diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
index dff6bbf3..e8bb866a 100644
--- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
@@ -7,7 +7,7 @@ references:
 date: 2019/05/12
 tags:
 - attack.s0003
- - attack.t1156
+ - attack.t1156 # an old one
 - attack.persistence
 - attack.t1546.004
 author: Peter Matkovski
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index d9fb2e40..ef36ca7c 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -10,7 +10,7 @@ references:
 - self experience
 tags:
 - attack.defense_evasion
- - attack.t1054
+ - attack.t1054 # an old one
 - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 14be30c0..f3ac6df9 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -1,12 +1,13 @@
 title: Creation Of An User Account
 id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
 status: experimental
-description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
+description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
 references:
 - 'MITRE Attack technique T1136; Create Account '
 date: 2020/05/18
 tags:
- - attack.t1136
+ - attack.t1136 # an old one
+ - attack.t1136.001
 - attack.persistence
 author: Marie Euler
 logsource:
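Review bot: The tag list is changed here without touching `modified:`, while other hunks in this commit (win_apt_unidentified_nov_18, win_apt_wocao, win_crime_fireball and most of the sysmon rules) add or bump `modified: 2020/08/2x` for exactly the same kind of edit. The same omission is visible in lnx_auditd_auditing_config_change, lnx_auditd_logging_config_change, lnx_auditd_create_account, the three lnx_susp_* rules, both winnti rules, win_change_default_file_association, win_cmdkey_recon, win_cmstp_com_object_access, win_commandline_path_traversal, win_copying_sensitive_files_with_credential_data, win_encoded_frombase64string, win_exploit_cve_2015_1641, sysmon_alternate_powershell_hosts_pipe, sysmon_password_dumper_lsass, sysmon_susp_powershell_rundll32 and both sysmon_wmi_* rules. Consumers that pick up rule updates by `modified:` will not see the new sub-technique mappings in those files; add a `modified:` line with the edit date after `date:` in each of them.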
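Review bot: `attack.t1136 # an old one` in lnx_auditd_create_account marks a technique that is still live in ATT&CK as the parent of the newly added `attack.t1136.001`, so the comment reads as if the id had been retired. The same wording is applied to other live parents elsewhere in the commit (t1036 and t1053 in win_apt_wocao, t1059, t1204, t1055, t1003, t1027, t1048/t1071/t1132, and even the `attack.exfiltration` tactic in win_data_compressed_with_rar), while it also marks genuinely retired ids such as t1156, t1054, t1085 and t1086. Folding both cases into one comment makes a later cleanup (dropping retired ids versus keeping parents) a manual re-check of every line; use distinct wording, e.g. `# parent technique, kept for pre-sub-technique consumers` versus `# retired ATT&CK id`.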
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index b456805b..1657563b 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -9,7 +9,7 @@ references:
 - self experience
 tags:
 - attack.defense_evasion
- - attack.t1054
+ - attack.t1054 # an old one
 - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental
diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml
index 11972f4d..7d1a6700 100644
--- a/rules/linux/lnx_susp_named.yml
+++ b/rules/linux/lnx_susp_named.yml
@@ -4,6 +4,9 @@ status: experimental
 description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
 - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+tags:
+ - attack.initial_access
+ - attack.t1190
 author: Florian Roth
 date: 2018/02/20
 logsource:
@@ -18,4 +21,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml
index 6001335f..d9044d60 100644
--- a/rules/linux/lnx_susp_ssh.yml
+++ b/rules/linux/lnx_susp_ssh.yml
@@ -4,6 +4,9 @@ description: Detects suspicious SSH / SSHD error messages that indicate a fatal
 references:
 - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
 - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
+tags:
+ - attack.initial_access
+ - attack.t1190
 author: Florian Roth
 date: 2017/06/30
 modified: 2020/05/15
@@ -27,4 +30,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-
diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/lnx_susp_vsftp.yml
index 3fb3eaf9..90de6e76 100644
--- a/rules/linux/lnx_susp_vsftp.yml
+++ b/rules/linux/lnx_susp_vsftp.yml
@@ -3,6 +3,9 @@ id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
 - https://github.com/dagwieers/vsftpd/
+tags:
+ - attack.initial_access
+ - attack.t1190
 author: Florian Roth
 date: 2017/07/05
 logsource:
diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
index 35df86b9..b36bd2f4 100644
--- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
+++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
@@ -8,10 +8,11 @@ references:
 - https://twitter.com/DrunkBinary/status/1063075530180886529
 author: '@41thexplorer, Microsoft Defender ATP'
 date: 2018/11/20
-modified: 2018/12/11
+modified: 2020/08/26
 tags:
 - attack.execution
- - attack.t1085
+ - attack.t1218.011
+ - attack.t1085 # an old one
 detection:
 condition: 1 of them
 level: high
diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
index ef29cd98..bf55b402 100644
--- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
+++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
@@ -6,9 +6,9 @@ references:
 - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
 tags:
 - attack.defense_evasion
- - attack.t1073
- - attack.g0044
 - attack.t1574.002
+ - attack.t1073 # an old one
+ - attack.g0044
 author: Florian Roth, Markus Neis
 date: 2020/02/01
 logsource:
diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
index 9ae20d36..20e369df 100644
--- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml
+++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
@@ -6,9 +6,9 @@ references:
 - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
 tags:
 - attack.defense_evasion
- - attack.t1073
- - attack.g0044
 - attack.t1574.002
+ - attack.t1073 # an old one
+ - attack.g0044
 author: Florian Roth
 date: 2020/07/30
 logsource:
diff --git a/rules/windows/process_creation/win_apt_wocao.yml b/rules/windows/process_creation/win_apt_wocao.yml
index 57b7dc9d..20307a72 100644
--- a/rules/windows/process_creation/win_apt_wocao.yml
+++ b/rules/windows/process_creation/win_apt_wocao.yml
@@ -7,7 +7,20 @@ description: Detects activity mentioned in Operation Wocao report
 references:
 - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
 - https://twitter.com/SBousseaden/status/1207671369963646976
+tags:
+ - attack.discovery
+ - attack.t1012
+ - attack.defense_evasion
+ - attack.t1036.004
+ - attack.t1036 # an old one
+ - attack.t1027
+ - attack.execution
+ - attack.t1053.005
+ - attack.t1053 # an old one
+ - attack.t1059.001
+ - attack.t1086 # an old one
 date: 2019/12/20
+modified: 2020/08/26
 falsepositives:
 - Administrators that use checkadmin.exe tool to enumerate local administrators
 level: high
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index 20858f85..fc17af95 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -3,15 +3,18 @@ id: f0b70adb-0075-43b0-9745-e82a1c608fcc
 description: Detects a ZxShell start by the called and well-known function name
 author: Florian Roth
 date: 2017/07/20
+modified: 2020/08/26
 references:
 - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 tags:
- - attack.g0001
 - attack.execution
- - attack.t1059
+ - attack.t1059.003
+ - attack.t1059 # an old one
 - attack.defense_evasion
- - attack.t1085
 - attack.t1218.011
+ - attack.t1085 # an old one
+ - attack.s0412
+ - attack.g0001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index 048ae435..9e403128 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects usage of attrib.exe to hide files from users.
 author: Sami Ruohonen
 date: 2019/01/16
+modified: 2020/08/27
 logsource:
 category: process_creation
 product: windows
@@ -24,9 +25,8 @@ fields:
 - User
 tags:
 - attack.defense_evasion
- - attack.persistence
- - attack.t1158
 - attack.t1564.001
+ - attack.t1158 # an old one
 falsepositives:
 - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
 - msiexec.exe hiding desktop.ini
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml
index 6bd55374..87c001ab 100644
--- a/rules/windows/process_creation/win_bypass_squiblytwo.yml
+++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml
@@ -8,8 +8,14 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1047
+ - attack.t1220
+ - attack.execution
+ - attack.t1059.005
+ - attack.t1059.007
+ - attack.t1059 # an old one
 author: Markus Neis / Florian Roth
 date: 2019/01/16
+modified: 2020/08/27
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
index db1a6be5..f832f07c 100644
--- a/rules/windows/process_creation/win_change_default_file_association.yml
+++ b/rules/windows/process_creation/win_change_default_file_association.yml
@@ -30,5 +30,5 @@ fields:
 level: low
 tags:
 - attack.persistence
- - attack.t1042
 - attack.t1546.001
+ - attack.t1042 # an old one
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index 86b9126f..ca801d0e 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -9,8 +9,8 @@ author: jmallette
 date: 2019/01/16
 tags:
 - attack.credential_access
- - attack.t1003
 - attack.t1003.005
+ - attack.t1003 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index 0a4be843..877d398a 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -3,15 +3,15 @@ id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
 status: stable
 description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
 tags:
+ - attack.execution
 - attack.defense_evasion
 - attack.privilege_escalation
- - attack.execution
- - attack.t1088
- - attack.t1191
+ - attack.t1548.002
+ - attack.t1088 # an old one
+ - attack.t1218.003
+ - attack.t1191 # an old one
 - attack.g0069
 - car.2019-04-001
- - attack.t1548.002
- - attack.t1218
 author: Nik Seetharaman
 modified: 2019/07/31
 date: 2019/01/16
diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml
index c1594ad9..5a42c7f5 100644
--- a/rules/windows/process_creation/win_commandline_path_traversal.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml
@@ -8,9 +8,9 @@ references:
 - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
 - https://twitter.com/Oddvarmoe/status/1270633613449723905
 tags:
- - attack.t1059
- - attack.t1059.003
 - attack.execution
+ - attack.t1059.003
+ - attack.t1059 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
index 214171b0..eda30b84 100644
--- a/rules/windows/process_creation/win_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -7,11 +7,14 @@ reference:
 - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 tags:
 - attack.execution
- - attack.t1196
 - attack.defense_evasion
- - attack.t1218
+ - attack.t1218.002
+ - attack.t1196 # an old one
+ - attack.persistence
+ - attack.t1546
 author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
 date: 2020/06/22
+modified: 2020/08/29
 level: critical
 logsource:
 product: windows
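Review bot: The hunk header for win_control_panel_item shows the key `reference:` (singular), and the sysmon_abusing_azure_browser_sso hunk later in this commit shows the same, while every other rule here uses `references:`. Since both files are already being edited (a `modified:` line is added to each), this is the cheapest moment to rename the key to `references:` so that tooling keyed on the plural form does not silently see no references for these two rules. The key line itself is outside the changed lines of the hunk.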
diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
index eb7818e2..5056d8c6 100644
--- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
@@ -11,10 +11,11 @@ references:
 - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
 tags:
 - attack.credential_access
- - attack.t1003
- - car.2013-07-001
 - attack.t1003.002
 - attack.t1003.003
+ - attack.t1003 # an old one
+ - car.2013-07-001
+ - attack.s0404
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml
index 3fca4131..c21b53e8 100755
--- a/rules/windows/process_creation/win_crime_fireball.yml
+++ b/rules/windows/process_creation/win_crime_fireball.yml
@@ -4,15 +4,15 @@ status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
+modified: 2020/08/29
 references:
 - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
 - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 tags:
 - attack.execution
- - attack.t1059
 - attack.defense_evasion
- - attack.t1085
 - attack.t1218.011
+ - attack.t1085 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml
index 9f7d3d64..356fead6 100644
--- a/rules/windows/process_creation/win_crime_maze_ransomware.yml
+++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml
@@ -8,9 +8,14 @@ references:
 - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
 author: Florian Roth
 date: 2020/05/08
+modified: 2020/08/29
 tags:
 - attack.execution
- - attack.t1204
+ - attack.t1204.002
+ - attack.t1204 # an old one
+ - attack.t1047
+ - attack.impact
+ - attack.t1490
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml
index b7ed701e..01367c2f 100644
--- a/rules/windows/process_creation/win_data_compressed_with_rar.yml
+++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml
@@ -4,7 +4,7 @@ status: experimental
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
 author: Timur Zinniatullin, E.M. Anhaus, oscd.community
 date: 2019/10/21
-modified: 2019/11/04
+modified: 2020/08/29
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
 - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
@@ -28,6 +28,7 @@ falsepositives:
 - highly likely if rar is default archiver in the monitored environment
 level: low
 tags:
- - attack.exfiltration
- - attack.t1002
- - attack.t1560
+ - attack.exfiltration # an old one
+ - attack.t1002 # an old one
+ - attack.collection
+ - attack.t1560.001
diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
index 3192631b..526797bd 100644
--- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
+++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
@@ -4,9 +4,16 @@ description: Well-known DNS Exfiltration tools execution
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/29
 tags:
 - attack.exfiltration
- - attack.t1048
+ - attack.t1048.001
+ - attack.t1048 # an old one
+ - attack.command_and_control
+ - attack.t1071.004
+ - attack.t1071 # an old one
+ - attack.t1132.001
+ - attack.t1132 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml
index 92087ad2..d031d9b1 100644
--- a/rules/windows/process_creation/win_encoded_frombase64string.yml
+++ b/rules/windows/process_creation/win_encoded_frombase64string.yml
@@ -5,11 +5,11 @@ description: Detects a base64 encoded FromBase64String keyword in a process comm
 author: Florian Roth
 date: 2019/08/24
 tags:
- - attack.t1086
+ - attack.defense_evasion
 - attack.t1140
 - attack.execution
- - attack.defense_evasion
 - attack.t1059.001
+ - attack.t1086 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_encoded_iex.yml b/rules/windows/process_creation/win_encoded_iex.yml
index e3740b9b..969bb661 100644
--- a/rules/windows/process_creation/win_encoded_iex.yml
+++ b/rules/windows/process_creation/win_encoded_iex.yml
@@ -4,11 +4,11 @@ status: experimental
 description: Detects a base64 encoded IEX command string in a process command line
 author: Florian Roth
 date: 2019/08/23
+modified: 2020/08/29
 tags:
- - attack.t1086
- - attack.t1140
 - attack.execution
- - attack.t1059.003
+ - attack.t1059.001
+ - attack.t1086 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_etw_modification_cmdline.yml b/rules/windows/process_creation/win_etw_modification_cmdline.yml
index 7a7750fa..7a75421d 100644
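Review bot: The win_encoded_iex hunk drops `attack.t1140` while the sibling rule win_encoded_frombase64string in the preceding hunk keeps `attack.t1140` for the same base64-in-command-line pattern, so the two rules now disagree on whether this activity is Deobfuscate/Decode Files or Information. The switch from `attack.t1059.003` to `attack.t1059.001` is sound for an IEX string, but nothing in the diff says why T1140 was removed from one rule and not the other. Either restore `  - attack.t1140` here or drop it from both rules with a short note on the reasoning.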
--- a/rules/windows/process_creation/win_etw_modification_cmdline.yml
+++ b/rules/windows/process_creation/win_etw_modification_cmdline.yml
@@ -14,8 +14,10 @@ references:
 - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
+modified: 2020/08/29
 tags:
 - attack.defense_evasion
+ - attack.t1562
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index b3f2b401..84c4fa7b 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -9,8 +9,9 @@ references:
 author: '@neu5ron, Florian Roth'
 date: 2019/03/22
 tags:
- - attack.execution
+ - attack.defense_evasion
 - attack.t1070
+ - attack.t1562
 - car.2016-04-002
 level: high
 logsource:
diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
index 231813ee..d09343a9 100644
--- a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
+++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
@@ -4,9 +4,12 @@ description: Execution of well known tools for data exfiltration and tunneling
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/29
 tags:
 - attack.exfiltration
- - attack.t1020
+ - attack.command_and_control
+ - attack.t1572
+ - attack.t1071.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
index 2a5fb7d4..c2a463b9 100644
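Review bot: Both ETW hunks on this line (win_etw_modification_cmdline and win_etw_trace_evasion) add only the parent `attack.t1562`, whereas the auditd logging-tamper rules earlier in this commit (lnx_auditd_auditing_config_change, lnx_auditd_logging_config_change) carry the sub-technique `attack.t1562.006`. If disabling ETW tracing is treated the same way as disabling auditd logging, `  - attack.t1562.006` would be the consistent mapping; if the parent was chosen on purpose, a short comment beside the tag would spare the next reviewer the same question.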
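Review bot: In win_exfiltration_and_tunneling_tools_execution the removed `attack.t1020` is the only tag in this commit that disappears without the `# an old one` marker, which suggests it was judged wrong rather than retired, but the hunk does not say so. The rule is still tagged `attack.exfiltration` with no technique under that tactic, so if T1020 was dropped deliberately a replacement exfiltration technique or a one-line comment explaining the choice would keep the tactic tag meaningful.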
--- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
@@ -9,7 +9,8 @@ author: Florian Roth
 date: 2018/02/22
 tags:
 - attack.defense_evasion
- - attack.t1036
+ - attack.t1036.005
+ - attack.t1036 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
index 3595f199..1e17dad1 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
@@ -6,10 +6,15 @@ references:
 - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth
 date: 2018/02/22
+modified: 2020/08/29
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1055
+ - attack.execution
+ - attack.t1203
+ - attack.t1204.002
+ - attack.t1204 # an old one
+ - attack.initial_access
+ - attack.t1566.001
+ - attack.t1193 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
index 2f0d8d08..02ea8340 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
@@ -7,9 +7,15 @@ references:
 - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
 author: Florian Roth
 date: 2017/11/23
+modified: 2020/08/29
 tags:
- - attack.defense_evasion
- - attack.t1211
+ - attack.execution
+ - attack.t1203
+ - attack.t1204.002
+ - attack.t1204 # an old one
+ - attack.initial_access
+ - attack.t1566.001
+ - attack.t1193 # an old one
 logsource:
 category: process_creation
 product: windows
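Review bot: In win_exploit_cve_2017_0261 the line `attack.t1193 # an old one` is added fresh although T1193 was not present before, so the comment's implied meaning — a retired id kept so existing consumers keep matching — does not apply; the same newly added retired id appears in win_exploit_cve_2017_11882 on this line and in win_exploit_cve_2017_8759 on the next. Introducing retired ids into rules that never had them only grows the future cleanup list without helping anyone who was already matching on them. Either drop `  - attack.t1193 # an old one` and rely on `attack.t1566.001`, or state in the comment that retired ids are added on purpose for consumers still on the pre-sub-technique matrix.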
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
index edac9c27..337b97c0 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@@ -7,8 +7,14 @@ references:
 tags:
 - attack.execution
 - attack.t1203
+ - attack.t1204.002
+ - attack.t1204 # an old one
+ - attack.initial_access
+ - attack.t1566.001
+ - attack.t1193 # an old one
 author: Florian Roth
 date: 2017/09/15
+modified: 2020/08/29
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
index a6bc907f..33b575a8 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml
@@ -6,10 +6,14 @@ references:
 - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
 author: Florian Roth
 date: 2019/11/15
+modified: 2020/08/29
 tags:
- - attack.defense_evasion
 - attack.privilege_escalation
- - attack.t1055
+ - attack.t1068
+ - attack.execution
+ - attack.t1059.003
+ - attack.t1059 # an old one
+ - attack.t1574
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
index 9f11649f..f9669fcb 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
@@ -10,6 +10,8 @@ references:
 tags:
 - attack.persistence
 - attack.execution
+ - attack.t1059.001
+ - attack.t1086 #an old one
 logsource:
 category: process_creation
 product: windows
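Review bot: In win_exploit_cve_2020_1048 the added `- attack.t1086 #an old one` lacks the space after `#` that every other occurrence in this commit has and that yamllint's `comments` rule requires. The parsed value is unaffected, because ` #` already terminates the plain scalar, so this is purely a consistency fix: `  - attack.t1086 # an old one`.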
diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml
index 810684f8..3c8c2be8 100644
--- a/rules/windows/process_creation/win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/win_susp_sysvol_access.yml
@@ -1,4 +1,4 @@
- title: Suspicious SYSVOL Domain Group Policy Access
+title: Suspicious SYSVOL Domain Group Policy Access
 id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
 status: experimental
 description: Detects Access to Domain Group Policies stored in SYSVOL
diff --git a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
index 2a25beef..69f18bf0 100644
--- a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
+++ b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
@@ -5,6 +5,7 @@ author: Den Iuzvyk
 reference:
 - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
 date: 2020/07/15
+modified: 2020/08/26
 logsource:
 category: sysmon
 product: windows
@@ -12,7 +13,8 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
- - attack.t1073
+ - attack.t1073 # an old one
+ - attack.t1574.002
 detection:
 condition: selection_dll and not filter_legit
 selection_dll:
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index dbb055ad..7eaed87c 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -6,10 +6,12 @@ references:
 - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
 tags:
 - attack.defense_evasion
- - attack.t1027
+ - attack.t1027 # an old one
 - attack.s0139
+ - attack.t1564.004
 author: Florian Roth, @0xrawsec
 date: 2018/06/03
+modified: 2020/08/26
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
index da710320..4e064bc8 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
 tags:
 - attack.execution
- - attack.t1086
+ - attack.t1086 # an old one
 - attack.t1059.001
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml
index 676d077a..9b8b5ec9 100644
--- a/rules/windows/sysmon/sysmon_cactustorch.yml
+++ b/rules/windows/sysmon/sysmon_cactustorch.yml
@@ -7,6 +7,7 @@ references:
 status: experimental
 author: '@SBousseaden (detection), Thomas Patzke (rule)'
 date: 2019/02/01
+modified: 2020/08/28
 logsource:
 product: windows
 service: sysmon
@@ -23,9 +24,14 @@ detection:
 StartModule: null
 condition: selection
 tags:
+ - attack.defense_evasion
+ - attack.t1093 # an old one
+ - attack.t1055.012
 - attack.execution
- - attack.t1055
- - attack.t1064
+ - attack.t1064 # an old one
+ - attack.t1059.005
+ - attack.t1059.007
+ - attack.t1218.005
 falsepositives:
 - unknown
 level: high
diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/sysmon/sysmon_cmstp_execution.yml
index c6154de4..5bf2897c 100644
--- a/rules/windows/sysmon/sysmon_cmstp_execution.yml
+++ b/rules/windows/sysmon/sysmon_cmstp_execution.yml
@@ -6,11 +6,13 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1191
+ - attack.t1191 # an old one
+ - attack.t1218.003
 - attack.g0069
 - car.2019-04-001
 author: Nik Seetharaman
 date: 2018/07/16
+modified: 2020/08/28
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 detection:
diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
index ab600b30..e2b97224 100644
--- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
@@ -6,11 +6,12 @@ references:
 - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 tags:
 - attack.defense_evasion
- - attack.t1055
+ - attack.t1055 # an old one
+ - attack.t1055.001
 status: experimental
 author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
 date: 2018/11/30
-modified: 2019/11/08
+modified: 2020/08/28
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
index 5c560981..bf831b32 100644
--- a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
@@ -3,13 +3,14 @@ id: 052ec6f6-1adc-41e6-907a-f1c813478bee
 description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
 status: experimental
 date: 2019/08/11
-modified: 2019/11/10
+modified: 2020/08/28
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
 tags:
 - attack.defense_evasion
- - attack.t1055
+ - attack.t1055 # an old one
+ - attack.t1055.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
index 78c45714..393aa87b 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
@@ -3,14 +3,16 @@ id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
 description: Detects well-known credential dumping tools execution via specific named pipes
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/11/01
+modified: 2020/08/28
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
 - attack.credential_access
- - attack.t1003
+ - attack.t1003 # an old one
+ - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.004
- - attack.t1003.006
+ - attack.t1003.005
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
index c17ba4e9..a8d8db9b 100644
--- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
@@ -17,7 +17,7 @@ detection:
 condition: selection
 tags:
 - attack.credential_access
- - attack.t1003
+ - attack.t1003 # an old one
 - attack.s0005
 - attack.t1003.001
 falsepositives:
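Review bot: In sysmon_cred_dump_tools_named_pipes the swap of `attack.t1003.006` for `attack.t1003.005` moves the rule's mapping from DCSync to Cached Domain Credentials, and nothing in the hunk explains the change; the description still reads "credential dumping tools execution via specific named pipes", which fits the added `attack.t1003.001` (LSASS memory) but says nothing about cached credentials. If the earlier .006 was a mistake, a short comment on the new tag would record that; if DCSync detection is still intended, keep `  - attack.t1003.006` next to the added sub-techniques rather than replacing it.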
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
index 6070a673..5284ec12 100644
--- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
+++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
@@ -3,14 +3,13 @@ id: eb07e747-2552-44cd-af36-b659ae0958e4
 status: experimental
 description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
 date: 2019/10/25
-modified: 2019/11/13
+modified: 2020/08/28
 author: Ilyas Ochkov, oscd.community
 references:
 - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
 tags:
- - attack.command_and_control
- - attack.t1043
- - attack.t1571
+ - attack.initial_access
+ - attack.t1189
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
index d989a010..652da06f 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
@@ -18,9 +18,9 @@ detection:
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1085
- - attack.t1086
+ - attack.t1085 # an old one
 - attack.t1218.011
+ - attack.t1086 # an old one
 - attack.t1059.001
 falsepositives:
 - Unkown
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
index 00d51a6a..fe2dee61 100644
--- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
@@ -7,7 +7,7 @@ notes:
 - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
 status: experimental
 date: 2019/10/27
-modified: 2019/11/13
+modified: 2020/08/28
 author: Perez Diego (@darkquassar), oscd.community
 references:
 - Personal research, statistical analysis
@@ -17,6 +17,7 @@ logsource:
 service: sysmon
 tags:
 - attack.privilege_escalation
+ - attack.defense_evasion
 - attack.t1055
 detection:
 selection:
diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
index 6862faf3..df6b6e44 100644
--- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
@@ -2,10 +2,8 @@ title: WMI Event Subscription
 id: 0f06a3a5-6a09-413f-8743-e6cf35561297
 status: experimental
 description: Detects creation of WMI event subscription persistence method
-references:
- - https://attack.mitre.org/techniques/T1084/
 tags:
- - attack.t1084
+ - attack.t1084 # an old one
 - attack.persistence
 - attack.t1546.003
 author: Tom Ueltschi (@c_APT_ure)
diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
index ad5c4132..e1f150b7 100644
--- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
 date: 2019/04/15
 tags:
- - attack.t1086
+ - attack.t1086 # an old one
 - attack.execution
 - attack.t1059.005
 logsource:
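Review bot: The sysmon_wmi_event_subscription hunk deletes the entire `references:` block instead of replacing the retired T1084 link, leaving this rule with no references at all while every other rule touched in the commit keeps its sources. Replace the two removed lines with `references:` / `  - https://attack.mitre.org/techniques/T1546/003/`, which is the technique page the newly relied-upon `attack.t1546.003` tag corresponds to, so that provenance for the mapping is retained.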