsource:
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@ -7,7 +7,10 @@ references:
 author: juju4
 tags:
    - attack.defense_evasion
-    - attack.t1088
+    - attack.t1118
+    - attack.t1121
+    - attack.t1127
+    - attack.t1170
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@ -7,7 +7,7 @@ tags:
    - attack.persistence
    - attack.t1138
 author: Markus Neis
-date: 2018-08-03
+date: 2018/08/03
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/process_creation/win_susp_exec_folder.yml
+++ b/rules/windows/process_creation/win_susp_exec_folder.yml
@ -8,6 +8,9 @@ references:
    - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
    - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/process_creation/win_susp_execution_path.yml
+++ b/rules/windows/process_creation/win_susp_execution_path.yml
@ -2,6 +2,9 @@ title: Execution in Non-Executable Folder
 status: experimental
 description: Detects a suspicious exection from an uncommon folder
 author: Florian Roth
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/process_creation/win_susp_mmc_source.yml
+++ b/rules/windows/process_creation/win_susp_mmc_source.yml
@ -3,6 +3,9 @@ status: experimental
 description: Processes started by MMC could be a sign of lateral movement using MMC application COM object
 references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+tags:
+    - attack.lateral_movement
+    - attack.t1175
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
+++ b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
@ -3,6 +3,9 @@ status: experimental
 description: Detects programs running in suspicious files system locations
 references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 author: Florian Roth
 date: 2019/01/15
 logsource:
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@ -4,6 +4,9 @@ description: Detects a suspicious command line execution that invokes PowerShell
 references:
    - https://twitter.com/JohnLaTwC/status/1082851155481288706
    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
+tags:
+    - attack.execution
+    - attack.t1086
 author: Florian Roth
 date: 2019/01/09
 logsource:
--- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
@ -4,6 +4,8 @@ description: Detects suspicious sysprep process start with AppData folder as tar
 references:
    - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
    - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
+tags:
+    - attack.execution
 author: Florian Roth
 date: 2018/06/22
 modified: 2018/12/11
--- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
@ -1,6 +1,9 @@
 title: Taskmgr as LOCAL_SYSTEM
 status: experimental
 description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 author: Florian Roth
 date: 2018/03/18
 logsource:
--- a/rules/windows/process_creation/win_susp_taskmgr_parent.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
@ -1,6 +1,9 @@
 title: Taskmgr as Parent
 status: experimental
 description: Detects the creation of a process from Windows task manager
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 author: Florian Roth
 date: 2018/03/13
 logsource:
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@ -4,6 +4,10 @@ description: Detects a suspicious RDP session redirect using tscon.exe
 references:
    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
+tags:
+    - attack.lateral_movement
+    - attack.privilege_escalation
+    - attack.t1076
 author: Florian Roth
 date: 2018/03/17
 modified: 2018/12/11
--- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
@ -2,6 +2,9 @@ title: CobaltStrike Process Injection
 description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons 
 references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
+tags:
+    - attack.defense_evasion
+    - attack.t1055
 status: experimental
 author: Olaf Hartong, Florian Roth
 logsource:
@ -12,9 +15,6 @@ detection:
        EventID: 8
        TargetProcessAddress: '*0B80'
    condition: selection
-tags:
-    - attack.defense_evasion
-    - attack.t1055
 falsepositives:
    - unknown
 level: high
--- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
@ -7,7 +7,7 @@ tags:
    - attack.credential_access
    - attack.t1003
 author: Markus Neis
-date: 2018/24/07
+date: 2018/07/24
 logsource:
    product: windows
    service: sysmon
--- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
@ -6,7 +6,6 @@ references:
 tags:
    - attack.t1003
    - attack.s0002
-    - attack.lateral_movement
    - attack.credential_access
 logsource:
    product: windows
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
@ -5,6 +5,7 @@ references:
    - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
 tags:
    - attack.s0002
+    - attack.t1003
    - attack.lateral_movement
    - attack.credential_access
 logsource:
--- a/rules/windows/sysmon/sysmon_susp_driver_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml
@ -2,9 +2,8 @@ title: Suspicious Driver Load from Temp
 description: Detects a driver load from a temporary directory
 author: Florian Roth
 tags: 
-  - attack.execution
  - attack.persistence
-  - attack.t1177
+  - attack.t1050
 logsource:
    product: windows
    service: sysmon