Merge branch 'master' of https://github.com/oscd-initiative/sigma

rules/linux/auditd/lnx_auditd_alter_bash_profile.yml

@@ -7,7 +7,7 @@ references:
 date: 2019/05/12
 tags:
     - attack.s0003
-    - attack.t1156
+    - attack.t1156    # an old one
     - attack.persistence
     - attack.t1546.004
 author: Peter Matkovski

rules/linux/auditd/lnx_auditd_auditing_config_change.yml

@@ -10,7 +10,7 @@ references:
     - self experience
 tags:
     - attack.defense_evasion
-    - attack.t1054
+    - attack.t1054    # an old one
     - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental

rules/linux/auditd/lnx_auditd_create_account.yml

@@ -1,12 +1,13 @@
 title: Creation Of An User Account
 id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
 status: experimental
-description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system" 
+description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
 references:
     - 'MITRE Attack technique T1136; Create Account '
 date: 2020/05/18
 tags:
-    - attack.t1136
+    - attack.t1136    # an old one
+    - attack.t1136.001
     - attack.persistence
 author: Marie Euler
 logsource:

rules/linux/auditd/lnx_auditd_logging_config_change.yml

@@ -9,7 +9,7 @@ references:
     - self experience
 tags:
     - attack.defense_evasion
-    - attack.t1054
+    - attack.t1054    # an old one
     - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental

rules/linux/lnx_susp_named.yml

@@ -4,6 +4,9 @@ status: experimental
 description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
     - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+tags:
+    - attack.initial_access
+    - attack.t1190
 author: Florian Roth
 date: 2018/02/20
 logsource:
@@ -18,4 +21,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-

rules/linux/lnx_susp_ssh.yml

@@ -4,6 +4,9 @@ description: Detects suspicious SSH / SSHD error messages that indicate a fatal
 references:
     - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
     - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
+tags:
+    - attack.initial_access
+    - attack.t1190
 author: Florian Roth
 date: 2017/06/30
 modified: 2020/05/15
@@ -27,4 +30,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-

rules/linux/lnx_susp_vsftp.yml

@@ -3,6 +3,9 @@ id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
     - https://github.com/dagwieers/vsftpd/
+tags:
+    - attack.initial_access
+    - attack.t1190
 author: Florian Roth
 date: 2017/07/05
 logsource:

rules/windows/process_creation/win_apt_unidentified_nov_18.yml

@@ -8,10 +8,11 @@ references:
     - https://twitter.com/DrunkBinary/status/1063075530180886529
 author: '@41thexplorer, Microsoft Defender ATP'
 date: 2018/11/20
-modified: 2018/12/11
+modified: 2020/08/26
 tags:
     - attack.execution
-    - attack.t1085
+    - attack.t1218.011
+    - attack.t1085  # an old one
 detection:
     condition: 1 of them
 level: high

rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml

@@ -6,9 +6,9 @@ references:
     - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
 tags:
     - attack.defense_evasion
-    - attack.t1073
-    - attack.g0044
     - attack.t1574.002
+    - attack.t1073  # an old one
+    - attack.g0044
 author: Florian Roth, Markus Neis
 date: 2020/02/01
 logsource:

rules/windows/process_creation/win_apt_winnti_pipemon.yml

@@ -6,9 +6,9 @@ references:
     - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
 tags:
     - attack.defense_evasion
-    - attack.t1073
-    - attack.g0044
     - attack.t1574.002
+    - attack.t1073  # an old one
+    - attack.g0044
 author: Florian Roth
 date: 2020/07/30
 logsource:

rules/windows/process_creation/win_apt_wocao.yml

@@ -7,7 +7,20 @@ description: Detects activity mentioned in Operation Wocao report
 references:
     - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
     - https://twitter.com/SBousseaden/status/1207671369963646976
+tags:
+    - attack.discovery 
+    - attack.t1012
+    - attack.defense_evasion
+    - attack.t1036.004
+    - attack.t1036  # an old one
+    - attack.t1027
+    - attack.execution
+    - attack.t1053.005
+    - attack.t1053  # an old one
+    - attack.t1059.001
+    - attack.t1086  # an old one
 date: 2019/12/20
+modified: 2020/08/26
 falsepositives:
     - Administrators that use checkadmin.exe tool to enumerate local administrators
 level: high

