Merge pull request #1974 from frack113/tags_pack2

Add missing Tags
2024-11-06 17:35:19 +00:00 · 2021-09-03 19:13:32 +02:00 · 2021-09-03 19:13:32 +02:00 · 6780182c37
commit 6780182c37
parent 2e474628fa 6f1f70ca5e
12 changed files with 37 additions and 2 deletions
--- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
@ -15,3 +15,6 @@ detection:
 falsepositives:
    - unknown
 level: high
 tags:
    - attack.command_and_control
    - attack.t1219
--- a/rules/windows/other/win_defender_amsi_trigger.yml
+++ b/rules/windows/other/win_defender_amsi_trigger.yml
@ -17,4 +17,7 @@ detection:
    condition: selection
 falsepositives:
    - unlikely
-level: high
+level: high
 tags:
    - attack.execution
    - attack.t1059 
--- a/rules/windows/other/win_defender_threat.yml
+++ b/rules/windows/other/win_defender_threat.yml
@ -20,3 +20,6 @@ detection:
 falsepositives:
    - unlikely
 level: high
 tags:
    - attack.execution
    - attack.t1059 
--- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
+++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
@ -23,3 +23,6 @@ detection:
 falsepositives:
    - Some rare backup scenarios
 level: medium
 tags:
    - attack.impact
    - attack.t1490 
--- a/rules/windows/process_creation/win_malware_dtrack.yml
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
@ -21,3 +21,6 @@ fields:
 falsepositives:
    - Unlikely
 level: critical
 tags:
    - attack.impact
    - attack.t1490 
--- a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
+++ b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
@ -17,3 +17,6 @@ detection:
 falsepositives:
    - Some rare backup scenarios
 level: medium
 tags:
    - attack.impact
    - attack.t1490 
--- a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
@ -20,3 +20,6 @@ detection:
 falsepositives:
    - Unknown
 level: high
 tags:
    - attack.defense_evasion
    - attack.t1055
--- a/rules/windows/process_creation/win_susp_screenconnect_access.yml
+++ b/rules/windows/process_creation/win_susp_screenconnect_access.yml
@ -21,3 +21,6 @@ detection:
 falsepositives:
    - Legitimate use by administrative staff
 level: high
 tags:
    - attack.initial_access 
    - attack.t1133 
--- a/rules/windows/process_creation/win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/win_susp_userinit_child.yml
@ -24,3 +24,6 @@ fields:
 falsepositives:
    - Administrative scripts
 level: medium
 tags:
    - attack.defense_evasion
    - attack.t1055
--- a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
+++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
@ -29,3 +29,6 @@ detection:
 falsepositives:
    - Unknown
 level: high
 tags:
    - attack.persistence
    - attack.t1547.001
--- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
@ -25,4 +25,6 @@ detection:
 falsepositives:
    - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
 level: medium
-
+tags:
    - attack.resource_development
    - attack.t1588.002
--- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
@ -11,6 +11,9 @@ falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
 level: low
 tags:
    - attack.resource_development 
    - attack.t1588.002 
 ---
 logsource:
    product: windows