From c99dc9f64340c507e6e7caadf99a9dc6131649a7 Mon Sep 17 00:00:00 2001
From: ntim
Date: Tue, 24 Jul 2018 10:56:41 +0200
Subject: [PATCH] Tagged windows powershell, other and malware rules.
---
 rules/windows/malware/sysmon_malware_notpetya.yml | 7 +++++++
 rules/windows/other/win_rare_schtask_creation.yml | 3 +++
 rules/windows/other/win_tool_psexec.yml | 4 ++++
 rules/windows/other/win_wmi_persistence.yml | 4 ++++
 rules/windows/powershell/powershell_downgrade_attack.yml | 4 ++++
 rules/windows/powershell/powershell_exe_calling_ps.yml | 4 ++++
 .../powershell/powershell_malicious_commandlets.yml | 3 +++
 rules/windows/powershell/powershell_malicious_keywords.yml | 3 +++
 rules/windows/powershell/powershell_prompt_credentials.yml | 4 ++++
 rules/windows/powershell/powershell_psattack.yml | 3 +++
 .../windows/powershell/powershell_suspicious_download.yml | 3 +++
 .../powershell_suspicious_invocation_generic.yml | 3 +++
 .../powershell_suspicious_invocation_specific.yml | 3 +++
 13 files changed, 48 insertions(+)
diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml
index 5ccc6190..b6d8e50d 100644
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ b/rules/windows/malware/sysmon_malware_notpetya.yml
@@ -5,6 +5,13 @@ author: Florian Roth, Tom Ueltschi
 references:
 - https://securelist.com/schroedingers-petya/78870/
 - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
+tags:
+ - attack.execution
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.t1085
+ - attack.t1070
+ - attack.t1003
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/win_rare_schtask_creation.yml
index d7ed2eb7..2bbb9f64 100644
--- a/rules/windows/other/win_rare_schtask_creation.yml
+++ b/rules/windows/other/win_rare_schtask_creation.yml
@@ -1,6 +1,9 @@
 title: Rare Scheduled Task Creations
 status: experimental
 description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
+tags:
+ - attack.t1053
+ - attack.s0111
 author: Florian Roth
 logsource:
 product: windows
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index ad226427..5bf00ca4 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -5,6 +5,10 @@ author: Thomas Patzke
 references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
+tags:
+ - attack.execution
+ - attack.t1035
+ - attack.s0029
 logsource:
 product: windows
 detection:
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 111a6b6d..6372e252 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -5,6 +5,10 @@ author: Florian Roth
 references:
 - https://twitter.com/mattifestation/status/899646620148539397
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1047
 logsource:
 product: windows
 service: wmi
diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml
index 728c1b54..c8a647dc 100644
--- a/rules/windows/powershell/powershell_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_downgrade_attack.yml
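Review bot: The tags added to win_rare_schtask_creation.yml carry a technique (`attack.t1053`) and a software id (`attack.s0111`) but no tactic entry, whereas every other hunk in this commit adds at least one `attack.<tactic>` tag alongside the technique. Scheduled Task (T1053) was mapped to execution, persistence and privilege escalation in the ATT&CK version current at the time of this commit, so presumably `+ - attack.persistence` (and `+ - attack.execution` for parity with the other rules) belongs in this list; confirm against the tactic vocabulary the repository's tagging convention uses. Without a tactic tag this rule will be invisible to any downstream view that groups rules by tactic.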
@@ -3,6 +3,10 @@ status: experimental
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
 references:
 - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1086
 author: Florian Roth (rule), Lee Holmes (idea)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index dee93074..bac67132 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -3,6 +3,10 @@ status: experimental
 description: Detects PowerShell called from an executable by the version mismatch method
 references:
 - https://adsecurity.org/?p=2921
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1086
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index e41ed4d9..23cbfa15 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -3,6 +3,9 @@ status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 references:
 - https://adsecurity.org/?p=2921
+tags:
+ - attack.execution
+ - attack.t1086
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index 917761a2..6d15b692 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -3,6 +3,9 @@ status: experimental
 description: Detects keywords from well-known PowerShell exploitation frameworks
 references:
 - https://adsecurity.org/?p=2921
+tags:
+ - attack.execution
+ - attack.1086
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index c04eed4c..c86db1cf 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -4,6 +4,10 @@ description: Detects PowerShell calling a credential prompt
 references:
 - https://twitter.com/JohnLaTwC/status/850381440629981184
 - https://t.co/ezOTGy1a1G
+tags:
+ - attack.execution
+ - attack.credential_access
+ - attack.t1086
 author: John Lambert (idea), Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml
index c79cba8b..d2eb7ece 100644
--- a/rules/windows/powershell/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_psattack.yml
@@ -3,6 +3,9 @@ status: experimental
 description: Detects the use of PSAttack PowerShell hack tool
 references:
 - https://adsecurity.org/?p=2921
+tags:
+ - attack.execution
+ - attack.t1086
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index e9997d1e..ad8ff90b 100644
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -1,6 +1,9 @@
 title: Suspicious PowerShell Download
 status: experimental
 description: Detects suspicious PowerShell download command
+tags:
+ - attack.execution
+ - attack.t1086
 author: Florian Roth
 logsource:
 product: windows
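Review bot: The tag `attack.1086` added in the powershell_malicious_keywords.yml hunk is missing the technique prefix; every other PowerShell rule touched by this commit, including the prompt_credentials, psattack and suspicious_download hunks that follow on this line, writes it as `attack.t1086`. A tag without the `t` will not match the `attack.tNNNN` form that tag-driven tooling and the ATT&CK navigator export key on, so this rule would silently drop out of the T1086 mapping. Change the line to `+ - attack.t1086`.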
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
index 5b5225e4..28dcd75a 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
@@ -1,6 +1,9 @@
 title: Suspicious PowerShell Invocations - Generic
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
+tags:
+ - attack.execution
+ - attack.t1086
 author: Florian Roth (rule)
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 1ed95f75..84ddfe55 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -1,6 +1,9 @@
 title: Suspicious PowerShell Invocations - Specific
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
+tags:
+ - attack.execution
+ - attack.t1086
 author: Florian Roth (rule)
 logsource:
 product: windows