rules/windows/process_creation/win_apt_zxshell.yml

@@ -3,15 +3,18 @@ id: f0b70adb-0075-43b0-9745-e82a1c608fcc
 description: Detects a ZxShell start by the called and well-known function name
 author: Florian Roth
 date: 2017/07/20
+modified: 2020/08/26
 references:
     - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 tags:
-    - attack.g0001
     - attack.execution
-    - attack.t1059
+    - attack.t1059.003
+    - attack.t1059  # an old one
     - attack.defense_evasion
-    - attack.t1085
     - attack.t1218.011
+    - attack.t1085  # an old one
+    - attack.s0412
+    - attack.g0001
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_attrib_hiding_files.yml

@@ -4,6 +4,7 @@ status: experimental
 description: Detects usage of attrib.exe to hide files from users.
 author: Sami Ruohonen
 date: 2019/01/16
+modified: 2020/08/27
 logsource:
     category: process_creation
     product: windows
@@ -24,9 +25,8 @@ fields:
     - User
 tags:
     - attack.defense_evasion
-    - attack.persistence
-    - attack.t1158
     - attack.t1564.001
+    - attack.t1158  # an old one
 falsepositives:
     - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
     - msiexec.exe hiding desktop.ini

rules/windows/process_creation/win_bypass_squiblytwo.yml

@@ -8,8 +8,14 @@ references:
 tags:
     - attack.defense_evasion
     - attack.t1047
+    - attack.t1220
+    - attack.execution
+    - attack.t1059.005
+    - attack.t1059.007
+    - attack.t1059  # an old one
 author: Markus Neis / Florian Roth
 date: 2019/01/16
+modified: 2020/08/27
 falsepositives:
     - Unknown
 level: medium

rules/windows/process_creation/win_change_default_file_association.yml

@@ -30,5 +30,5 @@ fields:
 level: low
 tags:
     - attack.persistence
-    - attack.t1042
     - attack.t1546.001
+    - attack.t1042  # an old one

rules/windows/process_creation/win_cmdkey_recon.yml

@@ -9,8 +9,8 @@ author: jmallette
 date: 2019/01/16
 tags:
     - attack.credential_access
-    - attack.t1003
     - attack.t1003.005
+    - attack.t1003  # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_cmstp_com_object_access.yml

@@ -3,15 +3,15 @@ id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
 status: stable
 description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
 tags:
+    - attack.execution
     - attack.defense_evasion
     - attack.privilege_escalation
-    - attack.execution
-    - attack.t1088
-    - attack.t1191
+    - attack.t1548.002
+    - attack.t1088  # an old one
+    - attack.t1218.003
+    - attack.t1191  # an old one
     - attack.g0069
     - car.2019-04-001
-    - attack.t1548.002
-    - attack.t1218
 author: Nik Seetharaman
 modified: 2019/07/31
 date: 2019/01/16

rules/windows/process_creation/win_commandline_path_traversal.yml

@@ -8,9 +8,9 @@ references:
     - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
     - https://twitter.com/Oddvarmoe/status/1270633613449723905
 tags:
-    - attack.t1059
-    - attack.t1059.003
     - attack.execution
+    - attack.t1059.003
+    - attack.t1059  # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_control_panel_item.yml

@@ -7,11 +7,14 @@ reference:
     - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 tags:
     - attack.execution
-    - attack.t1196
     - attack.defense_evasion
-    - attack.t1218
+    - attack.t1218.002
+    - attack.t1196  # an old one
+    - attack.persistence
+    - attack.t1546
 author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
 date: 2020/06/22
+modified: 2020/08/29
 level: critical
 logsource:
     product: windows

rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml

@@ -11,10 +11,11 @@ references:
     - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
 tags:
     - attack.credential_access
-    - attack.t1003
-    - car.2013-07-001
     - attack.t1003.002
     - attack.t1003.003
+    - attack.t1003  # an old one
+    - car.2013-07-001
+    - attack.s0404
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_crime_fireball.yml

