diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml index 5ccc6190..b6d8e50d 100644 --- a/rules/windows/malware/sysmon_malware_notpetya.yml +++ b/rules/windows/malware/sysmon_malware_notpetya.yml @@ -5,6 +5,13 @@ author: Florian Roth, Tom Ueltschi references: - https://securelist.com/schroedingers-petya/78870/ - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 +tags: + - attack.execution + - attack.credential_access + - attack.defense_evasion + - attack.t1085 + - attack.t1070 + - attack.t1003 logsource: product: windows service: sysmon diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/win_rare_schtask_creation.yml index d7ed2eb7..2bbb9f64 100644 --- a/rules/windows/other/win_rare_schtask_creation.yml +++ b/rules/windows/other/win_rare_schtask_creation.yml @@ -1,6 +1,9 @@ title: Rare Scheduled Task Creations status: experimental description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names. +tags: + - attack.t1053 + - attack.s0111 author: Florian Roth logsource: product: windows diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index ad226427..5bf00ca4 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -5,6 +5,10 @@ author: Thomas Patzke references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet +tags: + - attack.execution + - attack.t1035 + - attack.s0029 logsource: product: windows detection: diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index 111a6b6d..6372e252 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -5,6 +5,10 @@ author: Florian Roth references: - https://twitter.com/mattifestation/status/899646620148539397 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ +tags: + - attack.execution + - attack.persistence + - attack.t1047 logsource: product: windows service: wmi diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml index 728c1b54..c8a647dc 100644 --- a/rules/windows/powershell/powershell_downgrade_attack.yml +++ b/rules/windows/powershell/powershell_downgrade_attack.yml @@ -3,6 +3,10 @@ status: experimental description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 references: - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ +tags: + - attack.defense_evasion + - attack.execution + - attack.t1086 author: Florian Roth (rule), Lee Holmes (idea) logsource: product: windows diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml index dee93074..bac67132 100644 --- a/rules/windows/powershell/powershell_exe_calling_ps.yml +++ b/rules/windows/powershell/powershell_exe_calling_ps.yml @@ -3,6 +3,10 @@ status: experimental description: Detects PowerShell called from an executable by the version mismatch method references: - https://adsecurity.org/?p=2921 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1086 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml index e41ed4d9..23cbfa15 100644 --- a/rules/windows/powershell/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_malicious_commandlets.yml @@ -3,6 +3,9 @@ status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: - https://adsecurity.org/?p=2921 +tags: + - attack.execution + - attack.t1086 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml index 917761a2..6d15b692 100644 --- a/rules/windows/powershell/powershell_malicious_keywords.yml +++ b/rules/windows/powershell/powershell_malicious_keywords.yml @@ -3,6 +3,9 @@ status: experimental description: Detects keywords from well-known PowerShell exploitation frameworks references: - https://adsecurity.org/?p=2921 +tags: + - attack.execution + - attack.1086 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml index c04eed4c..c86db1cf 100644 --- a/rules/windows/powershell/powershell_prompt_credentials.yml +++ b/rules/windows/powershell/powershell_prompt_credentials.yml @@ -4,6 +4,10 @@ description: Detects PowerShell calling a credential prompt references: - https://twitter.com/JohnLaTwC/status/850381440629981184 - https://t.co/ezOTGy1a1G +tags: + - attack.execution + - attack.credential_access + - attack.t1086 author: John Lambert (idea), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml index c79cba8b..d2eb7ece 100644 --- a/rules/windows/powershell/powershell_psattack.yml +++ b/rules/windows/powershell/powershell_psattack.yml @@ -3,6 +3,9 @@ status: experimental description: Detects the use of PSAttack PowerShell hack tool references: - https://adsecurity.org/?p=2921 +tags: + - attack.execution + - attack.t1086 author: Sean Metcalf (source), Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml index e9997d1e..ad8ff90b 100644 --- a/rules/windows/powershell/powershell_suspicious_download.yml +++ b/rules/windows/powershell/powershell_suspicious_download.yml @@ -1,6 +1,9 @@ title: Suspicious PowerShell Download status: experimental description: Detects suspicious PowerShell download command +tags: + - attack.execution + - attack.t1086 author: Florian Roth logsource: product: windows diff --git a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml index 5b5225e4..28dcd75a 100644 --- a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml +++ b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml @@ -1,6 +1,9 @@ title: Suspicious PowerShell Invocations - Generic status: experimental description: Detects suspicious PowerShell invocation command parameters +tags: + - attack.execution + - attack.t1086 author: Florian Roth (rule) logsource: product: windows diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml index 1ed95f75..84ddfe55 100644 --- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml @@ -1,6 +1,9 @@ title: Suspicious PowerShell Invocations - Specific status: experimental description: Detects suspicious PowerShell invocation command parameters +tags: + - attack.execution + - attack.t1086 author: Florian Roth (rule) logsource: product: windows