@@ -4,15 +4,15 @@ status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
+modified: 2020/08/29
 references:
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 tags:
     - attack.execution
-    - attack.t1059
     - attack.defense_evasion
-    - attack.t1085
     - attack.t1218.011
+    - attack.t1085  # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_crime_maze_ransomware.yml

@@ -8,9 +8,14 @@ references:
     - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
 author: Florian Roth
 date: 2020/05/08
+modified: 2020/08/29
 tags:
     - attack.execution
-    - attack.t1204
+    - attack.t1204.002
+    - attack.t1204  # an old one
+    - attack.t1047
+    - attack.impact
+    - attack.t1490
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_data_compressed_with_rar.yml

@@ -4,7 +4,7 @@ status: experimental
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
 author: Timur Zinniatullin, E.M. Anhaus, oscd.community
 date: 2019/10/21
-modified: 2019/11/04
+modified: 2020/08/29
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
     - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
@@ -28,6 +28,7 @@ falsepositives:
     - highly likely if rar is default archiver in the monitored environment
 level: low
 tags:
-    - attack.exfiltration
-    - attack.t1002
-    - attack.t1560
+    - attack.exfiltration  # an old one
+    - attack.t1002  # an old one
+    - attack.collection
+    - attack.t1560.001

rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml

@@ -4,9 +4,16 @@ description: Well-known DNS Exfiltration tools execution
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/29
 tags:
     - attack.exfiltration
-    - attack.t1048
+    - attack.t1048.001
+    - attack.t1048  # an old one
+    - attack.command_and_control
+    - attack.t1071.004
+    - attack.t1071  # an old one
+    - attack.t1132.001
+    - attack.t1132  # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_encoded_frombase64string.yml

@@ -5,11 +5,11 @@ description: Detects a base64 encoded FromBase64String keyword in a process comm
 author: Florian Roth
 date: 2019/08/24
 tags:
-    - attack.t1086
+    - attack.defense_evasion
     - attack.t1140
     - attack.execution
-    - attack.defense_evasion
     - attack.t1059.001
+    - attack.t1086  # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_encoded_iex.yml

@@ -4,11 +4,11 @@ status: experimental
 description: Detects a base64 encoded IEX command string in a process command line
 author: Florian Roth
 date: 2019/08/23
+modified: 2020/08/29
 tags:
-    - attack.t1086
-    - attack.t1140
     - attack.execution
-    - attack.t1059.003
+    - attack.t1059.001
+    - attack.t1086  # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_etw_modification_cmdline.yml

@@ -14,8 +14,10 @@ references:
   - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
+modified: 2020/08/29
 tags:
     - attack.defense_evasion
+    - attack.t1562
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_etw_trace_evasion.yml

@@ -9,8 +9,9 @@ references:
 author: '@neu5ron, Florian Roth'
 date: 2019/03/22
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1070
+    - attack.t1562
     - car.2016-04-002
 level: high
 logsource:

rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml

@@ -4,9 +4,12 @@ description: Execution of well known tools for data exfiltration and tunneling
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/29
 tags:
     - attack.exfiltration
-    - attack.t1020
+    - attack.command_and_control
+    - attack.t1572
+    - attack.t1071.001
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_exploit_cve_2015_1641.yml

@@ -9,7 +9,8 @@ author: Florian Roth
 date: 2018/02/22
 tags:
     - attack.defense_evasion
-    - attack.t1036
+    - attack.t1036.005
+    - attack.t1036  # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_exploit_cve_2017_0261.yml

@@ -6,10 +6,15 @@ references:
     - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth
 date: 2018/02/22
+modified: 2020/08/29
 tags:
-  - attack.defense_evasion
-  - attack.privilege_escalation
-  - attack.t1055
+  - attack.execution
+  - attack.t1203
+  - attack.t1204.002
+  - attack.t1204  # an old one
+  - attack.initial_access
+  - attack.t1566.001
+  - attack.t1193  # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_exploit_cve_2017_11882.yml

@@ -7,9 +7,15 @@ references:
     - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
 author: Florian Roth
 date: 2017/11/23
+modified: 2020/08/29
 tags:
-    - attack.defense_evasion
-    - attack.t1211
+    - attack.execution
+    - attack.t1203
+    - attack.t1204.002
+    - attack.t1204  # an old one
+    - attack.initial_access
+    - attack.t1566.001
+    - attack.t1193  # an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_exploit_cve_2017_8759.yml

@@ -7,8 +7,14 @@ references:
 tags:
     - attack.execution
     - attack.t1203
+    - attack.t1204.002
+    - attack.t1204  # an old one
+    - attack.initial_access
+    - attack.t1566.001
+    - attack.t1193  # an old one
 author: Florian Roth
 date: 2017/09/15
+modified: 2020/08/29
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_exploit_cve_2019_1378.yml

@@ -6,10 +6,14 @@ references:
     - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
 author: Florian Roth
 date: 2019/11/15
+modified: 2020/08/29
 tags:
-  - attack.defense_evasion
   - attack.privilege_escalation
-  - attack.t1055
+  - attack.t1068
+  - attack.execution
+  - attack.t1059.003
+  - attack.t1059  # an old one
+  - attack.t1574
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_exploit_cve_2020_1048.yml

@@ -10,6 +10,8 @@ references:
 tags:
     - attack.persistence
     - attack.execution
+    - attack.t1059.001
+    - attack.t1086  #an old one
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/win_susp_sysvol_access.yml

@@ -1,4 +1,4 @@
- title: Suspicious SYSVOL Domain Group Policy Access
+title: Suspicious SYSVOL Domain Group Policy Access
 id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
 status: experimental
 description: Detects Access to Domain Group Policies stored in SYSVOL

rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml

@@ -5,6 +5,7 @@ author: Den Iuzvyk
 reference:
    - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
 date: 2020/07/15
+modified: 2020/08/26
 logsource:
    category: sysmon
    product: windows
@@ -12,7 +13,8 @@ status: experimental
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
-   - attack.t1073
+   - attack.t1073          # an old one
+   - attack.t1574.002
 detection:
    condition: selection_dll and not filter_legit
    selection_dll:

rules/windows/sysmon/sysmon_ads_executable.yml

@@ -6,10 +6,12 @@ references:
     - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
 tags:
     - attack.defense_evasion
-    - attack.t1027
+    - attack.t1027          # an old one
     - attack.s0139
+    - attack.t1564.004
 author: Florian Roth, @0xrawsec
 date: 2018/06/03
+modified: 2020/08/26
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml

@@ -9,7 +9,7 @@ references:
     - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
 tags:
     - attack.execution
-    - attack.t1086
+    - attack.t1086          # an old one
     - attack.t1059.001
 logsource:
     product: windows

rules/windows/sysmon/sysmon_cactustorch.yml

@@ -7,6 +7,7 @@ references:
 status: experimental
 author: '@SBousseaden (detection), Thomas Patzke (rule)'
 date: 2019/02/01
+modified: 2020/08/28
 logsource:
     product: windows
     service: sysmon
@@ -23,9 +24,14 @@ detection:
         StartModule: null
     condition: selection
 tags:
+    - attack.defense_evasion
+    - attack.t1093          # an old one
+    - attack.t1055.012
     - attack.execution
-    - attack.t1055
-    - attack.t1064
+    - attack.t1064          # an old one
+    - attack.t1059.005
+    - attack.t1059.007
+    - attack.t1218.005
 falsepositives:
     - unknown
 level: high

rules/windows/sysmon/sysmon_cmstp_execution.yml

@@ -6,11 +6,13 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 tags:
     - attack.defense_evasion
     - attack.execution
-    - attack.t1191
+    - attack.t1191          # an old one
+    - attack.t1218.003
     - attack.g0069
     - car.2019-04-001
 author: Nik Seetharaman
 date: 2018/07/16
+modified: 2020/08/28
 references:
     - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 detection:

rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml

@@ -6,11 +6,12 @@ references:
     - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 tags:
     - attack.defense_evasion
-    - attack.t1055
+    - attack.t1055          # an old one
+    - attack.t1055.001
 status: experimental
 author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
 date: 2018/11/30
-modified: 2019/11/08
+modified: 2020/08/28
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml

@@ -3,13 +3,14 @@ id: 052ec6f6-1adc-41e6-907a-f1c813478bee
 description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
 status: experimental
 date: 2019/08/11
-modified: 2019/11/10
+modified: 2020/08/28
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
     - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
 tags:
     - attack.defense_evasion
-    - attack.t1055
+    - attack.t1055          # an old one
+    - attack.t1055.001
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml

@@ -3,14 +3,16 @@ id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
 description: Detects well-known credential dumping tools execution via specific named pipes
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/11/01
+modified: 2020/08/28
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
     - attack.credential_access
-    - attack.t1003
+    - attack.t1003          # an old one
+    - attack.t1003.001
     - attack.t1003.002
     - attack.t1003.004
-    - attack.t1003.006
+    - attack.t1003.005
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_password_dumper_lsass.yml

@@ -17,7 +17,7 @@ detection:
     condition: selection
 tags:
     - attack.credential_access
-    - attack.t1003
+    - attack.t1003          # an old one
     - attack.s0005
     - attack.t1003.001
 falsepositives:

rules/windows/sysmon/sysmon_possible_dns_rebinding.yml

@@ -3,14 +3,13 @@ id: eb07e747-2552-44cd-af36-b659ae0958e4
 status: experimental
 description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
 date: 2019/10/25
-modified: 2019/11/13
+modified: 2020/08/28
 author: Ilyas Ochkov, oscd.community
 references:
     - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
 tags:
-    - attack.command_and_control
-    - attack.t1043
-    - attack.t1571
+    - attack.initial_access
+    - attack.t1189
 logsource:
     product: windows
     service: sysmon

rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml

@@ -18,9 +18,9 @@ detection:
 tags:
     - attack.defense_evasion
     - attack.execution
-    - attack.t1085
-    - attack.t1086
+    - attack.t1085          # an old one
     - attack.t1218.011
+    - attack.t1086          # an old one
     - attack.t1059.001
 falsepositives:
     - Unkown

rules/windows/sysmon/sysmon_suspicious_remote_thread.yml

@@ -7,7 +7,7 @@ notes:
     - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
 status: experimental
 date: 2019/10/27
-modified: 2019/11/13
+modified: 2020/08/28
 author: Perez Diego (@darkquassar), oscd.community
 references:
     - Personal research, statistical analysis
@@ -17,6 +17,7 @@ logsource:
     service: sysmon
 tags:
     - attack.privilege_escalation
+    - attack.defense_evasion
     - attack.t1055
 detection:
     selection: 

rules/windows/sysmon/sysmon_wmi_event_subscription.yml

@@ -2,10 +2,8 @@ title: WMI Event Subscription
 id: 0f06a3a5-6a09-413f-8743-e6cf35561297
 status: experimental
 description: Detects creation of WMI event subscription persistence method
-references:
-    - https://attack.mitre.org/techniques/T1084/
 tags:
-    - attack.t1084
+    - attack.t1084          # an old one
     - attack.persistence
     - attack.t1546.003
 author: Tom Ueltschi (@c_APT_ure)

rules/windows/sysmon/sysmon_wmi_susp_scripting.yml

@@ -8,7 +8,7 @@ references:
     - https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
 date: 2019/04/15
 tags:
-    - attack.t1086
+    - attack.t1086          # an old one
     - attack.execution
     - attack.t1059.005
 logsource: