diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml
new file mode 100644
index 00000000..efeff2dc
--- /dev/null
+++ b/.github/workflows/pypi-publish.yml
@@ -0,0 +1,27 @@
+# This workflows will upload a Python Package using Twine when a release is created
+# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
+
+name: Upload Sigmatools Package to PyPI
+on:
+ release:
+ types: [created]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Python
+ uses: actions/setup-python@v1
+ with:
+ python-version: '3.x'
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install setuptools wheel twine
+ - name: Build and publish
+ env:
+ TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
+ TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+ run: |
+ make upload
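Review bot: The publish step authenticates to PyPI with a long-lived account username and password (`TWINE_USERNAME`/`TWINE_PASSWORD` read from `secrets.PYPI_USERNAME`/`secrets.PYPI_PASSWORD`), so any workflow run that can read those secrets holds full account access rather than upload rights for this one project; a project-scoped API token narrows that, e.g. `TWINE_USERNAME: __token__` and `TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}` (secret name is a placeholder). The actions are referenced by mutable major tags (`actions/checkout@v2`, `actions/setup-python@v1`); for a job that carries release credentials, pinning each `uses:` to a full commit SHA with the version in a trailing comment removes the risk of a re-pointed tag running different code with those secrets. A short header comment stating that this workflow is the only place release credentials are consumed would help the next maintainer reason about where to scope them.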
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
new file mode 100644
index 00000000..ee0c317a
--- /dev/null
+++ b/.github/workflows/sigma-test.yml
@@ -0,0 +1,40 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Sigma Tools and Rule Tests
+
+on:
+ push:
+ branches:
+ - "*"
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ test-sigma:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Python 3.8
+ uses: actions/setup-python@v1
+ with:
+ python-version: 3.8
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r tools/requirements.txt -r tools/requirements-devel.txt
+ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
+ sudo apt install -y apt-transport-https
+ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list
+ sudo apt update
+ sudo apt install -y elasticsearch
+ sudo systemctl start elasticsearch
+ - name: Test Sigma Tools and Rules
+ run: |
+ make test
+ - name: Test Generated Elasticsearch Query Strings
+ run: |
+ make test-backend-es-qs
+ - name: Test SQL(ite) Backend
+ run: |
+ make test-backend-sql
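Review bot: `python-version: 3.8` is an unquoted float in the Set up Python step; it resolves here, but the same form turns a future `3.10` into `3.1`, so quote it as `python-version: "3.8"` (the publish workflow in this commit already quotes `'3.x'`). In the Install dependencies step the Elastic signing key is fetched over the network and piped straight into `sudo apt-key add -` with no fingerprint check, `apt-key` is deprecated on current Ubuntu images, and `elasticsearch` is installed unpinned from the 7.x channel, so each run may test against a different server build. Storing the key in a dedicated keyring and binding it to the repository with `signed-by=` keeps it from signing every other source, and comparing its fingerprint to a known value before trusting it (placeholder below) makes the download verifiable; pinning the package version makes the test results reproducible.

```yaml
      - name: Install dependencies
        run: |
          # … unchanged: pip install lines …
          sudo install -m 0755 -d /etc/apt/keyrings
          wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor | sudo tee /etc/apt/keyrings/elasticsearch.gpg > /dev/null
          gpg --show-keys /etc/apt/keyrings/elasticsearch.gpg | grep -q "<EXPECTED_ELASTIC_KEY_FINGERPRINT>"
          echo "deb [signed-by=/etc/apt/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic.list
          sudo apt update
          sudo apt install -y elasticsearch=<PINNED_ES_VERSION>
          # … unchanged: systemctl start elasticsearch …
```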
diff --git a/.gitignore b/.gitignore
index bf7103a4..00a05562 100644
--- a/.gitignore
+++ b/.gitignore
@@ -94,3 +94,7 @@ settings.json
# VisualStudio
.vs/
+.vscode/launch.json
+
+# sigma2attack
+heatmap.json
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 14362f64..00000000
--- a/.travis.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-language: python
-dist: xenial
-python:
- # - 3.5 # Deactivated because Travis CI tests failed randomly (Travis's problem)
- - 3.6
- - 3.7
-sudo: true
-services:
- - elasticsearch
-cache: pip
-before_install:
- - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
-install:
- - pip install -r tools/requirements-devel.txt
- - pip install -r tests/requirements-test.txt
-script:
- - make test
- - make test-backend-es-qs
-notifications:
- email:
- recipients:
- - venom14@gmail.com
- - thomas@patzke.org
- on_success: change
- on_failure: always
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6f8b0e8..1c170825 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,18 +6,69 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0.
-## Unreleased
+## 0.17.0 - 2020-06-12
+
+### Added
+
+* LOGIQ Backend (logiq)
+* CarbonBlack backend (carbonblack) and field mappings
+* Elasticsearch detection rule backend (es-rule)
+* ee-outliers backend
+* CrowdStrike backend (crowdstrike)
+* Humio backend (humio)
+* Aggregations in SQL backend
+* SQLite backend (sqlite)
+* AWS Cloudtrail ECS mappings
+* Overrides
+* Zeek configurations for various backends
+* Case-insensitive matching for Elasticsearch
+* ECS proxy mappings
+* RuleName field mapping for Winlogbeat
+* sigma2attack tool
+
+### Changed
+
+* Improved usage of keyword fields for Elasticsearch-based backends
+* Splunk XML backend rule titles from sigma rule instead of file name
+* Moved backend option list to --help-backend
+* Microsoft Defender ATP schema improvements
+
+### Fixed
+
+* Splunx XML rule name is now set to rule title
+* Backend list deduplicated
+* Wrong escaping of wildcard at end of value when startswith modifier is used.
+* Direct execution of tools on Windows systems by addition of script entry points
+
+## 0.16.0 - 2020-02-25
### Added
* Proxy field names to ECS mapping (ecs-proxy) configuration
* False positives metadata to LimaCharlie backend
* Additional aggregation capabilitied for es-dsl backend.
+* Azure log analytics rule backend (ala-rule)
+* SQL backend
+* Splunk Zeek sourcetype mapping config
+* sigma2attack script
+* Carbon Black backend and configuration
+* ArcSight ESM backend
+* Elasticsearch detection rule backend
### Changed
* Kibana object id is now Sigma rule id if available. Else
the old naming scheme is used.
+* sigma2misp: replacement of deprecated method usage.
+* Various configuration updates
+* Extended ArcSight mapping
+
+### Fixed
+
+* Fixed aggregation queries for Elastalert backend
+* Fixed aggregation queries for es-dsl backend
+* Backend and configuration lists are sorted.
+* Escaping in ala backend
## 0.15.0 - 2019-12-06
@@ -66,7 +117,7 @@ from version 0.14.0.
### Added
* Index mappings for Sumologic
-* Malicious cmdlets in wdatp
+* Malicious cmdlets in mdatp
* QRadar support for keyword searches
* QRadar mapping improvements
* QRadar field selection
@@ -122,4 +173,4 @@ from version 0.14.0.
* Conditions in es-dsl backend
* Sumologic handling of null values
-* Ignore timeframe detection keyword in all/any of conditions
\ No newline at end of file
+* Ignore timeframe detection keyword in all/any of conditions
diff --git a/LICENSE.Detection.Rules.md b/LICENSE.Detection.Rules.md
new file mode 100644
index 00000000..2b801890
--- /dev/null
+++ b/LICENSE.Detection.Rules.md
@@ -0,0 +1,13 @@
+# Detection Rule License (DRL) 1.0
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:
+
+If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
+
+2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable
+
+3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable
+
+THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES.
\ No newline at end of file
diff --git a/LICENSE.GPL.txt b/LICENSE.GPL.txt
deleted file mode 100644
index 9cecc1d4..00000000
--- a/LICENSE.GPL.txt
+++ /dev/null
@@ -1,674 +0,0 @@
- GNU GENERAL PUBLIC LICENSE
- Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc.
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
- Preamble
-
- The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
- The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works. By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users. We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors. You can apply it to
-your programs, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
- To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights. Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
- For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received. You must make sure that they, too, receive
-or can get the source code. And you must show them these terms so they
-know their rights.
-
- Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
- For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software. For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
- Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so. This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software. The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable. Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products. If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
- Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary. To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
- The precise terms and conditions for copying, distribution and
-modification follow.
-
- TERMS AND CONDITIONS
-
- 0. Definitions.
-
- "This License" refers to version 3 of the GNU General Public License.
-
- "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
- "The Program" refers to any copyrightable work licensed under this
-License. Each licensee is addressed as "you". "Licensees" and
-"recipients" may be individuals or organizations.
-
- To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy. The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
- A "covered work" means either the unmodified Program or a work based
-on the Program.
-
- To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy. Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
- To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies. Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
- An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License. If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
- 1. Source Code.
-
- The "source code" for a work means the preferred form of the work
-for making modifications to it. "Object code" means any non-source
-form of a work.
-
- A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
- The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form. A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
- The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities. However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work. For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
- The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
- The Corresponding Source for a work in source code form is that
-same work.
-
- 2. Basic Permissions.
-
- All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met. This License explicitly affirms your unlimited
-permission to run the unmodified Program. The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work. This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
- You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force. You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright. Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
- Conveying under any other circumstances is permitted solely under
-the conditions stated below. Sublicensing is not allowed; section 10
-makes it unnecessary.
-
- 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
- No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
- When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
- 4. Conveying Verbatim Copies.
-
- You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
- You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
- 5. Conveying Modified Source Versions.
-
- You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
- a) The work must carry prominent notices stating that you modified
- it, and giving a relevant date.
-
- b) The work must carry prominent notices stating that it is
- released under this License and any conditions added under section
- 7. This requirement modifies the requirement in section 4 to
- "keep intact all notices".
-
- c) You must license the entire work, as a whole, under this
- License to anyone who comes into possession of a copy. This
- License will therefore apply, along with any applicable section 7
- additional terms, to the whole of the work, and all its parts,
- regardless of how they are packaged. This License gives no
- permission to license the work in any other way, but it does not
- invalidate such permission if you have separately received it.
-
- d) If the work has interactive user interfaces, each must display
- Appropriate Legal Notices; however, if the Program has interactive
- interfaces that do not display Appropriate Legal Notices, your
- work need not make them do so.
-
- A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit. Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
- 6. Conveying Non-Source Forms.
-
- You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
- a) Convey the object code in, or embodied in, a physical product
- (including a physical distribution medium), accompanied by the
- Corresponding Source fixed on a durable physical medium
- customarily used for software interchange.
-
- b) Convey the object code in, or embodied in, a physical product
- (including a physical distribution medium), accompanied by a
- written offer, valid for at least three years and valid for as
- long as you offer spare parts or customer support for that product
- model, to give anyone who possesses the object code either (1) a
- copy of the Corresponding Source for all the software in the
- product that is covered by this License, on a durable physical
- medium customarily used for software interchange, for a price no
- more than your reasonable cost of physically performing this
- conveying of source, or (2) access to copy the
- Corresponding Source from a network server at no charge.
-
- c) Convey individual copies of the object code with a copy of the
- written offer to provide the Corresponding Source. This
- alternative is allowed only occasionally and noncommercially, and
- only if you received the object code with such an offer, in accord
- with subsection 6b.
-
- d) Convey the object code by offering access from a designated
- place (gratis or for a charge), and offer equivalent access to the
- Corresponding Source in the same way through the same place at no
- further charge. You need not require recipients to copy the
- Corresponding Source along with the object code. If the place to
- copy the object code is a network server, the Corresponding Source
- may be on a different server (operated by you or a third party)
- that supports equivalent copying facilities, provided you maintain
- clear directions next to the object code saying where to find the
- Corresponding Source. Regardless of what server hosts the
- Corresponding Source, you remain obligated to ensure that it is
- available for as long as needed to satisfy these requirements.
-
- e) Convey the object code using peer-to-peer transmission, provided
- you inform other peers where the object code and Corresponding
- Source of the work are being offered to the general public at no
- charge under subsection 6d.
-
- A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
- A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling. In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage. For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product. A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
- "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source. The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
- If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information. But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
- The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed. Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
- Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
- 7. Additional Terms.
-
- "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law. If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
- When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it. (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.) You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
- Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
- a) Disclaiming warranty or limiting liability differently from the
- terms of sections 15 and 16 of this License; or
-
- b) Requiring preservation of specified reasonable legal notices or
- author attributions in that material or in the Appropriate Legal
- Notices displayed by works containing it; or
-
- c) Prohibiting misrepresentation of the origin of that material, or
- requiring that modified versions of such material be marked in
- reasonable ways as different from the original version; or
-
- d) Limiting the use for publicity purposes of names of licensors or
- authors of the material; or
-
- e) Declining to grant rights under trademark law for use of some
- trade names, trademarks, or service marks; or
-
- f) Requiring indemnification of licensors and authors of that
- material by anyone who conveys the material (or modified versions of
- it) with contractual assumptions of liability to the recipient, for
- any liability that these contractual assumptions directly impose on
- those licensors and authors.
-
- All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10. If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term. If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
- If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
- Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
- 8. Termination.
-
- You may not propagate or modify a covered work except as expressly
-provided under this License. Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
- However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
- Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
- Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License. If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
- 9. Acceptance Not Required for Having Copies.
-
- You are not required to accept this License in order to receive or
-run a copy of the Program. Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance. However,
-nothing other than this License grants you permission to propagate or
-modify any covered work. These actions infringe copyright if you do
-not accept this License. Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
- 10. Automatic Licensing of Downstream Recipients.
-
- Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License. You are not responsible
-for enforcing compliance by third parties with this License.
-
- An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations. If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
- You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License. For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
- 11. Patents.
-
- A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based. The
-work thus licensed is called the contributor's "contributor version".
-
- A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version. For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
- Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
- In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement). To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
- If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients. "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
- If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
- A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License. You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
- Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
- 12. No Surrender of Others' Freedom.
-
- If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all. For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
- 13. Use with the GNU Affero General Public License.
-
- Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work. The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
- 14. Revised Versions of this License.
-
- The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
- Each version is given a distinguishing version number. If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation. If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
- If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
- Later license versions may give you additional or different
-permissions. However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
- 15. Disclaimer of Warranty.
-
- THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
- 16. Limitation of Liability.
-
- IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
- 17. Interpretation of Sections 15 and 16.
-
- If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
- {one line to give the program's name and a brief idea of what it does.}
- Copyright (C) {year} {name of author}
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-
-Also add information on how to contact you by electronic and paper mail.
-
- If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
- {project} Copyright (C) {year} {fullname}
- This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
- You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-.
-
- The GNU General Public License does not permit incorporating your program
-into proprietary programs. If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library. If this is what you want to do, use the GNU Lesser General
-Public License instead of this License. But first, please read
-.
diff --git a/Makefile b/Makefile
index d2998e79..a9a5a0f6 100644
--- a/Makefile
+++ b/Makefile
@@ -1,103 +1,125 @@
.PHONY: test test-rules test-sigmac test-sigma2attack
TMPOUT = $(shell tempfile||mktemp)
COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma,tools/sigma2attack
+export COVERAGE = coverage
test: clearcov test-rules test-sigmac test-merge test-sigma2attack build finish
clearcov:
rm -f .coverage
finish:
- coverage report --fail-under=90
+ $(COVERAGE) report --fail-under=90
rm -f $(TMPOUT)
test-rules:
yamllint rules
tests/test_rules.py
- tools/sigma-uuid -Ver rules/
+ tools/sigma_uuid -Ver rules/
test-sigmac:
- coverage run -a --include=$(COVSCOPE) tools/sigmac
- coverage run -a --include=$(COVSCOPE) tools/sigmac -h
- coverage run -a --include=$(COVSCOPE) tools/sigmac -l
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c winlogbeat tests/test-modifiers.yml > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -c tools/config/winlogbeat.yml -t es-qs rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/winlogbeat.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -O email,index,webhook -c tools/config/winlogbeat.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -O rulecomment -c sysmon rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=critical' rules/ > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c ecs-proxy -t es-qs rules/proxy > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t es-qs rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t kibana rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t kibana rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t xpack-watcher rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t xpack-watcher rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/filebeat-defaultindex.yml -t xpack-watcher rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
- coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -h
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -l
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac --backend-help es-qs
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c winlogbeat tests/test-modifiers.yml > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -c tools/config/winlogbeat.yml -t es-qs rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/winlogbeat.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -O email,index,webhook -c tools/config/winlogbeat.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ee-outliers -c tools/config/winlogbeat.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c sysmon -c winlogbeat -O case_insensitive_whitelist=* rules/windows/process_creation > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/winlogbeat.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix.yml -c tools/config/stix-qradar.yml -c tools/config/stix-windows.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t humio -O rulecomment -c tools/config/humio.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sqlite -c sysmon rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t csharp -c sysmon rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logiq -c sysmon rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=critical' rules/ > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c ecs-proxy -t es-qs rules/proxy > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t es-qs rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t kibana rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t kibana rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t xpack-watcher rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t xpack-watcher rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/filebeat-defaultindex.yml -t xpack-watcher rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
test-merge:
tests/test-merge.sh
- ! coverage run -a --include=$(COVSCOPE) tools/merge_sigma tests/not_existing.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/merge_sigma tests/not_existing.yml > /dev/null
test-backend-es-qs:
tests/test-backend-es-qs.py
-test-sigma2attack:
- coverage run -a --include=$(COVSCOPE) tools/sigma2attack
+test-backend-sql:
+ cd tools && python3 setup.py install
+ cd tools && $(COVERAGE) run -m pytest tests/test_backend_sql.py tests/test_backend_sqlite.py
-build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
+test-sigma2attack:
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigma2attack
+
+build: tools/sigma/*.py tools/setup.py tools/setup.cfg
cd tools && python3 setup.py bdist_wheel sdist
upload-test: build
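Review bot: The new `test-backend-sql` target is not wired into the `test` target's prerequisite list or into `.PHONY`, so `make test` never runs the SQL/SQLite backend tests and a stray file named `test-backend-sql` would silently satisfy the target; both lines are one edit: `.PHONY: test test-rules test-sigmac test-merge test-backend-sql test-sigma2attack` and `test: clearcov test-rules test-sigmac test-merge test-backend-sql test-sigma2attack build finish`. Its coverage run also changes directory to `tools` and drops the `-a --include=$(COVSCOPE)` flags every other recipe uses, so as far as I can tell its data lands in a separate `tools/.coverage` and never reaches the `--fail-under=90` check in `finish`. `python3 setup.py install` in the same recipe installs the package into whatever interpreter is active, a heavier side effect than the test needs; `pip install -e .` (or running pytest with the source tree on `PYTHONPATH`) would keep the recipe from mutating the environment. Separately, the unquoted `*` in `-O case_insensitive_whitelist=*` is subject to shell pathname expansion and would change meaning if a matching file ever existed in the repository root; quoting it as `-O 'case_insensitive_whitelist=*'` removes the dependence on the working directory's contents.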
diff --git a/Pipfile b/Pipfile
index 44b085f2..6b51f749 100644
--- a/Pipfile
+++ b/Pipfile
@@ -4,16 +4,19 @@ url = "https://pypi.org/simple"
verify_ssl = true
[dev-packages]
+coverage = "~=5.0"
+yamllint = "~=1.21"
+elasticsearch = "~=7.6"
+elasticsearch-async = "~=6.2"
+pytest = "~=5.4"
+colorama = "*"
[packages]
-coverage = ">=4.4.1"
-yamllint = ">=1.10.0"
-elasticsearch = "*"
-elasticsearch-async = "*"
-pymisp = "*"
-PyYAML = ">=3.11"
-progressbar2 = "*"
-colorama = "*"
+requests = "~=2.23"
+urllib3 = "~=1.25"
+progressbar2 = "~=3.47"
+pymisp = "~=2.4.123"
+PyYAML = "~=5.1"
[requires]
python_version = "3.6"
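Review bot: `colorama = "*"` is the only entry left without a compatible-release pin after every other package in both sections moved to `~=`; a `colorama = "~=<locked version>"` pin taken from the lockfile would keep the file consistent and stop a future `pipenv update` from pulling an arbitrary major. `urllib3` is a transitive dependency of `requests`, so listing it under `[packages]` is presumably deliberate (to hold the 1.25 line); a one-line comment such as `# pinned directly to control the urllib3 line pulled in by requests` would stop it being removed later as unused.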
diff --git a/Pipfile.lock b/Pipfile.lock
index 634be436..3436ea04 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
- "sha256": "c553c014d5959f8c30ffdb23d4648ff872dbffd5f6f982d8c029a5b4533a959d"
+ "sha256": "588c969e3c9cf945190a258f9607bbcc53ee9715d34e538b130a852459e4848a"
},
"pipfile-spec": 6,
"requires": {
@@ -16,6 +16,147 @@
]
},
"default": {
+ "attrs": {
+ "hashes": [
+ "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c",
+ "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72"
+ ],
+ "version": "==19.3.0"
+ },
+ "certifi": {
+ "hashes": [
+ "sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3",
+ "sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f"
+ ],
+ "version": "==2019.11.28"
+ },
+ "chardet": {
+ "hashes": [
+ "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
+ "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+ ],
+ "version": "==3.0.4"
+ },
+ "deprecated": {
+ "hashes": [
+ "sha256:408038ab5fdeca67554e8f6742d1521cd3cd0ee0ff9d47f29318a4f4da31c308",
+ "sha256:8b6a5aa50e482d8244a62e5582b96c372e87e3a28e8b49c316e46b95c76a611d"
+ ],
+ "version": "==1.2.7"
+ },
+ "idna": {
+ "hashes": [
+ "sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb",
+ "sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa"
+ ],
+ "version": "==2.9"
+ },
+ "importlib-metadata": {
+ "hashes": [
+ "sha256:2a688cbaa90e0cc587f1df48bdc97a6eadccdcd9c35fb3f976a09e3b5016d90f",
+ "sha256:34513a8a0c4962bc66d35b359558fd8a5e10cd472d37aec5f66858addef32c1e"
+ ],
+ "markers": "python_version < '3.8'",
+ "version": "==1.6.0"
+ },
+ "jsonschema": {
+ "hashes": [
+ "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
+ "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a"
+ ],
+ "version": "==3.2.0"
+ },
+ "progressbar2": {
+ "hashes": [
+ "sha256:2c21c14482016162852c8265da03886c2b4dea6f84e5a817ad9b39f6bd82a772",
+ "sha256:7849b84c01a39e4eddd2b369a129fed5e24dfb78d484ae63f9e08e58277a2928"
+ ],
+ "index": "pypi",
+ "version": "==3.50.1"
+ },
+ "pymisp": {
+ "hashes": [
+ "sha256:1d27bc81ed492b5e6e216d099dcadf943d5c0c09457d6464ed33db8da39d0fdd",
+ "sha256:318cb9cee371ce3918b3216e2c1a61938747203f89f9d42d4e4a51b40066f9b3"
+ ],
+ "index": "pypi",
+ "version": "==2.4.123"
+ },
+ "pyrsistent": {
+ "hashes": [
+ "sha256:28669905fe725965daa16184933676547c5bb40a5153055a8dee2a4bd7933ad3"
+ ],
+ "version": "==0.16.0"
+ },
+ "python-dateutil": {
+ "hashes": [
+ "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
+ "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
+ ],
+ "version": "==2.8.1"
+ },
+ "python-utils": {
+ "hashes": [
+ "sha256:ebaadab29d0cb9dca0a82eab9c405f5be5125dbbff35b8f32cc433fa498dbaa7",
+ "sha256:f21fc09ff58ea5ebd1fd2e8ef7f63e39d456336900f26bdc9334a03a3f7d8089"
+ ],
+ "version": "==2.4.0"
+ },
+ "pyyaml": {
+ "hashes": [
+ "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c",
+ "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95",
+ "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2",
+ "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4",
+ "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad",
+ "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba",
+ "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1",
+ "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e",
+ "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673",
+ "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13",
+ "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19"
+ ],
+ "index": "pypi",
+ "version": "==5.1"
+ },
+ "requests": {
+ "hashes": [
+ "sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee",
+ "sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6"
+ ],
+ "index": "pypi",
+ "version": "==2.23.0"
+ },
+ "six": {
+ "hashes": [
+ "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a",
+ "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c"
+ ],
+ "version": "==1.14.0"
+ },
+ "urllib3": {
+ "hashes": [
+ "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
+ "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
+ ],
+ "index": "pypi",
+ "version": "==1.25.8"
+ },
+ "wrapt": {
+ "hashes": [
+ "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7"
+ ],
+ "version": "==1.12.1"
+ },
+ "zipp": {
+ "hashes": [
+ "sha256:aa36550ff0c0b7ef7fa639055d797116ee891440eac1a56f378e2d3179e0320b",
+ "sha256:c599e4d75c98f6798c509911d08a22e6c021d074469042177c8c86fb92eefd96"
+ ],
+ "version": "==3.1.0"
+ }
+ },
+ "develop": {
"aiohttp": {
"hashes": [
"sha256:1e984191d1ec186881ffaed4581092ba04f7c61582a177b187d3a2f07ed9719e",
@@ -47,13 +188,6 @@
],
"version": "==19.3.0"
},
- "certifi": {
- "hashes": [
- "sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3",
- "sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f"
- ],
- "version": "==2019.11.28"
- },
"chardet": {
"hashes": [
"sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
@@ -71,55 +205,48 @@
},
"coverage": {
"hashes": [
- "sha256:15cf13a6896048d6d947bf7d222f36e4809ab926894beb748fc9caa14605d9c3",
- "sha256:1daa3eceed220f9fdb80d5ff950dd95112cd27f70d004c7918ca6dfc6c47054c",
- "sha256:1e44a022500d944d42f94df76727ba3fc0a5c0b672c358b61067abb88caee7a0",
- "sha256:25dbf1110d70bab68a74b4b9d74f30e99b177cde3388e07cc7272f2168bd1477",
- "sha256:3230d1003eec018ad4a472d254991e34241e0bbd513e97a29727c7c2f637bd2a",
- "sha256:3dbb72eaeea5763676a1a1efd9b427a048c97c39ed92e13336e726117d0b72bf",
- "sha256:5012d3b8d5a500834783689a5d2292fe06ec75dc86ee1ccdad04b6f5bf231691",
- "sha256:51bc7710b13a2ae0c726f69756cf7ffd4362f4ac36546e243136187cfcc8aa73",
- "sha256:527b4f316e6bf7755082a783726da20671a0cc388b786a64417780b90565b987",
- "sha256:722e4557c8039aad9592c6a4213db75da08c2cd9945320220634f637251c3894",
- "sha256:76e2057e8ffba5472fd28a3a010431fd9e928885ff480cb278877c6e9943cc2e",
- "sha256:77afca04240c40450c331fa796b3eab6f1e15c5ecf8bf2b8bee9706cd5452fef",
- "sha256:7afad9835e7a651d3551eab18cbc0fdb888f0a6136169fbef0662d9cdc9987cf",
- "sha256:9bea19ac2f08672636350f203db89382121c9c2ade85d945953ef3c8cf9d2a68",
- "sha256:a8b8ac7876bc3598e43e2603f772d2353d9931709345ad6c1149009fd1bc81b8",
- "sha256:b0840b45187699affd4c6588286d429cd79a99d509fe3de0f209594669bb0954",
- "sha256:b26aaf69713e5674efbde4d728fb7124e429c9466aeaf5f4a7e9e699b12c9fe2",
- "sha256:b63dd43f455ba878e5e9f80ba4f748c0a2156dde6e0e6e690310e24d6e8caf40",
- "sha256:be18f4ae5a9e46edae3f329de2191747966a34a3d93046dbdf897319923923bc",
- "sha256:c312e57847db2526bc92b9bfa78266bfbaabac3fdcd751df4d062cd4c23e46dc",
- "sha256:c60097190fe9dc2b329a0eb03393e2e0829156a589bd732e70794c0dd804258e",
- "sha256:c62a2143e1313944bf4a5ab34fd3b4be15367a02e9478b0ce800cb510e3bbb9d",
- "sha256:cc1109f54a14d940b8512ee9f1c3975c181bbb200306c6d8b87d93376538782f",
- "sha256:cd60f507c125ac0ad83f05803063bed27e50fa903b9c2cfee3f8a6867ca600fc",
- "sha256:d513cc3db248e566e07a0da99c230aca3556d9b09ed02f420664e2da97eac301",
- "sha256:d649dc0bcace6fcdb446ae02b98798a856593b19b637c1b9af8edadf2b150bea",
- "sha256:d7008a6796095a79544f4da1ee49418901961c97ca9e9d44904205ff7d6aa8cb",
- "sha256:da93027835164b8223e8e5af2cf902a4c80ed93cb0909417234f4a9df3bcd9af",
- "sha256:e69215621707119c6baf99bda014a45b999d37602cb7043d943c76a59b05bf52",
- "sha256:ea9525e0fef2de9208250d6c5aeeee0138921057cd67fcef90fbed49c4d62d37",
- "sha256:fca1669d464f0c9831fd10be2eef6b86f5ebd76c724d1e0706ebdff86bb4adf0"
+ "sha256:03f630aba2b9b0d69871c2e8d23a69b7fe94a1e2f5f10df5049c0df99db639a0",
+ "sha256:046a1a742e66d065d16fb564a26c2a15867f17695e7f3d358d7b1ad8a61bca30",
+ "sha256:0a907199566269e1cfa304325cc3b45c72ae341fbb3253ddde19fa820ded7a8b",
+ "sha256:165a48268bfb5a77e2d9dbb80de7ea917332a79c7adb747bd005b3a07ff8caf0",
+ "sha256:1b60a95fc995649464e0cd48cecc8288bac5f4198f21d04b8229dc4097d76823",
+ "sha256:1f66cf263ec77af5b8fe14ef14c5e46e2eb4a795ac495ad7c03adc72ae43fafe",
+ "sha256:2e08c32cbede4a29e2a701822291ae2bc9b5220a971bba9d1e7615312efd3037",
+ "sha256:3844c3dab800ca8536f75ae89f3cf566848a3eb2af4d9f7b1103b4f4f7a5dad6",
+ "sha256:408ce64078398b2ee2ec08199ea3fcf382828d2f8a19c5a5ba2946fe5ddc6c31",
+ "sha256:443be7602c790960b9514567917af538cac7807a7c0c0727c4d2bbd4014920fd",
+ "sha256:4482f69e0701139d0f2c44f3c395d1d1d37abd81bfafbf9b6efbe2542679d892",
+ "sha256:4a8a259bf990044351baf69d3b23e575699dd60b18460c71e81dc565f5819ac1",
+ "sha256:513e6526e0082c59a984448f4104c9bf346c2da9961779ede1fc458e8e8a1f78",
+ "sha256:5f587dfd83cb669933186661a351ad6fc7166273bc3e3a1531ec5c783d997aac",
+ "sha256:62061e87071497951155cbccee487980524d7abea647a1b2a6eb6b9647df9006",
+ "sha256:641e329e7f2c01531c45c687efcec8aeca2a78a4ff26d49184dce3d53fc35014",
+ "sha256:65a7e00c00472cd0f59ae09d2fb8a8aaae7f4a0cf54b2b74f3138d9f9ceb9cb2",
+ "sha256:6ad6ca45e9e92c05295f638e78cd42bfaaf8ee07878c9ed73e93190b26c125f7",
+ "sha256:73aa6e86034dad9f00f4bbf5a666a889d17d79db73bc5af04abd6c20a014d9c8",
+ "sha256:7c9762f80a25d8d0e4ab3cb1af5d9dffbddb3ee5d21c43e3474c84bf5ff941f7",
+ "sha256:85596aa5d9aac1bf39fe39d9fa1051b0f00823982a1de5766e35d495b4a36ca9",
+ "sha256:86a0ea78fd851b313b2e712266f663e13b6bc78c2fb260b079e8b67d970474b1",
+ "sha256:8a620767b8209f3446197c0e29ba895d75a1e272a36af0786ec70fe7834e4307",
+ "sha256:922fb9ef2c67c3ab20e22948dcfd783397e4c043a5c5fa5ff5e9df5529074b0a",
+ "sha256:9fad78c13e71546a76c2f8789623eec8e499f8d2d799f4b4547162ce0a4df435",
+ "sha256:a37c6233b28e5bc340054cf6170e7090a4e85069513320275a4dc929144dccf0",
+ "sha256:c3fc325ce4cbf902d05a80daa47b645d07e796a80682c1c5800d6ac5045193e5",
+ "sha256:cda33311cb9fb9323958a69499a667bd728a39a7aa4718d7622597a44c4f1441",
+ "sha256:db1d4e38c9b15be1521722e946ee24f6db95b189d1447fa9ff18dd16ba89f732",
+ "sha256:eda55e6e9ea258f5e4add23bcf33dc53b2c319e70806e180aecbff8d90ea24de",
+ "sha256:f372cdbb240e09ee855735b9d85e7f50730dcfb6296b74b95a3e5dea0615c4c1"
],
"index": "pypi",
- "version": "==5.0.3"
- },
- "deprecated": {
- "hashes": [
- "sha256:408038ab5fdeca67554e8f6742d1521cd3cd0ee0ff9d47f29318a4f4da31c308",
- "sha256:8b6a5aa50e482d8244a62e5582b96c372e87e3a28e8b49c316e46b95c76a611d"
- ],
- "version": "==1.2.7"
+ "version": "==5.0.4"
},
"elasticsearch": {
"hashes": [
- "sha256:1815ee1377e7d3cf32770738a70785fe4ab1f05be28336a330ed71cb295a7c6c",
- "sha256:2a0ca516378ae9b87ac840e7bb529ec508f3010360dd9feed605dff2a898aff5"
+ "sha256:d228b2d37ac0865f7631335268172dbdaa426adec1da3ed006dddf05134f89c8",
+ "sha256:f4bb05cfe55cf369bdcb4d86d0129d39d66a91fd9517b13cd4e4231fbfcf5c81"
],
"index": "pypi",
- "version": "==7.5.1"
+ "version": "==7.6.0"
},
"elasticsearch-async": {
"hashes": [
@@ -131,10 +258,10 @@
},
"idna": {
"hashes": [
- "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407",
- "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"
+ "sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb",
+ "sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa"
],
- "version": "==2.8"
+ "version": "==2.9"
},
"idna-ssl": {
"hashes": [
@@ -145,40 +272,47 @@
},
"importlib-metadata": {
"hashes": [
- "sha256:06f5b3a99029c7134207dd882428a66992a9de2bef7c2b699b5641f9886c3302",
- "sha256:b97607a1a18a5100839aec1dc26a1ea17ee0d93b20b0f008d80a5a050afb200b"
+ "sha256:2a688cbaa90e0cc587f1df48bdc97a6eadccdcd9c35fb3f976a09e3b5016d90f",
+ "sha256:34513a8a0c4962bc66d35b359558fd8a5e10cd472d37aec5f66858addef32c1e"
],
"markers": "python_version < '3.8'",
- "version": "==1.5.0"
+ "version": "==1.6.0"
},
- "jsonschema": {
+ "more-itertools": {
"hashes": [
- "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
- "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a"
+ "sha256:5dd8bcf33e5f9513ffa06d5ad33d78f31e1931ac9a18f33d37e77a180d393a7c",
+ "sha256:b1ddb932186d8a6ac451e1d95844b382f55e12686d51ca0c68b6f61f2ab7a507"
],
- "version": "==3.2.0"
+ "version": "==8.2.0"
},
"multidict": {
"hashes": [
- "sha256:13f3ebdb5693944f52faa7b2065b751cb7e578b8dd0a5bb8e4ab05ad0188b85e",
- "sha256:26502cefa86d79b86752e96639352c7247846515c864d7c2eb85d036752b643c",
- "sha256:4fba5204d32d5c52439f88437d33ad14b5f228e25072a192453f658bddfe45a7",
- "sha256:527124ef435f39a37b279653ad0238ff606b58328ca7989a6df372fd75d7fe26",
- "sha256:5414f388ffd78c57e77bd253cf829373721f450613de53dc85a08e34d806e8eb",
- "sha256:5eee66f882ab35674944dfa0d28b57fa51e160b4dce0ce19e47f495fdae70703",
- "sha256:63810343ea07f5cd86ba66ab66706243a6f5af075eea50c01e39b4ad6bc3c57a",
- "sha256:6bd10adf9f0d6a98ccc792ab6f83d18674775986ba9bacd376b643fe35633357",
- "sha256:83c6ddf0add57c6b8a7de0bc7e2d656be3eefeff7c922af9a9aae7e49f225625",
- "sha256:93166e0f5379cf6cd29746989f8a594fa7204dcae2e9335ddba39c870a287e1c",
- "sha256:9a7b115ee0b9b92d10ebc246811d8f55d0c57e82dbb6a26b23c9a9a6ad40ce0c",
- "sha256:a38baa3046cce174a07a59952c9f876ae8875ef3559709639c17fdf21f7b30dd",
- "sha256:a6d219f49821f4b2c85c6d426346a5d84dab6daa6f85ca3da6c00ed05b54022d",
- "sha256:a8ed33e8f9b67e3b592c56567135bb42e7e0e97417a4b6a771e60898dfd5182b",
- "sha256:d7d428488c67b09b26928950a395e41cc72bb9c3d5abfe9f0521940ee4f796d4",
- "sha256:dcfed56aa085b89d644af17442cdc2debaa73388feba4b8026446d168ca8dad7",
- "sha256:f29b885e4903bd57a7789f09fe9d60b6475a6c1a4c0eca874d8558f00f9d4b51"
+ "sha256:317f96bc0950d249e96d8d29ab556d01dd38888fbe68324f46fd834b430169f1",
+ "sha256:42f56542166040b4474c0c608ed051732033cd821126493cf25b6c276df7dd35",
+ "sha256:4b7df040fb5fe826d689204f9b544af469593fb3ff3a069a6ad3409f742f5928",
+ "sha256:544fae9261232a97102e27a926019100a9db75bec7b37feedd74b3aa82f29969",
+ "sha256:620b37c3fea181dab09267cd5a84b0f23fa043beb8bc50d8474dd9694de1fa6e",
+ "sha256:6e6fef114741c4d7ca46da8449038ec8b1e880bbe68674c01ceeb1ac8a648e78",
+ "sha256:7774e9f6c9af3f12f296131453f7b81dabb7ebdb948483362f5afcaac8a826f1",
+ "sha256:85cb26c38c96f76b7ff38b86c9d560dea10cf3459bb5f4caf72fc1bb932c7136",
+ "sha256:a326f4240123a2ac66bb163eeba99578e9d63a8654a59f4688a79198f9aa10f8",
+ "sha256:ae402f43604e3b2bc41e8ea8b8526c7fa7139ed76b0d64fc48e28125925275b2",
+ "sha256:aee283c49601fa4c13adc64c09c978838a7e812f85377ae130a24d7198c0331e",
+ "sha256:b51249fdd2923739cd3efc95a3d6c363b67bbf779208e9f37fd5e68540d1a4d4",
+ "sha256:bb519becc46275c594410c6c28a8a0adc66fe24fef154a9addea54c1adb006f5",
+ "sha256:c2c37185fb0af79d5c117b8d2764f4321eeb12ba8c141a95d0aa8c2c1d0a11dd",
+ "sha256:dc561313279f9d05a3d0ffa89cd15ae477528ea37aa9795c4654588a3287a9ab",
+ "sha256:e439c9a10a95cb32abd708bb8be83b2134fa93790a4fb0535ca36db3dda94d20",
+ "sha256:fc3b4adc2ee8474cb3cd2a155305d5f8eda0a9c91320f83e55748e1fcb68f8e3"
],
- "version": "==4.7.4"
+ "version": "==4.7.5"
+ },
+ "packaging": {
+ "hashes": [
+ "sha256:3c292b474fda1671ec57d46d739d072bfd495a4f51ad01a055121d81e952b7a3",
+ "sha256:82f77b9bee21c1bafbf35a84905d604d5d1223801d639cf3ed140bd651c08752"
+ ],
+ "version": "==20.3"
},
"pathspec": {
"hashes": [
@@ -187,65 +321,51 @@
],
"version": "==0.7.0"
},
- "progressbar2": {
+ "pluggy": {
"hashes": [
- "sha256:7538d02045a1fd3aa2b2834bfda463da8755bd3ff050edc6c5ddff3bc616215f",
- "sha256:eb774d1e0d03ea4730f381c13c2c6ae7abb5ddfb14d8321d7a58a61aa708f0d0"
+ "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
+ "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
+ ],
+ "version": "==0.13.1"
+ },
+ "py": {
+ "hashes": [
+ "sha256:5e27081401262157467ad6e7f851b7aa402c5852dbcb3dae06768434de5752aa",
+ "sha256:c20fdd83a5dbc0af9efd622bee9a5564e278f6380fffcacc43ba6f43db2813b0"
+ ],
+ "version": "==1.8.1"
+ },
+ "pyparsing": {
+ "hashes": [
+ "sha256:4c830582a84fb022400b85429791bc551f1f4871c33f23e44f353119e92f969f",
+ "sha256:c342dccb5250c08d45fd6f8b4a559613ca603b57498511740e65cd11a2e7dcec"
+ ],
+ "version": "==2.4.6"
+ },
+ "pytest": {
+ "hashes": [
+ "sha256:0e5b30f5cb04e887b91b1ee519fa3d89049595f428c1db76e73bd7f17b09b172",
+ "sha256:84dde37075b8805f3d1f392cc47e38a0e59518fb46a431cfdaf7cf1ce805f970"
],
"index": "pypi",
- "version": "==3.47.0"
- },
- "pymisp": {
- "hashes": [
- "sha256:4359953881c70d8c851ba847ebd41fe636ecc155ee92a6b653dcae2d241a6fef",
- "sha256:be4c2a2d311ba1aaeb73e1124e8a97ac4eec52a871e02d373c455936095aac72"
- ],
- "index": "pypi",
- "version": "==2.4.120"
- },
- "pyrsistent": {
- "hashes": [
- "sha256:cdc7b5e3ed77bed61270a47d35434a30617b9becdf2478af76ad2c6ade307280"
- ],
- "version": "==0.15.7"
- },
- "python-dateutil": {
- "hashes": [
- "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
- "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
- ],
- "version": "==2.8.1"
- },
- "python-utils": {
- "hashes": [
- "sha256:34aaf26b39b0b86628008f2ae0ac001b30e7986a8d303b61e1357dfcdad4f6d3",
- "sha256:e25f840564554eaded56eaa395bca507b0b9e9f0ae5ecb13a8cb785305c56d25"
- ],
- "version": "==2.3.0"
+ "version": "==5.4.1"
},
"pyyaml": {
"hashes": [
- "sha256:059b2ee3194d718896c0ad077dd8c043e5e909d9180f387ce42012662a4946d6",
- "sha256:1cf708e2ac57f3aabc87405f04b86354f66799c8e62c28c5fc5f88b5521b2dbf",
- "sha256:24521fa2890642614558b492b473bee0ac1f8057a7263156b02e8b14c88ce6f5",
- "sha256:4fee71aa5bc6ed9d5f116327c04273e25ae31a3020386916905767ec4fc5317e",
- "sha256:70024e02197337533eef7b85b068212420f950319cc8c580261963aefc75f811",
- "sha256:74782fbd4d4f87ff04159e986886931456a1894c61229be9eaf4de6f6e44b99e",
- "sha256:940532b111b1952befd7db542c370887a8611660d2b9becff75d39355303d82d",
- "sha256:cb1f2f5e426dc9f07a7681419fe39cee823bb74f723f36f70399123f439e9b20",
- "sha256:dbbb2379c19ed6042e8f11f2a2c66d39cceb8aeace421bfc29d085d93eda3689",
- "sha256:e3a057b7a64f1222b56e47bcff5e4b94c4f61faac04c7c4ecb1985e18caa3994",
- "sha256:e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615"
+ "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c",
+ "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95",
+ "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2",
+ "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4",
+ "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad",
+ "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba",
+ "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1",
+ "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e",
+ "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673",
+ "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13",
+ "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19"
],
"index": "pypi",
- "version": "==5.3"
- },
- "requests": {
- "hashes": [
- "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4",
- "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31"
- ],
- "version": "==2.22.0"
+ "version": "==5.1"
},
"six": {
"hashes": [
@@ -268,21 +388,23 @@
"sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
"sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
],
+ "index": "pypi",
"version": "==1.25.8"
},
- "wrapt": {
+ "wcwidth": {
"hashes": [
- "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1"
+ "sha256:cafe2186b3c009a04067022ce1dcd79cb38d8d65ee4f4791b8888d6599d1bbe1",
+ "sha256:ee73862862a156bf77ff92b09034fc4825dd3af9cf81bc5b360668d425f3c5f1"
],
- "version": "==1.11.2"
+ "version": "==0.1.9"
},
"yamllint": {
"hashes": [
- "sha256:7318e189027951983c3cb4d6bcaa1e75deef7c752320ca3ce84e407f2551e8ce",
- "sha256:76912b6262fd7e0815d7b14c4c2bb2642c754d0aa38f2d3e4b4e21c77872a3bf"
+ "sha256:09d554bafc57beb22b01619c94e1ba0e8fbb016fa9c1b35ddc68d7bfc16d177f",
+ "sha256:7e1e698b3d344b64bc46cbe8c4df7dfdfe7c00ed1a8d1c851ecd5b552d93d193"
],
"index": "pypi",
- "version": "==1.20.0"
+ "version": "==1.21.0"
},
"yarl": {
"hashes": [
@@ -308,11 +430,10 @@
},
"zipp": {
"hashes": [
- "sha256:ccc94ed0909b58ffe34430ea5451f07bc0c76467d7081619a454bf5c98b89e28",
- "sha256:feae2f18633c32fc71f2de629bfb3bd3c9325cd4419642b1f1da42ee488d9b98"
+ "sha256:aa36550ff0c0b7ef7fa639055d797116ee891440eac1a56f378e2d3179e0320b",
+ "sha256:c599e4d75c98f6798c509911d08a22e6c021d074469042177c8c86fb92eefd96"
],
- "version": "==2.1.0"
+ "version": "==3.1.0"
}
- },
- "develop": {}
+ }
}
diff --git a/README.md b/README.md
index 6d01612b..b2c6ba16 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Generic Signature Format for SIEM Systems
# What is Sigma
-Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
+Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files.
@@ -88,9 +88,9 @@ Sysmon: Web Shell Detection
Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
![sigma_rule example5](./images/Sigma_rule_example5.png)
-# Sigma Tools
+# Sigma Tools
-## Sigmac
+## Sigmac
Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
@@ -98,9 +98,9 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
### Usage
-```
+```bash
usage: sigmac [-h] [--recurse] [--filter FILTER]
- [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
+ [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,ee-outliers}]
[--target-list] [--config CONFIG] [--output OUTPUT]
[--backend-option BACKEND_OPTION] [--defer-abort]
[--ignore-backend-errors] [--verbose] [--debug]
@@ -125,7 +125,7 @@ optional arguments:
tag that must appear in the rules tag list, case-
insensitive matching. Multiple log source
specifications are AND linked.
- --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
+ --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}
Output target format
--target-list, -l List available output target formats
--config CONFIG, -c CONFIG
@@ -191,7 +191,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
* [Kibana](https://www.elastic.co/de/products/kibana)
* [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
* [Logpoint](https://www.logpoint.com)
-* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* [Microsoft Defender Advanced Threat Protection (MDATP)](https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp)
* [Azure Sentinel / Azure Log Analytics](https://azure.microsoft.com/en-us/services/azure-sentinel/)
* [Sumologic](https://www.sumologic.com/)
* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
@@ -201,11 +201,13 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
* [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6)
* [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support
* [LimaCharlie](https://limacharlie.io)
+* [ee-outliers](https://github.com/NVISO-BE/ee-outliers)
+* [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html)
Current work-in-progress
* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
-New targets are continuously developed. You can get a list of supported targets with `sigmac --target-list` or `sigmac -l`.
+New targets are continuously developed. You can get a list of supported targets with `sigmac --lists` or `sigmac -l`.
### Requirements
@@ -337,7 +339,7 @@ The content of this repository is released under the following licenses:
* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.
-* Everything else, especially the rules contained in the `rules/` directory is released under the [GNU General Public License](https://www.gnu.org/licenses/gpl-3.0.en.html).
+* Everything else, especially the rules contained in the `rules/` directory is released under the [Detection Rule License (DRL) 1.0](https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md).
# Credits
@@ -345,4 +347,8 @@ This is a private project mainly developed by Florian Roth and Thomas Patzke wit
# Info Graphic
+## Overview
![sigmac_info_graphic](./images/sigma_infographic_lq.png)
+
+## Coverage Illustration
+![sigmac_coverage](./images/Sigma_Coverage.png)
diff --git a/contrib/filter-uuid-patch b/contrib/filter-uuid-patch
index 19249598..bcce012e 100755
--- a/contrib/filter-uuid-patch
+++ b/contrib/filter-uuid-patch
@@ -1,10 +1,10 @@
#!/usr/bin/env python3
# Remove all hunks from a patch that don't add the id attribute to minimize the impact (removed
-# comments etc.) of sigma-uuid script.
+# comments etc.) of sigma_uuid script.
#
# Usually used as follows:
# 1. Add UUIDs to rules:
-# tools/sigma-uuid -er rules
+# tools/sigma_uuid -er rules
# 2. Generate and filter patch
# git diff | contrib/filter-uuid-patch > rule-uuid.diff
# 3. Reset to previous state
diff --git a/contrib/sigma2sumologic.py b/contrib/sigma2sumologic.py
index 4da29445..2180b5eb 100644
--- a/contrib/sigma2sumologic.py
+++ b/contrib/sigma2sumologic.py
@@ -124,7 +124,7 @@ def get_rule_as_sumologic(file):
return "".join(output)
if args.help:
- parser_print_help()
+ parser.print_help()
if args.conf:
with open(args.conf, 'r') as ymlfile:
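Review bot: After the corrected `parser.print_help()` call in the `if args.help:` branch, execution falls straight through to `if args.conf:`, so a help request appears to keep running the script rather than stopping; following the call with `sys.exit(0)` would end it, assuming `sys` is imported above the hunk (a custom `help` argument like this bypasses argparse's built-in exit). The enclosing script body starts and ends outside the hunk.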
diff --git a/images/Sigma_Coverage.png b/images/Sigma_Coverage.png
new file mode 100644
index 00000000..de012b86
Binary files /dev/null and b/images/Sigma_Coverage.png differ
diff --git a/images/sigma_infographic_hq.png b/images/sigma_infographic_hq.png
index c61bdbcb..cf0d2a60 100644
Binary files a/images/sigma_infographic_hq.png and b/images/sigma_infographic_hq.png differ
diff --git a/images/sigma_infographic_lq.png b/images/sigma_infographic_lq.png
index 56922383..f19d2c06 100644
Binary files a/images/sigma_infographic_lq.png and b/images/sigma_infographic_lq.png differ
diff --git a/other/godmode_sigma_rule.yml b/other/godmode_sigma_rule.yml
new file mode 100644
index 00000000..67969b7b
--- /dev/null
+++ b/other/godmode_sigma_rule.yml
@@ -0,0 +1,150 @@
+# _____ __ __ ___ __
+# / ___/__ ___/ / / |/ /__ ___/ /__
+# / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
+# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
+# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
+# _\ \/ / _ `/ ' \/ _ `/ / , _/ // / / -_)
+# /___/_/\_, /_/_/_/\_,_/ /_/|_|\_,_/_/\__/
+# /___/ IDDQD
+#
+# Florian Roth
+# May 2020
+# v0.3
+#
+# A Proof-of-Concept with the most effective search queries
+
+title: Godmode Sigma Rule
+id: def6caac-a999-4fc9-8800-cfeff700ba98
+description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
+status: experimental
+author: Florian Roth
+date: 2019/12/22
+modified: 2020/05/18
+level: high
+action: global
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # Different suspicious or malicious command line parameters
+ selection_plain:
+ CommandLine|contains:
+ - ' -NoP ' # Often used in malicious PowerShell commands
+ - ' -W Hidden ' # Often used in malicious PowerShell commands
+ - ' -decode ' # Used with certutil
+ - ' /decode ' # Used with certutil
+ - ' -e* JAB' # PowerShell encoded commands
+ - ' -e* SUVYI' # PowerShell encoded commands
+ - ' -e* SQBFAFgA' # PowerShell encoded commands
+ - ' -e* aWV4I' # PowerShell encoded commands
+ - ' -e* IAB' # PowerShell encoded commands
+ - ' -e* PAA' # PowerShell encoded commands
+ - ' -e* aQBlAHgA' # PowerShell encoded commands
+ - 'vssadmin delete shadows' # Ransomware
+ - 'reg SAVE HKLM\SAM' # save registry SAM - syskey extraction
+ - ' -ma ' # ProcDump
+ - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
+ - '.downloadstring(' # PowerShell download command
+ - '.downloadfile(' # PowerShell download command
+ - ' /ticket:' # Rubeus
+ - ' sekurlsa' # Mimikatz
+ - ' p::d ' # Mimikatz
+ - ';iex(' # PowerShell IEX
+ - 'schtasks* /create *AppData' # Scheduled task creation pointing to AppData
+ - ' comsvcs.dll,MiniDump' # Process dumping method apart from procdump
+ - ' comsvcs.dll,#24' # Process dumping method apart from procdump
+ selection_parent_child:
+ ParentImage|contains:
+ # Office Dropper Detection
+ - '\WINWORD.EXE'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.exe'
+ - '\MSPUB.exe'
+ - '\VISIO.exe'
+ - '\OUTLOOK.EXE'
+ Image|contains:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\schtasks.exe'
+ - '*\scrcons.exe'
+ - '\regsvr32.exe'
+ - '\hh.exe'
+ - '\wmic.exe'
+ - '\mshta.exe'
+ - '\msiexec.exe'
+ - '\forfiles.exe'
+ - '\AppData\'
+ selection_webshells:
+ Image|contains:
+ - '\apache*'
+ - '\tomcat*'
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ CommandLine|contains:
+ - 'whoami'
+ - 'net user '
+ - 'ping -n '
+ - 'systeminfo'
+ - '&cd&echo'
+ - 'cd /d ' # https://www.computerhope.com/cdhlp.htm
+ # Running whoami as LOCAL_SYSTEM (usually after privilege escalation)
+ selection_whoami:
+ Image|contains: '\whoami.exe'
+ User: 'NT AUTHORITY\SYSTEM'
+ condition: 1 of them
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection_file_creation:
+ EventID: 11
+ TargetFilename|contains:
+ - '.dmp' # dump process memory
+ - 'Desktop\how' # Ransomware
+ - 'Desktop\decrypt' # Ransomware
+ selection_registry_modifications:
+ EventID:
+ - 12
+ - 13
+ TargetObject|contains:
+ - 'UserInitMprLogonScript' # persistence
+ - '\CurrentVersion\Image File Execution Options\' # persistence
+ selection_registry_run:
+ EventID:
+ - 12
+ - 13
+ TargetObject|contains:
+ - '\Microsoft\Windows\CurrentVersion\Run\' # persistence
+ - '\Microsoft\Windows\CurrentVersion\RunOnce\' # persistence
+ Details|contains:
+ - 'AppData'
+ - '\Users\Public\'
+ - '\Temp\'
+ - 'powershell'
+ - 'wscript'
+ - 'cscript'
+ condition: 1 of them
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ # Malicious service installs
+ selection:
+ EventID: 7045
+ ServiceName|contains:
+ - 'WCESERVICE'
+ - 'WCE SERVICE'
+ - 'winexesvc'
+ - 'DumpSvc'
+ - 'pwdump'
+ - 'gsecdump'
+ - 'cachedump'
+ condition:
+ 1 of them
\ No newline at end of file
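Review bot: `'*\scrcons.exe'` in the `Image|contains` list of `selection_parent_child` carries a leading `*` that none of its sibling entries have; `contains` already matches anywhere in the value, so the wildcard is redundant and some backends may render it literally or doubled — `- '\scrcons.exe'` matches the rest of the list. The last document writes its condition as a two-line plain scalar (`condition:` followed by `1 of them`), which parses but differs from the `condition: 1 of them` form the two preceding documents use, and the file ends without a trailing newline. The rule also ships without `falsepositives`, `tags` or `references` keys; if the repository's rule tests are ever run over `other/`, they would likely flag that, and a short `falsepositives:` list (e.g. administrative use of `whoami`, `systeminfo`, or `reg SAVE`) would help readers tune a PoC this broad.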
diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/sysmon_process_reimaging.yml
index 9d557b06..3da02214 100644
--- a/rules-unsupported/sysmon_process_reimaging.yml
+++ b/rules-unsupported/sysmon_process_reimaging.yml
@@ -5,7 +5,7 @@ description: Detects process reimaging defense evasion technique
# where
# selection1: ImageFileName != selection1: OriginalFileName
# selection1: ParentProcessGuid = selection2: ProcessGuid
-# selection1: Image = selection2: TargetFileName
+# selection1: Image = selection2: TargetFilename
# and new field ImageFileName is coming from enrichment
# selection1: Image = ^.+\\$
# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
@@ -45,4 +45,4 @@ detection:
EventID: 11
fields:
- ProcessGuid
- - TargetFileName
+ - TargetFilename
diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws_cloudtrail_disable_logging.yml
index 61b4cdb2..09f180ff 100644
--- a/rules/cloud/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws_cloudtrail_disable_logging.yml
@@ -5,20 +5,22 @@ author: vitaliy0x1
date: 2020/01/21
description: Detects disabling, deleting and updating of a Trail
references:
- - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+ - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
logsource:
- service: cloudtrail
+ service: cloudtrail
detection:
- selection_source:
- - eventSource: cloudtrail.amazonaws.com
- events:
- - eventName:
- - StopLogging
- - UpdateTrail
- - DeleteTrail
- condition: selection_source AND events
+ selection_source:
+ - eventSource: cloudtrail.amazonaws.com
+ events:
+ - eventName:
+ - StopLogging
+ - UpdateTrail
+ - DeleteTrail
+ condition: selection_source AND events
level: medium
falsepositives:
- Valid change in a Trail
tags:
- - attack.t1089
+ - attack.defense_evasion
+ - attack.t1089
+ - attack.t1562.001
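Review bot: The new sub-technique tag is added next to the retired one here (`attack.t1089` stays alongside `attack.t1562.001`), while other hunks in this diff replace the old ID outright (lnx_auditd_ld_so_preload_mod swaps t1055 for t1574.006, lnx_shell_clear_cmd_history swaps t1146 for t1070.003); the keep-both pattern also appears in aws_config_disable_recording, aws_guardduty_disruption, lnx_auditd_alter_bash_profile, lnx_auditd_auditing_config_change, lnx_auditd_logging_config_change, cisco_cli_clear_logs, cisco_cli_collect_data, cisco_cli_crypto_actions and cisco_cli_disable_logging. Settling on one convention keeps consumers that map tags to ATT&CK from seeing a mix of retired and current IDs for the same rule. None of these tag-only changes bump the rule's `modified:` field, although the diff maintains that field elsewhere (lnx_shell_clear_cmd_history, lnx_susp_ssh); adding `modified: <date>` to each touched rule keeps change tracking consistent. The remainder of this hunk is a re-indentation of the detection block, which would be easier to review as its own whitespace commit.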
diff --git a/rules/cloud/aws_config_disable_recording.yml b/rules/cloud/aws_config_disable_recording.yml
index cb0fc0a7..85bc6488 100644
--- a/rules/cloud/aws_config_disable_recording.yml
+++ b/rules/cloud/aws_config_disable_recording.yml
@@ -5,17 +5,19 @@ author: vitaliy0x1
date: 2020/01/21
description: Detects AWS Config Service disabling
logsource:
- service: cloudtrail
+ service: cloudtrail
detection:
- selection_source:
- - eventSource: config.amazonaws.com
- events:
- - eventName:
- - DeleteDeliveryChannel
- - StopConfigurationRecorder
- condition: selection_source AND events
+ selection_source:
+ - eventSource: config.amazonaws.com
+ events:
+ - eventName:
+ - DeleteDeliveryChannel
+ - StopConfigurationRecorder
+ condition: selection_source AND events
level: high
falsepositives:
- Valid change in AWS Config Service
tags:
- - attack.t1089
+ - attack.defense_evasion
+ - attack.t1089
+ - attack.t1562.001
diff --git a/rules/cloud/aws_ec2_startup_script_change.yml b/rules/cloud/aws_ec2_startup_script_change.yml
index dccb22f0..7edcff0b 100644
--- a/rules/cloud/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws_ec2_startup_script_change.yml
@@ -21,3 +21,4 @@ falsepositives:
- Valid changes to the startup script
tags:
- attack.t1064
+ - attack.t1059
diff --git a/rules/cloud/aws_ec2_vm_export_failure.yml b/rules/cloud/aws_ec2_vm_export_failure.yml
new file mode 100644
index 00000000..a6db628c
--- /dev/null
+++ b/rules/cloud/aws_ec2_vm_export_failure.yml
@@ -0,0 +1,28 @@
+title: AWS EC2 VM Export Failure
+id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
+status: experimental
+description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
+references:
+ - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
+author: Diogo Braz
+date: 2020/04/16
+tags:
+ - attack.collection
+ - attack.t1005
+ - attack.exfiltration
+ - attack.t1537
+level: low
+logsource:
+ service: cloudtrail
+detection:
+ selection:
+ eventName: 'CreateInstanceExportTask'
+ eventSource: 'ec2.amazonaws.com'
+ filter1:
+ errorMessage: '*'
+ filter2:
+ errorCode: '*'
+ filter3:
+ eventName: 'ConsoleLogin'
+ responseElements: '*Failure*'
+ condition: selection and (filter1 or filter2 or filter3)
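Review bot: `filter3` can never be true together with `selection`: the condition requires `eventName: 'CreateInstanceExportTask'` from selection and `eventName: 'ConsoleLogin'` from filter3 on the same event, so that branch of the condition is dead. If a failed export is the intent, `filter1`/`filter2` already cover it and the condition can be `condition: selection and (filter1 or filter2)`; if failed console logins were meant as a separate signal they belong in a rule of their own. The description says "An attempt to export an AWS EC2 instance has been detected" while the rule only fires when the call carries an error, so successful export tasks pass unnoticed; either narrow the description to failures (matching the title) or consider a companion rule for successful exports.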
diff --git a/rules/cloud/aws_guardduty_disruption.yml b/rules/cloud/aws_guardduty_disruption.yml
index 61664662..53da70c9 100644
--- a/rules/cloud/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws_guardduty_disruption.yml
@@ -18,4 +18,6 @@ level: high
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
tags:
+ - attack.defense_evasion
- attack.t1089
+ - attack.t1562.001
diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml
index d1769800..fe0a367a 100644
--- a/rules/compliance/cleartext_protocols.yml
+++ b/rules/compliance/cleartext_protocols.yml
@@ -30,8 +30,6 @@ tags:
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.DS-1
- NIST CSF 1.1 PR.DS-2
- - NIST CSF 1.1 PR.PT-3
- - NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.2.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
index 9094ded8..dff6bbf3 100644
--- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
@@ -9,6 +9,7 @@ tags:
- attack.s0003
- attack.t1156
- attack.persistence
+ - attack.t1546.004
author: Peter Matkovski
logsource:
product: linux
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index 1aaa844e..d9fb2e40 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -11,6 +11,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1054
+ - attack.t1562.006
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
new file mode 100644
index 00000000..14be30c0
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -0,0 +1,22 @@
+title: Creation Of An User Account
+id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
+status: experimental
+description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
+references:
+ - 'MITRE Attack technique T1136; Create Account '
+date: 2020/05/18
+tags:
+ - attack.t1136
+ - attack.persistence
+author: Marie Euler
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ exe: '*/useradd'
+ condition: selection
+falsepositives:
+ - Admin activity
+level: medium
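Review bot: The `references` entry on line 2089 is a free-text string with a trailing space inside the quotes rather than a link; Sigma references are expected to be URLs, so `- https://attack.mitre.org/techniques/T1136/001/` would be more useful and also fits the sub-technique IDs the rest of this diff adopts (`attack.t1136.001` next to or instead of `attack.t1136`). Matching `type: 'SYSCALL'` with `exe: '*/useradd'` presumably relies on an auditd rule that records execve calls for that binary — the description should state that prerequisite, since without it the rule is silent. It is also worth noting in the description that account creation by other means than the `useradd` binary is out of scope for this rule.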
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
index f561ba35..77e2e9b1 100644
--- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -6,11 +6,11 @@ author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.
date: 2019/10/24
modified: 2019/11/11
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
tags:
- attack.defense_evasion
- - attack.t1055
+ - attack.t1574.006
logsource:
product: linux
service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index 4140aca7..b456805b 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -10,6 +10,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1054
+ - attack.t1562.006
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index 2b28bb7a..de7ecdfb 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -6,7 +6,10 @@ description: Masquerading occurs when the name or location of an executable, leg
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
logsource:
product: linux
service: auditd
@@ -19,6 +22,3 @@ detection:
a3: '*/crond'
condition: selection
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1036
diff --git a/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml
new file mode 100644
index 00000000..77971d06
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml
@@ -0,0 +1,21 @@
+title: Suspicious C2 Activities
+id: f7158a64-6204-4d6d-868a-6e6378b467e0
+status: experimental
+description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
+references:
+ - 'https://github.com/Neo23x0/auditd'
+date: 2020/05/18
+tags:
+ - attack.command_and_control
+author: Marie Euler
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ key:
+ - 'susp_activity'
+ condition: selection
+falsepositives:
+ - Admin or User activity
+level: medium
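Review bot: The detection matches only the audit key `susp_activity`, which is a label assigned by the auditd ruleset linked in `references`, not something derived from the commands listed in the description; on hosts without that ruleset, or with the key renamed, the rule never fires. The description should state that the rule depends on that configuration's `susp_activity` key rather than implying it matches wget/curl/nc itself, and the command list in the description should be kept in sync with that ruleset. A wording nit: `as declared by Florian Roth in its` should read `in his`.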
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index 01dec32c..1b18d682 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -4,6 +4,9 @@ status: experimental
description: Detects relevant commands often related to malware or hacking activity
references:
- Internal Research - mostly derived from exploit code including code in MSF
+tags:
+ - attack.execution
+ - attack.t1059.004
date: 2017/12/12
author: Florian Roth
logsource:
diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml
index 28068f7a..bb464b90 100644
--- a/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects posible command execution by web application/web shell
tags:
- attack.persistence
- - attack.t1100
+ - attack.t1505.003
references:
- personal experience
author: Ilyas Ochkov, Beyu Denis, oscd.community
diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml
index e22fc0d4..6e3ac919 100644
--- a/rules/linux/auditd/lnx_data_compressed.yml
+++ b/rules/linux/auditd/lnx_data_compressed.yml
@@ -1,13 +1,15 @@
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
- of data sent over the network
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
+tags:
+ - attack.exfiltration
+ - attack.t1560.001
logsource:
product: linux
service: auditd
@@ -27,6 +29,3 @@ detection:
falsepositives:
- Legitimate use of archiving tools by legitimate user
level: low
-tags:
- - attack.exfiltration
- - attack.t1002
diff --git a/rules/linux/lnx_apt_equationgroup_lnx.yml b/rules/linux/lnx_apt_equationgroup_lnx.yml
index 390d5967..73c8489b 100755
--- a/rules/linux/lnx_apt_equationgroup_lnx.yml
+++ b/rules/linux/lnx_apt_equationgroup_lnx.yml
@@ -6,7 +6,7 @@ references:
tags:
- attack.execution
- attack.g0020
- - attack.t1059
+ - attack.t1059.004
author: Florian Roth
date: 2017/04/09
logsource:
diff --git a/rules/linux/lnx_chattr_immutable_removal.yml b/rules/linux/lnx_chattr_immutable_removal.yml
index 70568f59..069ea56c 100644
--- a/rules/linux/lnx_chattr_immutable_removal.yml
+++ b/rules/linux/lnx_chattr_immutable_removal.yml
@@ -4,7 +4,7 @@ description: Detects removing immutable file attribute
status: experimental
tags:
- attack.defense_evasion
- - attack.t1222
+ - attack.t1222.002
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
@@ -20,4 +20,4 @@ falsepositives:
- Administrator interacting with immutable files (for instance backups)
level: medium
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml
new file mode 100644
index 00000000..5a9d1b32
--- /dev/null
+++ b/rules/linux/lnx_file_copy.yml
@@ -0,0 +1,27 @@
+title: Remote File Copy
+id: 7a14080d-a048-4de8-ae58-604ce58a795b
+description: Detects the use of tools that copy files from or to remote systems
+references:
+ - https://attack.mitre.org/techniques/T1105/
+author: Ömer Günal
+date: 2020/06/18
+tags:
+ - attack.command_and_control
+ - attack.lateral_movement
+ - attack.t1105
+level: low
+logsource:
+ product: linux
+detection:
+ keywords:
+ - Scp|contains:
+ - 'scp * *@*:*'
+ - 'scp *@*:* *'
+ - Rsync|contains:
+ - 'rsync -r *@*:* *'
+ - 'rsync -r * *@*:*'
+ - Sftp|contains:
+ - 'sftp *@*:* *'
+ condition: keywords
+falsepositives:
+ - Legitimate administration activities
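Review bot: The `keywords` section is written as a list of mappings (`- Scp|contains:`, `- Rsync|contains:`, `- Sftp|contains:`), which Sigma reads as field/value conditions on fields named `Scp`, `Rsync` and `Sftp`; such fields are unlikely to exist for a bare `product: linux` logsource, so the converted query would most likely match nothing. Plain strings under `keywords` give the intended full-text search, and the wildcard patterns already perform the substring matching that `|contains` was meant to add. The file also lacks `status:` (the other rules added in this diff use `status: experimental`) and has neither `service` nor `category` in `logsource`, so every Linux log source is searched; both are worth adding.
```yaml
detection:
  keywords:
    - 'scp * *@*:*'
    - 'scp *@*:* *'
    - 'rsync -r *@*:* *'
    - 'rsync -r * *@*:*'
    - 'sftp *@*:* *'
  condition: keywords
```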
diff --git a/rules/linux/lnx_file_or_folder_permissions.yml b/rules/linux/lnx_file_or_folder_permissions.yml
index bd2e29e5..c73c58b8 100644
--- a/rules/linux/lnx_file_or_folder_permissions.yml
+++ b/rules/linux/lnx_file_or_folder_permissions.yml
@@ -1,10 +1,10 @@
title: File or Folder Permissions Change
-description: Detects
+description: Detects
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: experimental
tags:
- attack.defense_evasion
- - attack.t1222
+ - attack.t1222.002
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
@@ -21,4 +21,4 @@ falsepositives:
- User interracting with files permissions (normal/daily behaviour)
level: low
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
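Review bot: `description: Detects` on line 2315 is still an unfinished sentence; this hunk only strips the trailing whitespace after it. The detection block is outside the hunk so I cannot quote it, but the title suggests something like `description: Detects changes to file or folder permissions on Linux hosts` — adjust to what the selection actually matches (which tool or syscall the rule keys on). `modified:` should be bumped together with the tag change as well.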
diff --git a/rules/linux/lnx_pers_systemd_reload.yml b/rules/linux/lnx_pers_systemd_reload.yml
index 3cb5c916..0bf77a53 100644
--- a/rules/linux/lnx_pers_systemd_reload.yml
+++ b/rules/linux/lnx_pers_systemd_reload.yml
@@ -4,7 +4,7 @@ description: Detects a reload or a start of a service
status: experimental
tags:
- attack.persistence
- - attack.t1501
+ - attack.t1543.002
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
@@ -23,5 +23,5 @@ falsepositives:
- Legitimate reconfiguration of service
level: low
references:
- - https://attack.mitre.org/techniques/T1501/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml
+ - https://attack.mitre.org/techniques/T1543/002/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml
index 9ee72f09..f00443e2 100644
--- a/rules/linux/lnx_shell_clear_cmd_history.yml
+++ b/rules/linux/lnx_shell_clear_cmd_history.yml
@@ -2,19 +2,27 @@ title: Clear Command History
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: experimental
description: Clear command history in linux which is used for defense evasion.
+ # Example config for this one (place it in .bash_profile):
+ # (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) &
+ # It monitors the size of .bash_history and log the words "empty_bash_history" whenever a previously not empty bash_history becomes empty
+ # We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example)
+ # It has two advantages over the version suggested by Patrick Bareiss :
+ # - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities !
+ # - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
- - https://attack.mitre.org/techniques/T1146/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml
+ - https://attack.mitre.org/techniques/T1070/003/
- https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
author: Patrick Bareiss
date: 2019/03/24
+modified: 2020/07/13
logsource:
product: linux
detection:
keywords:
- 'rm *bash_history'
- 'echo "" > *bash_history'
- - 'cat /dev/null > *bash_history'
+ - 'cat /dev/null > *bash_history'
- 'ln -sf /dev/null *bash_history'
- 'truncate -s0 *bash_history'
# - 'unset HISTFILE' # prone to false positives
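Review bot: The `empty_bash_history` keyword added in the second hunk of this file (line 2391) only produces hits where the inotifywait one-liner from the new comment block is deployed; the description should state that dependency so the keyword is not mistaken for a native log message. The watcher in the comment is attached to the history file itself (`inotifywait -m .bash_history`), so once the file is removed or replaced (the `rm` and `ln -sf` cases that the existing keywords already cover) the loop ends and a later recreated empty file is not observed, and starting it from `.bash_profile` launches one background watcher per login shell; a line in the comment naming both limitations would spare operators a surprise. Embedding a seven-line shell snippet as comments under `description:` also makes the rule harder to read — a `references` link to the snippet, or a short `# see <link to helper script>` comment, would be lighter.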
@@ -22,10 +30,11 @@ detection:
- 'history -c'
- 'history -w'
- 'shred *bash_history'
+ - 'empty_bash_history'
condition: keywords
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- - attack.t1146
+ - attack.t1070.003
diff --git a/rules/linux/lnx_shell_priv_esc_prep.yml b/rules/linux/lnx_shell_priv_esc_prep.yml
index 23df63e8..a07d0061 100644
--- a/rules/linux/lnx_shell_priv_esc_prep.yml
+++ b/rules/linux/lnx_shell_priv_esc_prep.yml
@@ -8,8 +8,8 @@ references:
author: Patrick Bareiss
date: 2019/04/05
tags:
- - attack.privilege_escalation
- - attack.t1068
+ - attack.execution
+ - attack.t1059.004
level: medium
logsource:
product: linux
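Review bot: The hunk replaces `attack.privilege_escalation`/`attack.t1068` with `attack.execution`/`attack.t1059.004` instead of adding to them, so a rule whose file name announces privilege-escalation preparation no longer carries that tactic at all. Unless the old tags were judged wrong (the detection block is outside this hunk, so I cannot check), keeping `- attack.privilege_escalation` alongside the new execution tags preserves the ATT&CK mapping; either way `modified:` should be bumped.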
diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml
index 370cf980..22917c78 100644
--- a/rules/linux/lnx_shell_susp_commands.yml
+++ b/rules/linux/lnx_shell_susp_commands.yml
@@ -6,6 +6,9 @@ references:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
- http://pastebin.com/FtygZ1cg
- https://artkond.com/2017/03/23/pivoting-guide/
+tags:
+ - attack.execution
+ - attack.t1059.004
author: Florian Roth
date: 2017/08/21
modified: 2019/02/05
@@ -24,11 +27,11 @@ detection:
- 'socat -O /tmp/*'
- 'socat tcp-connect*'
- '*echo binary >>*'
- # Malware
+ # Malware
- '*wget *; chmod +x*'
- '*wget *; chmod 777 *'
- '*cd /tmp || cd /var/run || cd /mnt*'
- # Apache Struts in-the-wild exploit codes
+ # Apache Struts in-the-wild exploit codes
- '*stop;service iptables stop;*'
- '*stop;SuSEfirewall2 stop;*'
- 'chmod 777 2020*'
diff --git a/rules/linux/lnx_shell_susp_rev_shells.yml b/rules/linux/lnx_shell_susp_rev_shells.yml
index e6feb1e9..095c6af1 100644
--- a/rules/linux/lnx_shell_susp_rev_shells.yml
+++ b/rules/linux/lnx_shell_susp_rev_shells.yml
@@ -4,6 +4,9 @@ status: experimental
description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
references:
- https://alamot.github.io/reverse_shells/
+tags:
+ - attack.execution
+ - attack.t1059.004
author: Florian Roth
date: 2019/04/02
logsource:
diff --git a/rules/linux/lnx_susp_guacamole.yml b/rules/linux/lnx_susp_guacamole.yml
new file mode 100644
index 00000000..a224144a
--- /dev/null
+++ b/rules/linux/lnx_susp_guacamole.yml
@@ -0,0 +1,19 @@
+title: Guacamole Two Users Sharing Session Anomaly
+status: experimental
+id: 1edd77db-0669-4fef-9598-165bda82826d
+description: Detects suspicious session with two users present
+references:
+ - https://research.checkpoint.com/2020/apache-guacamole-rce/
+author: Florian Roth
+date: 2020/07/03
+logsource:
+ product: linux
+ service: guacamole
+detection:
+ selection:
+ - '(2 users now present)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+
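Review bot: The new rule has no `tags:` block, unlike the other rule files added in this diff; given the referenced Check Point write-up something like `- attack.initial_access` and `- attack.t1190` seems appropriate, to be confirmed by the author. `falsepositives: Unknown` understates that Guacamole, as far as I recall, supports deliberate connection sharing, so `(2 users now present)` can also appear in legitimate use — naming that case matters for whether `level: high` holds. `service: guacamole` needs a matching logsource entry in the backend configuration, and the file ends with an extra blank line (line 2481).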
diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/lnx_susp_jexboss.yml
index 1cb8713a..4541a98a 100644
--- a/rules/linux/lnx_susp_jexboss.yml
+++ b/rules/linux/lnx_susp_jexboss.yml
@@ -3,12 +3,15 @@ id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
description: Detects suspicious command sequence that JexBoss
references:
- https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+tags:
+ - attack.execution
+ - attack.t1059.004
author: Florian Roth
date: 2017/08/24
logsource:
product: linux
detection:
- selection1:
+ selection1:
- 'bash -c /bin/bash'
selection2:
- '&/dev/tcp/'
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml
index 23bb364c..6001335f 100644
--- a/rules/linux/lnx_susp_ssh.yml
+++ b/rules/linux/lnx_susp_ssh.yml
@@ -1,4 +1,4 @@
-title: Suspicious SSHD Error
+title: Suspicious OpenSSH Daemon Error
id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
@@ -6,6 +6,7 @@ references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
author: Florian Roth
date: 2017/06/30
+modified: 2020/05/15
logsource:
product: linux
service: sshd
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index 0eb81291..e510c740 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -1,31 +1,32 @@
-title: Cisco Clear Logs
-id: ceb407f6-8277-439b-951f-e4210e3ed956
-status: experimental
-description: Clear command history in network OS which is used for defense evasion.
-references:
- - https://attack.mitre.org/techniques/T1146/
- - https://attack.mitre.org/techniques/T1070/
-author: Austin Clark
-date: 2019/08/12
-tags:
- - attack.defense_evasion
- - attack.t1146
- - attack.t1070
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
-detection:
- keywords:
- - 'clear logging'
- - 'clear archive'
- condition: keywords
-falsepositives:
- - Legitimate administrators may run these commands.
-level: high
+title: Cisco Clear Logs
+id: ceb407f6-8277-439b-951f-e4210e3ed956
+status: experimental
+description: Clear command history in network OS which is used for defense evasion.
+references:
+ - https://attack.mitre.org/techniques/T1146/
+ - https://attack.mitre.org/techniques/T1070/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.defense_evasion
+ - attack.t1146
+ - attack.t1070
+ - attack.t1070.003
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'clear logging'
+ - 'clear archive'
+ condition: keywords
+falsepositives:
+ - Legitimate administrators may run these commands.
+level: high
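Review bot: The only content change in this section is the added `- attack.t1070.003` on line 2570, yet every line of the file shows as removed and re-added, which points to a line-ending or encoding rewrite; the same whole-file churn appears in cisco_cli_collect_data, cisco_cli_crypto_actions, cisco_cli_disable_logging, cisco_cli_dos and cisco_cli_file_deletion, and cisco_cli_discovery changes nothing but that. Normalising line endings in a separate commit (for example with `*.yml text eol=lf` in `.gitattributes`) would keep the actual tag changes reviewable. In this file the retired `attack.t1146` is kept next to `attack.t1070.003`, which should follow whichever convention the rest of the diff settles on, and `modified:` is not bumped in any of the cisco rules.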
diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
index 0983875f..9944274b 100644
--- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@@ -1,39 +1,40 @@
-title: Cisco Collect Data
-id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
-status: experimental
-description: Collect pertinent data from the configuration files
-references:
- - https://attack.mitre.org/techniques/T1087/
- - https://attack.mitre.org/techniques/T1003/
- - https://attack.mitre.org/techniques/T1081/
- - https://attack.mitre.org/techniques/T1005/
-author: Austin Clark
-date: 2019/08/11
-tags:
- - attack.discovery
- - attack.credential_access
- - attack.collection
- - attack.t1087
- - attack.t1003
- - attack.t1081
- - attack.t1005
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
-detection:
- keywords:
- - 'show running-config'
- - 'show startup-config'
- - 'show archive config'
- - 'more'
- condition: keywords
-falsepositives:
- - Commonly run by administrators.
-level: low
+title: Cisco Collect Data
+id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
+status: experimental
+description: Collect pertinent data from the configuration files
+references:
+ - https://attack.mitre.org/techniques/T1087/
+ - https://attack.mitre.org/techniques/T1003/
+ - https://attack.mitre.org/techniques/T1081/
+ - https://attack.mitre.org/techniques/T1005/
+author: Austin Clark
+date: 2019/08/11
+tags:
+ - attack.discovery
+ - attack.credential_access
+ - attack.collection
+ - attack.t1087
+ - attack.t1003
+ - attack.t1081
+ - attack.t1005
+ - attack.t1552.001
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'show running-config'
+ - 'show startup-config'
+ - 'show archive config'
+ - 'more'
+ condition: keywords
+falsepositives:
+ - Commonly run by administrators.
+level: low
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index 4cedb6de..81e1a3a1 100644
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -1,33 +1,35 @@
-title: Cisco Crypto Commands
-id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
-status: experimental
-description: Show when private keys are being exported from the device, or when new certificates are installed.
-references:
- - https://attack.mitre.org/techniques/T1145/
- - https://attack.mitre.org/techniques/T1130/
-author: Austin Clark
-date: 2019/08/12
-tags:
- - attack.credential_access
- - attack.defense_evasion
- - attack.t1130
- - attack.t1145
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
-detection:
- keywords:
- - 'crypto pki export'
- - 'crypto pki import'
- - 'crypto pki trustpoint'
- condition: keywords
-falsepositives:
- - Not commonly run by administrators. Also whitelist your known good certificates.
-level: high
+title: Cisco Crypto Commands
+id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
+status: experimental
+description: Show when private keys are being exported from the device, or when new certificates are installed.
+references:
+ - https://attack.mitre.org/techniques/T1145/
+ - https://attack.mitre.org/techniques/T1130/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.t1130
+ - attack.t1145
+ - attack.t1553.004
+ - attack.t1552.004
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'crypto pki export'
+ - 'crypto pki import'
+ - 'crypto pki trustpoint'
+ condition: keywords
+falsepositives:
+ - Not commonly run by administrators. Also whitelist your known good certificates.
+level: high
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index d652b428..4bc95584 100644
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -1,29 +1,30 @@
-title: Cisco Disabling Logging
-id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
-status: experimental
-description: Turn off logging locally or remote
-references:
- - https://attack.mitre.org/techniques/T1089
-author: Austin Clark
-date: 2019/08/11
-tags:
- - attack.defense_evasion
- - attack.t1089
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
-detection:
- keywords:
- - 'no logging'
- - 'no aaa new-model'
- condition: keywords
-falsepositives:
- - Unknown
-level: high
+title: Cisco Disabling Logging
+id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
+status: experimental
+description: Turn off logging locally or remote
+references:
+ - https://attack.mitre.org/techniques/T1089
+author: Austin Clark
+date: 2019/08/11
+tags:
+ - attack.defense_evasion
+ - attack.t1089
+ - attack.t1562.001
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'no logging'
+ - 'no aaa new-model'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/network/cisco/aaa/cisco_cli_discovery.yml b/rules/network/cisco/aaa/cisco_cli_discovery.yml
index 19a88fa7..5bf64792 100644
--- a/rules/network/cisco/aaa/cisco_cli_discovery.yml
+++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml
@@ -1,46 +1,46 @@
-title: Cisco Discovery
-id: 9705a6a1-6db6-4a16-a987-15b7151e299b
-status: experimental
-description: Find information about network devices that are not stored in config files.
-references:
- - https://attack.mitre.org/tactics/TA0007/
-author: Austin Clark
-date: 2019/08/12
-tags:
- - attack.discovery
- - attack.t1083
- - attack.t1201
- - attack.t1057
- - attack.t1018
- - attack.t1082
- - attack.t1016
- - attack.t1049
- - attack.t1033
- - attack.t1124
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
-detection:
- keywords:
- - 'dir'
- - 'show processes'
- - 'show arp'
- - 'show cdp'
- - 'show version'
- - 'show ip route'
- - 'show ip interface'
- - 'show ip sockets'
- - 'show users'
- - 'show ssh'
- - 'show clock'
- condition: keywords
-falsepositives:
- - Commonly used by administrators for troubleshooting
-level: low
+title: Cisco Discovery
+id: 9705a6a1-6db6-4a16-a987-15b7151e299b
+status: experimental
+description: Find information about network devices that are not stored in config files.
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.discovery
+ - attack.t1083
+ - attack.t1201
+ - attack.t1057
+ - attack.t1018
+ - attack.t1082
+ - attack.t1016
+ - attack.t1049
+ - attack.t1033
+ - attack.t1124
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'dir'
+ - 'show processes'
+ - 'show arp'
+ - 'show cdp'
+ - 'show version'
+ - 'show ip route'
+ - 'show ip interface'
+ - 'show ip sockets'
+ - 'show users'
+ - 'show ssh'
+ - 'show clock'
+ condition: keywords
+falsepositives:
+ - Commonly used by administrators for troubleshooting
+level: low
diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml
index 9d8c1a6c..847f0d21 100644
--- a/rules/network/cisco/aaa/cisco_cli_dos.yml
+++ b/rules/network/cisco/aaa/cisco_cli_dos.yml
@@ -1,28 +1,28 @@
-title: Cisco Denial of Service
-id: d94a35f0-7a29-45f6-90a0-80df6159967c
-status: experimental
-description: Detect a system being shutdown or put into different boot mode
-references:
- - https://attack.mitre.org/techniques/T1499/
- - https://attack.mitre.org/techniques/T1495/
-author: Austin Clark
-date: 2019/08/15
-tags:
- - attack.impact
- - attack.t1499
- - attack.t1495
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
-detection:
- keywords:
- - 'shutdown'
- - 'config-register 0x2100'
- - 'config-register 0x2142'
- condition: keywords
-falsepositives:
- - Legitimate administrators may run these commands, though rarely.
-level: medium
+title: Cisco Denial of Service
+id: d94a35f0-7a29-45f6-90a0-80df6159967c
+status: experimental
+description: Detect a system being shutdown or put into different boot mode
+references:
+ - https://attack.mitre.org/techniques/T1499/
+ - https://attack.mitre.org/techniques/T1495/
+author: Austin Clark
+date: 2019/08/15
+tags:
+ - attack.impact
+ - attack.t1499
+ - attack.t1495
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'shutdown'
+ - 'config-register 0x2100'
+ - 'config-register 0x2142'
+ condition: keywords
+falsepositives:
+ - Legitimate administrators may run these commands, though rarely.
+level: medium
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index 5c82fa85..f248dd59 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -1,31 +1,34 @@
-title: Cisco Show Commands Input
-id: 71d65515-c436-43c0-841b-236b1f32c21e
-status: experimental
-description: See what files are being deleted from flash file systems
-references:
- - https://attack.mitre.org/techniques/T1107/
- - https://attack.mitre.org/techniques/T1488/
- - https://attack.mitre.org/techniques/T1487/
-author: Austin Clark
-date: 2019/08/12
-tags:
- - attack.defense_evasion
- - attack.impact
- - attack.t1107
- - attack.t1488
- - attack.t1487
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
-detection:
- keywords:
- - 'erase'
- - 'delete'
- - 'format'
- condition: keywords
-falsepositives:
- - Will be used sometimes by admins to clean up local flash space.
-level: medium
+title: Cisco Show Commands Input
+id: 71d65515-c436-43c0-841b-236b1f32c21e
+status: experimental
+description: See what files are being deleted from flash file systems
+references:
+ - https://attack.mitre.org/techniques/T1107/
+ - https://attack.mitre.org/techniques/T1488/
+ - https://attack.mitre.org/techniques/T1487/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.defense_evasion
+ - attack.impact
+ - attack.t1107
+ - attack.t1488
+ - attack.t1487
+ - attack.t1561.002
+ - attack.t1070.004
+ - attack.t1561.001
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'erase'
+ - 'delete'
+ - 'format'
+ condition: keywords
+falsepositives:
+ - Will be used sometimes by admins to clean up local flash space.
+level: medium
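Review bot: The rewritten `title: Cisco Show Commands Input` does not describe this rule, which matches `erase`/`delete`/`format`, and it is identical to the title of cisco_cli_input_capture.yml in the next hunk, so two rules in the same directory now share a title; something like `title: Cisco File Deletion` would keep them distinguishable. The tag list gains three sub-techniques but the rule still carries no `modified` field, which the Sigma rule convention expects whenever a published rule changes; the same applies to cisco_cli_input_capture.yml, cisco_cli_modify_config.yml, cisco_cli_moving_data.yml, net_susp_dns_txt_exec_strings.yml, zeek_susp_kerberos_rc4.yml and proxy_raw_paste_service_access.yml in this diff. Adding `modified: <date of this change>` to each changed rule would close that gap.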
diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
index 98a240bd..d1bc266a 100644
--- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml
+++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
@@ -1,29 +1,30 @@
-title: Cisco Show Commands Input
-id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
-status: experimental
-description: See what commands are being input into the device by other people, full credentials can be in the history
-references:
- - https://attack.mitre.org/techniques/T1056/
- - https://attack.mitre.org/techniques/T1139/
-author: Austin Clark
-date: 2019/08/11
-tags:
- - attack.collection
- - attack.credential_access
- - attack.t1139
- - attack.t1056
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
-detection:
- keywords:
- - 'show history'
- - 'show history all'
- - 'show logging'
- condition: keywords
-falsepositives:
- - Not commonly run by administrators, especially if remote logging is configured.
-level: medium
+title: Cisco Show Commands Input
+id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
+status: experimental
+description: See what commands are being input into the device by other people, full credentials can be in the history
+references:
+ - https://attack.mitre.org/techniques/T1056/
+ - https://attack.mitre.org/techniques/T1139/
+author: Austin Clark
+date: 2019/08/11
+tags:
+ - attack.collection
+ - attack.credential_access
+ - attack.t1139
+ - attack.t1056
+ - attack.t1552.003
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'show history'
+ - 'show history all'
+ - 'show logging'
+ condition: keywords
+falsepositives:
+ - Not commonly run by administrators, especially if remote logging is configured.
+level: medium
diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
index ddab7072..b563459f 100644
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@@ -1,27 +1,27 @@
-title: Cisco Local Accounts
-id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
-status: experimental
-description: Find local accounts being created or modified as well as remote authentication configurations
-references:
- - https://attack.mitre.org/techniques/T1098/
- - https://attack.mitre.org/techniques/T1136/
-author: Austin Clark
-date: 2019/08/12
-tags:
- - attack.persistence
- - attack.t1136
- - attack.t1098
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
-detection:
- keywords:
- - 'username'
- - 'aaa'
- condition: keywords
-falsepositives:
- - When remote authentication is in place, this should not change often.
-level: high
+title: Cisco Local Accounts
+id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
+status: experimental
+description: Find local accounts being created or modified as well as remote authentication configurations
+references:
+ - https://attack.mitre.org/techniques/T1098/
+ - https://attack.mitre.org/techniques/T1136/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.persistence
+ - attack.t1136
+ - attack.t1098
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'username'
+ - 'aaa'
+ condition: keywords
+falsepositives:
+ - When remote authentication is in place, this should not change often.
+level: high
diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
index b79eb053..6f98513e 100644
--- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
@@ -1,38 +1,41 @@
-title: Cisco Modify Configuration
-id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
-status: experimental
-description: Modifications to a config that will serve an adversary's impacts or persistence
-references:
- - https://attack.mitre.org/techniques/T1100/
- - https://attack.mitre.org/techniques/T1168/
- - https://attack.mitre.org/techniques/T1493/
-author: Austin Clark
-date: 2019/08/12
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.impact
- - attack.t1493
- - attack.t1100
- - attack.t1168
- - attack.t1490
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
-detection:
- keywords:
- - 'ip http server'
- - 'ip https server'
- - 'kron policy-list'
- - 'kron occurrence'
- - 'policy-list'
- - 'access-list'
- - 'ip access-group'
- - 'archive maximum'
- condition: keywords
-falsepositives:
- - Legitimate administrators may run these commands.
-level: medium
+title: Cisco Modify Configuration
+id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
+status: experimental
+description: Modifications to a config that will serve an adversary's impacts or persistence
+references:
+ - https://attack.mitre.org/techniques/T1100/
+ - https://attack.mitre.org/techniques/T1168/
+ - https://attack.mitre.org/techniques/T1493/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.impact
+ - attack.t1493
+ - attack.t1100
+ - attack.t1168
+ - attack.t1490
+ - attack.t1565.002
+ - attack.t1505
+ - attack.t1053
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'ip http server'
+ - 'ip https server'
+ - 'kron policy-list'
+ - 'kron occurrence'
+ - 'policy-list'
+ - 'access-list'
+ - 'ip access-group'
+ - 'archive maximum'
+ condition: keywords
+falsepositives:
+ - Legitimate administrators may run these commands.
+level: medium
diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
index 0b603bca..924588a6 100644
--- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
@@ -1,39 +1,41 @@
-title: Cisco Stage Data
-id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
-status: experimental
-description: Various protocols maybe used to put data on the device for exfil or infil
-references:
- - https://attack.mitre.org/techniques/T1074/
- - https://attack.mitre.org/techniques/T1105/
- - https://attack.mitre.org/techniques/T1498/
- - https://attack.mitre.org/techniques/T1002/
-author: Austin Clark
-date: 2019/08/12
-tags:
- - attack.collection
- - attack.lateral_movement
- - attack.command_and_control
- - attack.exfiltration
- - attack.impact
- - attack.t1074
- - attack.t1105
- - attack.t1492
- - attack.t1002
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
-detection:
- keywords:
- - 'tftp'
- - 'rcp'
- - 'puts'
- - 'copy'
- - 'configure replace'
- - 'archive tar'
- condition: keywords
-falsepositives:
- - Generally used to copy configs or IOS images.
-level: low
+title: Cisco Stage Data
+id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
+status: experimental
+description: Various protocols maybe used to put data on the device for exfil or infil
+references:
+ - https://attack.mitre.org/techniques/T1074/
+ - https://attack.mitre.org/techniques/T1105/
+ - https://attack.mitre.org/techniques/T1498/
+ - https://attack.mitre.org/techniques/T1002/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.collection
+ - attack.lateral_movement
+ - attack.command_and_control
+ - attack.exfiltration
+ - attack.impact
+ - attack.t1074
+ - attack.t1105
+ - attack.t1492
+ - attack.t1002
+ - attack.t1560
+ - attack.t1565.001
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'tftp'
+ - 'rcp'
+ - 'puts'
+ - 'copy'
+ - 'configure replace'
+ - 'archive tar'
+ condition: keywords
+falsepositives:
+ - Generally used to copy configs or IOS images.
+level: low
diff --git a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
index 3a329fce..3cc2a410 100644
--- a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
+++ b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
@@ -1,27 +1,27 @@
-title: Cisco Sniffing
-id: b9e1f193-d236-4451-aaae-2f3d2102120d
-status: experimental
-description: Show when a monitor or a span/rspan is setup or modified
-references:
- - https://attack.mitre.org/techniques/T1040
-author: Austin Clark
-date: 2019/08/11
-tags:
- - attack.credential_access
- - attack.discovery
- - attack.t1040
-logsource:
- product: cisco
- service: aaa
- category: accounting
-fields:
- - CmdSet
-detection:
- keywords:
- - 'monitor capture point'
- - 'set span'
- - 'set rspan'
- condition: keywords
-falsepositives:
- - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
-level: medium
+title: Cisco Sniffing
+id: b9e1f193-d236-4451-aaae-2f3d2102120d
+status: experimental
+description: Show when a monitor or a span/rspan is setup or modified
+references:
+ - https://attack.mitre.org/techniques/T1040
+author: Austin Clark
+date: 2019/08/11
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'monitor capture point'
+ - 'set span'
+ - 'set rspan'
+ condition: keywords
+falsepositives:
+ - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
+level: medium
diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml
index 42ee5e22..95492f1b 100644
--- a/rules/network/net_susp_dns_txt_exec_strings.yml
+++ b/rules/network/net_susp_dns_txt_exec_strings.yml
@@ -7,17 +7,18 @@ references:
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
tags:
- attack.t1071
+ - attack.t1071.004
author: Markus Neis
date: 2018/08/08
logsource:
category: dns
detection:
selection:
- record_type: 'TXT'
- answer:
- - '*IEX*'
- - '*Invoke-Expression*'
- - '*cmd.exe*'
+ record_type: 'TXT'
+ answer:
+ - '*IEX*'
+ - '*Invoke-Expression*'
+ - '*cmd.exe*'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml
new file mode 100644
index 00000000..bfaa398f
--- /dev/null
+++ b/rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml
@@ -0,0 +1,35 @@
+title: Domain User Enumeration Network Recon 01
+description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
+id: 66a0bdc6-ee04-441a-9125-99d2eb547942
+references:
+ - "https://github.com/OTRF/detection-hackathon-apt29"
+ - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
+author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
+date: 2020/05/03
+modified: 2020/05/03
+tags:
+ - attack.discovery
+ - attack.t1087
+ - attack.t1082
+logsource:
+ product: zeek
+ service: dce_rpc
+detection:
+ selection:
+ operation:
+ #- LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon
+ #- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call
+ - LsarLookupNames3 #method translates a batch of security principal names to their SID form
+ - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms
+ - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of
+ - SamrLookupIdsInDomain #method translates a set of RIDs into account names
+ - SamrLookupNamesInDomain #method translates a set of account names into a set of RIDs
+ - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object
+ - SamrQueryInformationGroup #obtains attributes from a group object
+ timeframe: 30s
+ condition: selection | count(operation) by src_ip > 4
+falsepositives:
+ - Devices that may do authentication like a VPN or a firewall that looksup IPs to username
+ - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+status: experimental
\ No newline at end of file
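Review bot: The new file name `zeek-dce_rpc_domain_user_enumeration.yml` uses a hyphen after `zeek` while every sibling added in this diff is named `zeek_dce_rpc_...`, and the file lacks a trailing newline (`\ No newline at end of file`). The inline comments in the `operation` list are glued to the value (`- LsarLookupNames3 #method ...`); yamllint's `comments` rule expects at least two spaces before `#` and one after it. The `src_ip` in `count(operation) by src_ip` is not a native column of Zeek's dce_rpc log, where the originating address is `id.orig_h`, so this presumably depends on a field mapping in the backend configuration; a comment such as `# src_ip: relies on the backend field mapping for Zeek id.orig_h` would spare the next reader the guess.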
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
new file mode 100644
index 00000000..141a67dd
--- /dev/null
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -0,0 +1,53 @@
+title: MITRE BZAR Indicators for ATT&CK Execution
+id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
+description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
+author: '@neu5ron, SOC Prime'
+date: 2020/03/19
+references:
+ - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
+tags:
+ - attack.execution
+ - attack.t1035
+ - attack.t1047
+ - attack.t1053
+ - attack.t1053.002
+ - attack.t1569.002
+logsource:
+ product: zeek
+ service: dce_rpc
+detection:
+ op1:
+ endpoint: 'JobAdd'
+ operation: 'atsvc'
+ op2:
+ endpoint: 'ITaskSchedulerService'
+ operation: 'SchRpcEnableTask'
+ op3:
+ endpoint: 'ITaskSchedulerService'
+ operation: 'SchRpcRegisterTask'
+ op4:
+ endpoint: 'ITaskSchedulerService'
+ operation: 'SchRpcRun'
+ op5:
+ endpoint: 'IWbemServices'
+ operation: 'ExecMethod'
+ op6:
+ endpoint: 'IWbemServices'
+ operation: 'ExecMethodAsync'
+ op7:
+ endpoint: 'svcctl'
+ operation: 'CreateServiceA'
+ op8:
+ endpoint: 'svcctl'
+ operation: 'CreateServiceW'
+ op9:
+ endpoint: 'svcctl'
+ operation: 'StartServiceA'
+ op10:
+ endpoint: 'svcctl'
+ operation: 'StartServiceW'
+ condition: 1 of them
+falsepositives:
+ - 'Windows administrator tasks or troubleshooting'
+ - 'Windows management scripts or software'
+level: medium
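Review bot: In `op1` the `endpoint` and `operation` values appear swapped: `endpoint: 'JobAdd'` / `operation: 'atsvc'`, whereas every other selector in the hunk puts the RPC interface under `endpoint` and the method under `operation` (e.g. `endpoint: 'svcctl'` / `operation: 'CreateServiceA'`), which is also how Zeek's dce_rpc log populates those columns. As written, op1 can never match an at-job creation, so that part of the BZAR mapping is silently lost. The fix is `endpoint: 'atsvc'` and `operation: 'JobAdd'`.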
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
new file mode 100644
index 00000000..4dd5fc5d
--- /dev/null
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -0,0 +1,38 @@
+title: MITRE BZAR Indicators for ATT&CK Persistence
+id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
+description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
+author: '@neu5ron, SOC Prime'
+date: 2020/03/19
+references:
+ - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
+tags:
+ - attack.persistence
+ - attack.t1004
+ - attack.t1547.004
+logsource:
+ product: zeek
+ service: dce_rpc
+detection:
+ op1:
+ endpoint: 'spoolss'
+ operation: 'RpcAddMonitor'
+ op2:
+ endpoint: 'spoolss'
+ operation: 'RpcAddPrintProcessor'
+ op3:
+ endpoint: 'IRemoteWinspool'
+ operation: 'RpcAsyncAddMonitor'
+ op4:
+ endpoint: 'IRemoteWinspool'
+ operation: 'RpcAsyncAddPrintProcessor'
+ op5:
+ endpoint: 'ISecLogon'
+ operation: 'SeclCreateProcessWithLogonW'
+ op6:
+ endpoint: 'ISecLogon'
+ operation: 'SeclCreateProcessWithLogonExW'
+ condition: 1 of them
+falsepositives:
+ - 'Windows administrator tasks or troubleshooting'
+ - 'Windows management scripts or software'
+level: medium
diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
new file mode 100644
index 00000000..55bc7898
--- /dev/null
+++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
@@ -0,0 +1,27 @@
+title: Executable from Webdav
+description: "Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/"
+id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
+author: 'SOC Prime, Adam Swan'
+references:
+ - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
+ - https://github.com/OTRF/detection-hackathon-apt29
+tags:
+ - attack.command_and_control
+ - attack.t1043
+ - attack.t1571
+logsource:
+ product: zeek
+ service: http
+date: 2020/05/01
+detection:
+ selection_webdav:
+ - c-useragent: '*WebDAV*'
+ - c-uri: '*webdav*'
+ selection_executable:
+ - resp_mime_types: '*dosexec*'
+ - c-uri: '*.exe'
+ condition: selection_webdav AND selection_executable
+falsepositives:
+ - unknown
+level: medium
+status: experimental
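Review bot: `condition: selection_webdav AND selection_executable` writes the operator in uppercase, while every other rule in this diff uses lowercase (`condition: selection1 and not selection2`); unless the condition parser is known to be case-insensitive, this should read `condition: selection_webdav and selection_executable`. The `date` key is also placed between `logsource` and `detection` instead of with the other metadata, and `status: experimental` sits last; moving both next to `author` would match the key order of the sibling rules.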
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
new file mode 100644
index 00000000..5fb3eab7
--- /dev/null
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -0,0 +1,26 @@
+title: Remote Task Creation via ATSVC Named Pipe - Zeek
+id: dde85b37-40cd-4a94-b00c-0b8794f956b5
+description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
+author: 'Samir Bousseaden, @neu5rn'
+date: 2020/04/03
+references:
+ - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_atsvc_task.yml
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.t1053
+ - car.2013-05-004
+ - car.2015-04-001
+ - attack.t1053.002
+logsource:
+ product: zeek
+ service: smb_files
+detection:
+ selection:
+ path: \\*\IPC$
+ name: atsvc
+ #Accesses: '*WriteData*'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
new file mode 100644
index 00000000..4a7fe93a
--- /dev/null
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
@@ -0,0 +1,24 @@
+title: Possible Impacket SecretDump Remote Activity - Zeek
+id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
+description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
+author: 'Samir Bousseaden, @neu5ron'
+date: 2020/03/19
+references:
+ - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.003
+logsource:
+ product: zeek
+ service: smb_files
+detection:
+ selection:
+ path: '\\*ADMIN$'
+ name: '*SYSTEM32\\*.tmp'
+ condition: selection
+falsepositives:
+ - 'unknown'
+level: high
diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
new file mode 100644
index 00000000..c6649af6
--- /dev/null
+++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
@@ -0,0 +1,41 @@
+title: First Time Seen Remote Named Pipe - Zeek
+id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
+description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
+author: 'Samir Bousseaden, @neu5ron'
+date: 2020/04/02
+references:
+ - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml
+tags:
+ - attack.lateral_movement
+ - attack.t1077
+ - attack.t1021.002
+logsource:
+ product: zeek
+ service: smb_files
+detection:
+ selection1:
+ path: \\*\IPC$
+ selection2:
+ path: \\*\IPC$
+ name:
+ - 'atsvc'
+ - 'samr'
+ - 'lsarpc'
+ - 'winreg'
+ - 'netlogon'
+ - 'srvsvc'
+ - 'protected_storage'
+ - 'wkssvc'
+ - 'browser'
+ - 'netdfs'
+ - 'svcctl'
+ - 'spoolss'
+ - 'ntsvcs'
+ - 'LSM_API_service'
+ - 'HydraLsPipe'
+ - 'TermSrv_API_service'
+ - 'MsFteWds'
+ condition: selection1 and not selection2
+falsepositives:
+ - update the excluded named pipe to filter out any newly observed legit named pipe
+level: high
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
new file mode 100644
index 00000000..79bd5115
--- /dev/null
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -0,0 +1,28 @@
+title: Suspicious PsExec Execution - Zeek
+id: f1b3a22a-45e6-4004-afb5-4291f9c21166
+description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
+author: 'Samir Bousseaden, @neu5ron'
+date: 2020/04/02
+references:
+ - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml
+tags:
+ - attack.lateral_movement
+ - attack.t1077
+ - attack.t1021.002
+logsource:
+ product: zeek
+ service: smb_files
+detection:
+ selection1:
+ path: \\*\IPC$
+ name:
+ - '*-stdin'
+ - '*-stdout'
+ - '*-stderr'
+ selection2:
+ name: \\*\IPC$
+ path: 'PSEXESVC*'
+ condition: selection1 and not selection2
+falsepositives:
+ - nothing observed so far
+level: high
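Review bot: `selection2` has the share and the pipe name under the wrong keys: `name: \\*\IPC$` and `path: 'PSEXESVC*'`, the reverse of `selection1` directly above, where `path` holds `\\*\IPC$` and `name` holds the pipe name. Because selection2 can then never match, `not selection2` is always true and the standard `PSEXESVC-stdin`/`-stdout`/`-stderr` pipes the rule means to exclude will alert as well, contradicting the description. The fix is `path: \\*\IPC$` and `name: 'PSEXESVC*'` in selection2.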
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
new file mode 100644
index 00000000..7e5880e0
--- /dev/null
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -0,0 +1,37 @@
+title: Suspicious Access to Sensitive File Extensions - Zeek
+id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
+description: Detects known sensitive file extensions via Zeek
+author: 'Samir Bousseaden, @neu5ron'
+date: 2020/04/02
+references:
+ - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+tags:
+ - attack.collection
+logsource:
+ product: zeek
+ service: smb_files
+detection:
+ selection:
+ name:
+ - '*.pst'
+ - '*.ost'
+ - '*.msg'
+ - '*.nst'
+ - '*.oab'
+ - '*.edb'
+ - '*.nsf'
+ - '*.bak'
+ - '*.dmp'
+ - '*.kirbi'
+ - '*\groups.xml'
+ - '*.rdp'
+ condition: selection
+fields:
+ - ComputerName
+ - SubjectDomainName
+ - SubjectUserName
+ - RelativeTargetName
+falsepositives:
+ - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
+ - Users working with these data types or exchanging message files
+level: medium
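Review bot: The `fields` block (`ComputerName`, `SubjectDomainName`, `SubjectUserName`, `RelativeTargetName`) looks carried over unchanged from the Windows Security event rule cited in `references`; none of those names exist in a Zeek smb_files record, whose columns the sibling rules in this diff address as `path` and `name`. Either drop the block or replace it with the Zeek column names the backend exposes for this log, e.g. `- name` and `- path`. This is inferred from the field naming and not verified against a Zeek log sample.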
diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
new file mode 100644
index 00000000..503c9c8f
--- /dev/null
+++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
@@ -0,0 +1,32 @@
+title: Transferring Files with Credential Data via Network Shares - Zeek
+id: 2e69f167-47b5-4ae7-a390-47764529eff5
+description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
+author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
+date: 2020/04/02
+references:
+ - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1003.002
+ - attack.t1003.001
+ - attack.t1003.003
+logsource:
+ product: zeek
+ service: smb_files
+detection:
+ selection:
+ name:
+ - '\mimidrv'
+ - '\lsass'
+ - '\windows\minidump\'
+ - '\hiberfil'
+ - '\sqldmpr'
+ - '\sam'
+ - '\ntds.dit'
+ - '\security'
+ condition: selection
+falsepositives:
+ - Transferring sensitive files for legitimate administration work by legitimate administrator
+level: medium
+status: experimental
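Review bot: The `name` values under `selection` (`'\mimidrv'`, `'\lsass'`, `'\windows\minidump\'`, …) contain no wildcards and the key carries no modifier, so in Sigma they are exact matches on the whole file name; a share-relative name such as `Windows\Temp\lsass.dmp` would not match, which appears to defeat the purpose of the list. The Windows rule it was converted from presumably matches with a `contains` modifier; the equivalent here is `name|contains:` with the same list. Worth verifying against an actual Zeek smb_files `name` value before changing.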
diff --git a/rules/network/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
similarity index 96%
rename from rules/network/zeek_susp_kerberos_rc4.yml
rename to rules/network/zeek/zeek_susp_kerberos_rc4.yml
index 456f8278..30b134ff 100644
--- a/rules/network/zeek_susp_kerberos_rc4.yml
+++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.credential_access
- attack.t1208
+ - attack.t1558.003
logsource:
product: zeek
service: kerberos
diff --git a/rules/proxy/proxy_empire_ua_uri_combos.yml b/rules/proxy/proxy_empire_ua_uri_combos.yml
new file mode 100644
index 00000000..7c3153a6
--- /dev/null
+++ b/rules/proxy/proxy_empire_ua_uri_combos.yml
@@ -0,0 +1,25 @@
+title: Empire UserAgent URI Combo
+id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
+status: experimental
+description: Detects user agent and URI paths used by empire agents
+references:
+ - https://github.com/BC-SECURITY/Empire
+author: Florian Roth
+date: 2020/07/13
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
+ cs-uri-query:
+ - '/admin/get.php'
+ - '/news.php'
+ - '/login/process.php'
+ cs-method: 'POST'
+ condition: selection
+fields:
+ - c-uri
+ - c-ip
+falsepositives:
+ - Valid requests with this exact user agent to server scripts of the defined names
+level: high
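Review bot: The URI paths are placed under `cs-uri-query` (`'/admin/get.php'`, `'/news.php'`, `'/login/process.php'`), but in W3C-style proxy logs that field holds the query string while the path lives in `cs-uri-stem`; the other proxy rules in this diff match paths with `c-uri` (e.g. `c-uri|contains: '/pwndrop/'`), so as written this selection presumably never matches a plain POST to those scripts. Using `c-uri:` (or `cs-uri-stem:`) for the list would make the rule consistent with its siblings and with the `fields` block below, which already lists `c-uri`. Whether `cs-uri-query` is re-mapped by a backend field mapping could not be confirmed from the diff.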
diff --git a/rules/proxy/proxy_pwndrop.yml b/rules/proxy/proxy_pwndrop.yml
new file mode 100644
index 00000000..9fe81dc1
--- /dev/null
+++ b/rules/proxy/proxy_pwndrop.yml
@@ -0,0 +1,21 @@
+title: PwnDrp Access
+id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
+status: experimental
+description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
+references:
+ - https://breakdev.org/pwndrop/
+author: Florian Roth
+date: 2020/04/15
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri|contains: '/pwndrop/'
+ condition: selection
+fields:
+ - ClientIP
+ - c-uri
+ - c-useragent
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml
index d5d21d3b..eba8c9a1 100644
--- a/rules/proxy/proxy_raw_paste_service_access.yml
+++ b/rules/proxy/proxy_raw_paste_service_access.yml
@@ -17,6 +17,7 @@ detection:
- '.paste.ee/r/'
- '.pastebin.com/raw/'
- '.hastebin.com/raw/'
+ - '.ghostbin.co/paste/*/raw/'
condition: selection
fields:
- ClientIP
diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml
new file mode 100644
index 00000000..3a743adb
--- /dev/null
+++ b/rules/proxy/proxy_turla_comrat.yml
@@ -0,0 +1,19 @@
+title: Turla ComRAT
+id: 7857f021-007f-4928-8b2c-7aedbe64bb82
+status: experimental
+description: Detects Turla ComRAT patterns
+references:
+ - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+author: Florian Roth
+date: 2020/05/26
+tags:
+ - attack.g0010
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri|contains: '/index/index.php?h='
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index af6baf85..0baf02b2 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -45,6 +45,8 @@ detection:
- 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
- 'hots scot' # Unkown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
+ - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
+ - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
condition: selection
fields:
- ClientIP
diff --git a/rules/web/web_citrix_cve_2019_19781_exploit.yml b/rules/web/web_citrix_cve_2019_19781_exploit.yml
index 8f4cc5d0..1753d623 100644
--- a/rules/web/web_citrix_cve_2019_19781_exploit.yml
+++ b/rules/web/web_citrix_cve_2019_19781_exploit.yml
@@ -10,13 +10,13 @@ references:
author: Arnim Rupp, Florian Roth
status: experimental
date: 2020/01/02
-modified: 2020/01/15
+modified: 2020/03/14
logsource:
category: webserver
- description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
+ definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
detection:
selection:
- c-uri-path:
+ c-uri:
- '*/../vpns/*'
- '*/vpns/cfg/smb.conf'
- '*/vpns/portal/scripts/*.pl*'
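Review bot: The traversal pattern `'*/../vpns/*'` only matches the literal `../` form; if the Netscaler log stores the request line as sent, URL-encoded variants such as `%2e%2e/vpns/` or `..%2fvpns/` reach the same handler and pass this rule, and the third entry does not catch them either because it requires a leading `/vpns/`. Consider adding `- '*%2e%2e/vpns/*'` and `- '*vpns/portal/scripts/*.pl*'` (no leading slash) to the list. Whether the access log holds the URI decoded or raw should be stated in `definition`, since the rename to `c-uri` now also pulls the query string into the match.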
diff --git a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
new file mode 100644
index 00000000..7b8ad590
--- /dev/null
+++ b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
@@ -0,0 +1,34 @@
+title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
+description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
+id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
+references:
+ - https://support.citrix.com/article/CTX276688
+ - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
+ - https://dmaasland.github.io/posts/citrix.html
+author: Florian Roth
+status: experimental
+date: 2020/07/10
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection1:
+ c-uri|contains:
+ - '/rapi/filedownload?filter=path:%2F'
+ selection2:
+ c-uri|contains|all:
+ - '/pcidss/report'
+ - 'type=all_signatures'
+ - 'sig_name=_default_signature_'
+ condition: 1 of them
+fields:
+ - client_ip
+ - vhost
+ - url
+ - response
+falsepositives:
+ - Unknown
+level: critical
+
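Review bot: The title and description call the product `ADS` / `Application Delivery Controller (ADS)`; the Citrix product and the referenced NCC Group post say ADC, so the text should read `Citrix ADC Exploitation CVE-2020-8193 CVE-2020-8195` and `... Application Delivery Controller (ADC) ...`. The `fields` list (`client_ip`, `vhost`, `url`, `response`) uses names that match neither the `c-uri` field the detection queries nor the `c-ip` / `c-dns` used by the other new web rules in this commit, and `response` is the very name this commit renames to `sc-status` in `web_multiple_suspicious_resp_codes_single_source.yml`. Finally, `filter=path:%2F` only matches the encoded slash; logs that store the decoded URI show `filter=path:/`, so adding `- '/rapi/filedownload?filter=path:/'` to `selection1` avoids a silent miss.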
diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
index 4a2d6467..d086a2c4 100644
--- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
@@ -1,8 +1,9 @@
title: Oracle WebLogic Exploit
id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
-description: Detects access to a webshell droped into a keytore folder on the WebLogic server
+description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
author: Florian Roth
date: 2018/07/22
+modified: 2020/03/14
status: experimental
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
@@ -12,7 +13,7 @@ logsource:
category: webserver
detection:
selection:
- c-uri-path:
+ c-uri:
- '*/config/keystore/*.js*'
condition: selection
fields:
@@ -27,5 +28,6 @@ tags:
- attack.persistence
- attack.privilege_escalation
- cve.2018-2894
+ - attack.t1505
level: critical
diff --git a/rules/web/web_cve_2019_3398_confluence.yml b/rules/web/web_cve_2019_3398_confluence.yml
new file mode 100644
index 00000000..35252909
--- /dev/null
+++ b/rules/web/web_cve_2019_3398_confluence.yml
@@ -0,0 +1,27 @@
+title: Confluence Exploitation CVE-2019-3398
+id: e9bc39ae-978a-4e49-91ab-5bd481fc668b
+status: experimental
+description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
+references:
+ - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
+author: Florian Roth
+date: 2020/05/26
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - '/upload.action'
+ - 'filename=../../../../'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - Unknown
+level: critical
+
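Review bot: `c-uri|contains|all` looks for `filename=../../../../` in the request URI, but if, as the referenced write-up appears to describe, the traversal for CVE-2019-3398 travels in the filename of the multipart upload body, ordinary web-server access logs never contain it and this rule would not fire; confirm against the PoC and, if the parameter is body-only, say which log source is required in a `definition:` line under `logsource`. The fixed depth of four `../` also misses shallower payloads; `'filename=../'` anchored by `/upload.action` is still specific. `falsepositives: Unknown` at `level: critical` should at least mention legitimate attachment uploads.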
diff --git a/rules/web/web_cve_2020_0688_msexchange.yml b/rules/web/web_cve_2020_0688_msexchange.yml
new file mode 100644
index 00000000..6f934302
--- /dev/null
+++ b/rules/web/web_cve_2020_0688_msexchange.yml
@@ -0,0 +1,29 @@
+title: CVE-2020-0688 Exchange Exploitation via Web Log
+id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5
+status: experimental
+description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
+references:
+ - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
+author: Florian Roth
+date: 2020/02/29
+logsource:
+ category: webserver
+detection:
+ selection1:
+ cs-method: 'GET'
+ c-uri|contains:
+ - '/ecp/'
+ - '/owa/'
+ selection2:
+ c-uri|contains: '__VIEWSTATE='
+ condition: selection1 and selection2
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
+
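Review bot: This is one of two rules for CVE-2020-0688 added in the same commit; `web_exchange_cve_2020_0688_exploit.yml` matches `/ecp/default.aspx` plus `__VIEWSTATEGENERATOR=` and `__VIEWSTATE=`, so both fire on the same requests with different levels (`critical` here, `high` there). Either merge them or document the relationship in `description` and settle on one level. The `/owa/` branch in `selection1` also widens the match beyond the ECP page the reference describes; a GET carrying `__VIEWSTATE=` to OWA is still unusual, but if it is kept, note it under `falsepositives` instead of `Unknown`.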
diff --git a/rules/web/web_cve_2020_5902_f5_bigip.yml b/rules/web/web_cve_2020_5902_f5_bigip.yml
new file mode 100644
index 00000000..c8ab6a36
--- /dev/null
+++ b/rules/web/web_cve_2020_5902_f5_bigip.yml
@@ -0,0 +1,34 @@
+title: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
+id: 44b53b1c-e60f-4a7b-948e-3435a7918478
+status: experimental
+description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
+references:
+ - https://support.f5.com/csp/article/K52145254
+ - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
+ - https://twitter.com/yorickkoster/status/1279709009151434754
+ - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
+author: Florian Roth
+date: 2020/07/05
+modified: 2020/07/07
+logsource:
+ category: webserver
+detection:
+ selection_base:
+ c-uri|contains:
+ - '/tmui/'
+ - '/hsqldb'
+ selection_traversal:
+ c-uri|contains:
+ - '..;/'
+ - '.jsp/..'
+ condition: selection_base and selection_traversal
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1190
+level: critical
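Review bot: `selection_traversal` matches only the literal `..;/` and `.jsp/..` forms; URL-encoded variants such as `%2e%2e;/` or `..%3b/` reach the same server-side normalisation and, when the access log stores the request as sent, pass this rule unseen. Adding `- '%2e%2e;/'` and `- '..%3b/'` to `selection_traversal` closes that gap cheaply. If the log source normalises the path before writing it, say so in a `definition:` line under `logsource` so the omission is deliberate rather than accidental.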
+
diff --git a/rules/web/web_exchange_cve_2020_0688_exploit.yml b/rules/web/web_exchange_cve_2020_0688_exploit.yml
new file mode 100644
index 00000000..2f0cc29c
--- /dev/null
+++ b/rules/web/web_exchange_cve_2020_0688_exploit.yml
@@ -0,0 +1,22 @@
+title: CVE-2020-0688 Exploitation Attempt
+id: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a
+status: experimental
+description: Detects CVE-2020-0688 Exploitation attempts
+references:
+ - https://github.com/Ridter/cve-2020-0688
+author: NVISO
+date: 2020/02/27
+tags:
+ - attack.t1210
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains|all:
+ - "/ecp/default.aspx"
+ - "__VIEWSTATEGENERATOR="
+ - "__VIEWSTATE="
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
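Review bot: The only tag is `attack.t1210` (Exploitation of Remote Services, a lateral-movement technique), while the parallel rule `web_cve_2020_0688_msexchange.yml` added in this commit tags the same CVE with `attack.initial_access` / `attack.t1190`; an internet-facing ECP exploit is the latter, so align the tags by adding `- attack.initial_access` and `- attack.t1190`. The two rules overlap almost completely in logic but differ in level (`high` vs `critical`); pick one or state in `description` that this is the stricter variant. A `fields` list (`c-ip`, `c-dns` as in the sibling) would also help triage.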
diff --git a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
index ea48353b..e6c7a474 100644
--- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
+++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
@@ -3,11 +3,12 @@ id: 6fdfc796-06b3-46e8-af08-58f3505318af
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
date: 2017/02/19
+modified: 2020/03/14
logsource:
category: webserver
detection:
selection:
- response:
+ sc-status:
- 400
- 401
- 403
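Review bot: The rename `response` → `sc-status` is applied only inside `selection`; if this rule's `fields:` list below the hunk (not visible here) still names `response`, it should be renamed in the same change, and the new `web_citrix_cve_2020_8193_8195_exploit.yml` in this commit still lists `response` in its `fields`. The status codes stay as unquoted integers, which is fine as long as the backend mapping stores `sc-status` numerically; if it is a string field, `'400'` and friends would be needed instead.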
diff --git a/rules/web/web_pulsesecure_cve-2019-11510.yml b/rules/web/web_pulsesecure_cve-2019-11510.yml
index b0124716..ac507361 100644
--- a/rules/web/web_pulsesecure_cve-2019-11510.yml
+++ b/rules/web/web_pulsesecure_cve-2019-11510.yml
@@ -5,11 +5,12 @@ references:
- https://www.exploit-db.com/exploits/47297
author: Florian Roth
date: 2019/11/18
+modified: 2020/03/14
logsource:
category: webserver
detection:
selection:
- c-uri-path: '*?/dana/html5acc/guacamole/*'
+ c-uri: '*?/dana/html5acc/guacamole/*'
condition: selection
fields:
- client_ip
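Review bot: The value `'*?/dana/html5acc/guacamole/*'` on the renamed line uses `?`, which Sigma treats as a single-character wildcard rather than the literal query-string separator of the exploit-db PoC; as written it matches any URI with at least one character before `/dana/html5acc/guacamole/`, including ordinary HTML5 access sessions on the appliance, and the rule is `critical`. Escape it: `c-uri: '*\?/dana/html5acc/guacamole/*'` (backslash escapes `?` in Sigma values). The `description` and `fields` sections are outside the hunk.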
diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml
new file mode 100644
index 00000000..11ce335e
--- /dev/null
+++ b/rules/web/win_webshell_regeorg.yml
@@ -0,0 +1,37 @@
+title: Webshell ReGeorg Detection Via Web Logs
+id: 2ea44a60-cfda-11ea-87d0-0242ac130003
+status: experimental
+description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
+author: Cian Heasley
+reference:
+ - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
+ - https://github.com/sensepost/reGeorg
+date: 2020/08/04
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1100
+ - attack.t1505.003
+logsource:
+ category: webserver
+detection:
+ selection:
+ uri_query|contains:
+ - '*cmd=read*'
+ - '*connect&target*'
+ - '*cmd=connect*'
+ - '*cmd=disconnect*'
+ - '*cmd=forward*'
+ filter:
+ referer: null
+ useragent: null
+ method: POST
+ condition: selection and filter
+fields:
+ - uri_query
+ - referer
+ - method
+ - useragent
+falsepositives:
+ - web applications that use the same URL parameters as ReGeorg
+level: high
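Review bot: The key `reference:` on the sixth line is not the Sigma schema key; every other rule in this commit uses `references:`, and a schema-checked build will drop or reject the links, so rename it. The field names (`uri_query`, `referer`, `useragent`, `method`) also diverge from the `c-uri` / `cs-method` style used by the other `category: webserver` rules here, so backends with a webserver field mapping will not resolve them. Two smaller points: `filter` is a positive condition (`selection and filter`) while the convention is that `filter*` blocks are negated, so a name like `selection_nullrefs` reads better; and the `*cmd=read*` values already sit under `|contains`, so the surrounding `*` are redundant.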
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml
index c2b61966..ade52cde 100644
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
@@ -1,18 +1,20 @@
title: Persistence and Execution at Scale via GPO Scheduled Task
id: a8f29a7b-b137-4446-80a0-b804272f3da2
-description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
+description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
author: Samir Bousseaden
date: 2019/04/03
references:
- https://twitter.com/menasec1/status/1106899890377052160
+ - https://www.secureworks.com/blog/ransomware-as-a-distraction
tags:
- attack.persistence
- attack.lateral_movement
- attack.t1053
+ - attack.t1053.005
logsource:
product: windows
service: security
- description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+ definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml
index 5f732c52..b1e89e40 100644
--- a/rules/windows/builtin/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/win_ad_object_writedac_access.yml
@@ -16,7 +16,7 @@ detection:
selection:
EventID: 4662
ObjectServer: 'DS'
- AccessMask: 0x40000
+ AccessMask: '0x40000'
ObjectType:
- '19195a5b-6da0-11d0-afd3-00c04fd930c9'
- 'domainDNS'
diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
index 93580c59..60eab938 100644
--- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
@@ -3,7 +3,7 @@ id: 17d619c1-e020-4347-957e-1d1207455c93
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
status: experimental
date: 2019/07/26
-modified: 2019/11/10
+modified: 2020/03/02
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
@@ -22,7 +22,8 @@ detection:
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter:
- SubjectUserName|endswith: '$'
+ - SubjectUserName|endswith: '$'
+ - SubjectUserName|startswith: 'MSOL_' #https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not filter
fields:
- ComputerName
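Review bot: The new filter entry `SubjectUserName|startswith: 'MSOL_'` exempts any account whose name begins with that prefix, so an attacker who creates or renames an account `MSOL_anything` can request replication without tripping this rule; a name prefix is a weak allow-list for a credential-access detection. If the Azure AD Connect service account is what needs excluding, pin it to the exact account name(s) in use (`SubjectUserName: 'MSOL_<id>'`) or combine the prefix with the host the connector runs on, and record the exception under `falsepositives`. The same prefix filter is copied into the new `win_ad_user_enumeration.yml`, so it should be tightened in both places.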
diff --git a/rules/windows/builtin/win_ad_user_enumeration.yml b/rules/windows/builtin/win_ad_user_enumeration.yml
new file mode 100644
index 00000000..f8983d7a
--- /dev/null
+++ b/rules/windows/builtin/win_ad_user_enumeration.yml
@@ -0,0 +1,29 @@
+title: AD User Enumeration
+id: ab6bffca-beff-4baa-af11-6733f296d57a
+description: Detects access to a domain user from a non-machine account
+status: experimental
+date: 2020/03/30
+author: Maxime Thiebaut (@0xThiebaut)
+references:
+ - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
+ - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
+ - https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
+tags:
+ - attack.discovery
+ - attack.t1087
+logsource:
+ product: windows
+ service: security
+ definition: Requires the "Read all properties" permission on the user object to be audited for the "Everyone" principal
+detection:
+ selection:
+ EventID: 4662
+ ObjectType|contains: # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
+ - 'bf967aba-0de6-11d0-a285-00aa003049e2' # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user)
+ filter:
+ - SubjectUserName|endswith: '$' # Exclude machine accounts
+ - SubjectUserName|startswith: 'MSOL_' # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
+ condition: selection and not filter
+falsepositives:
+ - Administrators configuring new users.
+level: medium
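Review bot: `condition: selection and not filter` raises an alert for every single 4662 read of a user object by any non-machine account once the SACL the `definition` calls for (Read all properties audited for Everyone) is in place; that is a high-volume event on any domain and the rule has no threshold, so one medium alert per LDAP read will drown the queue. An aggregation in the style of the global-catalog rule added in this commit, e.g. `timeframe: 1h` and `condition: selection and not filter | count() by SubjectUserName > 1000`, turns it into the enumeration detector the title promises. The `MSOL_` prefix exemption is name-based and trivially satisfied by a rogue account; prefer the exact connector account name.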
diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml
index e489b78f..a922e0e0 100644
--- a/rules/windows/builtin/win_admin_share_access.yml
+++ b/rules/windows/builtin/win_admin_share_access.yml
@@ -4,6 +4,7 @@ description: Detects access to $ADMIN share
tags:
- attack.lateral_movement
- attack.t1077
+ - attack.t1021.002
status: experimental
author: Florian Roth
date: 2017/03/04
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 217b73a4..b1fc6652 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -14,15 +14,15 @@ tags:
logsource:
product: windows
service: security
- definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
- definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
+ definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management,
+ DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection1:
EventID: 4738
+ filter_null:
+ AllowedToDelegateTo: null
filter1:
- AllowedToDelegateTo:
- - null
- - '-'
+ AllowedToDelegateTo: '-'
selection2:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@@ -33,7 +33,7 @@ detection:
selection4:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
- condition: (selection1 and not 1 of filter*) or selection2 or selection3 or selection4
+ condition: (selection1 and not filter1 and not filter_null) or selection2 or selection3 or selection4
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index 906ac89b..5f77c777 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -9,6 +9,7 @@ date: 2017/07/30
tags:
- attack.defense_evasion
- attack.t1089
+ - attack.t1562.001
logsource:
product: windows
service: security
@@ -18,9 +19,9 @@ detection:
EventID: 4738
keywords:
Message:
- - '*DES*'
- - '*Preauth*'
- - '*Encrypted*'
+ - '*DES*'
+ - '*Preauth*'
+ - '*Encrypted*'
filters:
Message:
- '*Enabled*'
diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml
index bcd7eae7..3ffde491 100644
--- a/rules/windows/builtin/win_alert_lsass_access.yml
+++ b/rules/windows/builtin/win_alert_lsass_access.yml
@@ -10,6 +10,7 @@ tags:
- attack.credential_access
- attack.t1003
# Defender Attack Surface Reduction
+ - attack.t1003.001
logsource:
product: windows_defender
definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index f6ad95c8..5a0783fd 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -1,7 +1,6 @@
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
-description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different
- threat groups)
+description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
author: Florian Roth
date: 2017/01/10
modified: 2019/10/11
@@ -12,21 +11,25 @@ tags:
- attack.credential_access
- car.2013-07-001
- car.2019-04-004
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.001
+ - attack.t1003.006
logsource:
product: windows
detection:
keywords:
Message:
- - "* mimikatz *"
- - "* mimilib *"
- - "* <3 eo.oe *"
- - "* eo.oe.kiwi *"
- - "* privilege::debug *"
- - "* sekurlsa::logonpasswords *"
- - "* lsadump::sam *"
- - "* mimidrv.sys *"
- - "* p::d *"
- - "* s::l *"
+ - "* mimikatz *"
+ - "* mimilib *"
+ - "* <3 eo.oe *"
+ - "* eo.oe.kiwi *"
+ - "* privilege::debug *"
+ - "* sekurlsa::logonpasswords *"
+ - "* lsadump::sam *"
+ - "* mimidrv.sys *"
+ - "* p::d *"
+ - "* s::l *"
condition: keywords
falsepositives:
- Naughty administrators
diff --git a/rules/windows/builtin/win_alert_ruler.yml b/rules/windows/builtin/win_alert_ruler.yml
index 21a85472..603904ca 100644
--- a/rules/windows/builtin/win_alert_ruler.yml
+++ b/rules/windows/builtin/win_alert_ruler.yml
@@ -17,18 +17,19 @@ tags:
- attack.t1075
- attack.t1114
- attack.t1059
+ - attack.t1550.002
logsource:
product: windows
service: security
detection:
selection1:
- EventID:
- - 4776
+ EventID:
+ - 4776
Workstation: 'RULER'
selection2:
EventID:
- - 4624
- - 4625
+ - 4624
+ - 4625
WorkstationName: 'RULER'
condition: (1 of selection*)
falsepositives:
diff --git a/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml
new file mode 100644
index 00000000..561bf7ae
--- /dev/null
+++ b/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml
@@ -0,0 +1,37 @@
+title: File Was Not Allowed To Run
+id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
+description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
+status: experimental
+tags:
+ - attack.execution
+ - attack.t1204
+ - attack.t1086
+ - attack.t1064
+ - attack.t1035
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
+ - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
+author: Pushkarev Dmitry
+date: 2020/06/28
+logsource:
+ product: windows
+ service: applocker
+detection:
+ selection:
+ EventID:
+ - 8004
+ - 8007
+ condition: selection
+fields:
+ - PolicyName
+ - RuleId
+ - RuleName
+ - TargetUser
+ - TargetProcessId
+ - FilePath
+ - FileHash
+ - Fqbn
+falsepositives:
+ - need tuning applocker or add exceptions in SIEM
+level: medium
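Review bot: The description (`Detect run not allowed files. ...`) and the falsepositives entry (`need tuning applocker or add exceptions in SIEM`) read as notes rather than documentation; something like `Detects executables, DLLs (8004) and scripts or MSI packages (8007) that AppLocker blocked from running. Requires AppLocker enforcement and collection of the AppLocker event logs.` and `- Legitimate software blocked by an incomplete AppLocker policy` would serve an analyst better. If packaged-app rules are enforced, the packaged-app counterparts (to my knowledge 8022 and 8025) should join the `EventID` list so store-app blocks are not missed. The tag set mixes `attack.t1204` with three retired IDs (`t1086`, `t1064`, `t1035`); other rules in this commit add the current equivalents next to the old ones (`t1569.002` for `t1035`, for instance), and `t1059.001` / `t1059` would do the same here.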
diff --git a/rules/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/win_apt_carbonpaper_turla.yml
index b16c0733..b819affb 100755
--- a/rules/windows/builtin/win_apt_carbonpaper_turla.yml
+++ b/rules/windows/builtin/win_apt_carbonpaper_turla.yml
@@ -7,6 +7,7 @@ tags:
- attack.persistence
- attack.g0010
- attack.t1050
+ - attack.t1543.003
date: 2017/03/31
author: Florian Roth
logsource:
diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml
index 3db1bfe6..5ffa7528 100755
--- a/rules/windows/builtin/win_apt_stonedrill.yml
+++ b/rules/windows/builtin/win_apt_stonedrill.yml
@@ -9,6 +9,7 @@ tags:
- attack.persistence
- attack.g0064
- attack.t1050
+ - attack.t1543.003
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/win_apt_turla_service_png.yml b/rules/windows/builtin/win_apt_turla_service_png.yml
index 642809a5..467abba2 100644
--- a/rules/windows/builtin/win_apt_turla_service_png.yml
+++ b/rules/windows/builtin/win_apt_turla_service_png.yml
@@ -9,6 +9,7 @@ tags:
- attack.persistence
- attack.g0010
- attack.t1050
+ - attack.t1543.003
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index e896b3bc..b7ad1afd 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -11,10 +11,11 @@ tags:
- attack.t1053
- car.2013-05-004
- car.2015-04-001
+ - attack.t1053.002
logsource:
product: windows
service: security
- description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+ definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml
index f29e9a5f..1181f0e1 100644
--- a/rules/windows/builtin/win_dcsync.yml
+++ b/rules/windows/builtin/win_dcsync.yml
@@ -12,18 +12,19 @@ tags:
- attack.credential_access
- attack.s0002
- attack.t1003
+ - attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
- Properties:
+ Properties:
- '*Replicating Directory Changes All*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
filter1:
SubjectDomainName: 'Window Manager'
- filter2:
+ filter2:
SubjectUserName:
- 'NT AUTHORITY*'
- '*$'
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index 20463e6a..788ac854 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -1,15 +1,12 @@
title: Disabling Windows Event Auditing
id: 69aeb277-f15f-4d2d-b32a-55e883609563
-description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass
- local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing"
- via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note,
- that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform
- these modifications in Active Directory anyways.'
+description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
references:
- https://bit.ly/WinLogsZero2Hero
tags:
- attack.defense_evasion
- attack.t1054
+ - attack.t1562.006
author: '@neu5ron'
date: 2017/11/19
logsource:
diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
index 3093a086..fc70f3b1 100644
--- a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
@@ -9,11 +9,12 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.004
logsource:
product: windows
service: security
detection:
- selection:
+ selection:
EventID: 4662
ObjectType: 'SecretObject'
AccessMask: '0x2'
@@ -21,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
index f488f98a..47ec4686 100644
--- a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -9,11 +9,12 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.004
logsource:
product: windows
service: security
detection:
- selection:
+ selection:
EventID: 4692
condition: selection
fields:
diff --git a/rules/windows/builtin/win_etw_modification.yml b/rules/windows/builtin/win_etw_modification.yml
new file mode 100644
index 00000000..489bcd8d
--- /dev/null
+++ b/rules/windows/builtin/win_etw_modification.yml
@@ -0,0 +1,32 @@
+title: COMPlus_ETWEnabled Registry Modification
+id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
+status: experimental
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+references:
+ - https://twitter.com/_xpn_/status/1268712093928378368
+ - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+ - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+ - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+ - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+ - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+ - https://bunnyinside.com/?term=f71e8cb9c76a
+ - http://managed670.rssing.com/chan-5590147/all_p1.html
+ - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/05
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4657
+ ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
+ ObjectValueName: 'ETWEnabled'
+ NewValue: '0'
+ condition: selection
+falsepositives:
+ - unknown
+level: critical
\ No newline at end of file
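Review bot: Event 4657 is only written when `Audit Registry` is enabled and the key carries a SACL for Set Value, which is not the default for `HKLM\SOFTWARE\Microsoft\.NETFramework`; the rule should state that in a `definition:` line under `logsource`, otherwise it silently never fires. `NewValue: '0'` assumes the value is logged as the bare digit; collectors render REG_DWORD values in 4657 differently, and `COMPlus_*` settings can also be supplied as a per-process environment variable that never touches the registry, which is worth a sentence in `description`. The file also lacks a trailing newline, something this commit fixes in other rules.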
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml
new file mode 100644
index 00000000..d364688a
--- /dev/null
+++ b/rules/windows/builtin/win_global_catalog_enumeration.yml
@@ -0,0 +1,23 @@
+title: Enumeration via the Global Catalog
+description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+id: 619b020f-0fd7-4f23-87db-3f51ef837a34
+date: 2020/05/11
+tags:
+ - attack.discovery
+ - attack.t1087
+logsource:
+ product: windows
+ service: system
+ definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
+detection:
+ selection:
+ EventID: 5156
+ DestinationPort:
+ - 3268
+ - 3269
+ timeframe: 1h
+ condition: selection | count() by SourceAddress > 2000
+falsepositives:
+ - Exclude known DCs.
+level: medium
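Review bot: Event 5156 (`Filtering Platform Connection`) is written to the Security log by Microsoft-Windows-Security-Auditing, so `logsource` should be `service: security`, not `service: system`; as written the field mapping points at the wrong channel and the rule will not match. The connection is logged by the host that receives it, so the `definition` should also say the rule expects Security logs from the domain controllers / global catalog servers where the inbound 3268/3269 connections land. Minor: `Treshhold` → `threshold` in the description, and a `status:` line is missing while every other new rule in this commit has one.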
diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml
index bf335fbe..270419c1 100644
--- a/rules/windows/builtin/win_hack_smbexec.yml
+++ b/rules/windows/builtin/win_hack_smbexec.yml
@@ -10,6 +10,8 @@ tags:
- attack.execution
- attack.t1077
- attack.t1035
+ - attack.t1021
+ - attack.t1569.002
logsource:
product: windows
service: system
@@ -25,4 +27,4 @@ fields:
falsepositives:
- Penetration Test
- Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml
index 14d5060e..4b6f4dc2 100644
--- a/rules/windows/builtin/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/win_impacket_secretdump.yml
@@ -8,10 +8,13 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.003
logsource:
product: windows
service: security
- description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+ definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
index 6874d23e..e02bb5d0 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
@@ -12,7 +12,7 @@ falsepositives:
- Unknown
level: high
detection:
- selection:
+ selection_1:
- ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
@@ -20,7 +20,7 @@ detection:
- ImagePath|re: '\*mdr\*\W\s*\)\.Name'
- ImagePath|re: '\$VerbosePreference\.ToString\('
- ImagePath|re: '\String\]\s*\$VerbosePreference'
- condition: selection
+ condition: selection and selection_1
---
logsource:
product: windows
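Review bot: The regex `'\String\]\s*\$VerbosePreference'` on the context line above the condition starts with `\S`, the non-whitespace class, so it matches any non-space character followed by `tring]`; it still hits the `[String]` cast it presumably targets only because `[` is non-whitespace, and it also matches e.g. `xString]`. Write `'\[String\]\s*\$VerbosePreference'`. The new `condition: selection and selection_1` references `selection`, which is not defined in this document; I take it to be the shared selection in the preceding global document (outside the hunk), so it is worth confirming the name matches there.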
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index 90dca9c1..33612fe9 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -1,7 +1,6 @@
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
-description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec
- using named pipes
+description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
author: Samir Bousseaden
date: 2019/04/03
references:
@@ -9,10 +8,11 @@ references:
tags:
- attack.lateral_movement
- attack.t1077
+ - attack.t1021.002
logsource:
product: windows
service: security
- description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+ definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
@@ -21,23 +21,23 @@ detection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- - 'atsvc'
- - 'samr'
- - 'lsarpc'
- - 'winreg'
- - 'netlogon'
- - 'srvsvc'
- - 'protected_storage'
- - 'wkssvc'
- - 'browser'
- - 'netdfs'
- - 'svcctl'
- - 'spoolss'
- - 'ntsvcs'
- - 'LSM_API_service'
- - 'HydraLsPipe'
- - 'TermSrv_API_service'
- - 'MsFteWds'
+ - 'atsvc'
+ - 'samr'
+ - 'lsarpc'
+ - 'winreg'
+ - 'netlogon'
+ - 'srvsvc'
+ - 'protected_storage'
+ - 'wkssvc'
+ - 'browser'
+ - 'netdfs'
+ - 'svcctl'
+ - 'spoolss'
+ - 'ntsvcs'
+ - 'LSM_API_service'
+ - 'HydraLsPipe'
+ - 'TermSrv_API_service'
+ - 'MsFteWds'
condition: selection1 and not selection2
falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe
diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml
index adb3f7a6..9f0bd07f 100644
--- a/rules/windows/builtin/win_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml
@@ -10,11 +10,12 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.001
logsource:
product: windows
service: security
detection:
- selection:
+ selection:
EventID:
- 4663
- 4656
diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml
index d2bb06fe..8fe19151 100644
--- a/rules/windows/builtin/win_mal_service_installs.yml
+++ b/rules/windows/builtin/win_mal_service_installs.yml
@@ -11,6 +11,8 @@ tags:
- attack.t1035
- attack.t1050
- car.2013-09-005
+ - attack.t1543.003
+ - attack.t1569.002
logsource:
product: windows
service: system
@@ -24,6 +26,6 @@ detection:
malsvc_persistence:
ServiceFileName|contains: 'net user'
condition: selection and 1 of malsvc_*
-falsepositives:
+falsepositives:
- Penetration testing
level: critical
diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml
new file mode 100644
index 00000000..35561e55
--- /dev/null
+++ b/rules/windows/builtin/win_metasploit_authentication.yml
@@ -0,0 +1,29 @@
+title: Metasploit SMB Authentication
+description: Alerts on Metasploit host's authentications on the domain.
+id: 72124974-a68b-4366-b990-d30e0b2a190d
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/06
+references:
+ - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
+tags:
+ - attack.credential_access
+ - attack.t1110
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID:
+ - 4625
+ - 4624
+ LogonType: 3
+ AuthenticationPackage: 'NTLM'
+ WorkstationName|re: '^[A-Za-z0-9]{16}$'
+ selection2:
+ ProcessName:
+ EventID: 4776
+ SourceWorkstation|re: '^[A-Za-z0-9]{16}$'
+ condition: selection1 OR selection2
+falsepositives:
+ - Linux hostnames composed of 16 characters.
+level: high
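Review bot: `selection2` carries a bare `ProcessName:` with no value (L4956), which Sigma treats as a null match — the 4776 branch will only fire when the event has no ProcessName field, or will fail to convert on backends without null support; it looks like a leftover and should be removed so `selection2` is just `EventID: 4776` plus the `SourceWorkstation|re` test. The 4624/4625 field is `AuthenticationPackageName` and the 4776 field is `Workstation` in the raw event — if `AuthenticationPackage` and `SourceWorkstation` are not deliberate backend-mapped names, rename them to match the other `service: security` rules. The `falsepositives` entry understates the noise: any host whose name is exactly 16 alphanumeric characters (Windows included) matches `^[A-Za-z0-9]{16}$`, so I would state that plainly, e.g. `- Any host with a 16-character alphanumeric hostname`. Sigma conditions are conventionally lowercase (`selection1 or selection2`); I believe sigmac tokenises case-insensitively, but other consumers may not.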
diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index f37f4640..b230163f 100644
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -2,9 +2,9 @@ action: global
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
-author: Teymur Kheirkhabarov
+author: Teymur Kheirkhabarov, Ecco
date: 2019/10/26
-modified: 2019/11/11
+modified: 2020/05/15
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@@ -12,10 +12,7 @@ tags:
- attack.privilege_escalation
- attack.t1134
detection:
- selection:
- - ServiceFileName|contains:
- - 'cmd'
- - 'comspec'
+ selection_1:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd'
@@ -33,7 +30,7 @@ detection:
- 'rundll32'
- '.dll,a'
- '/p:'
- condition: selection
+ condition: selection and selection_1
fields:
- ComputerName
- SubjectDomainName
diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml
new file mode 100644
index 00000000..b6ee82fb
--- /dev/null
+++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml
@@ -0,0 +1,25 @@
+title: MMC20 Lateral Movement
+id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
+description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
+author: '@2xxeformyshirt (Security Risk Advisors)'
+date: 2020/03/04
+references:
+ - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
+tags:
+ - attack.execution
+ - attack.t1175
+ - attack.t1021.003
+ - attack.t1559.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\svchost.exe'
+ Image: '*\mmc.exe'
+ CommandLine: '*-Embedding*'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
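Review bot: The selection (svchost.exe parent, mmc.exe child, `-Embedding` on the command line) is, as far as I can tell, exactly what a local COM activation of MMC20.Application also produces via the DcomLaunch service host, so the rule cannot by itself tell remote DCOM lateral movement from local use and `falsepositives: - Unlikely` oversells it; I would add `- Local COM activation of MMC20.Application (correlate with a network logon on the target)` and drop to `medium`, or document the correlation the reference describes. The description also reads "spawning of the parent MMC.exe", but mmc.exe is the child here; suggest `Detects MMC20.Application lateral movement: mmc.exe spawned by svchost.exe with the "-Embedding" command line`. The tags list `attack.execution` only, while `attack.t1021.003` is a Lateral Movement sub-technique — add `- attack.lateral_movement` for consistency with the other T1021 rules in this commit.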
diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml
index 8418f4ec..90d2c333 100644
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@@ -23,8 +23,8 @@ detection:
EventID: 13
TargetObject:
- '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
- - '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec'
- - '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
+ - '*SYSTEM\\*ControlSet*\Control\Lsa*\NtlmMinClientSec'
+ - '*SYSTEM\\*ControlSet*\Control\Lsa*\RestrictSendingNTLMTraffic'
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
@@ -34,7 +34,7 @@ logsource:
detection:
selection2:
EventID: 4657
- ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
+ ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
diff --git a/rules/windows/builtin/win_not_allowed_rdp_access.yml b/rules/windows/builtin/win_not_allowed_rdp_access.yml
new file mode 100644
index 00000000..99a0c991
--- /dev/null
+++ b/rules/windows/builtin/win_not_allowed_rdp_access.yml
@@ -0,0 +1,27 @@
+title: Denied Access To Remote Desktop
+id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
+description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
+ Often, this event can be generated by attackers when searching for available windows servers in the network.
+status: experimental
+tags:
+ - attack.lateral_movement
+ - attack.t1076
+ - attack.t1021.001
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
+author: Pushkarev Dmitry
+date: 2020/06/27
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4825
+ condition: selection
+fields:
+ - EventCode
+ - AccountName
+ - ClientAddress
+falsepositives:
+ - Valid user was not added to RDP group
+level: medium
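Review bot: `fields` lists `EventCode`, which is the Splunk-specific name for the event ID, not a Windows event field, and is inconsistent with the rule's own `EventID: 4825` selection — either drop it or use `EventID`. Like the 5145-based rules in this commit that document their audit subcategory, this rule should state in `logsource.definition` which audit subcategory must be enabled for 4825 to appear at all; I believe it is under Logon/Logoff but have not verified the exact subcategory, so confirm before writing it. The description could also say where the event is produced (the RDP target), since that is what decides which hosts need the audit setting.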
diff --git a/rules/windows/builtin/win_overpass_the_hash.yml b/rules/windows/builtin/win_overpass_the_hash.yml
index f909666e..11f2afb8 100644
--- a/rules/windows/builtin/win_overpass_the_hash.yml
+++ b/rules/windows/builtin/win_overpass_the_hash.yml
@@ -10,6 +10,7 @@ tags:
- attack.lateral_movement
- attack.t1075
- attack.s0002
+ - attack.t1550.002
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index 582a77b9..c6aaae74 100644
--- a/rules/windows/builtin/win_pass_the_hash.yml
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -10,6 +10,7 @@ tags:
- attack.lateral_movement
- attack.t1075
- car.2016-04-004
+ - attack.t1550.002
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_pass_the_hash_2.yml b/rules/windows/builtin/win_pass_the_hash_2.yml
index 6930ee9c..d003fd71 100644
--- a/rules/windows/builtin/win_pass_the_hash_2.yml
+++ b/rules/windows/builtin/win_pass_the_hash_2.yml
@@ -1,6 +1,6 @@
title: Pass the Hash Activity 2
id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
-status: production
+status: stable
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
@@ -11,6 +11,7 @@ date: 2019/06/14
tags:
- attack.lateral_movement
- attack.t1075
+ - attack.t1550.002
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_shadow.yml
similarity index 61%
rename from rules/windows/builtin/win_possible_dc_sync.yml
rename to rules/windows/builtin/win_possible_dc_shadow.yml
index e736e09d..f1d63af7 100644
--- a/rules/windows/builtin/win_possible_dc_sync.yml
+++ b/rules/windows/builtin/win_possible_dc_shadow.yml
@@ -1,25 +1,29 @@
-title: Possible DC Sync
+title: Possible DC Shadow
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
description: Detects DC sync via create new SPN
status: experimental
-author: Ilyas Ochkov, oscd.community
+author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019/10/25
references:
- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- - https://jsecurity101.com/2019/Syncing-into-the-Shadows/
+ - https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
tags:
- attack.credential_access
- - attack.t1003
+ - attack.t1207
logsource:
product: windows
service: security
detection:
- selection:
+ selection1:
EventID: 4742
ServicePrincipalNames: '*GC/*'
- condition: selection
+ selection2:
+ EventID: 5136
+ LDAPDisplayName: servicePrincipalName
+ Value: 'GC/*'
+ condition: selection1 OR selection2
falsepositives:
- - Unkown
+ - Exclude known DCs
level: high
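Review bot: `selection2` uses `LDAPDisplayName` and `Value` for event 5136 (L5169-L5170), while the new `win_susp_ldap_dataexchange.yml` in this same commit uses `AttributeLDAPDisplayName` and `AttributeValue` for the same event (L5493-L5494); these should agree or one of them will not map on the backend, and the raw 5136 event uses the `Attribute*` names, so I would change them to `AttributeLDAPDisplayName: servicePrincipalName` and `AttributeValue: 'GC/*'`. The description still reads "Detects DC sync via create new SPN" after the rename to DC Shadow — suggest `Detects DCShadow via the creation of a new GC/ service principal name`. `attack.t1207` is a Defense Evasion technique, so the tactic tag should be `attack.defense_evasion` rather than the retained `attack.credential_access`. Finally, `falsepositives: - Exclude known DCs` is an instruction rather than a false positive; something like `- Legitimate promotion of a new domain controller` describes what actually matches.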
diff --git a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml
index 8484a1f3..b20672ad 100644
--- a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml
+++ b/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml
@@ -8,6 +8,7 @@ modified: 2019/11/13
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
level: critical
logsource:
product: windows
diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml
index 669c5373..de8a93f8 100644
--- a/rules/windows/builtin/win_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/win_rare_schtasks_creations.yml
@@ -1,7 +1,6 @@
title: Rare Schtasks Creations
id: b0d77106-7bb0-41fe-bd94-d1752164d066
-description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types
- of malicious code
+description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
status: experimental
author: Florian Roth
date: 2017/03/23
@@ -11,6 +10,7 @@ tags:
- attack.persistence
- attack.t1053
- car.2013-08-001
+ - attack.t1053.005
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml
index c6469c4a..14b4ecf8 100644
--- a/rules/windows/builtin/win_rare_service_installs.yml
+++ b/rules/windows/builtin/win_rare_service_installs.yml
@@ -1,7 +1,6 @@
title: Rare Service Installs
id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
-description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious
- services
+description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
status: experimental
author: Florian Roth
date: 2017/03/08
@@ -10,6 +9,7 @@ tags:
- attack.privilege_escalation
- attack.t1050
- car.2013-09-005
+ - attack.t1543.003
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml
index 3f269fe7..a2b4842d 100644
--- a/rules/windows/builtin/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/win_rdp_localhost_login.yml
@@ -9,6 +9,7 @@ tags:
- attack.lateral_movement
- attack.t1076
- car.2013-07-002
+ - attack.t1021.001
status: experimental
author: Thomas Patzke
logsource:
diff --git a/rules/windows/builtin/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/win_rdp_reverse_tunnel.yml
index d18e5200..a68d5745 100644
--- a/rules/windows/builtin/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/win_rdp_reverse_tunnel.yml
@@ -14,6 +14,7 @@ tags:
- attack.t1076
- attack.t1090
- car.2013-07-002
+ - attack.t1021
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
index 9fb4e644..25e6180c 100644
--- a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
@@ -8,6 +8,7 @@ tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
+ - attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:
diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml
index d0e395e4..1167c97f 100644
--- a/rules/windows/builtin/win_remote_powershell_session.yml
+++ b/rules/windows/builtin/win_remote_powershell_session.yml
@@ -9,11 +9,12 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: security
detection:
- selection:
+ selection:
EventID: 5156
DestPort:
- 5985
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 21ac8c61..1eb679dc 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -10,6 +10,7 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1178
+ - attack.t1134.005
logsource:
product: windows
service: security
@@ -24,7 +25,9 @@ detection:
SidHistory:
- '-'
- '%%1793'
- condition: selection1 or (selection2 and not selection3)
+ filter_null:
+ SidHistory:
+ condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
- Migration of an account into a new domain
level: medium
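Review bot: `filter_null` relies on a bare `SidHistory:` key to express a null match, which reads as an accidentally empty value; writing it explicitly as `SidHistory: null` makes the intent (exclude events where the field is absent or null) visible to the next reader and avoids the YAML ambiguity between "no value" and "empty list". Note that null matching is backend-dependent, so it may be worth a short comment above the filter saying that the backend must support it. The surrounding `selection2`/`selection3` definitions start above this hunk.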
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index 7741c3eb..d58d1d60 100644
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -10,13 +10,14 @@ date: 2017/05/12
tags:
- attack.defense_evasion
- attack.t1107
+ - attack.t1070.004
logsource:
product: windows
service: application
detection:
selection:
EventID: 524
- Source: Backup
+ Source: Microsoft-Windows-Backup
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
index 34331edc..e5afc8f7 100644
--- a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
@@ -7,6 +7,7 @@ date: 2019/12/03
tags:
- attack.defense_evasion
- attack.t1009
+ - attack.t1027
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/win_susp_dhcp_config.yml
index 564801d1..0c357fc9 100644
--- a/rules/windows/builtin/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config.yml
@@ -11,13 +11,15 @@ author: Dimitrios Slamaris
tags:
- attack.defense_evasion
- attack.t1073
+ - attack.t1574.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 1033
+ Source: Microsoft-Windows-DHCP-Server
condition: selection
-falsepositives:
+falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
index f3c4f36e..8dc62e80 100644
--- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
@@ -11,18 +11,19 @@ modified: 2019/07/17
tags:
- attack.defense_evasion
- attack.t1073
+ - attack.t1574.002
author: "Dimitrios Slamaris, @atc_project (fix)"
logsource:
product: windows
service: system
detection:
selection:
- EventID:
+ EventID:
- 1031
- 1032
- 1034
- Source: Microsoft-Windows-DHCP-Server
+ Source: Microsoft-Windows-DHCP-Server
condition: selection
-falsepositives:
+falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml
index df7ffe3f..8ef63d9c 100644
--- a/rules/windows/builtin/win_susp_dns_config.yml
+++ b/rules/windows/builtin/win_susp_dns_config.yml
@@ -10,17 +10,18 @@ references:
tags:
- attack.defense_evasion
- attack.t1073
+ - attack.t1574.002
author: Florian Roth
logsource:
product: windows
service: dns-server
detection:
selection:
- EventID:
+ EventID:
- 150
- 770
condition: selection
-falsepositives:
+falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/builtin/win_susp_failed_logon_source.yml b/rules/windows/builtin/win_susp_failed_logon_source.yml
new file mode 100644
index 00000000..f522ea5e
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logon_source.yml
@@ -0,0 +1,51 @@
+title: Failed Logon From Public IP
+id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
+description: A login from a public IP can indicate a misconfigured firewall or network boundary.
+author: NVISO
+date: 2020/05/06
+tags:
+ - attack.initial_access
+ - attack.persistence
+ - attack.t1078
+ - attack.t1190
+ - attack.t1133
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4625
+ unknown:
+ IpAddress|contains: '-'
+ privatev4:
+ IpAddress|startswith:
+ - '10.' #10.0.0.0/8
+ - '192.168.' #192.168.0.0/16
+ - '172.16.' #172.16.0.0/12
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.' #127.0.0.0/8
+ - '169.254.' #169.254.0.0/16
+ privatev6:
+ - IpAddress: '::1' #loopback
+ - IpAddress|startswith:
+ - 'fe80::' #link-local
+ - 'fc00::' #unique local
+ condition: selection and not (unknown or privatev4 or privatev6)
+falsepositives:
+ - Legitimate logon attempts over the internet
+ - IPv4-to-IPv6 mapped IPs
+level: medium
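Review bot: The `privatev6` exclusion `IpAddress|startswith: 'fc00::'` misses almost all unique-local addresses: ULA is fc00::/7, and RFC 4193 addresses in practice start with `fd` (and anything in fc00::/8 other than the literal `fc00::` prefix), so failed logons from internal IPv6 hosts will be reported as public. Replace the entry with the two prefixes `- 'fc' #unique local fc00::/7` and `- 'fd'`, and loosen link-local to `- 'fe80:'` so a non-zero interface ID after the prefix still matches. On the v4 side consider adding `- '100.64.' #100.64.0.0/10 CGNAT` and `- '0.'`, and since the `falsepositives` already acknowledges IPv4-mapped IPv6, an exclusion for `::ffff:` followed by the private ranges would close that gap too. The description says "A login from a public IP" while the rule only matches 4625 failures — say "A failed logon" so readers do not assume successful logons are covered.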
diff --git a/rules/windows/builtin/win_susp_ldap_dataexchange.yml b/rules/windows/builtin/win_susp_ldap_dataexchange.yml
new file mode 100644
index 00000000..7d1dfca5
--- /dev/null
+++ b/rules/windows/builtin/win_susp_ldap_dataexchange.yml
@@ -0,0 +1,28 @@
+title: Suspicious LDAP-Attributes Used
+id: d00a9a72-2c09-4459-ad03-5e0a23351e36
+description: detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
+status: experimental
+date: 2019/03/24
+author: xknow @xknow_infosec
+references:
+ - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+ - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+ - https://github.com/fox-it/LDAPFragger
+tags:
+ - attack.t1041
+ - attack.persistence
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5136
+ AttributeValue: '*'
+ AttributeLDAPDisplayName:
+ - 'primaryInternationalISDNNumber'
+ - 'otherFacsimileTelephoneNumber'
+ - 'primaryTelexNumber'
+ condition: selection
+falsepositives:
+ - Companies, who may use these default LDAP-Attributes for personal information
+level: high
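Review bot: The tags are inconsistent with each other and with the referenced tool: `attack.t1041` is Exfiltration Over C2 Channel, yet the tactic tag is `attack.persistence`, and the references describe LDAPFragger as command-and-control over LDAP attributes — `attack.command_and_control` with the appropriate T1071 sub-technique would fit better, or at minimum the tactic tag should match the technique. `AttributeValue: '*'` adds nothing (it only asserts the field exists) and can be dropped. `date: 2019/03/24` predates both 2020 references, which suggests a typo; please confirm. As with the other directory-service rules, add a `logsource.definition` stating that 5136 requires "Audit Directory Service Changes" and a SACL on the objects, since the rule is silent otherwise.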
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml
index 52921441..b3b39f7b 100644
--- a/rules/windows/builtin/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.001
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
index 604c2f41..fa536e26 100644
--- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
@@ -12,6 +12,7 @@ tags:
- attack.credential_access
- attack.t1003
- car.2019-04-004
+ - attack.t1003.001
logsource:
product: windows
service: security
@@ -40,7 +41,7 @@ detection:
- '4484'
- '4416'
filter:
- ProcessName|endswith:
+ ProcessName|endswith:
- '\wmiprvse.exe'
- '\taskmgr.exe'
- '\procexp64.exe'
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml
index b1599fba..eeadccde 100644
--- a/rules/windows/builtin/win_susp_mshta_execution.yml
+++ b/rules/windows/builtin/win_susp_mshta_execution.yml
@@ -2,8 +2,8 @@ title: MSHTA Suspicious Execution 01
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: experimental
description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
-date: 22/02/2019
-modified: 22/02/2019
+date: 2019/02/22
+modified: 2019/02/22
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index 3e6f6fcb..4ce48ead 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -5,6 +5,7 @@ tags:
- attack.defense_evasion
- attack.t1089
- attack.t1211
+ - attack.t1562.001
status: experimental
date: 2017/05/09
references:
diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml
index f8ea778c..3e4a2fb9 100644
--- a/rules/windows/builtin/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/win_susp_ntlm_auth.yml
@@ -10,6 +10,7 @@ date: 2018/06/08
tags:
- attack.lateral_movement
- attack.t1075
+ - attack.t1550.002
logsource:
product: windows
service: ntlm
diff --git a/rules/windows/builtin/win_susp_ntlm_rdp.yml b/rules/windows/builtin/win_susp_ntlm_rdp.yml
new file mode 100644
index 00000000..bed9e568
--- /dev/null
+++ b/rules/windows/builtin/win_susp_ntlm_rdp.yml
@@ -0,0 +1,30 @@
+title: Potential Remote Desktop Connection to Non-Domain Host
+id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
+status: experimental
+description: Detects logons using NTLM to hosts that are potentially not part of the domain.
+references:
+ - n/a
+author: James Pemberton
+date: 2020/05/22
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ product: windows
+ service: ntlm
+ definition: Requires events from Microsoft-Windows-NTLM/Operational
+detection:
+ selection:
+ EventID: 8001
+ TargetName: TERMSRV*
+ condition: selection
+fields:
+ - Computer
+ - UserName
+ - DomainName
+ - TargetName
+falsepositives:
+ - Host connections to valid domains, exclude these.
+ - Host connections not using host FQDN.
+ - Host connections to external legitimate domains.
+level: medium
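Review bot: The detection does not implement the "non-domain host" part of the title and description — `selection` matches every outgoing NTLM authentication to `TERMSRV*`, and the domain exclusion is left to the `falsepositives` text, so as written the rule fires on all NTLM-authenticated RDP connections. Add a filter for the organisation's own name suffixes and exclude it, e.g. `filter: / TargetName|endswith: '.corp.example' # placeholder: your domain FQDN suffixes / condition: selection and not filter`, and say in the description that the filter must be populated per environment. `references: - n/a` is a placeholder; Sigma rules omit the key rather than fill it with a non-value. The tactic tag `attack.command_and_control`/`attack.t1219` describes remote-access software, whereas RDP to another host is `attack.lateral_movement`/`attack.t1021.001` as the other RDP rules in this commit are tagged. I also recall that 8001 is only written when "Restrict NTLM: Audit outgoing NTLM traffic to remote servers" is enabled — worth adding to `logsource.definition` if confirmed.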
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index f48f593b..6c8ff078 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -1,7 +1,6 @@
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
-description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker
- uses a different psexec client other than sysinternal one
+description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
author: Samir Bousseaden
date: 2019/04/03
references:
@@ -9,18 +8,19 @@ references:
tags:
- attack.lateral_movement
- attack.t1077
+ - attack.t1021.002
logsource:
product: windows
service: security
- description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+ definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- - '*-stdin'
- - '*-stdout'
- - '*-stderr'
+ - '*-stdin'
+ - '*-stdout'
+ - '*-stderr'
selection2:
EventID: 5145
ShareName: \\*\IPC$
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 534151c4..56bea540 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.credential_access
- attack.t1208
+ - attack.t1558.003
description: Detects service ticket requests using RC4 encryption type
author: Florian Roth
date: 2017/02/06
diff --git a/rules/windows/builtin/win_susp_rottenpotato.yml b/rules/windows/builtin/win_susp_rottenpotato.yml
index 1e7d58b2..c6df3410 100644
--- a/rules/windows/builtin/win_susp_rottenpotato.yml
+++ b/rules/windows/builtin/win_susp_rottenpotato.yml
@@ -10,6 +10,7 @@ tags:
- attack.privilege_escalation
- attack.credential_access
- attack.t1171
+ - attack.t1557.001
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index 930531db..117fa49b 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -5,6 +5,7 @@ description: Detects suspicious SAM dump activity as cause by QuarksPwDump and o
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
author: Florian Roth
date: 2018/01/27
logsource:
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 5f8df21e..540a0953 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -13,6 +13,8 @@ tags:
- attack.t1107
- attack.t1066
- attack.s0195
+ - attack.t1070.004
+ - attack.t1027
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml
index 628f4a7f..e015c025 100644
--- a/rules/windows/builtin/win_susp_time_modification.yml
+++ b/rules/windows/builtin/win_susp_time_modification.yml
@@ -11,6 +11,7 @@ midified: 2020/01/27
tags:
- attack.defense_evasion
- attack.t1099
+ - attack.t1070.006
logsource:
product: windows
service: security
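Review bot: The hunk header context shows the file carries a `midified: 2020/01/27` key, a typo for `modified`; Sigma's schema and the rule validators in this repository will either reject or silently ignore it, so the change date is effectively unrecorded. Change it to `modified: 2020/01/27` (and ideally bump it for this tag addition). The mis-spelled line itself is above this hunk, so it needs a separate edit.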
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
index 7eca151e..921c558e 100644
--- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -10,6 +10,7 @@ modified: 2019/11/13
tags:
- attack.lateral_movement
- attack.t1208
+ - attack.t1558.003
logsource:
product: windows
service: security
@@ -23,7 +24,7 @@ detection:
- '\opera.exe'
- '\chrome.exe'
- '\firefox.exe'
- condition: selection and not filter
+ condition: selection and not filter
falsepositives:
- Other browsers
level: high
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index eaffe17d..013f834e 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
@@ -11,7 +11,7 @@ tags:
logsource:
product: windows
service: security
- description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+ definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml
index d2fbb562..42d05509 100644
--- a/rules/windows/builtin/win_tap_driver_installation.yml
+++ b/rules/windows/builtin/win_tap_driver_installation.yml
@@ -12,9 +12,9 @@ falsepositives:
- Legitimate OpenVPN TAP insntallation
level: medium
detection:
- selection:
+ selection_1:
ImagePath|contains: 'tap0901'
- condition: selection
+ condition: selection and selection_1
---
logsource:
product: windows
diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
index 15a91884..9084a2cb 100644
--- a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
+++ b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
@@ -8,6 +8,9 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
+ - attack.t1003.001
+ - attack.t1003.003
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
index 319250a1..3bea7e2a 100644
--- a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
+++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
@@ -1,7 +1,6 @@
title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
-description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege
- privilege set. Possible Rubeus tries to get a handle to LSA.
+description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
status: experimental
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
@@ -9,6 +8,7 @@ tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
+ - attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:
@@ -18,7 +18,7 @@ detection:
selection:
- EventID: 4673
Service: 'LsaRegisterLogonProcess()'
- Keywords: '0x8010000000000000' #failure
+ Keywords: '0x8010000000000000' #failure
condition: selection
falsepositives:
- Unkown
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
new file mode 100644
index 00000000..ad7fcc27
--- /dev/null
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -0,0 +1,39 @@
+title: Suspicious Driver Loaded By User
+id: f63508a0-c809-4435-b3be-ed819394d612
+description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
+status: experimental
+references:
+ - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
+tags:
+ - attack.t1089
+ - attack.defense_evasion
+ - attack.t1562.001
+date: 2019/04/08
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_1:
+ EventID: 4673
+ PrivilegeList: 'SeLoadDriverPrivilege'
+ Service: '-'
+ selection_2:
+ ProcessName|contains:
+ - '*\Windows\System32\Dism.exe'
+ - '*\Windows\System32\rundll32.exe'
+ - '*\Windows\System32\fltMC.exe'
+ - '*\Windows\HelpPane.exe'
+ - '*\Windows\System32\mmc.exe'
+ - '*\Windows\System32\svchost.exe'
+ - '*\Windows\System32\wimserv.exe'
+ - '*\procexp64.exe'
+ - '*\procexp.exe'
+ - '*\procmon64.exe'
+ - '*\procmon.exe'
+ - '*\Google\Chrome\Application\chrome.exe'
+ condition: selection_1 and not selection_2
+falsepositives:
+ - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
+level: medium
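Review bot: `ProcessName|contains` at L5830 is combined with values that carry their own leading `*`, which is redundant — the `contains` modifier already wraps the value in wildcards on both sides — and the patterns read as if a suffix match were intended. Using `ProcessName|endswith:` and dropping the leading `*` from each of the twelve entries states that intent and avoids a double-wildcard pattern that some backends may translate awkwardly. The same `contains` plus `'*\...'` combination appears under `Image|contains` in sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml later in this diff. Note also that selection_2 silently allow-lists every SeLoadDriverPrivilege use by svchost.exe and rundll32.exe; the falsepositives entry hints at why, but a comment on those two lines would document the coverage that is given up.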
diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml
new file mode 100644
index 00000000..38b8e95e
--- /dev/null
+++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml
@@ -0,0 +1,25 @@
+title: CVE-2020-0688 Exploitation via Eventlog
+id: d6266bf5-935e-4661-b477-78772735a7cb
+status: experimental
+description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
+references:
+ - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
+author: Florian Roth
+date: 2020/02/29
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ product: windows
+ service: application
+detection:
+ selection1:
+ EventID: 4
+ Source: MSExchange Control Panel
+ Level: Error
+ selection2:
+ - '*&__VIEWSTATE=*'
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/deprecated/win_susp_esentutl_activity.yml b/rules/windows/deprecated/win_susp_esentutl_activity.yml
new file mode 100644
index 00000000..1e3e62db
--- /dev/null
+++ b/rules/windows/deprecated/win_susp_esentutl_activity.yml
@@ -0,0 +1,29 @@
+title: Suspicious Esentutl Use
+id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
+status: experimental
+description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
+author: Florian Roth
+date: 2020/05/23
+references:
+ - https://lolbas-project.github.io/
+ - https://twitter.com/chadtilbury/status/1264226341408452610
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.s0404
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - ' /vss '
+ - ' /y '
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Administrative activity
+level: high
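Review bot: The file is added under `rules/windows/deprecated/` yet carries `status: experimental` and `level: high`, so nothing in the rule itself records that it is deprecated or what supersedes it. If the project's status taxonomy has a deprecated value, set it here; otherwise add a comment above `title:`, `# Deprecated: <replacement rule or reason — TODO fill in>`, so a consumer that ignores directory layout does not deploy it as a live high-severity rule.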
diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/driver_load/sysmon_susp_driver_load.yml
old mode 100644
new mode 100755
similarity index 89%
rename from rules/windows/sysmon/sysmon_susp_driver_load.yml
rename to rules/windows/driver_load/sysmon_susp_driver_load.yml
index 1bfec5e1..56eb89c4
--- a/rules/windows/sysmon/sysmon_susp_driver_load.yml
+++ b/rules/windows/driver_load/sysmon_susp_driver_load.yml
@@ -7,11 +7,10 @@ tags:
- attack.persistence
- attack.t1050
logsource:
+ category: driver_load
product: windows
- service: sysmon
detection:
- selection:
- EventID: 6
+ selection:
ImageLoaded: '*\Temp\\*'
condition: selection
falsepositives:
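Review bot: The header records `old mode 100644` / `new mode 100755`, i.e. this YAML rule file becomes executable, which a data file has no reason to be and which tends to spread through checkouts as noise. The same mode flip appears on almost every renamed rule in this diff (sysmon_cred_dump_tools_dropped_files, sysmon_ghostpack_safetykatz, sysmon_hack_dumpert, sysmon_lsass_memory_dump_file_creation, sysmon_powershell_exploit_scripts, sysmon_quarkspw_filedump, sysmon_tsclient_filewrite_startup, sysmon_webshell_creation_detect, sysmon_wmi_persistence_script_event_consumer_write, sysmon_in_memory_powershell, sysmon_mimikatz_inmemory_detection, sysmon_powershell_execution_moduleload, sysmon_susp_image_load), and several new rules are created with `new file mode 100755`. Restoring 0644 across the set (e.g. `chmod -x` before committing) keeps the diff to the logsource migration. The migration itself — `category: driver_load` replacing `service: sysmon` with the `EventID: 6` line dropped — looks consistent.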
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
new file mode 100755
index 00000000..1bef84c6
--- /dev/null
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -0,0 +1,56 @@
+title: File Created with System Process Name
+id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
+status: experimental
+description: Detects the creation of a executable with a sytem process name in a suspicious folder
+references:
+ - https://attack.mitre.org/techniques/T1036/
+author: Sander Wiebing
+date: 2020/05/26
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename:
+ - '*\svchost.exe'
+ - '*\rundll32.exe'
+ - '*\services.exe'
+ - '*\powershell.exe'
+ - '*\regsvr32.exe'
+ - '*\spoolsv.exe'
+ - '*\lsass.exe'
+ - '*\smss.exe'
+ - '*\csrss.exe'
+ - '*\conhost.exe'
+ - '*\wininit.exe'
+ - '*\lsm.exe'
+ - '*\winlogon.exe'
+ - '*\explorer.exe'
+ - '*\taskhost.exe'
+ - '*\Taskmgr.exe'
+ - '*\taskmgr.exe'
+ - '*\sihost.exe'
+ - '*\RuntimeBroker.exe'
+ - '*\runtimebroker.exe'
+ - '*\smartscreen.exe'
+ - '*\dllhost.exe'
+ - '*\audiodg.exe'
+ - '*\wlanext.exe'
+ filter:
+ TargetFilename:
+ - 'C:\Windows\System32\\*'
+ - 'C:\Windows\system32\\*'
+ - 'C:\Windows\SysWow64\\*'
+ - 'C:\Windows\SysWOW64\\*'
+ - 'C:\Windows\winsxs\\*'
+ - 'C:\Windows\WinSxS\\*'
+ - '\SystemRoot\System32\\*'
+ condition: selection and not filter
+fields:
+ - Image
+falsepositives:
+ - System processes copied outside the default folder
+level: high
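Review bot: The `TargetFilename` list at L5959-L5982 contains case variants of the same name (`'*\Taskmgr.exe'` / `'*\taskmgr.exe'`, `'*\RuntimeBroker.exe'` / `'*\runtimebroker.exe'`), and the filter repeats `System32`/`system32`, `SysWow64`/`SysWOW64`, `winsxs`/`WinSxS`; Sigma string matching is case-insensitive, so one spelling of each suffices and the duplicates only suggest a dependence on case-sensitive backends. Separately, the filter covers only `C:\Windows\...` and `\SystemRoot\System32\`, so a Windows installation on another drive would have its ordinary system-folder activity flagged; if that is intended, say so in a comment, otherwise `'*\Windows\System32\\*'`-style patterns cover it. The description also has two typos: `a executable` → `an executable`, `sytem` → `system`.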
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
old mode 100644
new mode 100755
similarity index 94%
rename from rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
rename to rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
index 0295398f..a3517bc7
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
@@ -10,11 +10,10 @@ tags:
- attack.credential_access
- attack.t1003
logsource:
+ category: file_event
product: windows
- service: sysmon
detection:
- selection:
- EventID: 11
+ selection:
TargetFilename|contains:
- '\pwdump'
- '\kirbi'
@@ -40,6 +39,7 @@ detection:
- '\servpw.exe'
- '\servpw64.exe'
- '\pwdump.exe'
+ - '\procdump64.exe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
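Review bot: The new entry `- '\procdump64.exe'` has no 32-bit counterpart, whereas the rest of the list pairs names (`'\servpw.exe'` / `'\servpw64.exe'` directly above it), so `- '\procdump.exe'` would be the consistent addition. With `TargetFilename|contains`, either value also matches the drop of the legitimate Sysinternals ProcDump binary, and the falsepositives entry should name that tool explicitly rather than only generic administrator use. The `TargetFilename|contains:` selection this list belongs to starts in the previous hunk.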
diff --git a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
old mode 100644
new mode 100755
similarity index 89%
rename from rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
rename to rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
index cfa37cb8..29648630
--- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
@@ -10,11 +10,10 @@ tags:
author: Markus Neis
date: 2018/07/24
logsource:
+ category: file_event
product: windows
- service: sysmon
detection:
- selection:
- EventID: 11
+ selection:
TargetFilename: '*\Temp\debug.bin'
condition: selection
falsepositives:
diff --git a/rules/windows/sysmon/sysmon_hack_dumpert.yml b/rules/windows/file_event/sysmon_hack_dumpert.yml
old mode 100644
new mode 100755
similarity index 85%
rename from rules/windows/sysmon/sysmon_hack_dumpert.yml
rename to rules/windows/file_event/sysmon_hack_dumpert.yml
index 329cc720..ac53c204
--- a/rules/windows/sysmon/sysmon_hack_dumpert.yml
+++ b/rules/windows/file_event/sysmon_hack_dumpert.yml
@@ -10,9 +10,6 @@ date: 2020/02/04
tags:
- attack.credential_access
- attack.t1003
-logsource:
- product: windows
- service: sysmon
falsepositives:
- Very unlikely
level: critical
@@ -26,10 +23,9 @@ detection:
condition: selection
---
logsource:
+ category: file_event
product: windows
- service: sysmon
detection:
- selection:
- EventID: 11
+ selection:
TargetFilename: C:\Windows\Temp\dumpert.dmp
- condition: selection
\ No newline at end of file
+ condition: selection
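Review bot: Removing the global `logsource` block in the first hunk (L6065-L6067) means every document after a `---` separator must now carry its own `logsource`; the second document does (`category: file_event` at L6075), but the first document, which lies between the two hunks, is not visible here and should be checked for one. A short comment on the `---` line, `# each document below must declare its own logsource`, would stop the next edit from reintroducing a global one. The unquoted `TargetFilename: C:\Windows\Temp\dumpert.dmp` is a context line, but for consistency with the quoted paths elsewhere in this diff it could become `'C:\Windows\Temp\dumpert.dmp'`.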
diff --git a/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
old mode 100644
new mode 100755
similarity index 95%
rename from rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
rename to rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
index 0f6036df..578fdb84
--- a/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
@@ -10,11 +10,10 @@ tags:
- attack.credential_access
- attack.t1003
logsource:
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 11
TargetFilename|contains: 'lsass'
TargetFilename|endswith: 'dmp'
condition: selection
diff --git a/rules/windows/file_event/sysmon_office_persistence.yml b/rules/windows/file_event/sysmon_office_persistence.yml
new file mode 100644
index 00000000..d8ced8d0
--- /dev/null
+++ b/rules/windows/file_event/sysmon_office_persistence.yml
@@ -0,0 +1,30 @@
+title: Microsoft Office Add-In Loading
+id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
+status: experimental
+description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
+references:
+ - Internal Research
+tags:
+ - attack.persistence
+ - attack.t1137
+author: NVISO
+date: 2020/05/11
+logsource:
+ category: file_event
+ product: windows
+detection:
+ wlldropped:
+ TargetFilename|contains: \Microsoft\Word\Startup\
+ TargetFilename|endswith: .wll
+ xlldropped:
+ TargetFilename|contains: \Microsoft\Excel\Startup\
+ TargetFilename|endswith: .xll
+ generic:
+ TargetFilename|contains: \Microsoft\Addins\
+ TargetFilename|endswith:
+ - .xlam
+ - .xla
+ condition: (wlldropped or xlldropped or generic)
+falsepositives:
+ - Legitimate add-ins
+level: high
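Review bot: The path fragments `\Microsoft\Word\Startup\`, `\Microsoft\Excel\Startup\`, `\Microsoft\Addins\` and the extensions `.wll`/`.xll`/`.xlam`/`.xla` are plain YAML scalars, unlike every other new rule in this diff, which quotes such values; quoting them (`'\Microsoft\Word\Startup\'`) keeps the trailing backslash and leading dot unambiguous for both YAML and Sigma's escape handling. The outer parentheses in `condition: (wlldropped or xlldropped or generic)` are redundant and can be dropped. `references: - Internal Research` gives a reader nothing to verify; a one-line note on what was observed would help.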
diff --git a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
old mode 100644
new mode 100755
similarity index 98%
rename from rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
rename to rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index d7a6df7a..d9379cee
--- a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -7,14 +7,14 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Markus Neis
date: 2018/04/07
logsource:
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 11
TargetFilename:
- '*\Invoke-DllInjection.ps1'
- '*\Invoke-WmiCommand.ps1'
@@ -115,4 +115,3 @@ detection:
falsepositives:
- Penetration Tests
level: high
-
diff --git a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
old mode 100644
new mode 100755
similarity index 93%
rename from rules/windows/sysmon/sysmon_quarkspw_filedump.yml
rename to rules/windows/file_event/sysmon_quarkspw_filedump.yml
index 5b712d9c..c1ee66a7
--- a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
@@ -11,14 +11,12 @@ tags:
- attack.t1003
level: critical
logsource:
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
# Sysmon: File Creation (ID 11)
- EventID: 11
TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
condition: selection
falsepositives:
- Unknown
-
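Review bot: The comment `# Sysmon: File Creation (ID 11)` at L6193 describes exactly the `EventID: 11` line this hunk removes, so after the migration to `category: file_event` it is stale and misleading. Either delete it or reword it to `# file creation event; Sysmon ID 11 is implied by the file_event category`. None of the other migrated rules in this diff carries a comparable leftover.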
diff --git a/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
new file mode 100644
index 00000000..00e042ac
--- /dev/null
+++ b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
@@ -0,0 +1,23 @@
+title: RedMimicry Winnti Playbook Dropped File
+id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains:
+ - gthread-3.6.dll
+ - sigcmm-2.4.dll
+ - \Windows\Temp\tmp.bat
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
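Review bot: The rule has no `status:` key, while every other new rule in this diff declares `status: experimental`; add `status: experimental` after `id:` so consumers that filter on status treat it consistently. The three `TargetFilename|contains` values are unquoted plain scalars, and `\Windows\Temp\tmp.bat` in particular contains backslashes that Sigma's escaping rules act on, so quoting all three matches the neighbouring rules. `tmp.bat` and the two DLL names are generic filenames and the `level: high` assignment is not explained; a short note in `falsepositives` on why these names are considered specific to the playbook would help.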
diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
new file mode 100755
index 00000000..5a892af9
--- /dev/null
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -0,0 +1,29 @@
+title: Suspicious ADSI-Cache Usage By Unknown Tool
+id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
+description: detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
+status: experimental
+date: 2019/03/24
+author: xknow @xknow_infosec
+references:
+ - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+ - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+ - https://github.com/fox-it/LDAPFragger
+tags:
+ - attack.t1041
+ - attack.persistence
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_1:
+ TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch'
+ selection_2:
+ Image|contains:
+ - 'C:\windows\system32\svchost.exe'
+ - 'C:\windows\system32\dllhost.exe'
+ - 'C:\windows\system32\mmc.exe'
+ - 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
+ condition: selection_1 and not selection_2
+falsepositives:
+ - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
+level: high
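Review bot: The tag pair `attack.t1041` (Exfiltration Over C2 Channel) with tactic `attack.persistence` is inconsistent — that technique sits under the exfiltration tactic, and the behaviour described (LDAP used as a C2 channel) is arguably neither persistence nor exfiltration — so the tactic/technique mapping should be revisited. `Image|contains` at L6255 with full absolute paths pinned to `C:\windows\...` is effectively an exact match tied to one drive letter; if that is the intent, `Image:` without the modifier states it plainly, otherwise `Image|endswith` with drive-less suffixes covers other installations. The description also starts lowercase (`detects`), unlike the other rules.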
diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
new file mode 100755
index 00000000..c55114cf
--- /dev/null
+++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -0,0 +1,26 @@
+title: Suspicious desktop.ini Action
+id: 81315b50-6b60-4d8f-9928-3466e1022515
+status: experimental
+description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
+references:
+ - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+author: Maxime Thiebaut (@0xThiebaut)
+date: 2020/03/19
+tags:
+ - attack.persistence
+ - attack.t1023
+logsource:
+ product: windows
+ category: file_event
+detection:
+ filter:
+ Image:
+ - 'C:\Windows\explorer.exe'
+ - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\Windows\System32\mmc.exe'
+ selection:
+ TargetFilename|endswith: '\desktop.ini'
+ condition: selection and not filter
+falsepositives:
+ - Operations performed through Windows SCCM or equivalent
+level: medium
diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
new file mode 100755
index 00000000..574a12f6
--- /dev/null
+++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -0,0 +1,28 @@
+title: Suspicious PROCEXP152.sys File Created In TMP
+id: 3da70954-0f2c-4103-adff-b7440368f50e
+description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
+status: experimental
+date: 2019/04/08
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
+references:
+ - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+tags:
+ - attack.t1089
+ - attack.t1562.001
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_1:
+ TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys'
+ selection_2:
+ Image|contains:
+ - '*\procexp64.exe'
+ - '*\procexp.exe'
+ - '*\procmon64.exe'
+ - '*\procmon.exe'
+ condition: selection_1 and not selection_2
+falsepositives:
+ - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
+level: medium
diff --git a/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
old mode 100644
new mode 100755
similarity index 80%
rename from rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
rename to rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
index c26821f2..194b7558
--- a/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
@@ -6,12 +6,11 @@ date: 2019/02/21
author: Samir Bousseaden
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
selection:
- EventID: 11
Image: '*\mstsc.exe'
- TargetFileName: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
+ TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
old mode 100644
new mode 100755
similarity index 54%
rename from rules/windows/sysmon/sysmon_webshell_creation_detect.yml
rename to rules/windows/file_event/sysmon_webshell_creation_detect.yml
index 6973e019..86000b3a
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
@@ -1,22 +1,20 @@
title: Windows Webshell Creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: experimental
-description: Posible webshell file creation on a static web site
+description: Possible webshell file creation on a static web site
references:
- PT ESC rule and personal experience
author: Beyu Denis, oscd.community
date: 2019/10/22
-modified: 2019/11/04
+modified: 2020/05/18
tags:
- attack.persistence
- attack.t1100
level: critical
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
- selection_1:
- EventID: 11
selection_2:
TargetFilename|contains: '\inetpub\wwwroot\'
selection_3:
@@ -32,14 +30,16 @@ detection:
selection_5:
TargetFilename|contains: '.ph'
selection_6:
- - TargetFilename|contains|all:
- - '\'
- - '.jsp'
+ - TargetFilename|endswith: '.jsp'
- TargetFilename|contains|all:
- '\cgi-bin\'
- '.pl'
- condition: selection_1 and ( selection_2 and selection_3 ) or
- selection_1 and ( selection_4 and selection_5 ) or
- selection_1 and selection_6
+ false_positives: # false positives when unpacking some executables in $TEMP
+ TargetFilename|contains:
+ - '\AppData\Local\Temp\'
+ - '\Windows\Temp\'
+ # kind of ugly but sigmac seems not to handle double parenthesis "(("
+ # we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
+ condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not false_positives) or (selection_6 and not false_positives)
falsepositives:
- Legitimate administrator or developer creating legitimate executable files in a web application folder
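Review bot: Replacing `TargetFilename|contains|all` over `'\'` and `'.jsp'` with `TargetFilename|endswith: '.jsp'` narrows coverage: the old substring match also caught `.jspx`, the new suffix match catches only `.jsp`. Give the modifier a list instead, `- TargetFilename|endswith:` / `  - '.jsp'` / `  - '.jspx'`, to keep the variant. The new comment at L6408 has a typo, `shold` → `should`. Since Sigma's `and` binds tighter than `or`, `condition: (selection_2 and selection_3 or selection_4 and selection_5 or selection_6) and not false_positives` expresses the same logic without double parentheses and without repeating `not false_positives` three times — worth trying against sigmac before keeping the workaround.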
diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
old mode 100644
new mode 100755
similarity index 82%
rename from rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
rename to rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
index 907a2873..389af946
--- a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -11,12 +11,11 @@ tags:
- attack.persistence
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
selection:
- EventID: 11
Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
condition: selection
falsepositives:
- - Unknown (data set is too small; further testing needed)
+ - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
level: high
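Review bot: The falsepositives entry now names a concrete benign source, Dell Power Manager's `DpmPowerPlanSetup.exe`, but the detection gains no corresponding filter, so every such installation still raises a `level: high` alert. Since `Image` is fixed to scrcons.exe the installer cannot be excluded by process; if the file it writes has a stable `TargetFilename`, a `filter:` on that path with `condition: selection and not filter` would remove the known noise — presumably that path is known from the observation behind this entry. If it is not stable, a comment saying why no filter is possible would help the next reviewer.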
diff --git a/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml b/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml
new file mode 100644
index 00000000..21d65214
--- /dev/null
+++ b/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml
@@ -0,0 +1,33 @@
+title: Suspicious Desktopimgdownldr Target File
+id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
+status: experimental
+description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
+author: Florian Roth
+date: 2020/07/03
+references:
+ - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+ - https://twitter.com/SBousseaden/status/1278977301745741825
+logsource:
+ product: windows
+ category: file_event
+tags:
+ - attack.defense_evasion
+ - attack.t1105
+detection:
+ selection:
+ Image|endswith: svchost.exe
+ TargetFilename|contains: '\Personalization\LockScreenImage\'
+ filter1:
+ TargetFilename|contains: 'C:\Windows\'
+ filter2:
+ TargetFilename|contains:
+ - '.jpg'
+ - '.jpeg'
+ - '.png'
+ condition: selection and not filter1 and not filter2
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+level: high
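Review bot: `filter2` uses `TargetFilename|contains` for `.jpg`/`.jpeg`/`.png`, which matches the substring anywhere in the path, directory names included, rather than the file's actual extension; `TargetFilename|endswith` pins the extension and is what the description ("a file with a suspicious extension") implies. `fields: - CommandLine - ParentCommandLine` lists process-creation fields on a `file_event` rule, where they are not present; `Image` and `TargetFilename` are the meaningful output fields here. `Image|endswith: svchost.exe` is the only unquoted value in the block and would read better quoted like its neighbours.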
diff --git a/rules/windows/sysmon/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
old mode 100644
new mode 100755
similarity index 78%
rename from rules/windows/sysmon/sysmon_in_memory_powershell.yml
rename to rules/windows/image_load/sysmon_in_memory_powershell.yml
index d6108e16..623a8c01
--- a/rules/windows/sysmon/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -10,21 +10,23 @@ references:
- https://github.com/p3nt4/PowerShdll
tags:
- attack.t1086
+ - attack.t1059.001
- attack.execution
logsource:
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
- EventID: 7
ImageLoaded|endswith:
- '\System.Management.Automation.Dll'
- '\System.Management.Automation.ni.Dll'
filter:
Image|endswith:
- '\powershell.exe'
+ - '\powershell_ise.exe'
- '\WINDOWS\System32\sdiagnhost.exe'
- User: 'NT AUTHORITY\SYSTEM'
+ - '\mscorsvw.exe' # c:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsw.exe for instance
+ # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
condition: selection and not filter
falsepositives:
- Used by some .NET binaries, minimal on user workstation.
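Review bot: The new filter entry `- '\mscorsvw.exe'` carries an inline comment whose example path ends in `mscorsw.exe`, which does not match the value it annotates; change it to `# e.g. c:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe`. Because the filter is a bare `endswith`, any binary named mscorsvw.exe anywhere on disk is excluded; if only the .NET Framework install is meant, suffixes such as `'\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe'` (one per framework directory) narrow it. The commented-out `User:` line explains why it was disabled, which is useful; moving that explanation into the falsepositives entry and dropping the dead YAML line would keep the filter block clean.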
diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
old mode 100644
new mode 100755
similarity index 96%
rename from rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
rename to rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
index 58f1cf58..50568b56
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
@@ -11,12 +11,11 @@ tags:
- attack.credential_access
- car.2019-04-004
logsource:
+ category: image_load
product: windows
- service: sysmon
date: 2017/03/13
detection:
selector:
- EventID: 7
Image: 'C:\Windows\System32\rundll32.exe'
dllload1:
ImageLoaded: '*\vaultcli.dll'
diff --git a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
old mode 100644
new mode 100755
similarity index 93%
rename from rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
rename to rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
index 124c8312..7b3449c2
--- a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
@@ -8,14 +8,14 @@ author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml
logsource:
+ category: image_load
product: windows
- service: sysmon
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
detection:
selection:
- EventID: 7
Description: 'system.management.automation'
ImageLoaded|contains: 'system.management.automation'
condition: selection
diff --git a/rules/windows/image_load/sysmon_susp_fax_dll.yml b/rules/windows/image_load/sysmon_susp_fax_dll.yml
new file mode 100644
index 00000000..0b1f247d
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_fax_dll.yml
@@ -0,0 +1,33 @@
+title: Fax Service DLL Search Order Hijack
+id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
+status: experimental
+description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
+references:
+ - https://windows-internals.com/faxing-your-way-to-system/
+author: NVISO
+date: 2020/05/04
+modified: 2020/07/01
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1073
+ - attack.t1038
+ - attack.t1112
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - fxssvc.exe
+ ImageLoaded|endswith:
+ - ualapi.dll
+ filter:
+ ImageLoaded|startswith:
+ - C:\Windows\WinSxS\
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
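Review bot: The `filter` excluding `ImageLoaded|startswith: C:\Windows\WinSxS\` is not explained anywhere, while the description states that `ualapi.dll` is non-existent — for a reader the two contradict each other, so a comment above the filter is needed, e.g. `# ualapi.dll legitimately exists under WinSxS on some Windows SKUs — TODO confirm`. The filter is also pinned to the `C:` drive; `ImageLoaded|contains: '\Windows\WinSxS\'` would cover other system drives if that matters. `fxssvc.exe`, `ualapi.dll` and the WinSxS path are plain scalars, unlike the quoted values in the other image_load rules added here.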
diff --git a/rules/windows/sysmon/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml
old mode 100644
new mode 100755
similarity index 94%
rename from rules/windows/sysmon/sysmon_susp_image_load.yml
rename to rules/windows/image_load/sysmon_susp_image_load.yml
index 577f9610..828c939e
--- a/rules/windows/sysmon/sysmon_susp_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_image_load.yml
@@ -10,11 +10,10 @@ tags:
- attack.defense_evasion
- attack.t1073
logsource:
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
- EventID: 7
Image:
- '*\notepad.exe'
ImageLoaded:
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
new file mode 100755
index 00000000..ca5714da
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -0,0 +1,27 @@
+title: dotNET DLL Loaded Via Office Applications
+id: ff0f2b05-09db-4095-b96d-1b75ca24894a
+status: experimental
+description: Detects any assembly DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - 'C:\Windows\assembly\\*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
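Review bot: `ImageLoaded: - 'C:\Windows\assembly\\*'` is pinned to the `C:` drive, so an Office process loading from the same directory on a system installed elsewhere is not matched; `'*\Windows\assembly\\*'` keeps the drive out of it. The same applies to `'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'` in sysmon_susp_office_dotnet_gac_dll_load.yml further down. Across the five Office image_load rules the trailing wildcard is inconsistent — `'*\clr.dll*'` and `'*\dsparse.dll*'` versus `'*\kerberos.dll'` — and `attack.initial_access` / `attack.t1193` describes the delivery vector rather than the DLL load the rule actually observes, which happens at execution time; adding the execution tactic would reflect what the rule sees.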
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
new file mode 100755
index 00000000..c38e4136
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -0,0 +1,27 @@
+title: CLR DLL Loaded Via Office Applications
+id: d13c43f0-f66b-4279-8b2c-5912077c1780
+status: experimental
+description: Detects CLR DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*\clr.dll*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
new file mode 100755
index 00000000..5ad0b02d
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -0,0 +1,27 @@
+title: GAC DLL Loaded Via Office Applications
+id: 90217a70-13fc-48e4-b3db-0d836c5824ac
+status: experimental
+description: Detects any GAC DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
new file mode 100755
index 00000000..01f4c5a9
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -0,0 +1,27 @@
+title: Active Directory Parsing DLL Loaded Via Office Applications
+id: a2a3b925-7bb0-433b-b508-db9003263cc4
+status: experimental
+description: Detects DSParse DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*\dsparse.dll*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
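Review bot: The trailing wildcard in `'*\dsparse.dll*'` is unnecessary if the DLL itself is the target and is inconsistent with the neighbouring kerberos rule's `'*\kerberos.dll'`; the preceding CLR rule (`'*\clr.dll*'`) has the same trailing `*`. Prefer `- '*\dsparse.dll'`, or `ImageLoaded|endswith: '\dsparse.dll'` as the dbghelp/dbgcore rule in this commit does, so the five Office image-load rules read the same way.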
diff --git a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
new file mode 100755
index 00000000..c9a12264
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -0,0 +1,27 @@
+title: Active Directory Kerberos DLL Loaded Via Office Applications
+id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
+status: experimental
+description: Detects Kerberos DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*\kerberos.dll'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
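Review bot: `'*\kerberos.dll'` is the SSPI Kerberos security package, and Office processes — Outlook authenticating to Exchange in particular — are likely to load it during ordinary domain authentication with no macro involved, so the single macro-related false positive and `level: high` probably understate the noise. Consider adding under `falsepositives` something like `- Office applications performing Kerberos authentication in domain-joined environments` and revisiting the level once validated. I cannot confirm the load frequency from the rule alone; it should be checked against telemetry before the rule leaves `experimental`.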
diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
new file mode 100755
index 00000000..b52627d1
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -0,0 +1,29 @@
+title: VBA DLL Loaded Via Microsoft Word
+id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
+status: experimental
+description: Detects DLL's Loaded Via Word Containing VBA Macros
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*\VBE7.DLL'
+ - '*\VBEUI.DLL'
+ - '*\VBE7INTL.DLL'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
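Review bot: The title `VBA DLL Loaded Via Microsoft Word` and the description mention only Word, but the `Image` list matches winword, powerpnt, excel and outlook. Either retitle to match the siblings, e.g. `title: VBA DLL Loaded Via Office Applications`, or trim `Image` to `'*\winword.exe'` so the metadata describes what fires. `DLL's` in the description should be `DLLs`.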
diff --git a/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
old mode 100644
new mode 100755
similarity index 96%
rename from rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml
rename to rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
index 38914687..c2d9e429
--- a/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
@@ -12,11 +12,10 @@ tags:
- attack.execution
- attack.t1047
logsource:
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
- EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
diff --git a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
old mode 100644
new mode 100755
similarity index 76%
rename from rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
rename to rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 4b40451f..20b873c5
--- a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
+++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
@@ -1,12 +1,12 @@
-title: Dumping Lsass.exe Memory with MiniDumpWriteDump API
-id: dd5ab153-beaa-4315-9647-65abc5f71541
+title: Load of dbghelp/dbgcore DLL from Suspicious Process
+id: 0e277796-5f23-4e49-a490-483131d4f6e1
status: experimental
-description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
+description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump
API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and
transfer it over the network back to the attacker's machine.
-date: 27/10/2019
-modified: 2019/11/13
-author: Perez Diego (@darkquassar), oscd.community
+date: 2019/10/27
+modified: 2020/05/23
+author: Perez Diego (@darkquassar), oscd.community, Ecco
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
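Review bot: The rename changes the rule `id` from `dd5ab153-beaa-4315-9647-65abc5f71541` to `0e277796-5f23-4e49-a490-483131d4f6e1`; Sigma consumers key suppressions, tuning and alert history on `id`, so a reworded rule should normally keep its identifier. If a new id is deliberate because the scope changed (the title now covers any dbghelp/dbgcore load rather than lsass dumping), the description or commit message should say so. The rewritten description still contains `tradecract` (should be `tradecraft`), and the second hunk's `# - '\msiexec.exe'` comment reads oddly before the list item — `# an installer using these DLLs would alert` on its own line above would be clearer.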
@@ -15,11 +15,10 @@ tags:
- attack.credential_access
- attack.t1003
logsource:
+ category: image_load
product: windows
- service: sysmon
detection:
signedprocess:
- EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
@@ -35,7 +34,7 @@ detection:
- '\outlook.exe'
- '\monitoringhost.exe'
- '\wmic.exe'
- - '\msiexec.exe'
+ # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
- '\bash.exe'
- '\wscript.exe'
- '\cscript.exe'
@@ -47,7 +46,6 @@ detection:
- '\sc.exe'
- '\scriptrunner.exe'
unsignedprocess:
- EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
@@ -62,4 +60,4 @@ fields:
- ImageLoaded
falsepositives:
- Penetration tests
-level: critical
+level: high
diff --git a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
old mode 100644
new mode 100755
similarity index 86%
rename from rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
rename to rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
index ef3fc978..e8176c24
--- a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -15,11 +15,10 @@ tags:
- attack.t1038
- attack.t1112
logsource:
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
- EventID: 7
Image:
- '*\svchost.exe'
ImageLoaded:
@@ -27,12 +26,9 @@ detection:
- '*\tsvipsrv.dll'
- '*\wlbsctrl.dll'
filter:
- EventID: 7
- Image:
- - '*\svchost.exe'
ImageLoaded:
- - 'C:\Windows\WinSxS\*'
+ - 'C:\Windows\WinSxS\\*'
condition: selection and not filter
falsepositives:
- Pentest
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
old mode 100644
new mode 100755
similarity index 94%
rename from rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
rename to rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
index c88a6d4c..3a66c4dd
--- a/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
+++ b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
@@ -10,11 +10,10 @@ tags:
- attack.credential_access
- attack.t1003
logsource:
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
- EventID: 7
Image|endswith: '\lsass.exe'
Signed: 'false'
condition: selection
@@ -22,3 +21,4 @@ falsepositives:
- Valid user connecting using RDP
status: experimental
level: medium
+
diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
old mode 100644
new mode 100755
similarity index 70%
rename from rules/windows/sysmon/sysmon_wmi_module_load.yml
rename to rules/windows/image_load/sysmon_wmi_module_load.yml
index dd91364c..6b46e7b0
--- a/rules/windows/sysmon/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -11,11 +11,10 @@ tags:
- attack.execution
- attack.t1047
logsource:
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
- EventID: 7
ImageLoaded|endswith:
- '\wmiclnt.dll'
- '\WmiApRpl.dll'
@@ -31,6 +30,13 @@ detection:
- '\WmiPrvSe.exe'
- '\WmiAPsrv.exe'
- '\svchost.exe'
+ - '\DeviceCensus.exe'
+ - '\CompatTelRunner.exe'
+ - '\sdiagnhost.exe'
+ - '\SIHClient.exe'
+ - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
+ - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
+ - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
condition: selection and not filter
fields:
- ComputerName
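Review bot: The new filter entries `'\DeviceCensus.exe'`, `'\CompatTelRunner.exe'`, `'\sdiagnhost.exe'`, `'\SIHClient.exe'` and `'\ngentask.exe'` exclude by file name alone, whereas the two entries after them are anchored to `\windows\system32\`; assuming the filter key above this hunk is `Image|endswith`, as the leading backslashes suggest, a binary with one of those names in any directory is excluded from the detection. Prefer the anchored form for the new entries too, e.g. `- '\windows\system32\CompatTelRunner.exe'`, and for ngentask the two Framework paths the inline comment already names. The `20H04` in the last comment does not look like a Windows release name; `2004` was probably meant.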
@@ -40,3 +46,4 @@ fields:
falsepositives:
- Unknown
level: high
+
diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
old mode 100644
new mode 100755
similarity index 88%
rename from rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
rename to rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
index 9349ff72..c1655c2e
--- a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -10,13 +10,12 @@ tags:
- attack.t1084
- attack.persistence
logsource:
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
- EventID: 7
Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
- ImageLoaded: 'wbemcons.dll'
+ ImageLoaded|endswith: '\wbemcons.dll'
condition: selection
falsepositives:
- Unknown (data set is too small; further testing needed)
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml
index 52854854..168d357e 100644
--- a/rules/windows/malware/av_password_dumper.yml
+++ b/rules/windows/malware/av_password_dumper.yml
@@ -9,11 +9,14 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1558
+ - attack.t1003.001
+ - attack.t1003.002
logsource:
product: antivirus
detection:
selection:
- Signature:
+ Signature:
- "*DumpCreds*"
- "*Mimikatz*"
- "*PWCrack*"
diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml
index b041fda8..11f8eb0b 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/windows/malware/av_webshell.yml
@@ -9,11 +9,12 @@ references:
tags:
- attack.persistence
- attack.t1100
+ - attack.t1505.003
logsource:
product: antivirus
detection:
selection:
- Signature:
+ Signature:
- "PHP/Backdoor*"
- "JSP/Backdoor*"
- "ASP/Backdoor*"
diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml
new file mode 100644
index 00000000..d99e7c47
--- /dev/null
+++ b/rules/windows/malware/mal_azorult_reg.yml
@@ -0,0 +1,29 @@
+title: Registy Entries For Azorult Malware
+id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
+description: Detects the presence of a registry key created during Azorult execution
+status: experimental
+references:
+ - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
+author: Trent Liffick
+date: 2020/05/08
+tags:
+ - attack.execution
+ - attack.t1112
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID:
+ - 12
+ - 13
+ TargetObject:
+ - '*SYSTEM\\*\services\localNETService'
+ condition: selection
+fields:
+ - Image
+ - TargetObject
+ - TargetDetails
+falsepositives:
+ - unknown
+level: critical
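Review bot: The tags pair `attack.execution` with `attack.t1112`, but T1112 (Modify Registry) belongs to the Defense Evasion tactic, so the tactic tag should be `- attack.defense_evasion` (or an execution technique should accompany the tactic). win_mal_blue_mockingbird.yml (`attack.execution` + `attack.t1112`) and win_mal_flowcloud.yml (`attack.persistence` + `attack.t1112`) in this commit have the same mismatch. `Registy` in the title should be `Registry`.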
diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml
new file mode 100644
index 00000000..c40f28d7
--- /dev/null
+++ b/rules/windows/malware/win_mal_blue_mockingbird.yml
@@ -0,0 +1,45 @@
+action: global
+title: Blue Mockingbird
+id: c3198a27-23a0-4c2c-af19-e5328d49680e
+status: experimental
+description: Attempts to detect system changes made by Blue Mockingbird
+references:
+ - https://redcanary.com/blog/blue-mockingbird-cryptominer/
+tags:
+ - attack.execution
+ - attack.t1112
+ - attack.t1047
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+falsepositives:
+ - unknown
+level: high
+detection:
+ condition: 1 of them
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ exec_selection:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - 'sc config'
+ - 'wercplsupporte.dll'
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ wmic_cmd:
+ Image|endswith: '\wmic.exe'
+ CommandLine|endswith: 'COR_PROFILER'
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ mod_reg:
+ EventID: 13
+ TargetObject|endswith:
+ - '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
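Review bot: `CommandLine|endswith: 'COR_PROFILER'` in the `wmic_cmd` document only fires when the variable name is the final token of the command line; an invocation that sets the variable's value after its name would not end with it, so `CommandLine|contains: 'COR_PROFILER'` is the safer modifier unless the referenced report shows the name is always last. I cannot verify the exact command lines from the rule itself; this should be checked against the Red Canary write-up before merging. The `1 of them` condition in the global header is applied per generated document, which is fine here since each document defines a single selection.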
diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml
new file mode 100644
index 00000000..37e315f9
--- /dev/null
+++ b/rules/windows/malware/win_mal_flowcloud.yml
@@ -0,0 +1,28 @@
+title: FlowCloud Malware
+id: 5118765f-6657-4ddb-a487-d7bd673abbf1
+status: experimental
+description: Detects FlowCloud malware from threat group TA410.
+references:
+ - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
+author: NVISO
+tags:
+ - attack.persistence
+ - attack.t1112
+date: 2020/06/09
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID:
+ - 12 # key create
+ - 13 # value set
+ TargetObject:
+ - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
+ - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
+ - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
+ - 'HKLM\SYSTEM\Setup\PrintResponsor\\*'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
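Review bot: The first three `TargetObject` entries are exact key paths with no trailing wildcard, yet `EventID` includes `13` (value set); if Sysmon's EID 13 `TargetObject` carries the value name after the key path, as I believe it does, those entries can only match the EID 12 key-creation events. If value writes under those keys should also match, append `\\*` as the fourth entry does, e.g. `- 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}\\*'`, or switch to `TargetObject|startswith`.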
diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml
new file mode 100644
index 00000000..0c710eae
--- /dev/null
+++ b/rules/windows/malware/win_mal_octopus_scanner.yml
@@ -0,0 +1,25 @@
+title: Octopus Scanner Malware
+id: 805c55d9-31e6-4846-9878-c34c75054fe9
+status: experimental
+description: Detects Octopus Scanner Malware.
+references:
+ - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+tags:
+ - attack.t1195
+ - attack.t1195.001
+author: NVISO
+date: 2020/06/09
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ filecreate:
+ EventID: 11
+ selection:
+ TargetFilename|endswith:
+ - '\AppData\Local\Microsoft\Cache134.dat'
+ - '\AppData\Local\Microsoft\ExplorerSync.db'
+ condition: filecreate and selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
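Review bot: The file ends without a trailing newline (`\ No newline at end of file`), unlike the other new rules in this commit, and yamllint flags this. Separately, `service: sysmon` with `EventID: 11` is the pre-migration form this very commit is moving away from for image_load and network_connection; if the repo's config already maps a `file_event` category, `logsource: category: file_event, product: windows` with `TargetFilename|endswith` would be the consistent choice.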
diff --git a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
new file mode 100644
index 00000000..40a52547
--- /dev/null
+++ b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
@@ -0,0 +1,43 @@
+title: Dllhost Internet Connection
+id: cfed2f44-16df-4bf3-833a-79405198b277
+status: experimental
+description: Detects Dllhost that communicates with public IP addresses
+references:
+ - https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+author: bartblaze
+date: 2020/07/13
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image: '*\dllhost.exe'
+ Initiated: 'true'
+ filter:
+ DestinationIp:
+ - '10.*'
+ - '192.168.*'
+ - '172.16.*'
+ - '172.17.*'
+ - '172.18.*'
+ - '172.19.*'
+ - '172.20.*'
+ - '172.21.*'
+ - '172.22.*'
+ - '172.23.*'
+ - '172.24.*'
+ - '172.25.*'
+ - '172.26.*'
+ - '172.27.*'
+ - '172.28.*'
+ - '172.29.*'
+ - '172.30.*'
+ - '172.31.*'
+ - '127.*'
+ condition: selection and not filter
+falsepositives:
+ - Communication to other corporate systems that use IP addresses from public address spaces
+level: medium
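Review bot: The `DestinationIp` filter meant to exclude non-public addresses omits link-local `169.254.*`, IPv6 loopback `::1`, IPv6 link-local `fe80:*` and the unique-local `fc00::/7` block, so internal IPv6 or APIPA traffic from dllhost.exe would alert as if it were public. Add at least `- '169.254.*'`, `- '::1'`, `- 'fe80:*'` and the unique-local prefixes. The list appears to be copied from the referenced sysmon_rundll32_net_connections.yml, so the same gap likely exists there.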
diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
old mode 100644
new mode 100755
similarity index 98%
rename from rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
rename to rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
index 953c8610..9c8b1f89
--- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
@@ -10,12 +10,11 @@ tags:
- attack.command_and_control
- attack.t1043
logsource:
+ category: network_connection
product: windows
- service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
selection:
- EventID: 3
Initiated: 'true'
DestinationPort:
- '4443'
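Review bot: The `definition` line carried into the renamed file still reads `Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN`, which describes neither this rule (now `category: network_connection`, i.e. Sysmon EID 3) nor anything coherent; the `VBE7.DLLUNKNOWN` suffix looks like a paste artefact. Since the migration already edits `logsource`, replace it with `definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'` as sysmon_susp_prog_location_network_connection.yml has, or drop it.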
diff --git a/rules/windows/network_connection/sysmon_notepad_network_connection.yml b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
new file mode 100755
index 00000000..49dbcdf7
--- /dev/null
+++ b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
@@ -0,0 +1,24 @@
+title: Notepad Making Network Connection
+id: e81528db-fc02-45e8-8e98-4e84aba1f10b
+status: experimental
+description: Detects suspicious network connection by Notepad
+references:
+ - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
+ - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
+tags:
+ - attack.command_and_control
+ - attack.execution
+author: EagleEye Team
+logsource:
+ category: network_connection
+ product: windows
+date: 2020/05/14
+detection:
+ selection:
+ Image: '*\notepad.exe'
+ filter:
+ DestinationPort: '9100'
+ condition: selection and not filter
+falsepositives:
+ - None observed so far
+level: high
diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
old mode 100644
new mode 100755
similarity index 95%
rename from rules/windows/sysmon/sysmon_powershell_network_connection.yml
rename to rules/windows/network_connection/sysmon_powershell_network_connection.yml
index 55f83462..9600a61d
--- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -10,12 +10,12 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
+ category: network_connection
product: windows
- service: sysmon
detection:
selection:
- EventID: 3
Image: '*\powershell.exe'
Initiated: 'true'
filter:
diff --git a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
old mode 100644
new mode 100755
similarity index 94%
rename from rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
rename to rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
index ee2e85ea..289594ae
--- a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
@@ -12,11 +12,10 @@ tags:
- attack.t1076
- car.2013-07-002
logsource:
+ category: network_connection
product: windows
- service: sysmon
detection:
selection:
- EventID: 3
Image: '*\svchost.exe'
Initiated: 'true'
SourcePort: 3389
diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
similarity index 84%
rename from rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
rename to rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
index 9722b7a7..98c32003 100644
--- a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@@ -1,3 +1,4 @@
+action: global
title: Regsvr32 Network Activity
id: c7e91a02-d771-4a6d-a700-42587e0b1095
description: Detects network connections and DNS queries initiated by Regsvr32.exe
@@ -9,18 +10,13 @@ tags:
- attack.execution
- attack.defense_evasion
- attack.t1117
+ - attack.t1218.010
author: Dmitriy Lifanov, oscd.community
status: experimental
date: 2019/10/25
-modified: 2019/11/10
-logsource:
- product: windows
- service: sysmon
+modified: 2020/07/01
detection:
selection:
- EventID:
- - 3
- - 22
Image|endswith: '\regsvr32.exe'
condition: selection
fields:
@@ -32,3 +28,11 @@ fields:
falsepositives:
- unknown
level: high
+---
+logsource:
+ category: network_connection
+ product: windows
+---
+logsource:
+ category: dns_query
+ product: windows
diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
old mode 100644
new mode 100755
similarity index 93%
rename from rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
rename to rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
index 805f7db5..15ae994e
--- a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
@@ -9,12 +9,12 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
+ category: network_connection
product: windows
- service: sysmon
detection:
selection:
- EventID: 3
DestinationPort:
- 5985
- 5986
diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
old mode 100644
new mode 100755
similarity index 96%
rename from rules/windows/sysmon/sysmon_rundll32_net_connections.yml
rename to rules/windows/network_connection/sysmon_rundll32_net_connections.yml
index c02164f3..40ca4c42
--- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
@@ -11,11 +11,10 @@ tags:
- attack.defense_evasion
- attack.execution
logsource:
+ category: network_connection
product: windows
- service: sysmon
detection:
selection:
- EventID: 3
Image: '*\rundll32.exe'
Initiated: 'true'
filter:
diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
old mode 100644
new mode 100755
similarity index 96%
rename from rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
rename to rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
index c80ca7cb..9b152411
--- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
@@ -7,12 +7,11 @@ references:
author: Florian Roth
date: 2017/03/19
logsource:
+ category: network_connection
product: windows
- service: sysmon
definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
detection:
selection:
- EventID: 3
Image:
# - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows
- '*\$Recycle.bin'
diff --git a/rules/windows/sysmon/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml
old mode 100644
new mode 100755
similarity index 97%
rename from rules/windows/sysmon/sysmon_susp_rdp.yml
rename to rules/windows/network_connection/sysmon_susp_rdp.yml
index 327b8446..00ab16ac
--- a/rules/windows/sysmon/sysmon_susp_rdp.yml
+++ b/rules/windows/network_connection/sysmon_susp_rdp.yml
@@ -11,11 +11,10 @@ tags:
- attack.t1210
- car.2013-07-002
logsource:
+ category: network_connection
product: windows
- service: sysmon
detection:
selection:
- EventID: 3
DestinationPort: 3389
Initiated: 'true'
filter:
diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
old mode 100644
new mode 100755
similarity index 95%
rename from rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
rename to rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
index 353034a7..e1984104
--- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -11,11 +11,10 @@ tags:
- attack.lateral_movement
- attack.t1208
logsource:
+ category: network_connection
product: windows
- service: sysmon
detection:
selection:
- EventID: 3
DestinationPort: 88
Initiated: 'true'
filter:
diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
old mode 100644
new mode 100755
similarity index 95%
rename from rules/windows/sysmon/sysmon_win_binary_github_com.yml
rename to rules/windows/network_connection/sysmon_win_binary_github_com.yml
index 0f6cd497..8a0ac2af
--- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
@@ -11,11 +11,10 @@ tags:
- attack.lateral_movement
- attack.t1105
logsource:
+ category: network_connection
product: windows
- service: sysmon
detection:
selection:
- EventID: 3
Initiated: 'true'
DestinationHostname:
- '*.github.com'
diff --git a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
old mode 100644
new mode 100755
similarity index 95%
rename from rules/windows/sysmon/sysmon_win_binary_susp_com.yml
rename to rules/windows/network_connection/sysmon_win_binary_susp_com.yml
index 3bcf4704..6e324b9c
--- a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
@@ -11,11 +11,10 @@ tags:
- attack.lateral_movement
- attack.t1105
logsource:
+ category: network_connection
product: windows
- service: sysmon
detection:
selection:
- EventID: 3
Initiated: 'true'
DestinationHostname:
- '*dl.dropboxusercontent.com'
@@ -26,4 +25,3 @@ detection:
falsepositives:
- 'Unknown'
level: high
-
diff --git a/rules/windows/other/win_defender_bypass.yml b/rules/windows/other/win_defender_bypass.yml
index 0dc75366..f70b847e 100644
--- a/rules/windows/other/win_defender_bypass.yml
+++ b/rules/windows/other/win_defender_bypass.yml
@@ -1,26 +1,27 @@
-title: Windows Defender Exclusion Set
-id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
-description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
-references:
- - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
-tags:
- - attack.defense_evasion
- - attack.t1089
-author: "@BarryShooshooga"
-date: 2019/10/26
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
-detection:
- selection:
- EventID:
- - 4657
- - 4656
- - 4660
- - 4663
- ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
- condition: selection
-falsepositives:
- - Intended inclusions by administrator
-level: high
+title: Windows Defender Exclusion Set
+id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
+references:
+ - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+tags:
+ - attack.defense_evasion
+ - attack.t1089
+ - attack.t1562.001
+author: "@BarryShooshooga"
+date: 2019/10/26
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
+detection:
+ selection:
+ EventID:
+ - 4657
+ - 4656
+ - 4660
+ - 4663
+ ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
+ condition: selection
+falsepositives:
+ - Intended inclusions by administrator
+level: high
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml
new file mode 100644
index 00000000..705c23d3
--- /dev/null
+++ b/rules/windows/other/win_defender_disabled.yml
@@ -0,0 +1,32 @@
+title: Windows Defender Threat Detection Disabled
+id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+description: Detects disabling Windows Defender threat protection
+date: 2020/07/28
+author: Ján Trenčanský
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+status: stable
+tags:
+ - attack.defense_evasion
+ - attack.t1089
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID:
+ - 5001
+ - 5010
+ - 5012
+ - 5101
+ selection2:
+ TargetObject:
+ - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
+ - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
+ - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
+ Details: 'DWORD (0x00000001)'
+ condition: 1 of them
+falsepositives:
+ - Administrator actions
+level: high
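Review bot: `selection2` uses `TargetObject` and `Details`, which are Sysmon registry-event fields (the other new rules in this commit use them only under `service: sysmon` with `EventID: 12`/`13`), but this rule's logsource is `service: windefend`, so the Defender operational log never carries them and `selection2` cannot match; with `condition: 1 of them` the rule silently reduces to the four EventIDs. Move it into its own document under `action: global` with a sysmon/registry logsource, as win_mal_blue_mockingbird.yml does, or drop it. Its three `TargetObject` values are also bare key paths with no value name, so they would need `|startswith` or a `\\*` suffix even in the right logsource. `status: stable` on a brand-new rule (also in win_defender_threat.yml) departs from the `experimental` every other new rule here uses.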
diff --git a/rules/windows/other/win_defender_threat.yml b/rules/windows/other/win_defender_threat.yml
new file mode 100644
index 00000000..9721af7b
--- /dev/null
+++ b/rules/windows/other/win_defender_threat.yml
@@ -0,0 +1,22 @@
+title: Windows Defender Threat Detected
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+description: Detects all actions taken by Windows Defender malware detection engines
+date: 2020/07/28
+author: Ján Trenčanský
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+status: stable
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID:
+ - 1006
+ - 1116
+ - 1015
+ - 1117
+ condition: selection
+falsepositives:
+ - unlikely
+level: high
diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml
new file mode 100644
index 00000000..c24d0410
--- /dev/null
+++ b/rules/windows/other/win_pcap_drivers.yml
@@ -0,0 +1,39 @@
+title: Windows Pcap Drivers
+id: 7b687634-ab20-11ea-bb37-0242ac130002
+status: experimental
+description: Detects Windows Pcap driver installation based on a list of associated .sys files.
+author: Cian Heasley
+date: 2020/06/10
+references:
+ - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
+tags:
+ - attack.discovery
+ - attack.credential_access
+ - attack.t1040
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 4697
+ ServiceFileName:
+ - '*pcap*'
+ - '*npcap*'
+ - '*npf*'
+ - '*nm3*'
+ - '*ndiscap*'
+ - '*nmnt*'
+ - '*windivert*'
+ - '*USBPcap*'
+ - '*pktmon*'
+ condition: selection
+fields:
+ - EventID
+ - ServiceFileName
+ - Account_Name
+ - Computer_Name
+ - Originating_Computer
+ - ServiceName
+falsepositives:
+ - unknown
+level: medium
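Review bot: `EventID: 4697` (a service was installed in the system) is written to the Security log, not the System log, so `service: system` will never yield a matching event; use `service: security`, or switch to the System log's `EventID: 7045` with its `ImagePath` field in place of `ServiceFileName`. `'*npcap*'` is fully covered by `'*pcap*'`, and very short substrings like `'*npf*'` and `'*nm3*'` may hit unrelated driver names, so the `unknown` false positives should be validated against real 4697 volume. The `fields` entries `Account_Name`, `Computer_Name` and `Originating_Computer` do not look like native 4697 field names; they may come from the referenced blog's SIEM schema.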
diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/win_rare_schtask_creation.yml
index 2992ab30..1329e32f 100644
--- a/rules/windows/other/win_rare_schtask_creation.yml
+++ b/rules/windows/other/win_rare_schtask_creation.yml
@@ -1,12 +1,12 @@
title: Rare Scheduled Task Creations
id: b20f6158-9438-41be-83da-a5a16ac90c2b
status: experimental
-description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count
- function selects tasks with rare names.
+description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
tags:
- attack.persistence
- attack.t1053
- attack.s0111
+ - attack.t1053.005
author: Florian Roth
date: 2017/03/17
logsource:
diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index 7cad1809..07b87d01 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -3,17 +3,19 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/08/11
+modified: 2020/02/25
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: powershell
detection:
- selection:
+ selection:
EventID:
- 4103
- 400
@@ -25,5 +27,7 @@ detection:
# can't be referred directly as event field.
condition: selection and not filter
falsepositives:
- - Programs using PowerShell directly without invocation of a dedicated interpreter.
-level: high
+ - Programs using PowerShell directly without invocation of a dedicated interpreter
+ - MSP Detection Searcher
+ - Citrix ConfigSync.ps1
+level: medium
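Review bot: The two new `falsepositives` entries (`MSP Detection Searcher`, `Citrix ConfigSync.ps1`) are documented but not excluded; the `filter` they would belong in is defined above this hunk and is unchanged, so lowering `level` to `medium` is the only mitigation applied. If these hosts are known-benign, adding matching terms to `filter` is the stronger fix; otherwise a short comment next to `level` explaining why it dropped would help the next reviewer, since `modified: 2020/02/25` alone does not say.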
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
index d6c42d03..db298c67 100644
--- a/rules/windows/powershell/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
@@ -9,6 +9,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1146
+ - attack.t1070.003
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_create_local_user.yml
new file mode 100644
index 00000000..d479cb48
--- /dev/null
+++ b/rules/windows/powershell/powershell_create_local_user.yml
@@ -0,0 +1,26 @@
+title: PowerShell Create Local User
+id: 243de76f-4725-4f2e-8225-a8a69b15ad61
+status: experimental
+description: Detects creation of a local user via PowerShell
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
+tags:
+ - attack.execution
+ - attack.t1086
+ - attack.persistence
+ - attack.t1136
+ - attack.t1059.001
+author: '@ROxPinTeddy'
+date: 2020/04/11
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ Message|contains:
+ - 'New-LocalUser'
+ condition: selection
+falsepositives:
+ - Legitimate user creation
+level: medium
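Review bot: The selection matches `Message|contains: 'New-LocalUser'` on `EventID: 4104`, while the other new 4104 rules in this commit (`powershell_wmimplant.yml`, `win_powershell_web_request.yml`) match on `ScriptBlockText`; mixing the rendered `Message` and the structured field across rules means a backend that maps only one of them silently drops this rule. Using `ScriptBlockText|contains: 'New-LocalUser'` here, and adding the `definition: 'Script block logging must be enabled'` line the sibling rules carry under `logsource`, keeps the rule consistent and states its prerequisite.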
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml
index 9af0feff..89c927b0 100644
--- a/rules/windows/powershell/powershell_data_compressed.yml
+++ b/rules/windows/powershell/powershell_data_compressed.yml
@@ -1,8 +1,7 @@
title: Data Compressed - Powershell
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
- of data sent over the network
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
@@ -11,11 +10,11 @@ references:
logsource:
product: windows
service: powershell
- description: 'Script block logging must be enabled'
+ definition: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
- keywords|contains|all:
+ keywords|contains|all:
- '-Recurse'
- '|'
- 'Compress-Archive'
@@ -26,3 +25,4 @@ level: low
tags:
- attack.exfiltration
- attack.t1002
+ - attack.t1560
diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml
index b136b156..d14ef31a 100644
--- a/rules/windows/powershell/powershell_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_downgrade_attack.yml
@@ -8,17 +8,19 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
-author: Florian Roth (rule), Lee Holmes (idea)
+ - attack.t1059.001
+author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
+modified: 2020/03/20
logsource:
product: windows
service: powershell-classic
detection:
selection:
EventID: 400
- EngineVersion: '2.*'
+ EngineVersion|startswith: '2.'
filter:
- HostVersion: '2.*'
+ HostVersion|startswith: '2.'
condition: selection and not filter
falsepositives:
- Penetration Test
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index 28448cc5..9a921aa8 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index 04c495ef..e232d1bf 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index 1fb45807..a0131ff6 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
index 26074603..e7d075a5 100644
--- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Alec Costello
logsource:
product: windows
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml
index 422ed4ea..bf4c81ea 100644
--- a/rules/windows/powershell/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1096
+ - attack.t1564.004
author: Sami Ruohonen
date: 2018/07/24
logsource:
@@ -16,6 +17,7 @@ logsource:
detection:
keyword1:
- "set-content"
+ - "add-content"
keyword2:
- "-stream"
condition: keyword1 and keyword2
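Review bot: `add-content` is added to `keyword1`, changing the detection logic, but the rule receives no `modified:` date, unlike the logic edits to `powershell_downgrade_attack.yml` and `powershell_suspicious_download.yml` in this same diff, which add `modified: 2020/03/20` and `modified: 2020/03/25`; the same omission applies to the `' -windowstyle hidden '` typo fix in `powershell_suspicious_invocation_generic.yml`. Add `modified: <YYYY/MM/DD>` (placeholder) below `date: 2018/07/24` so consumers can tell the rule body changed. The rest of the detection block lies above this hunk.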
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index 9b810c4b..c4c4d5f2 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -9,6 +9,7 @@ tags:
- attack.execution
- attack.credential_access
- attack.t1086
+ - attack.t1059.001
author: John Lambert (idea), Florian Roth (rule)
date: 2017/04/09
logsource:
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml
index c955031d..9ca1ffa5 100644
--- a/rules/windows/powershell/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_psattack.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml
index 2da0f0f3..c5b9e3cf 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
@@ -10,11 +10,12 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: powershell
detection:
- selection:
+ selection:
EventID:
- 4103
- 400
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml
index f705329d..15c7fc9e 100644
--- a/rules/windows/powershell/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_shellcode_b64.yml
@@ -9,18 +9,19 @@ tags:
- attack.execution
- attack.t1055
- attack.t1086
+ - attack.t1059
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
logsource:
product: windows
service: powershell
- description: 'Script block logging must be enabled'
+ definition: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
- keyword1:
+ keyword1:
- '*AAAAYInlM*'
- keyword2:
+ keyword2:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
condition: selection and keyword1 and keyword2
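Review bot: The tag added here is `attack.t1059` while every other PowerShell rule touched in this diff adds the sub-technique `attack.t1059.001`; with `service: powershell` as the logsource, the sub-technique is the consistent choice. Change `- attack.t1059` to `- attack.t1059.001`.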
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index 2ab91194..6d8fe1b1 100644
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -5,17 +5,23 @@ description: Detects suspicious PowerShell download command
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Florian Roth
date: 2017/03/05
+modified: 2020/03/25
logsource:
product: windows
service: powershell
detection:
- keywords:
- Message:
- - '*System.Net.WebClient).DownloadString(*'
- - '*system.net.webclient).downloadfile(*'
- condition: keywords
+ downloadfile:
+ Message|contains|all:
+ - 'System.Net.WebClient'
+ - '.DownloadFile('
+ downloadstring:
+ Message|contains|all:
+ - 'System.Net.WebClient'
+ - '.DownloadString('
+ condition: downloadfile or downloadstring
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium
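Review bot: The new `downloadfile` and `downloadstring` selections repeat `'System.Net.WebClient'` and differ only in the method term, so the shared constraint is maintained twice. Splitting the class name and the method names into two selections joined with `and` expresses the same logic once; the rewrite below is behaviour-equivalent to `downloadfile or downloadstring`. The dropped `)` adjacency of the old patterns (`webclient).downloadfile(`) is presumably intentional, since it makes the match tolerant of whitespace and variable assignment.
```yaml
detection:
  webclient:
    Message|contains: 'System.Net.WebClient'
  method:
    Message|contains:
      - '.DownloadFile('
      - '.DownloadString('
  condition: webclient and method
# … unchanged: falsepositives, level …
```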
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
index df1c4876..8f6637cc 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
@@ -5,6 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Florian Roth (rule)
date: 2017/03/12
logsource:
@@ -17,7 +18,7 @@ detection:
hidden:
- ' -w hidden '
- ' -window hidden '
- - ' - windowstyle hidden '
+ - ' -windowstyle hidden '
noninteractive:
- ' -noni '
- ' -noninteractive '
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 41b6f78b..bfdbad36 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -5,6 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index fa90f0eb..0f2b8c49 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
@@ -11,6 +11,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml
new file mode 100644
index 00000000..de6a3897
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml
@@ -0,0 +1,30 @@
+title: Powershell Profile.ps1 Modification
+id: b5b78988-486d-4a80-b991-930eff3ff8bf
+status: experimental
+description: Detects a change in profile.ps1 of the Powershell profile
+references:
+ - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
+author: HieuTT35
+date: 2019/10/24
+modified: 2020/04/03
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ event:
+ EventID: 11
+ target1:
+ TargetFilename|contains|all:
+ - '\My Documents\PowerShell\'
+ - '\profile.ps1'
+ target2:
+ TargetFilename|contains|all:
+ - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
+ - '\profile.ps1'
+ condition: event and (target1 or target2)
+falsepositives:
+ - System administrator create Powershell profile manually
+level: high
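Review bot: `target1` requires `'\My Documents\PowerShell\'`, but Windows PowerShell stores the per-user profile under `\Documents\WindowsPowerShell\profile.ps1` (PowerShell 6+: `\Documents\PowerShell\`), and `My Documents` is a legacy junction name that a Sysmon `TargetFilename` will normally not contain, so this branch is unlikely to ever fire; `target2` likewise covers only `System32` and not the 32-bit `SysWOW64\WindowsPowerShell\v1.0\` directory. Consider `- '\Documents\WindowsPowerShell\'` and `- '\Documents\PowerShell\'` in place of the current term, with `TargetFilename|endswith: '\profile.ps1'` for the file name. The rule also uses `service: sysmon` with `EventID: 11` while the rest of this diff moves Sysmon rules to generic categories; `category: file_event` is the matching form. `tags` lists only tactics; `attack.t1546.013` (PowerShell Profile) would make the rule navigable by technique.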
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
index fd1378f4..7736fe84 100644
--- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
@@ -1,10 +1,7 @@
title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: experimental
-description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
- Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
- used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load
- and execute malicious DLLs and/or executables.
+description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
@@ -13,14 +10,14 @@ references:
logsource:
product: windows
service: powershell
- description: 'Script block logging must be enabled'
+ definition: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
- keyword1:
+ keyword1:
- '*Set-ItemProperty*'
- '*New-Item*'
- keyword2:
+ keyword2:
- '*CurrentVersion\Winlogon*'
condition: selection and ( keyword1 and keyword2 )
falsepositives:
@@ -29,3 +26,4 @@ level: medium
tags:
- attack.persistence
- attack.t1004
+ - attack.t1547.004
diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_wmimplant.yml
new file mode 100644
index 00000000..2bb8f63d
--- /dev/null
+++ b/rules/windows/powershell/powershell_wmimplant.yml
@@ -0,0 +1,43 @@
+title: WMImplant Hack Tool
+id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
+status: experimental
+description: Detects parameters used by WMImplant
+references:
+ - https://github.com/FortyNorthSecurity/WMImplant
+tags:
+ - attack.execution
+ - attack.t1047
+author: NVISO
+date: 2020/03/26
+logsource:
+ product: windows
+ service: powershell
+ definition: "Script block logging must be enabled"
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - "WMImplant"
+ - " change_user "
+ - " gen_cli "
+ - " command_exec "
+ - " disable_wdigest "
+ - " disable_winrm "
+ - " enable_wdigest "
+ - " enable_winrm "
+ - " registry_mod "
+ - " remote_posh "
+ - " sched_job "
+ - " service_mod "
+ - " process_kill "
+ # - " process_start "
+ - " active_users "
+ - " basic_info "
+ # - " drive_list "
+ # - " installed_programs "
+ - " power_off "
+ - " vacant_system "
+ - " logon_events "
+ condition: selection
+falsepositives:
+ - Administrative scripts that use the same keywords.
+level: high
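Review bot: Three list entries (`# - " process_start "`, `# - " drive_list "`, `# - " installed_programs "`) are commented out with no explanation, so a later maintainer cannot tell whether they were excluded for false positives or left in by accident; a comment such as `# excluded: generic terms that also occur in common admin scripts` above them, or removing them outright, settles that. The selection also omits `EventID: 4104` although the other script-block rules in this diff pair `ScriptBlockText` with the event ID; adding it keeps the rules uniform across backends that do not infer the event from the field name.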
diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_xor_commandline.yml
new file mode 100644
index 00000000..1f311f26
--- /dev/null
+++ b/rules/windows/powershell/powershell_xor_commandline.yml
@@ -0,0 +1,26 @@
+title: Suspicious XOR Encoded PowerShell Command Line
+id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
+description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
+status: experimental
+author: Teymur Kheirkhabarov, Harish Segar (rule)
+date: 2020/06/29
+tags:
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell-classic
+detection:
+ selection:
+ EventID: 400
+ HostName: "ConsoleHost"
+ filter:
+ CommandLine|contains:
+ - "bxor"
+ - "join"
+ - "char"
+ condition: selection and filter
+falsepositives:
+ - unknown
+level: medium
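Review bot: `CommandLine|contains:` with a list is an OR, so `condition: selection and filter` fires on any ConsoleHost command line that merely contains `join` or `char`, far broader than the description ("includes bxor command") suggests; `CommandLine|contains|all:` requires all three terms and matches the described obfuscation pattern. The name `filter` also conventionally denotes an exclusion (`selection and not filter`) in this rule set, so renaming it, e.g. `keywords:` with `condition: selection and keywords`, avoids a misreading.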
diff --git a/rules/windows/powershell/win_powershell_web_request.yml b/rules/windows/powershell/win_powershell_web_request.yml
new file mode 100644
index 00000000..6ab26850
--- /dev/null
+++ b/rules/windows/powershell/win_powershell_web_request.yml
@@ -0,0 +1,46 @@
+action: global
+title: Windows PowerShell Web Request
+id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
+status: experimental
+description: Detects the use of various web request methods (including aliases) via Windows PowerShell
+references:
+ - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.t1086
+detection:
+ condition: selection
+falsepositives:
+ - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+level: medium
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'Invoke-WebRequest'
+ - 'iwr '
+ - 'wget '
+ - 'curl '
+ - 'Net.WebClient'
+ - 'Start-BitsTransfer'
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Invoke-WebRequest'
+ - 'iwr '
+ - 'wget '
+ - 'curl '
+ - 'Net.WebClient'
+ - 'Start-BitsTransfer'
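Review bot: The `process_creation` selection constrains only `CommandLine`, so `'curl '` and `'wget '` match any process, including the `curl.exe` shipped with Windows 10, even though the title scopes the rule to PowerShell; the `service: powershell` section is implicitly scoped, this one is not. Add `Image|endswith: '\powershell.exe'` (plus `'\pwsh.exe'` if PowerShell Core is in scope) to the `process_creation` `selection`, or drop the generic aliases from that section. The tags keep `attack.t1086` with `attack.t1059` rather than `attack.t1059.001` used by the other PowerShell rules in this diff.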
diff --git a/rules/windows/process_access/sysmon_cmstp_execution.yml b/rules/windows/process_access/sysmon_cmstp_execution.yml
new file mode 100755
index 00000000..294afe07
--- /dev/null
+++ b/rules/windows/process_access/sysmon_cmstp_execution.yml
@@ -0,0 +1,47 @@
+action: global
+title: CMSTP Execution
+id: 9d26fede-b526-4413-b069-6e24b6d07167
+status: stable
+description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1191
+ - attack.g0069
+ - car.2019-04-001
+author: Nik Seetharaman
+date: 2018/07/16
+references:
+ - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate CMSTP use (unlikely in modern enterprise environments)
+level: high
+---
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ # Registry Object Add
+ selection2:
+ TargetObject: '*\cmmgr32.exe*'
+ EventType: 'CreateKey'
+ # Registry Object Value Set
+ selection3:
+ TargetObject: '*\cmmgr32.exe*'
+ # Process Access Call Trace
+ selection4:
+ CallTrace: '*cmlua.dll*'
+ condition: 1 of them
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # CMSTP Spawning Child Process
+ selection1:
+ ParentImage: '*\cmstp.exe'
+ condition: 1 of them
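Review bot: `selection4` matches `CallTrace`, a process-access field, but sits under `category: registry_event`, where no event carries that field, so the `cmlua.dll` indicator can never fire; it belongs in its own `category: process_access` section, which is also the category the file's new `process_access/` location implies. `selection2` is fully covered by `selection3` (same `TargetObject`, only an extra `EventType` constraint), so under `1 of them` it adds nothing and could be dropped. The rewrite below moves `selection4` into a third document.
```yaml
# … unchanged: global header and registry_event section, minus selection4 …
---
logsource:
  category: process_access
  product: windows
detection:
  # Process Access Call Trace
  selection4:
    CallTrace: '*cmlua.dll*'
  condition: 1 of them
# … unchanged: process_creation section …
```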
diff --git a/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
old mode 100644
new mode 100755
similarity index 98%
rename from rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
rename to rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index f91ffabc..cb3bf8b5
--- a/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -17,11 +17,10 @@ tags:
- attack.credential_access
- car.2019-04-004
logsource:
+ category: process_access
product: windows
- service: sysmon
detection:
selection:
- EventID: 10
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x40'
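Review bot: The rename also flips the mode from `100644` to `100755`, making a YAML rule file executable; the same happens to `sysmon_in_memory_assembly_execution.yml`, `sysmon_invoke_phantom.yml`, `sysmon_lsass_memdump.yml`, `sysmon_malware_verclsid_shellcode.yml` and `sysmon_mimikatz_trough_winrm.yml`, and the new `sysmon_cmstp_execution.yml` is created as `100755`. Data files should stay `100644`; a `git update-index --chmod=-x` pass over `rules/windows/process_access/` before merge fixes all of them. The `category: process_access` substitution for `service: sysmon` / `EventID: 10` itself looks correct.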
diff --git a/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
old mode 100644
new mode 100755
similarity index 90%
rename from rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml
rename to rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 73771eea..714ca5c2
--- a/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -6,7 +6,7 @@ description: Detects the access to processes by other suspicious processes which
few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain
routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
-date: 27/10/2019
+date: 2019/10/27
author: Perez Diego (@darkquassar), oscd.community
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
@@ -14,16 +14,14 @@ tags:
- attack.privilege_escalation
- attack.t1055
logsource:
+ category: process_access
product: windows
- service: sysmon
detection:
- selection_01:
- EventID: 10
+ selection1:
CallTrace:
- "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)"
- "*UNKNOWN(*)|UNKNOWN(*)"
- selection_02:
- EventID: 10
+ selection2:
CallTrace: "*UNKNOWN*"
granted_access:
GrantedAccess:
@@ -35,7 +33,7 @@ detection:
- "0x1F2FFF"
- "0x1F3FFF"
- "0x1FFFFF"
- condition: selection_01 OR (selection_02 AND granted_access)
+ condition: selection1 OR (selection2 AND granted_access)
fields:
- ComputerName
- User
diff --git a/rules/windows/sysmon/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
old mode 100644
new mode 100755
similarity index 93%
rename from rules/windows/sysmon/sysmon_invoke_phantom.yml
rename to rules/windows/process_access/sysmon_invoke_phantom.yml
index 5ed1498c..fd32409c
--- a/rules/windows/sysmon/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -9,13 +9,13 @@ references:
- https://twitter.com/timbmsft/status/900724491076214784
tags:
- attack.t1089
+ - attck.t1562.001
- attack.defense_evasion
logsource:
+ category: process_access
product: windows
- service: sysmon
detection:
selection:
- EventID: 10
TargetImage: '*\windows\system32\svchost.exe'
GrantedAccess: '0x1f3fff'
CallTrace:
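Review bot: The new tag is spelled `attck.t1562.001`; the namespace must be `attack.` for the MITRE tag to be recognised, so this line should read `- attack.t1562.001`. Every other sub-technique tag in this diff uses the `attack.` prefix.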
diff --git a/rules/windows/sysmon/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
old mode 100644
new mode 100755
similarity index 94%
rename from rules/windows/sysmon/sysmon_lsass_memdump.yml
rename to rules/windows/process_access/sysmon_lsass_memdump.yml
index d6e7d045..62f6a959
--- a/rules/windows/sysmon/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -11,11 +11,10 @@ tags:
- attack.s0002
- attack.credential_access
logsource:
+ category: process_access
product: windows
- service: sysmon
detection:
selection:
- EventID: 10
TargetImage: 'C:\windows\system32\lsass.exe'
GrantedAccess: '0x1fffff'
CallTrace:
diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
old mode 100644
new mode 100755
similarity index 96%
rename from rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
rename to rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
index 0e4c4282..2224ad19
--- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
+++ b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
@@ -11,12 +11,11 @@ tags:
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
logsource:
+ category: process_access
product: windows
- service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
selection:
- EventID: 10
TargetImage: '*\verclsid.exe'
GrantedAccess: '0x1FFFFF'
combination1:
@@ -28,5 +27,3 @@ detection:
falsepositives:
- unknown
level: high
-
-
diff --git a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
old mode 100644
new mode 100755
similarity index 94%
rename from rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
rename to rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
index 871724ab..9444b2a4
--- a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
@@ -7,11 +7,10 @@ status: stable
author: Patryk Prauze - ING Tech
date: 2019/05/20
logsource:
+ category: process_access
product: windows
- service: sysmon
detection:
selection:
- EventID: 10
TargetImage: 'C:\windows\system32\lsass.exe'
SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
condition: selection
diff --git a/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
new file mode 100644
index 00000000..f5b6e57d
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
@@ -0,0 +1,28 @@
+title: DNS Tunnel Technique from MuddyWater
+id: 36222790-0d43-4fe8-86e4-674b27809543
+description: Detecting DNS tunnel activity for Muddywater actor
+author: '@caliskanfurkan_'
+status: experimental
+date: 2020/06/04
+references:
+ - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
+ - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
+tags:
+ - attack.command_and_control
+ - attack.t1071
+ - attack.t1071.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\powershell.exe'
+ ParentImage|endswith:
+ - '\excel.exe'
+ CommandLine|contains:
+ - 'DataExchange.dll'
+ condition: selection
+falsepositives:
+ - Unkown
+level: critical
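Review bot: `falsepositives: - Unkown` is misspelled; `- Unknown` matches the wording the other rules in this diff use. Also, `Image|endswith`, `ParentImage|endswith` and `CommandLine|contains` are each single-item lists; plain scalars such as `Image|endswith: '\powershell.exe'` read cleaner, as in `win_advanced_ip_scanner.yml` further down.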
diff --git a/rules/windows/sysmon/sysmon_hack_wce.yml b/rules/windows/process_creation/sysmon_hack_wce.yml
similarity index 77%
rename from rules/windows/sysmon/sysmon_hack_wce.yml
rename to rules/windows/process_creation/sysmon_hack_wce.yml
index 6432ea86..1c8a2234 100644
--- a/rules/windows/sysmon/sysmon_hack_wce.yml
+++ b/rules/windows/process_creation/sysmon_hack_wce.yml
@@ -1,4 +1,3 @@
-action: global
title: Windows Credential Editor
id: 7aa7009a-28b9-4344-8c1f-159489a390df
description: Detects the use of Windows Credential Editor (WCE)
@@ -6,14 +5,11 @@ author: Florian Roth
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
date: 2019/12/31
+modified: 2020/07/01
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
-falsepositives:
- - 'Another service that uses a single -s command line switch'
-level: critical
----
logsource:
category: process_creation
product: windows
@@ -26,12 +22,6 @@ detection:
CommandLine|endswith: '.exe -S'
ParentImage|endswith: '\services.exe'
condition: 1 of them
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 13
- TargetObject|contains: Services\WCESERVICE\Start
- condition: selection
+falsepositives:
+ - 'Another service that uses a single -s command line switch'
+level: critical
\ No newline at end of file
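Review bot: The `service: sysmon` / `EventID: 13` section matching `Services\WCESERVICE\Start` is removed and nothing in this hunk replaces it, so the registry-based indicator is lost unless it was moved to a `registry_event` rule elsewhere in the commit (not visible here); the same applies to the `EventID: 11`–`14` / `UserInitMprLogonScript` section dropped from `sysmon_logon_scripts_userinitmprlogonscript_proc.yml`, whose new `_proc` suffix suggests a `_reg` sibling. If such a sibling exists, a comment naming it next to the `id` would make the split traceable. Both files now also end without a trailing newline (`\ No newline at end of file`).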
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
similarity index 55%
rename from rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
rename to rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
index 3aaa7490..f1ec0c66 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -1,4 +1,3 @@
-action: global
title: Logon Scripts (UserInitMprLogonScript)
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
status: experimental
@@ -7,15 +6,12 @@ references:
- https://attack.mitre.org/techniques/T1037/
tags:
- attack.t1037
+ - attack.t1037.001
- attack.persistence
- attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
-falsepositives:
- - exclude legitimate logon scripts
- - penetration tests, red teaming
-level: high
----
+modified: 2020/07/01
logsource:
category: process_creation
product: windows
@@ -25,29 +21,13 @@ detection:
exec_exclusion1:
Image: '*\explorer.exe'
exec_exclusion2:
- CommandLine:
- - '*\netlogon.bat'
- - '*\UsrLogon.cmd'
- condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
----
-logsource:
- category: process_creation
- product: windows
-detection:
+ CommandLine|contains:
+ - 'netlogon.bat'
+ - 'UsrLogon.cmd'
create_keywords_cli:
CommandLine: '*UserInitMprLogonScript*'
- condition: create_keywords_cli
----
-logsource:
- product: windows
- service: sysmon
-detection:
- create_selection_reg:
- EventID:
- - 11
- - 12
- - 13
- - 14
- create_keywords_reg:
- TargetObject: '*UserInitMprLogonScript*'
- condition: create_selection_reg and create_keywords_reg
+ condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
+falsepositives:
+ - exclude legitimate logon scripts
+ - penetration tests, red teaming
+level: high
\ No newline at end of file
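Review bot: `exec_exclusion2` changes from a suffix match (`'*\netlogon.bat'`, `'*\UsrLogon.cmd'`) to `CommandLine|contains:`, so any command line that mentions either file name anywhere is now excluded instead of only one that ends in it, which widens the exclusion more than the modifier migration requires; `CommandLine|endswith:` with the same two values keeps the original scope. The merged `condition` and `modified: 2020/07/01` look consistent with the other rule rewrites in this diff.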
diff --git a/rules/windows/process_creation/win_advanced_ip_scanner.yml b/rules/windows/process_creation/win_advanced_ip_scanner.yml
new file mode 100644
index 00000000..4f3e9324
--- /dev/null
+++ b/rules/windows/process_creation/win_advanced_ip_scanner.yml
@@ -0,0 +1,22 @@
+title: Advanced IP Scanner
+id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
+status: experimental
+description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
+references:
+ - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+ - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+author: '@ROxPinTeddy'
+date: 2020/05/12
+tags:
+ - attack.discovery
+ - attack.t1046
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains: '\advanced_ip_scanner'
+ condition: selection
+falsepositives:
+ - Legitimate administrative use
+level: medium
diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
index fe907c49..d4f12292 100644
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -7,8 +7,9 @@ tags:
- attack.execution
- attack.g0016
- attack.t1086
+ - attack.t1059.001
author: Florian Roth
-date: 2018/12/04
+date: 2018/12/04
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_babyshark.yml b/rules/windows/process_creation/win_apt_babyshark.yml
index fe7bc28c..cf40e92f 100644
--- a/rules/windows/process_creation/win_apt_babyshark.yml
+++ b/rules/windows/process_creation/win_apt_babyshark.yml
@@ -12,6 +12,9 @@ tags:
- attack.t1012
- attack.defense_evasion
- attack.t1170
+ - attack.t1218
+ - attack.t1059.003
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
index b8062c12..d629b491 100644
--- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -1,4 +1,4 @@
-title: Judgement Panda Exfil Activity
+title: Judgement Panda Credential Access Activity
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
@@ -9,6 +9,7 @@ tags:
- attack.credential_access
- attack.t1081
- attack.t1003
+ - attack.t1552.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml
index 231f2bb8..ab58aaff 100644
--- a/rules/windows/process_creation/win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/win_apt_bluemashroom.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1117
+ - attack.t1218.010
author: Florian Roth
date: 2019/10/02
logsource:
@@ -14,7 +15,7 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
+ CommandLine:
- '*\regsvr32*\AppData\Local\\*'
- '*\AppData\Local\\*,DllEntry*'
condition: selection
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index 3e94043f..51a72fe6 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -9,6 +9,7 @@ tags:
- attack.execution
- attack.g0045
- attack.t1064
+ - attack.t1059.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml
index 5e82be5d..fbace080 100644
--- a/rules/windows/process_creation/win_apt_empiremonkey.yml
+++ b/rules/windows/process_creation/win_apt_empiremonkey.yml
@@ -6,6 +6,7 @@ references:
- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
tags:
- attack.t1086
+ - attack.t1059.001
- attack.execution
date: 2019/04/02
author: Markus Neis
diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
index 8cfc979a..2cb176b2 100755
--- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -13,6 +13,7 @@ tags:
- attack.t1059
- attack.defense_evasion
- attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
new file mode 100644
index 00000000..2a469e90
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml
@@ -0,0 +1,23 @@
+title: EvilNum Golden Chickens Deployment via OCX Files
+id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
+status: experimental
+description: Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
+references:
+ - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
+ - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
+author: Florian Roth
+date: 2020/07/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'regsvr32'
+ - ' /s /i '
+ - '\AppData\Roaming\'
+ - '.ocx'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
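Review bot: The new rule has no `tags:` block, while the rest of this commit is adding sub-technique tags to rules with the same regsvr32 pattern (e.g. `attack.t1218.010` in the bluemashroom hunk). Adding `tags:` with `- attack.defense_evasion` and `- attack.t1218.010` after the `references` list would keep it consistent with those rules and make the rule discoverable by technique.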
diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
new file mode 100644
index 00000000..8c630baa
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -0,0 +1,47 @@
+title: Greenbug Campaign Indicators
+id: 3711eee4-a808-4849-8a14-faf733da3612
+status: experimental
+description: Detects tools and process executions as observed in a Greenbug campaign in May 2020
+references:
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
+author: Florian Roth
+date: 2020/05/20
+modified: 2020/05/21
+tags:
+ - attack.g0049
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'bitsadmin /transfer'
+ - 'CSIDL_APPDATA'
+ selection2:
+ CommandLine|contains:
+ - 'CSIDL_SYSTEM_DRIVE'
+ selection3:
+ CommandLine|contains:
+ - '\msf.ps1'
+ - '8989 -e cmd.exe'
+ - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'
+ - '-nop -w hidden -c $k=new-object'
+ - '[Net.CredentialCache]::DefaultCredentials;IEX '
+ - ' -nop -w hidden -c $m=new-object net.webclient;$m'
+ - '-noninteractive -executionpolicy bypass whoami'
+ - '-noninteractive -executionpolicy bypass netstat -a'
+ - 'L3NlcnZlc' # base64 encoded '/server='
+ selection4:
+ Image|endswith:
+ - '\adobe\Adobe.exe'
+ - '\oracle\local.exe'
+ - '\revshell.exe'
+ - 'infopagesbackup\ncat.exe'
+ - 'CSIDL_SYSTEM\cmd.exe'
+ - '\programdata\oracle\java.exe'
+ - 'CSIDL_COMMON_APPDATA\comms\comms.exe'
+ - '\Programdata\VMware\Vmware.exe'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: critical
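Review bot: Several values look like the report's path placeholders rather than strings that occur in telemetry: `Image|endswith: 'CSIDL_SYSTEM\cmd.exe'` and `'CSIDL_COMMON_APPDATA\comms\comms.exe'` in selection4 can only match if the Image field literally contains `CSIDL_*`, which a resolved process path does not, and the same concern applies to the `CSIDL_APPDATA` / `CSIDL_SYSTEM_DRIVE` command-line tokens in selection1 and selection2 if the report author substituted them. If they are placeholders, they should be replaced with the expanded paths where those stay specific, or dropped where expansion leaves a generic binary such as `\System32\cmd.exe`. Separately, with `condition: 1 of them`, selection2 is a single unanchored token that fires alone at `level: critical`; a comment explaining why that string is considered high-fidelity on its own would help tuning.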
diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
index a9924f6e..e781f65b 100644
--- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -12,6 +12,7 @@ tags:
- attack.t1098
- attack.exfiltration
- attack.t1002
+ - attack.t1560
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
new file mode 100644
index 00000000..84bacc8f
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml
@@ -0,0 +1,32 @@
+title: Ke3chang Registry Key Modifications
+id: 7b544661-69fc-419f-9a59-82ccc328f205
+status: experimental
+description: Detects Registry modifcations performaed by Ke3chang malware in campaigns running in 2019 and 2020
+references:
+ - https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
+ - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
+tags:
+ - attack.g0004
+ - attack.t1059
+ - attack.t1089
+ - attack.t1562.001
+author: Markus Neis, Swisscom
+date: 2020/06/18
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
+ # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
+ # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
+ # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
+ # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
+ CommandLine|contains:
+ - '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force'
+ - '-Property String -name Check_Associations -value'
+ - '-Property DWORD -name IEHarden -value 0 -Force'
+ condition: selection1
+falsepositives:
+ - Will need to be looked for combinations of those processes
+level: critical
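Review bot: The `description:` line has two typos, `modifcations performaed` → `modifications performed`, and the `falsepositives` entry reads as a to-do rather than a false-positive source (`Will need to be looked for combinations of those processes`). Since the rule fires on a single PowerShell argument string at `level: critical`, the entry should state what benign activity could set `IEHarden`/`DisableFirstRunCustomize` this way, or `Unknown` as the other new rules in this commit use. The comment block above `CommandLine|contains` is helpful; it could also note that the match depends on this exact parameter order, so a reordered command line would be missed.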
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
new file mode 100644
index 00000000..299c767e
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -0,0 +1,28 @@
+title: Lazarus Session Highjacker
+id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
+description: Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
+status: experimental
+references:
+ - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.t1036.005
+author: Trent Liffick (@tliffick)
+date: 2020/06/03
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\mstdc.exe'
+ - '*\gpvc.exe'
+ filter:
+ Image:
+ - 'C:\Windows\System32\\*'
+ - 'C:\Windows\SysWOW64\\*'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: high
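Review bot: The `Image` values use the legacy wildcard form (`'*\mstdc.exe'`, `'C:\Windows\System32\\*'`) while other hunks in this commit move to modifiers (e.g. `CommandLine|contains:` in the zxshell hunk); `Image|endswith:` for the selection and `Image|contains: '\Windows\System32\'` for the filter would express the same match without wildcards. The filter is also pinned to drive `C:`, so a system installed on another drive would not be excluded, which is worth either a comment or dropping the drive letter. The name `mstdc.exe` is one transposition away from the legitimate `msdtc.exe`; a comment confirming it is the spelling used in the referenced report would stop a future maintainer from "correcting" it. The title's `Highjacker` is presumably `Hijacker`.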
diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml
index 57990579..28fa6692 100644
--- a/rules/windows/process_creation/win_apt_mustangpanda.yml
+++ b/rules/windows/process_creation/win_apt_mustangpanda.yml
@@ -16,7 +16,7 @@ detection:
CommandLine:
- '*Temp\wtask.exe /create*'
- '*%windir:~-3,1%%PUBLIC:~-9,1%*'
- - '*/E:vbscript * C:\Users\*.txt" /F'
+ - '*/E:vbscript * C:\Users\\*.txt" /F'
- '*/tn "Security Script *'
- '*%windir:~-1,1%*'
selection2:
diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml
index 15963070..2124e236 100755
--- a/rules/windows/process_creation/win_apt_sofacy.yml
+++ b/rules/windows/process_creation/win_apt_sofacy.yml
@@ -15,6 +15,7 @@ tags:
- attack.defense_evasion
- attack.t1085
- car.2013-10-002
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_taidoor.yml b/rules/windows/process_creation/win_apt_taidoor.yml
new file mode 100644
index 00000000..a64bf77f
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_taidoor.yml
@@ -0,0 +1,29 @@
+title: TAIDOOR RAT DLL Load
+id: d1aa3382-abab-446f-96ea-4de52908210b
+status: experimental
+description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
+references:
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
+author: Florian Roth
+date: 2020/07/30
+tags:
+ - attack.execution
+ - attack.t1055.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - 'dll,MyStart'
+ - 'dll MyStart'
+ selection2a:
+ CommandLine|endswith:
+ - ' MyStart'
+ selection2b:
+ CommandLine|contains:
+ - 'rundll32.exe'
+ condition: selection1 or ( selection2a and selection2b )
+falsepositives:
+ - Unknown
+level: critical
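Review bot: The tag set maps a rundll32 DLL load to `attack.t1055.001` (process injection), whereas every other rundll32-based rule touched in this commit is tagged `attack.t1218.011` (sofacy, tropictrooper, zxshell and fireball hunks). Unless the referenced report describes injection rather than a signed-binary proxy load, adding `- attack.defense_evasion` and `- attack.t1218.011` would be the consistent mapping; if both apply, keeping `t1055.001` alongside them is fine.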
diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml
index 6c0c932d..7bf80dfb 100644
--- a/rules/windows/process_creation/win_apt_tropictrooper.yml
+++ b/rules/windows/process_creation/win_apt_tropictrooper.yml
@@ -1,6 +1,6 @@
title: TropicTrooper Campaign November 2018
id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
-author: '@41thexplorer, Windows Defender ATP'
+author: '@41thexplorer, Microsoft Defender ATP'
status: stable
date: 2019/11/12
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
@@ -9,6 +9,7 @@ references:
tags:
- attack.execution
- attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
new file mode 100644
index 00000000..23bfc182
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
@@ -0,0 +1,34 @@
+title: Turla Group Commands May 2020
+id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
+status: experimental
+description: Detects commands used by Turla group as reported by ESET in May 2020
+references:
+ - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+tags:
+ - attack.g0010
+ - attack.execution
+ - attack.t1086
+ - attack.t1053
+ - attack.t1027
+ - attack.discovery
+ - attack.t1016
+ - attack.t1059.001
+author: Florian Roth
+date: 2020/05/26
+logsource:
+ category: process_creation
+ product: windows
+falsepositives:
+ - Unknown
+detection:
+ selection1:
+ CommandLine|contains:
+ - 'tracert -h 10 yahoo.com'
+ - '.WSqmCons))|iex;'
+ - 'Fr`omBa`se6`4Str`ing'
+ selection2:
+ CommandLine|contains|all:
+ - 'net use https://docs.live.net'
+ - '@aol.co.uk'
+ condition: 1 of them
+level: critical
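Review bot: `falsepositives:` is placed between `logsource:` and `detection:`, while every other rule in this commit lists it after `detection:` and before `level:`; moving it keeps the key order uniform for anyone diffing rules. The indicators themselves are specific enough that `condition: 1 of them` is reasonable here.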
diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
index 57352b80..35df86b9 100644
--- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
+++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml
@@ -6,7 +6,7 @@ description: A sigma rule detecting an unidetefied attacker who used phishing em
YYTRIUM/APT29 campaign in 2016.
references:
- https://twitter.com/DrunkBinary/status/1063075530180886529
-author: '@41thexplorer, Windows Defender ATP'
+author: '@41thexplorer, Microsoft Defender ATP'
date: 2018/11/20
modified: 2018/12/11
tags:
diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
index ed6e7b42..ef29cd98 100644
--- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
+++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.t1073
- attack.g0044
+ - attack.t1574.002
author: Florian Roth, Markus Neis
date: 2020/02/01
logsource:
@@ -15,9 +16,9 @@ logsource:
product: windows
detection:
selection1:
- ParentImage|contains:
- - 'C:\Windows\Temp'
- - '\hpqhvind.exe'
+ ParentImage|contains:
+ - 'C:\Windows\Temp'
+ - '\hpqhvind.exe'
Image|startswith: 'C:\ProgramData\DRM'
selection2:
ParentImage|startswith: 'C:\ProgramData\DRM'
diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
new file mode 100644
index 00000000..9ae20d36
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml
@@ -0,0 +1,29 @@
+title: Winnti Pipemon Characteristics
+id: 73d70463-75c9-4258-92c6-17500fe972f2
+status: experimental
+description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
+references:
+ - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
+tags:
+ - attack.defense_evasion
+ - attack.t1073
+ - attack.g0044
+ - attack.t1574.002
+author: Florian Roth
+date: 2020/07/30
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - 'setup0.exe -p'
+ selection2:
+ CommandLine|endswith:
+ - 'setup.exe -x:0'
+ - 'setup.exe -x:1'
+ - 'setup.exe -x:2'
+ condition: 1 of them
+falsepositives:
+ - Legitimate setups that use similar flags
+level: critical
diff --git a/rules/windows/process_creation/win_apt_wocao.yml b/rules/windows/process_creation/win_apt_wocao.yml
index e0332f64..57b7dc9d 100644
--- a/rules/windows/process_creation/win_apt_wocao.yml
+++ b/rules/windows/process_creation/win_apt_wocao.yml
@@ -37,5 +37,5 @@ detection:
- ' -exec bypass -enc JgAg'
- 'type *keepass\KeePass.config.xml'
- 'iie.exe iie.txt'
- - 'reg query HKEY_CURRENT_USER\Software\*\PuTTY\Sessions\'
+ - 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\'
condition: selection
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index af5e6122..20858f85 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -11,12 +11,13 @@ tags:
- attack.t1059
- attack.defense_evasion
- attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection:
- Command:
+ CommandLine|contains:
- 'rundll32.exe *,zxFunction*'
- 'rundll32.exe *,RemoteDiskXXXXX'
condition: selection
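Review bot: After switching to `CommandLine|contains:`, the trailing `*` in `'rundll32.exe *,zxFunction*'` is redundant because the modifier already wraps the value in wildcards; `'rundll32.exe *,zxFunction'` expresses the same match and avoids mixing the two styles. The inner `*` between `rundll32.exe ` and `,` is still needed and is still interpreted as a wildcard, which deserves a short comment since the rest of the commit removes wildcards when it introduces modifiers (e.g. the cmstp hunk).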
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index ec753dcf..048ae435 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -26,6 +26,7 @@ tags:
- attack.defense_evasion
- attack.persistence
- attack.t1158
+ - attack.t1564.001
falsepositives:
- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
- msiexec.exe hiding desktop.ini
diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml
index 818e3605..4faa43bc 100644
--- a/rules/windows/process_creation/win_bootconf_mod.yml
+++ b/rules/windows/process_creation/win_bootconf_mod.yml
@@ -18,7 +18,7 @@ logsource:
detection:
selection1:
Image|endswith: \bcdedit.exe
- CommandLine: set
+ CommandLine|contains: set
selection2:
- CommandLine|contains|all:
- bootstatuspolicy
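Review bot: `CommandLine|contains: set` matches the substring `set` anywhere in the command line, including inside paths or other switches, not only the `/set` verb; since selection1 is the bcdedit gate for this rule, `CommandLine|contains: ' /set '` (or `'/set '`) would keep the intent while excluding incidental matches. The `condition:` that combines selection1 with selection2 is outside the hunk, so this is based on the selection alone.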
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
index c01a933c..db1a6be5 100644
--- a/rules/windows/process_creation/win_change_default_file_association.yml
+++ b/rules/windows/process_creation/win_change_default_file_association.yml
@@ -1,9 +1,7 @@
title: Change Default File Association
id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
status: experimental
-description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections
- are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc
- utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
@@ -15,9 +13,9 @@ logsource:
detection:
selection:
CommandLine|contains|all:
- - 'cmd'
- - '/c'
- - 'assoc'
+ - 'cmd'
+ - '/c'
+ - 'assoc'
condition: selection
falsepositives:
- Admin activity
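Review bot: In `CommandLine|contains|all`, the `'assoc'` token is matched as a bare substring, so any `cmd /c` command line containing a word such as `associated` or a path containing `assoc` satisfies all three terms; `' assoc'` (leading space) would limit the hit to the `assoc` command itself while keeping `level: low`. The same applies to a lesser degree to `'cmd'` and `'/c'`, which are short enough to appear inside unrelated arguments.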
@@ -33,3 +31,4 @@ level: low
tags:
- attack.persistence
- attack.t1042
+ - attack.t1546.001
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index 9a880199..86b9126f 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -10,6 +10,7 @@ date: 2019/01/16
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index 67f9fe09..0a4be843 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -10,22 +10,24 @@ tags:
- attack.t1191
- attack.g0069
- car.2019-04-001
+ - attack.t1548.002
+ - attack.t1218
author: Nik Seetharaman
modified: 2019/07/31
date: 2019/01/16
references:
- - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+ - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- https://twitter.com/hFireF0X/status/897640081053364225
logsource:
category: process_creation
product: windows
detection:
selection1:
- ParentCommandLine: '*\DllHost.exe'
+ ParentCommandLine|contains: '\DllHost.exe '
selection2:
- ParentCommandLine:
- - '*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- - '*{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
+ ParentCommandLine|endswith:
+ - '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+ - '{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
condition: selection1 and selection2
fields:
- CommandLine
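Review bot: The trailing space in `ParentCommandLine|contains: '\DllHost.exe '` assumes the parent's executable path is followed directly by a space; if the path is quoted in the command line, the character after `DllHost.exe` is `"` and selection1 no longer matches, silently disabling the rule because `condition: selection1 and selection2`. `'\DllHost.exe'` without the trailing space is safe here, since selection2's `|endswith` on the two CLSIDs already provides the specificity. A comment on why `|endswith` was chosen for selection2 (presumably because the CLSID is the last token of the `/Processid:` argument) would help anyone adjusting it later.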
diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml
new file mode 100644
index 00000000..c1594ad9
--- /dev/null
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml
@@ -0,0 +1,24 @@
+title: Cmd.exe CommandLine Path Traversal
+id: 087790e3-3287-436c-bccf-cbd0184a7db1
+description: detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking
+status: experimental
+date: 2020/06/11
+author: xknow @xknow_infosec
+references:
+ - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
+ - https://twitter.com/Oddvarmoe/status/1270633613449723905
+tags:
+ - attack.t1059
+ - attack.t1059.003
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentCommandLine|contains: 'cmd*/c'
+ CommandLine|contains: '/../../'
+ condition: selection
+falsepositives:
+ - (not much) some benign Java tools may product false-positive commandlines for loading libraries
+level: high
\ No newline at end of file
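Review bot: Two wording defects in the new rule's documentation: `description:` starts lowercase (`detects`) while every other rule in this commit capitalises it, and the `falsepositives` entry has a typo, `may product false-positive commandlines` → `may produce false-positive command lines`. The detection is fine, but a comment noting that `'cmd*/c'` relies on the inner `*` being a wildcard (so both `cmd /c` and `cmd.exe /c` match) would make the intent explicit, as elsewhere this commit replaces wildcards with modifiers.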
diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
index ead8d17a..214171b0 100644
--- a/rules/windows/process_creation/win_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -1,26 +1,34 @@
title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: experimental
-description: Detects the use of a control panel item (.cpl) outside of the System32 folder
+description: Detects the malicious use of a control panel item
reference:
- https://attack.mitre.org/techniques/T1196/
+ - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
tags:
- attack.execution
- attack.t1196
- attack.defense_evasion
-author: Kyaw Min Thein
-date: 2019/08/27
+ - attack.t1218
+author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
+date: 2020/06/22
level: critical
logsource:
product: windows
category: process_creation
detection:
- selection:
+ selection1:
CommandLine: '*.cpl'
filter:
CommandLine:
- '*\System32\\*'
- '*%System%*'
- condition: selection and not filter
+ selection2:
+ CommandLine:
+ - '*reg add*'
+ selection3:
+ CommandLine:
+ - '*CurrentVersion\\Control Panel\\CPLs*'
+ condition: (selection1 and not filter) or (selection2 and selection3)
falsepositives:
- Unknown
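Review bot: The `date:` line was overwritten (`2019/08/27` → `2020/06/22`) when the rule was extended, which loses the creation date; the convention used by other rules in this commit is to keep `date:` and add `modified: 2020/06/22` (see the greenbug and cmstp hunks). The description was also made less specific (`Detects the malicious use of a control panel item`) while the detection now has two distinct branches; stating both, e.g. `Detects a .cpl loaded from outside System32, or a CPLs registry entry being added via reg add`, would document what each side of `condition: (selection1 and not filter) or (selection2 and selection3)` covers. The wildcard values `'*reg add*'` and `'*CurrentVersion\\Control Panel\\CPLs*'` could also use `CommandLine|contains:`, matching the style the commit applies elsewhere.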
diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
index 4b3adbbb..eb7818e2 100644
--- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
@@ -13,6 +13,8 @@ tags:
- attack.credential_access
- attack.t1003
- car.2013-07-001
+ - attack.t1003.002
+ - attack.t1003.003
logsource:
category: process_creation
product: windows
@@ -21,13 +23,13 @@ detection:
- Image|endswith: '\esentutl.exe'
CommandLine|contains:
- 'vss'
- - '/m'
- - '/y'
+ - ' /m '
+ - ' /y '
- CommandLine|contains:
- '\windows\ntds\ntds.dit'
- '\config\sam'
- '\config\security'
- - '\config\system'
+ - '\config\system ' # space needed to avoid false positives with \config\systemprofile\
- '\repair\sam'
- '\repair\system'
- '\repair\security'
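Review bot: The added trailing space in `'\config\system '` (and in `' /m '` / `' /y '`) makes the match depend on the path being followed by another argument; a command line that ends with `\config\system`, or wraps the path in quotes, is no longer matched, so the comment's false-positive fix comes at the cost of missed true positives. An alternative that still excludes `\config\systemprofile\` is to keep `'\config\system'` and add a filter selection on `'\config\systemprofile'` to the condition; the `condition:` is outside the hunk, so its current shape is not visible here. For `' /m '`, if the intent was to cover esentutl dump modes such as `/mh`, the trailing space now excludes them as well.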
diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml
index 8c714f37..3fca4131 100755
--- a/rules/windows/process_creation/win_crime_fireball.yml
+++ b/rules/windows/process_creation/win_crime_fireball.yml
@@ -12,6 +12,7 @@ tags:
- attack.t1059
- attack.defense_evasion
- attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml
new file mode 100644
index 00000000..9f7d3d64
--- /dev/null
+++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml
@@ -0,0 +1,40 @@
+title: Maze Ransomware
+id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
+status: experimental
+description: Detects specific process characteristics of Maze ransomware word document droppers
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+ - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
+ - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
+author: Florian Roth
+date: 2020/05/08
+tags:
+ - attack.execution
+ - attack.t1204
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # Dropper
+ selection1:
+ ParentImage|endswith:
+ - '\WINWORD.exe'
+ Image|endswith:
+ - '*.tmp'
+ # Binary Execution
+ selection2:
+ Image|endswith: '\wmic.exe'
+ ParentImage|contains: '\Temp\'
+ CommandLine|endswith: 'shadowcopy delete'
+ # Specific Pattern
+ selection3:
+ CommandLine|endswith: 'shadowcopy delete'
+ CommandLine|contains: '\..\..\system32'
+ condition: 1 of them
+fields:
+ - ComputerName
+ - User
+ - Image
+falsepositives:
+ - Unlikely
+level: critical
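Review bot: Under `Image|endswith:`, the leading wildcard in `'*.tmp'` is redundant (the modifier already anchors the value to the end of the field); `'.tmp'` is enough, and the same applies to `'*\cmd.exe'`, `'*\powershell.exe'` and `'*\bitsadmin.exe'` in the CVE-2020-10189 hunk later in this diff. Selection1 also fires on its own under `1 of them`: any `.tmp` image spawned by WINWORD is flagged at `level: critical`, which is broader than the other two selections, so a comment stating that this is intended (Word dropping and executing a renamed temp file) would help tuning.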
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml
index b499999d..b7ed701e 100644
--- a/rules/windows/process_creation/win_data_compressed_with_rar.yml
+++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml
@@ -29,4 +29,5 @@ falsepositives:
level: low
tags:
- attack.exfiltration
- - attack.t1002
\ No newline at end of file
+ - attack.t1002
+ - attack.t1560
diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml
index 9a480ec0..92087ad2 100644
--- a/rules/windows/process_creation/win_encoded_frombase64string.yml
+++ b/rules/windows/process_creation/win_encoded_frombase64string.yml
@@ -9,6 +9,7 @@ tags:
- attack.t1140
- attack.execution
- attack.defense_evasion
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_encoded_iex.yml b/rules/windows/process_creation/win_encoded_iex.yml
index 61bff8ab..e3740b9b 100644
--- a/rules/windows/process_creation/win_encoded_iex.yml
+++ b/rules/windows/process_creation/win_encoded_iex.yml
@@ -8,16 +8,17 @@ tags:
- attack.t1086
- attack.t1140
- attack.execution
+ - attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains:
- - 'IEX (['
- - 'iex (['
- - 'iex (New'
- - 'IEX (New'
+ CommandLine|base64offset|contains:
+ - 'IEX (['
+ - 'iex (['
+ - 'iex (New'
+ - 'IEX (New'
condition: selection
fields:
- CommandLine
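Review bot: The added tag `attack.t1059.003` (Windows Command Shell) does not match the rule, whose existing `attack.t1086` tag and `IEX` patterns are PowerShell; elsewhere in this commit `t1086` is mapped to `attack.t1059.001` (apt29 thinktanks, empiremonkey and encoded_frombase64string hunks). Changing the line to `- attack.t1059.001` keeps the sub-technique mapping consistent.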
diff --git a/rules/windows/process_creation/win_etw_modification_cmdline.yml b/rules/windows/process_creation/win_etw_modification_cmdline.yml
new file mode 100644
index 00000000..7a7750fa
--- /dev/null
+++ b/rules/windows/process_creation/win_etw_modification_cmdline.yml
@@ -0,0 +1,28 @@
+title: COMPlus_ETWEnabled Command Line Arguments
+id: 41421f44-58f9-455d-838a-c398859841d4
+status: experimental
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+references:
+ - https://twitter.com/_xpn_/status/1268712093928378368
+ - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+ - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+ - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+ - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+ - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+ - https://bunnyinside.com/?term=f71e8cb9c76a
+ - http://managed670.rssing.com/chan-5590147/all_p1.html
+ - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: 'COMPlus_ETWEnabled=0'
+ condition: selection
+falsepositives:
+ - unknown
+level: critical
\ No newline at end of file
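Review bot: `tags:` carries only the tactic `attack.defense_evasion` with no technique, while the ke3chang hunk in this commit tags comparable defensive-tooling tampering under `attack.t1562.001`; adding a technique tag under Impair Defenses (e.g. `- attack.t1562.006`, Indicator Blocking, if that is the intended mapping) would keep the rule consistent with the rest of the commit. The match `CommandLine|contains: 'COMPlus_ETWEnabled=0'` only sees the variable when it is set on the command line itself, not when it is inherited from the process environment, which is worth stating in the description so the coverage gap is understood.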
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index a3f07bec..b3f2b401 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -1,6 +1,7 @@
title: Disable of ETW Trace
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
+status: experimental
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml
@@ -9,8 +10,8 @@ author: '@neu5ron, Florian Roth'
date: 2019/03/22
tags:
- attack.execution
- - attack.t1070
- - car.2016-04-002
+ - attack.t1070
+ - car.2016-04-002
level: high
logsource:
category: process_creation
@@ -25,3 +26,5 @@ detection:
selection_disable_2:
CommandLine: '* set-log* /e:false*'
condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
+falsepositives:
+ - Unknown
diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
index 57bcdd0e..231813ee 100644
--- a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
+++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
@@ -12,7 +12,7 @@ logsource:
product: windows
detection:
selection:
- NewProcessName|endswith:
+ Image|endswith:
- '\plink.exe'
- '\socat.exe'
- '\stunnel.exe'
diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
index ed4fa987..2a5fb7d4 100644
--- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
@@ -16,7 +16,7 @@ logsource:
detection:
selection:
ParentImage: '*\WINWORD.EXE'
- Image: '*\MicroScMgmt.exe '
+ Image: '*\MicroScMgmt.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
new file mode 100644
index 00000000..33a9d8ee
--- /dev/null
+++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml
@@ -0,0 +1,28 @@
+title: Exploited CVE-2020-10189 Zoho ManageEngine
+id: 846b866e-2a57-46ee-8e16-85fa92759be7
+status: experimental
+description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-10189
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
+ - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
+author: Florian Roth
+date: 2020/03/25
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
+ Image|endswith:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\bitsadmin.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
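Review bot: The `Image|endswith` values under `selection` carry a leading `*` (`'*\cmd.exe'`) that the `endswith` modifier already supplies, while the `ParentImage|endswith` line just above omits it. Dropping the wildcard makes the two lines consistent with each other and with the other new rules in this commit (e.g. `'\System32\werfault.exe'` in win_exploit_cve_2020_1350.yml): `- '\cmd.exe'`, `- '\powershell.exe'`, `- '\bitsadmin.exe'`. How a converter treats the doubled wildcard is backend-specific, so the explicit form is the safer one.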
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
new file mode 100644
index 00000000..9f11649f
--- /dev/null
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
@@ -0,0 +1,31 @@
+title: Suspicious PrinterPorts Creation (CVE-2020-1048)
+id: cc08d590-8b90-413a-aff6-31d1a99678d7
+status: experimental
+description: Detects new commands that add new printer port which point to suspicious file
+author: EagleEye Team, Florian Roth
+date: 2020/05/13
+modified: 2020/05/23
+references:
+ - https://windows-internals.com/printdemon-cve-2020-1048/
+tags:
+ - attack.persistence
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - 'Add-PrinterPort -Name'
+ selection2:
+ CommandLine|contains:
+ - '.exe'
+ - '.dll'
+ - '.bat'
+ selection3:
+ CommandLine|contains:
+ - 'Generic / Text Only'
+ condition: ( selection1 and selection2 ) or selection3
+falsepositives:
+ - New printer port install on host
+level: high
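Review bot: `selection2` adds no real constraint once the command line carries the host binary name: a launch recorded as `powershell.exe ... Add-PrinterPort -Name ...` already contains `.exe`, so `selection1 and selection2` collapses to `selection1` for most invocations. `selection3` likewise fires on its own for any command line mentioning `Generic / Text Only`, including ordinary Add-Printer provisioning with that driver, which the single `falsepositives` entry does not reflect for a `level: high` rule. If the intent is a port whose name is a program or library path, tie the extension to the `-Name` argument (the repository already uses the `|re` modifier elsewhere) and list the broader matches under `falsepositives`.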
diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1350.yml b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml
new file mode 100644
index 00000000..ec82fbc6
--- /dev/null
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1350.yml
@@ -0,0 +1,29 @@
+title: DNS RCE CVE-2020-1350
+id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
+status: experimental
+description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
+references:
+ - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
+ - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
+author: Florian Roth
+date: 2020/07/15
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\System32\dns.exe'
+ filter:
+ Image|endswith:
+ - '\System32\werfault.exe'
+ - '\System32\conhost.exe'
+ - '\System32\dnscmd.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown but benign sub processes of the Windows DNS service dns.exe
+level: critical
diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index b085214d..c7a4b601 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -11,17 +11,18 @@ tags:
- attack.credential_access
- attack.t1003
- car.2013-07-001
+ - attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
- NewProcessName: '*\reg.exe'
- CommandLine|contains:
+ Image: '*\reg.exe'
+ CommandLine|contains:
- 'save'
- 'export'
selection_2:
- CommandLine|contains:
+ CommandLine|contains:
- 'hklm'
- 'hkey_local_machine'
selection_3:
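Review bot: `Image: '*\reg.exe'` keeps a leading-wildcard exact match, whereas the same field rename elsewhere in this commit switches to the modifier form (`Image|endswith:` in win_exfiltration_and_tunneling_tools_execution.yml). `Image|endswith: '\reg.exe'` expresses the same match in the form the other rules use. The enclosing `detection` block continues past the hunk.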
diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml
new file mode 100644
index 00000000..a012eb57
--- /dev/null
+++ b/rules/windows/process_creation/win_hack_koadic.yml
@@ -0,0 +1,28 @@
+title: Koadic Execution
+id: 5cddf373-ef00-4112-ad72-960ac29bac34
+status: experimental
+description: Detects command line parameters used by Koadic hack tool
+references:
+ - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
+ - https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955
+ - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
+tags:
+ - attack.execution
+ - attack.t1170
+ - attack.t1218.005
+date: 2020/01/12
+author: wagga
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine:
+ - '*cmd.exe* /q /c chcp *'
+ condition: selection1
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Pentest
+level: high
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 9c63c07d..df77011c 100644
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -9,6 +9,8 @@ tags:
- attack.credential_access
- attack.t1003
- attack.s0005
+ - attack.t1558
+ - attack.t1558.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml
index bbc69068..82d1791d 100644
--- a/rules/windows/process_creation/win_hh_chm.yml
+++ b/rules/windows/process_creation/win_hh_chm.yml
@@ -12,6 +12,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1223
+ - attack.t1218.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
index a0e556d8..aaecdcbd 100644
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -9,6 +9,7 @@ date: 2019/12/22
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.001
falsepositives:
- Unknown
level: high
@@ -29,5 +30,5 @@ logsource:
detection:
selection:
EventID: 11
- TargetFileName|contains: '*\lsass.dmp'
+ TargetFilename|contains: '*\lsass.dmp'
condition: 1 of them
diff --git a/rules/windows/process_creation/win_html_help_spawn.yml b/rules/windows/process_creation/win_html_help_spawn.yml
new file mode 100644
index 00000000..ce841312
--- /dev/null
+++ b/rules/windows/process_creation/win_html_help_spawn.yml
@@ -0,0 +1,35 @@
+title: HTML Help Shell Spawn
+id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
+status: experimental
+description: Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
+references:
+ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
+author: Maxim Pavlunin
+date: 2020/04/01
+modified: 2020/04/03
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1223
+ - attack.t1218.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: 'C:\Windows\hh.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\regsvr32.exe'
+ - '\wmic.exe'
+ - '\rundll32.exe'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - unknown
+level: high
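Review bot: `ParentImage: 'C:\Windows\hh.exe'` is an exact full-path match, so the rule stays silent on hosts whose Windows directory is not `C:\Windows` or where `hh.exe` is started from another location; the other new rules in this commit anchor parents with `ParentImage|endswith` (e.g. `'\System32\dns.exe'`). `ParentImage|endswith: '\hh.exe'` matches the same parent without the drive and directory assumption. Minor: `- unknown` under `falsepositives` is lower-case here but `Unknown` in the sibling rules.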
diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml
index d9002353..24a96f3e 100644
--- a/rules/windows/process_creation/win_hwp_exploits.yml
+++ b/rules/windows/process_creation/win_hwp_exploits.yml
@@ -16,6 +16,7 @@ tags:
- attack.t1202
- attack.t1193
- attack.g0032
+ - attack.t1566.001
author: Florian Roth
date: 2019/10/24
logsource:
diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml
index 52149935..c56855d6 100644
--- a/rules/windows/process_creation/win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/win_impacket_lateralization.yml
@@ -53,6 +53,7 @@ tags:
- attack.lateral_movement
- attack.t1047
- attack.t1175
+ - attack.t1021
falsepositives:
- pentesters
level: critical
diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
index e04fb312..34f7d609 100644
--- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
@@ -8,6 +8,7 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1015
+ - attack.t1546.008
author: Florian Roth
date: 2019/09/06
logsource:
@@ -27,4 +28,4 @@ detection:
falsepositives:
- Penetration Tests
level: high
-
+
diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml
index 3c7e0009..b28ba32e 100644
--- a/rules/windows/process_creation/win_interactive_at.yml
+++ b/rules/windows/process_creation/win_interactive_at.yml
@@ -11,6 +11,7 @@ modified: 2019/11/11
tags:
- attack.privilege_escalation
- attack.t1053
+ - attack.t1053.002
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
index 9557a02f..0ac9132e 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml
@@ -8,8 +8,8 @@ tags:
- attack.defense_evasion
- attack.t1027
logsource:
+ category: process_creation
product: windows
- service: process_creation
detection:
selection:
- CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index 80496bc9..331c64c0 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1170
+ - attack.t1218.005
author: Markus Neis
date: 2018/06/07
logsource:
diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
index 68b4618d..a46f9b19 100644
--- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
+++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
@@ -25,7 +25,7 @@ detection:
- Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/c'
- - 'dir'
+ - 'dir '
- '\Users\'
filter_1:
CommandLine|contains:
diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml
index 7514fe9c..de0ee64e 100644
--- a/rules/windows/process_creation/win_lsass_dump.yml
+++ b/rules/windows/process_creation/win_lsass_dump.yml
@@ -1,7 +1,6 @@
title: LSASS Memory Dumping
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
-description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe
- to export the memory space of lsass.exe which contains sensitive credentials.
+description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
@@ -13,6 +12,7 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index d007e070..d7f30acc 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -12,6 +12,7 @@ modified: 2018/12/11
tags:
- attack.execution
- attack.t1064
+ - attack.t1059.005
detection:
condition: selection
level: high
@@ -41,5 +42,5 @@ logsource:
detection:
selection:
EventID: 13
- TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
+ TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
Details: '%AppData%\Roaming\Oracle\bin\\*'
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index d294395c..7f253f7c 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -1,8 +1,7 @@
title: NotPetya Ransomware Activity
id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
status: experimental
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive
- C is deleted and windows eventlogs are cleared using wevtutil
+description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
author: Florian Roth, Tom Ueltschi
date: 2019/01/16
references:
@@ -16,6 +15,7 @@ tags:
- attack.t1070
- attack.t1003
- car.2016-04-002
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index 251a3a0a..0dda1360 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1064
+ - attack.t1059.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
index 9ac70a65..a2a2546f 100644
--- a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
+++ b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml
@@ -5,7 +5,7 @@ description: Trickbot enumerates domain/network topology and executes certain co
references:
- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
author: David Burkett
-date: 12/28/2019
+date: 2019/12/28
tags:
- attack.t1482
logsource:
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index 4907ea2d..e28d9ca9 100644
--- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -1,9 +1,9 @@
title: Meterpreter or Cobalt Strike Getsystem Service Start
id: 15619216-e993-4721-b590-4c520615a67d
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
-author: Teymur Kheirkhabarov
+author: Teymur Kheirkhabarov, Ecco
date: 2019/10/26
-modified: 2019/11/11
+modified: 2020/05/15
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@@ -17,9 +17,6 @@ detection:
selection_1:
ParentImage|endswith: '\services.exe'
selection_2:
- - CommandLine|contains:
- - 'cmd'
- - 'comspec'
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- CommandLine|contains|all:
- 'cmd'
@@ -37,7 +34,9 @@ detection:
- 'rundll32'
- '.dll,a'
- '/p:'
- condition: selection_1 and selection_2
+ filter1:
+ CommandLine|contains: 'MpCmdRun'
+ condition: selection_1 and selection_2 and not filter1
fields:
- ComputerName
- User
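Review bot: `filter1` excludes on `CommandLine|contains: 'MpCmdRun'`, a substring test over a field whose content is influenced by whoever launched the process, so any services.exe child whose command line merely contains that string is dropped from the alert regardless of which binary actually ran. Anchoring the exclusion on the image instead, `filter1:` / `Image|endswith: '\MpCmdRun.exe'`, limits it to the Defender binary the exclusion is presumably meant for. A one-line comment above `filter1` naming the benign case it covers would also help the next reviewer; the `fields` list continues past the hunk.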
diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml
index 11b6aa84..90ab5245 100644
--- a/rules/windows/process_creation/win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/win_mimikatz_command_line.yml
@@ -8,6 +8,10 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.001
+ - attack.t1003.006
logsource:
category: process_creation
product: windows
@@ -30,8 +34,7 @@ detection:
selection_3:
CommandLine|contains:
- '::'
- condition: selection_1 or
- selection_2 and selection_3
+ condition: selection_1 or selection_2 and selection_3
falsepositives:
- Legitimate Administrator using tool for password recovery
level: medium
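Review bot: The joined `condition: selection_1 or selection_2 and selection_3` relies on `and` binding tighter than `or` and is easy to misread as `(selection_1 or selection_2) and selection_3`; the two-line form it replaces at least showed the grouping visually. Writing it as `condition: selection_1 or (selection_2 and selection_3)` keeps the evaluation unchanged and removes the ambiguity. I am assuming the existing precedence was intended, since nothing in the hunk suggests otherwise.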
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml
index bf207beb..dc0dfb5a 100644
--- a/rules/windows/process_creation/win_mmc_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -7,6 +7,10 @@ date: 2019/08/05
tags:
- attack.lateral_movement
- attack.t1175
+ - attack.t1059.004
+ - attack.t1059.005
+ - attack.t1059.003
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
index a52c88d1..62b7d608 100644
--- a/rules/windows/process_creation/win_mshta_javascript.yml
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
@@ -12,6 +12,7 @@ tags:
- attack.execution
- attack.defense_evasion
- attack.t1170
+ - attack.t1218.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index 3909f721..f6900f53 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
@@ -33,6 +33,7 @@ tags:
- car.2013-02-003
- car.2013-03-001
- car.2014-04-003
+ - attack.t1218
falsepositives:
- Printer software / driver installations
- HP software
diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml
index 5df7c054..7cc35686 100644
--- a/rules/windows/process_creation/win_net_enum.yml
+++ b/rules/windows/process_creation/win_net_enum.yml
@@ -21,7 +21,7 @@ detection:
- '\net1.exe'
CommandLine|contains: 'view'
filter:
- CommandLine|contains: '\\'
+ CommandLine|contains: \\\
condition: selection and not filter
fields:
- ComputerName
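Review bot: The new filter value `\\\` is an unquoted plain scalar, unlike every other value in this rule, and the Sigma escaping it depends on (as I read the spec, two or three backslashes collapse to one literal backslash, so `\\\` ends up as a literal `\\`, the UNC prefix) is not apparent from the line. Quoting it and stating the intent keeps it maintainable: `CommandLine|contains: '\\\\'  # literal \\ (UNC path prefix), see Sigma escaping rules`, four backslashes being the form the spec recommends for readability. The replaced `'\\'` matched a single backslash and therefore excluded nearly every command line containing a path, which seems to be what this hunk corrects; a line in the commit message saying so would help anyone bisecting later.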
diff --git a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
new file mode 100644
index 00000000..def36dc7
--- /dev/null
+++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
@@ -0,0 +1,32 @@
+title: Netsh RDP Port Opening
+id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
+description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
+references:
+ - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
+date: 2020/05/23
+tags:
+ - attack.command_and_control
+ - attack.t1076
+ - attack.t1021.001
+status: experimental
+author: Sander Wiebing
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - netsh
+ - firewall add portopening
+ - tcp 3389
+ selection2:
+ CommandLine|contains|all:
+ - netsh
+ - advfirewall firewall add rule
+ - action=allow
+ - protocol=TCP
+ - localport=3389
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration
+level: high
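Review bot: `selection1` requires the literal sequence `tcp 3389`, which only covers the positional form of the legacy command; if I recall the `netsh firewall add portopening` syntax correctly it also accepts named arguments (`protocol=TCP port=3389 ...`), in which case the port never sits next to the protocol and the rule misses it. A third selection with `- netsh`, `- firewall add portopening`, `- port=3389` under `CommandLine|contains|all` closes that gap with the existing `condition: 1 of them`. The plain scalars here are quoted in the sibling rule win_netsh_fw_add_susp_image.yml (`'netsh'`); either style works, but the two new files should agree.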
diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index 7657dd25..59c3361f 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
@@ -1,4 +1,4 @@
-title: Netsh
+title: Netsh Port or Application Allowed
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
description: Allow Incoming Connections by Port or Application on Windows Firewall
references:
@@ -10,15 +10,18 @@ tags:
- attack.command_and_control
- attack.t1090
status: experimental
-author: Markus Neis
+author: Markus Neis, Sander Wiebing
logsource:
category: process_creation
product: windows
detection:
- selection:
+ selection1:
CommandLine:
- - '*netsh firewall add*'
- condition: selection
+ - '*netsh*'
+ selection2:
+ CommandLine:
+ - '*firewall add*'
+ condition: selection1 and selection2
falsepositives:
- Legitimate administration
level: medium
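Review bot: `selection1` and `selection2` each hold a one-element wildcard list and are joined with `and`, which is exactly what the `contains|all` modifier expresses in a single selection, the form the other netsh rules added in this commit use (`CommandLine|contains|all:` in win_netsh_allow_port_rdp.yml). Collapsing the two selections keeps the match identical (both substrings anywhere, in any order) and reads as one condition. The rewritten `detection` block is below; `falsepositives` and `level` are unchanged.
```yaml
detection:
  selection:
    CommandLine|contains|all:
      - 'netsh'
      - 'firewall add'
  condition: selection
# … unchanged: falsepositives, level …
```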
diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
new file mode 100644
index 00000000..bc54696c
--- /dev/null
+++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
@@ -0,0 +1,54 @@
+title: Netsh Program Allowed with Suspcious Location
+id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
+description: Detects Netsh commands that allows a suspcious application location on Windows Firewall
+references:
+ - https://www.virusradar.com/en/Win32_Kasidet.AD/description
+ - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
+date: 2020/05/25
+tags:
+ - attack.lateral_movement
+ - attack.command_and_control
+ - attack.t1090
+status: experimental
+author: Sander Wiebing
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'netsh'
+ - 'firewall add allowedprogram'
+ selection2:
+ CommandLine|contains|all:
+ - netsh
+ - advfirewall firewall add rule
+ - action=allow
+ - program=
+ susp_image:
+ CommandLine|contains:
+ - '*%TEMP%*'
+ - '*:\RECYCLER\\*'
+ - '*C:\$Recycle.bin\\*'
+ - '*:\SystemVolumeInformation\\*'
+ - 'C:\\Windows\\Tasks\\*'
+ - 'C:\\Windows\\debug\\*'
+ - 'C:\\Windows\\fonts\\*'
+ - 'C:\\Windows\\help\\*'
+ - 'C:\\Windows\\drivers\\*'
+ - 'C:\\Windows\\addins\\*'
+ - 'C:\\Windows\\cursors\\*'
+ - 'C:\\Windows\\system32\tasks\\*'
+ - '*C:\Windows\Temp\\*'
+ - '*C:\Temp\\*'
+ - '*C:\Users\Public\\*'
+ - '%Public%\\*'
+ - '*C:\Users\Default\\*'
+ - '*C:\Users\Desktop\\*'
+ - '*\Downloads\\*'
+ - '*\Temporary Internet Files\Content.Outlook\\*'
+ - '*\Local Settings\Temporary Internet Files\\*'
+ condition: (selection1 or selection2) and susp_image
+falsepositives:
+ - Legitimate administration
+level: high
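Review bot: Several `susp_image` entries look like dead patterns: `'*:\SystemVolumeInformation\\*'` has no spaces although the Windows folder is named `System Volume Information`, and `'*C:\Users\Desktop\\*'` names a path that does not normally exist (desktops live under `C:\Users\<name>\Desktop`), so `'*\Desktop\\*'` may be what was meant if a match that broad is acceptable. The list also mixes escaping styles (`C:\\Windows\\Tasks\\*` next to `C:\\Windows\\system32\tasks\\*` and `*C:\Windows\Temp\\*`) and puts a leading `*` on some values although the `contains` modifier already implies it; one consistent form would make later edits less error-prone. `Suspcious` in the title and description should read `Suspicious`.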
diff --git a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml
new file mode 100644
index 00000000..c2aab4dc
--- /dev/null
+++ b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml
@@ -0,0 +1,22 @@
+title: Harvesting of Wifi Credentials Using netsh.exe
+id: 42b1a5b8-353f-4f10-b256-39de4467faff
+status: experimental
+description: Detect the harvesting of wifi credentials using netsh.exe
+references:
+ - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
+author: Andreas Hunkeler (@Karneades)
+date: 2020/04/20
+tags:
+ - attack.discovery
+ - attack.t1040
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - 'netsh wlan s* p* k*=clear'
+ condition: selection
+falsepositives:
+ - Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason
+level: medium
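Review bot: The single `CommandLine` value `'netsh wlan s* p* k*=clear'` has no leading or trailing wildcard, so it is a full-value match that fires only when the recorded command line begins with `netsh wlan` and ends with `=clear`; a launch recorded as `"C:\Windows\System32\netsh.exe" wlan show profile ... key=clear`, or one with further arguments after it, is missed. `- '*netsh wlan s* p* k*=clear*'` matches the same sequence anywhere in the line. A short comment explaining that `s* p* k*` stands for the abbreviated `show profile key` forms would spare the next reader a guess.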
diff --git a/rules/windows/process_creation/win_new_service_creation.yml b/rules/windows/process_creation/win_new_service_creation.yml
index 67d6ae36..59ee6041 100644
--- a/rules/windows/process_creation/win_new_service_creation.yml
+++ b/rules/windows/process_creation/win_new_service_creation.yml
@@ -9,6 +9,7 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
+ - attack.t1543.003
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml
logsource:
@@ -16,12 +17,12 @@ logsource:
product: windows
detection:
selection:
- - Image|endswith: '\sc.exe'
- CommandLine|contains|all:
+ - Image|endswith: '\sc.exe'
+ CommandLine|contains|all:
- 'create'
- 'binpath'
- - Image|endswith: '\powershell.exe'
- CommandLine|contains: 'new-service'
+ - Image|endswith: '\powershell.exe'
+ CommandLine|contains: 'new-service'
condition: selection
falsepositives:
- Legitimate administrator or user creates a service for legitimate reason
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 0333dde0..7855ea3a 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -10,11 +10,12 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
- selection:
+ selection:
Image|endswith: '\powershell.exe'
filter:
ParentImage|endswith: '\explorer.exe'
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index aa29383e..537def03 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -12,6 +12,7 @@ tags:
- attack.t1202
- car.2013-02-003
- car.2014-04-003
+ - attack.t1059.003
author: Michael Haag, Florian Roth, Markus Neis
date: 2018/04/06
logsource:
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 5d8a8035..64c87d03 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -11,6 +11,7 @@ tags:
- attack.s0013
- attack.defense_evasion
- attack.t1073
+ - attack.t1574.002
logsource:
category: process_creation
product: windows
@@ -84,10 +85,7 @@ detection:
- '*\Windows Kit*'
- '*\Windows Resource Kit\\*'
- '*\Microsoft.NET\\*'
- condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu )
- or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc
- ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview
- and not filter_oleview ) or ( selection_rc and not filter_rc )
+ condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
fields:
- CommandLine
- ParentCommandLine
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 65b988f8..b0b0853a 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -13,6 +13,7 @@ tags:
- attack.t1121
- attack.t1127
- attack.t1170
+ - attack.t1218
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
index 708f50ec..335aadc3 100644
--- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml
+++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
@@ -9,6 +9,7 @@ tags:
- attack.execution
- attack.defense_evasion
- attack.t1086
+ - attack.t1059.001
author: Markus Neis
date: 2018/08/17
logsource:
@@ -22,6 +23,6 @@ detection:
CommandLine:
- '*amsiInitFailed*'
condition: selection1 and selection2
- falsepositives:
- - Potential Admin Activity
+falsepositives:
+ - Potential Admin Activity
level: high
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index 4cb036d6..1e8ff007 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
@@ -8,6 +8,7 @@ tags:
- attack.execution
- attack.t1086
- car.2014-04-003
+ - attack.t1059.001
author: Markus Neis
date: 2018/08/25
logsource:
diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
new file mode 100644
index 00000000..12a8b950
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
@@ -0,0 +1,34 @@
+title: PowerShell Downgrade Attack
+id: b3512211-c67e-4707-bedc-66efc7848863
+related:
+ - id: 6331d09b-4785-4c13-980f-f96661356249
+ type: derived
+status: experimental
+description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
+references:
+ - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.001
+author: Harish Segar (rule)
+date: 2020/03/20
+falsepositives:
+ - Penetration Test
+ - Unknown
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - ' -version 2 '
+ - ' -versio 2 '
+ - ' -versi 2 '
+ - ' -vers 2 '
+ - ' -ver 2 '
+ - ' -ve 2 '
+ Image|endswith: '\powershell.exe'
+ condition: selection
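Review bot: Every `CommandLine|contains` value ends with a space, so `-version 2` as the last token of a command line (no trailing space recorded) does not match, and the `2.0` spelling, which as far as I know PowerShell accepts too, is not covered by any entry. If the trailing space is deliberate, to keep `2` from matching longer values, a comment above the list saying so would help; otherwise adding the unpadded and `2.0` forms (e.g. `' -version 2.0'`) closes the gap. `falsepositives` and `level` appear before `logsource` here while the other new rules put them last; harmless, but worth aligning.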
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index 83b93e13..813a45bf 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -7,6 +7,7 @@ date: 2019/01/16
tags:
- attack.t1086
- attack.execution
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
index 41a0f1cd..620edf36 100644
--- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
@@ -7,16 +7,18 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019/01/16
+modified: 2020/07/14
logsource:
category: process_creation
product: windows
detection:
selection:
- Image:
- - '*\Powershell.exe'
- CommandLine:
+ Image|endswith:
+ - '\Powershell.exe'
+ CommandLine|contains:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml
index c7d39c95..fa333189 100644
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml
@@ -1,20 +1,27 @@
title: Suspicious XOR Encoded PowerShell Command Line
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
-description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
+description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
status: experimental
-author: Sami Ruohonen
+author: Sami Ruohonen, Harish Segar (improvement)
date: 2018/09/05
+modified: 2020/06/29
tags:
- attack.execution
- attack.t1086
-detection:
- selection:
- CommandLine:
- - '* -bxor*'
- condition: selection
-falsepositives:
- - unknown
-level: medium
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
+detection:
+ selection:
+ - Description: "Windows PowerShell"
+ - Product: "PowerShell Core 6"
+ filter:
+ CommandLine|contains:
+ - "bxor"
+ - "join"
+ - "char"
+ condition: selection and filter
+falsepositives:
+ - unknown
+level: medium
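Review bot: The rewritten detection under `filter:` ORs its three substrings, so `condition: selection and filter` now fires on any PowerShell command line that merely contains "join" or "char", which is far broader than the `-bxor` match it replaces and no longer fits the title "XOR Encoded". Requiring all of them with `CommandLine|contains|all:` keeps the intent of catching the bxor/join/char decoding chain without that noise. The selection is also called `filter` while it is used positively in the condition; Sigma rules in this repository reserve that name for negated selections, so a name such as `cmdline_obfuscation:` with `condition: selection and cmdline_obfuscation` reads as what it is.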
diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index e6f689ca..a3094b5b 100644
--- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
@@ -31,6 +31,8 @@ tags:
- attack.g0022
- attack.g0060
- car.2013-08-001
+ - attack.t1053.005
+ - attack.t1059.001
falsepositives:
- False positives are possible, depends on organisation and processes
level: high
diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index 88e15976..5d85fbdf 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
@@ -12,6 +12,7 @@ tags:
- attack.credential_access
- attack.t1003
- car.2013-05-009
+ - attack.t1003.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml
index 9eca4861..a2c3dbf1 100644
--- a/rules/windows/process_creation/win_psexesvc_start.yml
+++ b/rules/windows/process_creation/win_psexesvc_start.yml
@@ -8,12 +8,13 @@ tags:
- attack.execution
- attack.t1035
- attack.s0029
+ - attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
- ProcessCommandLine: C:\Windows\PSEXESVC.exe
+ CommandLine: C:\Windows\PSEXESVC.exe
condition: selection
falsepositives:
- Administrative activity
diff --git a/rules/windows/process_creation/win_rdp_hijack_shadowing.yml b/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
index f08c5f3f..9285babd 100644
--- a/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
+++ b/rules/windows/process_creation/win_rdp_hijack_shadowing.yml
@@ -1,7 +1,7 @@
title: MSTSC Shadowing
id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
-status: Detects RDP session hijacking by using MSTSC shadowing
-description:
+description: Detects RDP session hijacking by using MSTSC shadowing
+status: experimental
author: Florian Roth
date: 2020/01/24
references:
diff --git a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
new file mode 100644
index 00000000..d7f7e9a5
--- /dev/null
+++ b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
@@ -0,0 +1,27 @@
+title: RedMimicry Winnti Playbook Execute
+id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.t1106
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|contains:
+ - rundll32.exe
+ - cmd.exe
+ CommandLine|contains:
+ - gthread-3.6.dll
+ - \Windows\Temp\tmp.bat
+ - sigcmm-2.4.dll
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
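Review bot: `Image|contains:` on `rundll32.exe` and `cmd.exe` matches any path containing those substrings, including a directory named that way; the other rules migrated in this commit use `Image|endswith:` with a leading backslash, e.g. `Image|endswith:` / `- '\rundll32.exe'` / `- '\cmd.exe'`. The new rule also has no `status:` field, which every other rule added in this commit sets (`status: experimental`).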
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index 26a604ed..5509721e 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -10,6 +10,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
@@ -24,4 +25,4 @@ fields:
- CommandLine
falsepositives:
- Legitimate usage of remote Powershell, e.g. for monitoring purposes
-level: high
+level: medium
diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml
index bcac5d58..7d50a905 100644
--- a/rules/windows/process_creation/win_renamed_binary.yml
+++ b/rules/windows/process_creation/win_renamed_binary.yml
@@ -2,7 +2,7 @@ title: Renamed Binary
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)
+author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
date: 2019/06/15
modified: 2019/11/11
references:
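Review bot: The author line changes here and the two hunks below add `netsh.exe` to both the selection and the filter list, but `modified: 2019/11/11` is left untouched, so the rule's metadata no longer reflects the edit. Sigma convention is to bump `modified:` to the date of the change whenever the detection logic or credits change; the date itself should be the one this commit was made on.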
@@ -37,6 +37,7 @@ detection:
- 'wevtutil.exe'
- 'net.exe'
- 'net1.exe'
+ - 'netsh.exe'
filter:
Image|endswith:
- '\cmd.exe'
@@ -58,6 +59,7 @@ detection:
- '\wevtutil.exe'
- '\net.exe'
- '\net1.exe'
+ - '\netsh.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
diff --git a/rules/windows/sysmon/sysmon_renamed_jusched.yml b/rules/windows/process_creation/win_renamed_jusched.yml
similarity index 91%
rename from rules/windows/sysmon/sysmon_renamed_jusched.yml
rename to rules/windows/process_creation/win_renamed_jusched.yml
index a43d93bf..7e03d04a 100644
--- a/rules/windows/sysmon/sysmon_renamed_jusched.yml
+++ b/rules/windows/process_creation/win_renamed_jusched.yml
@@ -1,26 +1,26 @@
-title: Renamed jusched.exe
-status: experimental
-id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
-description: Detects renamed jusched.exe used by cobalt group
-references:
- - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
-tags:
- - attack.t1036
- - attack.execution
-author: Markus Neis, Swisscom
-date: 2019/06/04
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- Description: Java Update Scheduler
- selection2:
- Description: Java(TM) Update Scheduler
- filter:
- Image:
- - '*\\jusched.exe'
- condition: (selection1 or selection2) and not filter
-falsepositives:
- - penetration tests, red teaming
-level: high
+title: Renamed jusched.exe
+status: experimental
+id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
+description: Detects renamed jusched.exe used by cobalt group
+references:
+ - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
+tags:
+ - attack.t1036
+ - attack.execution
+author: Markus Neis, Swisscom
+date: 2019/06/04
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Description: Java Update Scheduler
+ selection2:
+ Description: Java(TM) Update Scheduler
+ filter:
+ Image|endswith:
+ - '\jusched.exe'
+ condition: (selection1 or selection2) and not filter
+falsepositives:
+ - penetration tests, red teaming
+level: high
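Review bot: Every line of the renamed file is deleted and re-added although the only substantive change is `Image|endswith:` / `- '\jusched.exe'` replacing the old wildcard form; this looks like a line-ending or trailing-whitespace normalisation folded into the rename, which hides the one real change from review. The same full-file churn appears in win_susp_curl_start_combo.yml further down with no visible content change at all. Normalising line endings in a separate whitespace-only commit would keep both diffs reviewable, and the jusched rule would still want a `modified:` entry for the matcher change.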
diff --git a/rules/windows/sysmon/sysmon_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_renamed_powershell.yml
rename to rules/windows/process_creation/win_renamed_powershell.yml
index 157f5876..9522fcee 100644
--- a/rules/windows/sysmon/sysmon_renamed_powershell.yml
+++ b/rules/windows/process_creation/win_renamed_powershell.yml
@@ -10,7 +10,7 @@ tags:
- car.2013-05-009
logsource:
product: windows
- service: sysmon
+ category: process_creation
detection:
selection:
Description: 'Windows PowerShell'
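Review bot: Switching `service: sysmon` to `category: process_creation` generalises the logsource, but the selection directly below still keys on `Description: 'Windows PowerShell'`, a field that as far as I know only Sysmon Event ID 1 populates; a backend fed by Security 4688 events will compile the rule and then silently never match. The same applies to `OriginalFileName` in win_renamed_procdump.yml, `Description` in win_renamed_psexec.yml, the `Description`/`Product` selection in win_powershell_xor_commandline.yml and `Product` in win_susp_curl_download.yml. If the generic category is intended, a comment such as `# Description/OriginalFileName are only present in Sysmon-enriched process_creation events` above the selection, or an `Image|endswith` alternative in the condition, would make the dependency explicit. The selection body continues outside the hunk.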
diff --git a/rules/windows/sysmon/sysmon_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_renamed_procdump.yml
rename to rules/windows/process_creation/win_renamed_procdump.yml
index 803ad339..2fbe3a4a 100644
--- a/rules/windows/sysmon/sysmon_renamed_procdump.yml
+++ b/rules/windows/process_creation/win_renamed_procdump.yml
@@ -11,7 +11,7 @@ tags:
- attack.t1036
logsource:
product: windows
- service: sysmon
+ category: process_creation
detection:
selection:
OriginalFileName: 'procdump'
diff --git a/rules/windows/sysmon/sysmon_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
similarity index 96%
rename from rules/windows/sysmon/sysmon_renamed_psexec.yml
rename to rules/windows/process_creation/win_renamed_psexec.yml
index 75d5838a..208af0d3 100644
--- a/rules/windows/sysmon/sysmon_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
@@ -10,7 +10,7 @@ tags:
- car.2013-05-009
logsource:
product: windows
- service: sysmon
+ category: process_creation
detection:
selection:
Description: 'Execute processes remotely'
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
index b4a03177..eaa76e6c 100644
--- a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
+++ b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
@@ -9,6 +9,7 @@ date: 2019/10/30
tags:
- attack.defense_evasion
- attack.t1096
+ - attack.t1564.004
logsource:
category: process_creation
product: windows
@@ -16,9 +17,9 @@ detection:
selection:
ParentImage|endswith: '\powershell.exe'
Image|endswith: '\powershell.exe'
- CommandLine|contains|all:
- - 'Get-Content'
- - '-Stream'
+ CommandLine|contains|all:
+ - 'Get-Content'
+ - '-Stream'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index 1509516e..b98a0c86 100644
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.persistence
- attack.t1138
+ - attack.t1546.011
author: Markus Neis
date: 2019/01/16
logsource:
diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml
index 865e7a22..72b3903f 100644
--- a/rules/windows/process_creation/win_service_execution.yml
+++ b/rules/windows/process_creation/win_service_execution.yml
@@ -12,7 +12,7 @@ logsource:
product: windows
detection:
selection:
- Image|endswith:
+ Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
@@ -23,3 +23,4 @@ level: low
tags:
- attack.execution
- attack.t1035
+ - attack.t1569.002
diff --git a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
index 17c6d56d..45149619 100644
--- a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
+++ b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
@@ -8,14 +8,16 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
+ - attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
- - mklink
- - HarddiskVolumeShadowCopy
+ CommandLine|contains|all:
+ - mklink
+ - HarddiskVolumeShadowCopy
condition: selection
falsepositives:
- Legitimate administrator working with shadow copies, access for backup purposes
diff --git a/rules/windows/process_creation/win_shadow_copies_creation.yml b/rules/windows/process_creation/win_shadow_copies_creation.yml
index 77bdb977..578c1ba1 100644
--- a/rules/windows/process_creation/win_shadow_copies_creation.yml
+++ b/rules/windows/process_creation/win_shadow_copies_creation.yml
@@ -9,12 +9,14 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
+ - attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
- NewProcessName|endswith:
+ Image|endswith:
- '\powershell.exe'
- '\wmic.exe'
- '\vssadmin.exe'
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index 05029298..43bdfd90 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
@@ -20,12 +20,12 @@ logsource:
product: windows
detection:
selection:
- NewProcessName|endswith:
+ Image|endswith:
- '\powershell.exe'
- '\wmic.exe'
- '\vssadmin.exe'
CommandLine|contains|all:
- - shadow
+ - shadow # will mach "delete shadows" and "shadowcopy delete"
- delete
condition: selection
fields:
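Review bot: The inline comment added on the `shadow` value has a typo; it should read `# will match "delete shadows" and "shadowcopy delete"`. The `NewProcessName` to `Image|endswith` field rename in the same hunk is a detection-logic change that is not reflected in a `modified:` date; the rule header is outside the hunk, so I cannot see whether one exists.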
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
index 1a77be48..17968c3b 100644
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
@@ -11,6 +11,8 @@ tags:
- attack.execution
- attack.defense_evasion
- attack.t1064
+ - attack.t1059.005
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml
index 21638ae3..7bc87568 100644
--- a/rules/windows/process_creation/win_spn_enum.yml
+++ b/rules/windows/process_creation/win_spn_enum.yml
@@ -9,6 +9,7 @@ date: 2018/11/14
tags:
- attack.credential_access
- attack.t1208
+ - attack.t1558.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index 3281b161..e87d9a38 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -11,13 +11,14 @@ tags:
- attack.t1070
- attack.persistence
- attack.t1067
+ - attack.t1542.003
logsource:
category: process_creation
product: windows
detection:
selection:
- NewProcessName: '*\bcdedit.exe'
- ProcessCommandLine:
+ Image: '*\bcdedit.exe'
+ CommandLine:
- '*delete*'
- '*deletevalue*'
- '*import*'
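Review bot: `Image: '*\bcdedit.exe'` and `CommandLine:` with `'*delete*'`-style values keep the legacy wildcard form, while the same field rename in win_shadow_copies_creation.yml in this commit uses modifiers; for consistency `Image|endswith: '\bcdedit.exe'` and `CommandLine|contains:` with the leading and trailing `*` dropped from each list entry is the current idiom. The value list continues beyond the hunk, so the remaining entries would need the same treatment.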
diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml
index c40ebfd7..019d2fcf 100644
--- a/rules/windows/process_creation/win_susp_cli_escape.yml
+++ b/rules/windows/process_creation/win_susp_cli_escape.yml
@@ -10,6 +10,7 @@ references:
- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
date: 2018/12/11
+modified: 2020/03/14
tags:
- attack.defense_evasion
- attack.t1140
@@ -20,8 +21,8 @@ detection:
selection:
CommandLine:
# - # no TAB modifier in sigmac yet, so this matches (or TAB in elasticsearch backends without DSL queries)
- - ^h^t^t^p
- - h"t"t"p
+ - '*h^t^t^p*'
+ - '*h"t"t"p*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
index 92445f87..64efc023 100644
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -1,8 +1,7 @@
title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: experimental
-description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs
- > powershell)
+description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
references:
- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
@@ -11,6 +10,8 @@ date: 2019/01/16
tags:
- attack.execution
- attack.t1059
+ - attack.t1059.005
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml
index e3e5c980..cb5a3cc9 100644
--- a/rules/windows/process_creation/win_susp_compression_params.yml
+++ b/rules/windows/process_creation/win_susp_compression_params.yml
@@ -8,6 +8,7 @@ tags:
- attack.exfiltration
- attack.t1020
- attack.t1002
+ - attack.t1560
author: Florian Roth, Samir Bousseaden
date: 2019/10/15
logsource:
diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
index bcab5a8e..be58a43a 100644
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
@@ -26,6 +26,7 @@ fields:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.001
falsepositives:
- unknown
level: medium
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index 00eaf7a6..cc049031 100644
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -11,6 +11,8 @@ tags:
- attack.t1073
- attack.t1085
- car.2013-10-002
+ - attack.t1218
+ - attack.t1574.002
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index 6d56fec2..59b5ec8d 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -2,22 +2,23 @@ title: Copy from Admin Share
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: experimental
description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
-references:
- - https://twitter.com/SBousseaden/status/1211636381086339073
+references:
+ - https://twitter.com/SBousseaden/status/1211636381086339073
author: Florian Roth
date: 2019/12/30
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1105
+ - attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains:
- - 'copy *\c$'
- - 'copy *\ADMIN$'
+ CommandLine|contains:
+ - 'copy *\c$'
+ - 'copy *\ADMIN$'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml
new file mode 100644
index 00000000..9c8f8b41
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_copy_system32.yml
@@ -0,0 +1,26 @@
+title: Suspicious Copy From or To System32
+id: fff9d2b7-e11c-4a69-93d3-40ef66189767
+status: experimental
+description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
+author: Florian Roth, Markus Neis
+date: 2020/07/03
+references:
+ - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
+logsource:
+ category: process_creation
+ product: windows
+tags:
+ - attack.defense_evasion
+detection:
+ selection:
+ CommandLine|contains:
+ - ' /c copy *\System32\'
+ - 'xcopy*\System32\'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+ - Admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/
+level: medium
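Review bot: The description reads awkwardly at `sometimes used to use LOLBINs`; `sometimes used to copy LOLBINs like certutil or desktopimgdownldr to a different location under a different name` says what is meant. The first pattern `' /c copy *\System32\'` only matches `cmd /c` invocations, so the same copy issued through `/k` is not covered; either add `' /k copy *\System32\'` or note the narrower scope in a comment so a reader does not assume full coverage.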
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
new file mode 100644
index 00000000..b73909f7
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@@ -0,0 +1,26 @@
+title: Covenant Launcher Indicators
+id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
+description: Detects suspicious command lines used in Covenant luanchers
+status: experimental
+references:
+ - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
+author: Florian Roth
+date: 2020/06/04
+tags:
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - ' -Sta -Nop -Window Hidden -Command '
+ - ' -Sta -Nop -Window Hidden -EncodedCommand '
+ - 'sv o (New-Object IO.MemorySteam);sv d '
+ - 'mshta file.hta'
+ - 'GruntHTTP'
+ - '-EncodedCommand cwB2ACAAbwAgA'
+ condition: selection
+level: high
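Review bot: The new rule has no `falsepositives:` section, which every other rule added in this commit carries and which the repository's rule checks expect; at minimum `falsepositives:` / `- Unknown`. The description also misspells the word launchers: `description: Detects suspicious command lines used in Covenant launchers`.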
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
new file mode 100644
index 00000000..98071a31
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -0,0 +1,39 @@
+title: CrackMapExec Command Execution
+id: 058f4380-962d-40a5-afce-50207d36d7e2
+status: experimental
+description: Detect various execution methods of the CrackMapExec pentesting framework
+references:
+ - https://github.com/byt3bl33d3r/CrackMapExec
+tags:
+ - attack.execution
+ - attack.t1047
+ - attack.t1053
+ - attack.t1086
+ - attack.t1059.003
+ - attack.t1059.001
+author: Thomas Patzke
+date: 2020/05/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
+ - '*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
+ # cme/protocols/smb/atexec.py:109 (fileless output via share)
+ - '*cmd.exe /C * > \\\\*\\*\\* 2>&1'
+ # cme/protocols/smb/atexec.py:111 (fileless output via share)
+ - '*cmd.exe /C * > *\\Temp\\* 2>&1'
+ # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
+ - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*'
+ # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
+ - '*powershell.exe -noni -nop -w 1 -enc *'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
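Review bot: The per-value comments cite upstream source by bare line number (`atexec.py:109`, `powershell.py:139`) against an unpinned repository URL in `references`, so they will drift as soon as the upstream file changes. The companion win_susp_crackmapexec_powershell_obfuscation.yml pins a commit hash in its reference; this rule should reference the same pinned commit, or drop the line numbers and keep only the file and function names in the comments.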
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
new file mode 100644
index 00000000..20bb2c13
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
@@ -0,0 +1,38 @@
+title: CrackMapExec PowerShell Obfuscation
+id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
+status: experimental
+description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
+references:
+ - https://github.com/byt3bl33d3r/CrackMapExec
+ - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
+tags:
+ - attack.execution
+ - attack.t1086
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.t1059.001
+author: Thomas Patzke
+date: 2020/05/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ powershell_execution:
+ CommandLine|contains: 'powershell.exe'
+ snippets:
+ CommandLine|contains:
+ - 'join*split'
+ # Line 343ff
+ - "( $ShellId[1]+$ShellId[13]+'x')"
+ - '( $PSHome[*]+$PSHOME[*]+'
+ - "( $env:Public[13]+$env:Public[5]+'x')"
+ - "( $env:ComSpec[4,*,25]-Join'')"
+ - "[1,3]+'x'-Join'')"
+ condition: powershell_execution and snippets
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
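Review bot: The description misspells the tool name; it should read `The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.` The comment `# Line 343ff` does not say which file it refers to, and the pinned reference points at powershell.py#L242, so `# cme/helpers/powershell.py line 343ff (at the commit pinned in references)` would make it locatable. The first snippet `'join*split'` is far more generic than the other entries and on its own will match ordinary scripts that join and split strings; if it is intended as a weak indicator it should carry a comment saying so, otherwise it belongs in a separate selection ANDed with the rest.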
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index fb2a5fdf..9752e5ff 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -13,17 +13,18 @@ modified: 2019/12/17
tags:
- attack.defense_evasion
- attack.t1500
+ - attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
Image: '*\csc.exe'
- CommandLine:
+ CommandLine:
- '*\AppData\\*'
- '*\Windows\Temp\\*'
filter:
- ParentImage:
+ ParentImage:
- 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897
- '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
- '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
diff --git a/rules/windows/process_creation/win_susp_curl_download.yml b/rules/windows/process_creation/win_susp_curl_download.yml
new file mode 100644
index 00000000..9580d77b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_curl_download.yml
@@ -0,0 +1,29 @@
+title: Suspicious Curl Usage on Windows
+id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
+status: experimental
+description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
+author: Florian Roth
+date: 2020/07/03
+references:
+ - https://twitter.com/reegun21/status/1222093798009790464
+logsource:
+ category: process_creation
+ product: windows
+tags:
+ - attack.defense_evasion
+ - attack.t1105
+detection:
+ selection1:
+ Image|endswith: '\curl.exe'
+ selection2:
+ Product: 'The curl executable'
+ selection3:
+ CommandLine|contains: ' -O '
+ condition: ( selection1 or selection2 ) and selection3
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts created by developers and admins
+ - Administrative activity
+level: medium
diff --git a/rules/windows/process_creation/win_susp_curl_fileupload.yml b/rules/windows/process_creation/win_susp_curl_fileupload.yml
new file mode 100644
index 00000000..c1b8f104
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_curl_fileupload.yml
@@ -0,0 +1,26 @@
+title: Suspicious Curl File Upload
+id: 00bca14a-df4e-4649-9054-3f2aa676bc04
+status: experimental
+description: Detects a suspicious curl process start the adds a file to a web request
+author: Florian Roth
+date: 2020/07/03
+references:
+ - https://twitter.com/d1r4c/status/1279042657508081664
+ - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
+logsource:
+ category: process_creation
+ product: windows
+tags:
+ - attack.defense_evasion
+ - attack.t1105
+detection:
+ selection:
+ Image|endswith: '\curl.exe'
+ CommandLine|contains: ' -F '
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts created by developers and admins
+level: medium
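Review bot: `CommandLine|contains: ' -F '` rests on a single-character flag, and most Sigma backends match case-insensitively, so this also hits ` -f ` (curl's fail-silently switch, common in install scripts), which the `falsepositives` entry does not mention. Adding `--form` as a second list entry does not remove that overlap, so it should at least be documented under `falsepositives`, e.g. `- curl -f (fail silently) invocations if the backend matches case-insensitively`. The description also has a typo: `Detects a suspicious curl process start that adds a file to a web request`.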
diff --git a/rules/windows/process_creation/win_susp_curl_start_combo.yml b/rules/windows/process_creation/win_susp_curl_start_combo.yml
index ddc53c6a..c65cfc27 100644
--- a/rules/windows/process_creation/win_susp_curl_start_combo.yml
+++ b/rules/windows/process_creation/win_susp_curl_start_combo.yml
@@ -1,24 +1,24 @@
-title: Curl Start Combination
-id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
-status: experimental
-description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
-references:
- - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
-author: Sreeman
-date: 2020/01/13
-tags:
- - attack.execution
- - attack.t1218
-logsource:
- category: process_creation
- product: windows
-detection:
- condition: selection
- selection:
- CommandLine|contains: 'curl* start '
-falsepositives:
- - Administrative scripts (installers)
-fields:
- - ParentImage
- - CommandLine
-level: medium
+title: Curl Start Combination
+id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
+status: experimental
+description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
+references:
+ - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
+author: Sreeman
+date: 2020/01/13
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ condition: selection
+ selection:
+ CommandLine|contains: 'curl* start '
+falsepositives:
+ - Administrative scripts (installers)
+fields:
+ - ParentImage
+ - CommandLine
+level: medium
diff --git a/rules/windows/process_creation/win_susp_desktopimgdownldr.yml b/rules/windows/process_creation/win_susp_desktopimgdownldr.yml
new file mode 100644
index 00000000..bf66b5ff
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_desktopimgdownldr.yml
@@ -0,0 +1,34 @@
+title: Suspicious Desktopimgdownldr Command
+id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
+status: experimental
+description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
+author: Florian Roth
+date: 2020/07/03
+references:
+ - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+ - https://twitter.com/SBousseaden/status/1278977301745741825
+logsource:
+ category: process_creation
+ product: windows
+tags:
+ - attack.defense_evasion
+ - attack.t1105
+detection:
+ selection1:
+ CommandLine|contains: ' /lockscreenurl:'
+ selection1_filter:
+ CommandLine|contains:
+ - '.jpg'
+ - '.jpeg'
+ - '.png'
+ selection_reg:
+ CommandLine|contains|all:
+ - 'reg delete'
+ - '\PersonalizationCSP'
+ condition: ( selection1 and not selection1_filter ) or selection_reg
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+level: high
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
index 3a6bf756..490884fe 100644
--- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
+++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.persistence
- attack.t1060
+ - attack.t1547.001
date: 2019/10/25
modified: 2019/11/10
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
diff --git a/rules/windows/process_creation/win_susp_disable_ie_features.yml b/rules/windows/process_creation/win_susp_disable_ie_features.yml
new file mode 100644
index 00000000..a3214200
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_disable_ie_features.yml
@@ -0,0 +1,32 @@
+title: Disabled IE Security Features
+id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
+status: experimental
+description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
+references:
+ - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
+tags:
+ - attack.defense_evasion
+ - attack.t1089
+ - attack.t1562.001
+author: Florian Roth
+date: 2020/06/19
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - ' -name IEHarden '
+ - ' -value 0 '
+ selection2:
+ CommandLine|contains|all:
+ - ' -name DEPOff '
+ - ' -value 1 '
+ selection3:
+ CommandLine|contains|all:
+ - ' -name DisableFirstRunCustomize '
+ - ' -value 2 '
+ condition: 1 of them
+falsepositives:
+ - Unknown, maybe some security software installer disables these features temporarily
+level: high
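Review bot: Every value in `selection1`..`selection3` is padded with a trailing space (`' -value 0 '`, `' -value 1 '`, `' -value 2 '`), so a command line whose final token is the value, with nothing after it, is not matched. Dropping the trailing space from the `-value` patterns, e.g. `' -value 0'`, or a comment explaining why the padding is required, would close or document that gap. The `-name` patterns can keep both spaces, since a value always follows them.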
diff --git a/rules/windows/process_creation/win_susp_ditsnap.yml b/rules/windows/process_creation/win_susp_ditsnap.yml
new file mode 100644
index 00000000..b279a6ef
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_ditsnap.yml
@@ -0,0 +1,26 @@
+title: DIT Snapshot Viewer Use
+id: d3b70aad-097e-409c-9df2-450f80dc476b
+status: experimental
+description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
+references:
+ - https://thedfirreport.com/2020/06/21/snatch-ransomware/
+ - https://github.com/yosqueoy/ditsnap
+author: 'Furkan Caliskan (@caliskanfurkan_)'
+date: 2020/07/04
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\ditsnap.exe'
+ selection2:
+ CommandLine|contains:
+ - 'ditsnap.exe'
+ condition: selection or selection2
+falsepositives:
+ - Legitimate admin usage
+level: high
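Review bot: The tag list stops at `attack.t1003`, while the change to `win_susp_ntdsutil.yml` in this same commit adds the NTDS sub-technique `attack.t1003.003`; given that the title names a DIT snapshot tool, the same `- attack.t1003.003` tag would keep the two rules consistent. The description's "Seems to be a tool for ransomware groups" is vague for a rule at `level: high`; a sentence saying what the tool does, per the linked GitHub project, would help analysts triage a hit.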
diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml
index 95a5a0e3..8b6ca56a 100644
--- a/rules/windows/process_creation/win_susp_double_extension.yml
+++ b/rules/windows/process_creation/win_susp_double_extension.yml
@@ -1,7 +1,6 @@
title: Suspicious Double Extension
id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
-description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable
- file in spear phishing campaigns
+description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
references:
- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
- https://twitter.com/blackorbird/status/1140519090961825792
@@ -10,12 +9,13 @@ date: 2019/06/26
tags:
- attack.initial_access
- attack.t1193
+ - attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image:
+ Image:
- '*.doc.exe'
- '*.docx.exe'
- '*.xls.exe'
@@ -28,6 +28,6 @@ detection:
- '* .exe'
- '*______.exe'
condition: selection
-falsepositives:
+falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index 8a26e744..42c20df7 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -19,20 +19,20 @@ detection:
selection_wevtutil_binary:
Image|endswith: '\wevtutil.exe'
selection_wevtutil_command:
- CommandLine|contains:
- - 'clear-log' # clears specified log
- - 'cl' # short version of 'clear-log'
+ CommandLine|contains:
+ - 'clear-log' # clears specified log
+ - ' cl ' # short version of 'clear-log'
- 'set-log' # modifies config of specified log. could be uset to set it to a tiny size
- - 'sl' # short version of 'set-log'
+ - ' sl ' # short version of 'set-log'
selection_other_ps:
Image|endswith: '\powershell.exe'
- CommandLine|contains:
+ CommandLine|contains:
- 'Clear-EventLog'
- 'Remove-EventLog'
- 'Limit-EventLog'
selection_other_wmic:
Image|endswith: '\wmic.exe'
- CommandLine|contains: 'ClearEventLog'
+ CommandLine|contains: ' ClearEventLog '
condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)
falsepositives:
- Admin activity
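Review bot: The new `' ClearEventLog '` pattern in `selection_other_wmic` requires a trailing space after the method name, so a wmic command line that ends with `ClearEventLog` (the method call can be the last token) no longer matches; `CommandLine|contains: ' ClearEventLog'` keeps the leading-space disambiguation without that gap. The same consideration applies to `' cl '` and `' sl '`, although those are normally followed by a log name. The `modified` field is outside this hunk and should be bumped alongside a detection-logic change.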
diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
index be5af625..8398dc4c 100644
--- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
@@ -7,6 +7,7 @@ date: 2019/01/16
tags:
- attack.persistence
- attack.t1100
+ - attack.t1505.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_explorer_break_proctree.yml b/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
new file mode 100644
index 00000000..49c22c09
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
@@ -0,0 +1,23 @@
+title: Explorer Root Flag Process Tree Break
+id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
+description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
+status: experimental
+references:
+ - https://twitter.com/CyberRaiju/status/1273597319322058752
+ - https://twitter.com/bohops/status/1276357235954909188?s=12
+author: Florian Roth
+date: 2019/06/29
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'explorer.exe'
+ - ' /root,'
+ condition: selection
+falsepositives:
+ - Unknown how many legitimate software products use that method
+level: medium
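Review bot: `date: 2019/06/29` looks inconsistent with the references: both tweet IDs appear to date from mid-2020, so the rule date was probably meant to be `2020/06/29`. The tags carry only the tactic `attack.defense_evasion` with no technique, unlike the other new rules in this commit; if one fits, it should be added. `CommandLine|contains|all` has no `Image` binding, so the pattern also matches when `explorer.exe /root,` appears as an argument of another process, which may be intentional but deserves a comment.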
diff --git a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml
similarity index 67%
rename from rules/windows/sysmon/sysmon_susp_file_characteristics.yml
rename to rules/windows/process_creation/win_susp_file_characteristics.yml
index 27359b18..cb900eee 100644
--- a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/win_susp_file_characteristics.yml
@@ -1,20 +1,21 @@
title: Suspicious File Characteristics Due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
-description: Detects Executables without FileVersion,Description,Product,Company likely created with py2exe
+description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
status: experimental
references:
- https://securelist.com/muddywater/88059/
- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
-author: Markus Neis
+author: Markus Neis, Sander Wiebing
date: 2018/11/22
-modified: 2019/11/09
+modified: 2020/05/26
tags:
- attack.defense_evasion
- attack.execution
- attack.t1064
+ - attack.t1059.006
logsource:
product: windows
- service: sysmon
+ category: process_creation
detection:
selection1:
Description: '\?'
@@ -25,7 +26,9 @@ detection:
selection3:
Description: '\?'
Company: '\?'
- condition: 1 of them
+ folder:
+ Image: '*\Downloads\\*'
+ condition: (selection1 or selection2 or selection3) and folder
fields:
- CommandLine
- ParentCommandLine
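Review bot: `condition: (selection1 or selection2 or selection3) and folder` could be written `1 of selection* and folder`, matching the `1 of binary_*` style used in `win_susp_fsutil_usage.yml` in this same commit and staying correct if a `selection4` is added later. Because the new `folder` selection materially narrows the rule compared with the previous `1 of them`, a short comment on `folder` stating why executables outside a `\Downloads\` path are now out of scope would help future maintainers. The enclosing `detection` block starts outside this hunk.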
diff --git a/rules/windows/process_creation/win_susp_findstr_lnk.yml b/rules/windows/process_creation/win_susp_findstr_lnk.yml
new file mode 100644
index 00000000..dd594f67
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_findstr_lnk.yml
@@ -0,0 +1,26 @@
+title: Findstr Launching .lnk File
+id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
+description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
+status: experimental
+references:
+ - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+author: Trent Liffick
+date: 2020/05/01
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\findstr.exe'
+ CommandLine: '*.lnk'
+ condition: selection
+fields:
+ - Image
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - unknown
+level: medium
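Review bot: `Image: '*\findstr.exe'` and `CommandLine: '*.lnk'` use bare wildcards, and `'*.lnk'` only matches a command line that ends exactly in `.lnk`, so a closing quote or any trailing argument after the file name defeats it. This same commit converts exactly this pattern in `win_susp_script_execution.yml` to modifiers; for consistency this should be `Image|endswith: '\findstr.exe'` and `CommandLine|contains: '.lnk'`.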
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml
index e204a9d7..e725a197 100644
--- a/rules/windows/process_creation/win_susp_fsutil_usage.yml
+++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml
@@ -21,7 +21,7 @@ detection:
binary_2:
OriginalFileName: 'fsutil.exe'
selection:
- CommandLine|contains:
+ CommandLine|contains:
- 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
- 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
condition: (1 of binary_*) and selection
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index e9fbbc95..1fd19502 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1073
+ - attack.t1574.002
author: Florian Roth
date: 2019/02/06
logsource:
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index d9b0a18e..7970eaf4 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -9,6 +9,7 @@ date: 2012/12/11
tags:
- attack.persistence
- attack.t1100
+ - attack.t1505.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index fa11306c..21f8f346 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -18,6 +18,7 @@ tags:
- attack.lateral_movement
- attack.discovery
- attack.defense_evasion
+ - attack.t1021
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
index 12bcc7a8..102e607b 100644
--- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
+++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
@@ -1,18 +1,19 @@
title: Suspicious Netsh DLL Persistence
id: 56321594-9087-49d9-bf10-524fe8479452
description: Detects persitence via netsh helper
-status: test
+status: testing
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md
tags:
- attack.persistence
- - attack.t1060
+ - attack.t1128
+ - attack.t1546.007
date: 2019/10/25
modified: 2019/10/25
author: Victor Sergeev, oscd.community
logsource:
category: process_creation
- product: windows
+ product: windows
detection:
selection:
Image|endswith: '\netsh.exe'
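Review bot: `status: test` is changed to `status: testing`, but `testing` is not one of the status values the Sigma specification defines (`stable`, `test`, `experimental`, `deprecated`, `unsupported`), so this line should stay `status: test` unless the repository's rule tests explicitly accept the new value. The reference, tags and status all change in this hunk while `modified: 2019/10/25` is left equal to `date`; `modified` should be bumped to the commit date. The typo `persitence` in the unchanged description line could be fixed in the same pass.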
@@ -26,5 +27,5 @@ fields:
- CommandLine
- ParentCommandLine
falsepositives:
- - Unkown
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml
index a8c2f6fd..ba0e49e3 100644
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml
+++ b/rules/windows/process_creation/win_susp_ntdsutil.yml
@@ -9,6 +9,7 @@ date: 2019/01/16
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml
index b841940b..19a11004 100644
--- a/rules/windows/process_creation/win_susp_outlook_temp.yml
+++ b/rules/windows/process_creation/win_susp_outlook_temp.yml
@@ -7,6 +7,7 @@ date: 2019/10/01
tags:
- attack.initial_access
- attack.t1193
+ - attack.t1566.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
index a45c4801..84d9adf1 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
@@ -9,17 +9,22 @@ references:
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
author: Florian Roth
date: 2019/04/20
+modified: 2020/07/13
tags:
- - attack.execution
- - attack.t1086
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine:
- - '* -NoP -sta -NonI -W Hidden -Enc *'
- - '* -noP -sta -w 1 -enc *'
- - '* -NoP -NonI -W Hidden -enc *'
+ CommandLine|contains:
+ - ' -NoP -sta -NonI -W Hidden -Enc '
+ - ' -noP -sta -w 1 -enc '
+ - ' -NoP -NonI -W Hidden -enc '
+ - ' -noP -sta -w 1 -enc'
+ - ' -enc SQB'
+ - ' -nop -exec bypass -EncodedCommand SQB'
condition: selection
level: critical
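Review bot: The new entry `' -noP -sta -w 1 -enc'` is a prefix of the existing `' -noP -sta -w 1 -enc '` two lines above it, so the longer pattern is now redundant and one of the two should be removed. The two `SQB` patterns are much broader than the Empire launcher strings above them — `SQB` appears to be the Base64 prefix of any UTF-16LE encoded command starting with `I` — and at `level: critical` that broadening deserves a comment on the expected false-positive exposure, or a lower level for those entries.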
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
index 0d662e28..493e7220 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
@@ -24,6 +24,7 @@ tags:
- attack.privilege_escalation
- attack.t1088
- car.2019-04-001
+ - attack.t1548.002
falsepositives:
- unknown
level: critical
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index e6ccc632..feb5a72d 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -8,8 +8,9 @@ author: Florian Roth, Markus Neis
date: 2018/09/03
modified: 2019/12/16
tags:
- - attack.execution
- - attack.t1086
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_encoded_param.yml b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
new file mode 100644
index 00000000..88c0107e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_encoded_param.yml
@@ -0,0 +1,24 @@
+title: PowerShell Encoded Character Syntax
+id: e312efd0-35a1-407f-8439-b8d434b438a6
+status: experimental
+description: Detects suspicious encoded character syntax often used for defense evasion
+references:
+ - https://twitter.com/0gtweet/status/1281103918693482496
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.t1086
+ - attack.t1059.001
+author: Florian Roth
+date: 2020/07/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: '(WCHAR)0x'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index 7da4d36d..417c37dc 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: John Lambert (rule)
date: 2019/01/16
logsource:
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index 32e9e296..dfb15868 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
@@ -9,6 +9,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
new file mode 100644
index 00000000..018e510b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
@@ -0,0 +1,59 @@
+title: Suspicious PowerShell Parent Process
+id: 754ed792-634f-40ae-b3bc-e0448d33f695
+description: Detects a suspicious parents of powershell.exe
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
+author: Teymur Kheirkhabarov, Harish Segar (rule)
+date: 2020/03/20
+tags:
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_image1:
+ - ParentImage|endswith:
+ - '\mshta.exe'
+ - '\rundll32.exe'
+ - '\regsvr32.exe'
+ - '\services.exe'
+ - '\winword.exe'
+ - '\wmiprvse.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\msaccess.exe'
+ - '\mspub.exe'
+ - '\visio.exe'
+ - '\outlook.exe'
+ - '\amigo.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ - '\iexplore.exe'
+ - '\microsoftedgecp.exe'
+ - '\microsoftedge.exe'
+ - '\browser.exe'
+ - '\vivaldi.exe'
+ - '\safari.exe'
+ - '\sqlagent.exe'
+ - '\sqlserver.exe'
+ - '\sqlservr.exe'
+ - '\w3wp.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\jbosssvc.exe'
+ - "MicrosoftEdgeSH.exe"
+ - ParentImage|contains: "tomcat"
+ selection_powershell:
+ - CommandLine|contains:
+ - "powershell"
+ - "pwsh"
+ - Description: "Windows PowerShell"
+ - Product: "PowerShell Core 6"
+ condition: all of them
+falsepositives:
+ - Other scripts
+level: medium
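Review bot: The entry `"MicrosoftEdgeSH.exe"` in `selection_image1` is the only `ParentImage|endswith` value without a leading `\` and the only one in double quotes; as written it also matches any image whose name merely ends in that string, so it should be `- '\MicrosoftEdgeSH.exe'` to match its neighbours. `Product: "PowerShell Core 6"` pins a single major version; a comment saying whether newer `pwsh` builds are expected to be caught by the `"pwsh"` command-line pattern instead would make the intended coverage explicit. Both selections use the list-of-maps (OR) form, which is correct but uncommon in this directory and worth a one-line comment.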
diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml
index a450ce4b..bfa3d6ff 100644
--- a/rules/windows/process_creation/win_susp_procdump.yml
+++ b/rules/windows/process_creation/win_susp_procdump.yml
@@ -13,6 +13,7 @@ tags:
- attack.credential_access
- attack.t1003
- car.2013-05-009
+ - attack.t1003.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml
index b4663c8f..13c16b3a 100644
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Florian Roth
date: 2019/01/09
logsource:
diff --git a/rules/windows/process_creation/win_susp_ps_downloadfile.yml b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
new file mode 100644
index 00000000..f2440a8a
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
@@ -0,0 +1,25 @@
+title: PowerShell DownloadFile
+id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
+status: experimental
+description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+author: Florian Roth
+date: 2020/03/25
+tags:
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'powershell'
+ - '.DownloadFile'
+ - 'System.Net.WebClient'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
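Review bot: `selection` requires the literal `'System.Net.WebClient'`, but PowerShell also accepts the type name without the `System.` prefix, so `'Net.WebClient'` would cover both spellings without losing precision. Likewise `'powershell'` excludes `pwsh`, which the new `win_susp_powershell_parent_process.yml` in this same commit treats as a PowerShell host; a separate `selection_host` listing both names, combined with `and`, would keep the two rules consistent.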
diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml
new file mode 100644
index 00000000..3ae37c20
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
@@ -0,0 +1,24 @@
+title: Rar with Password or Compression Level
+id: faa48cae-6b25-4f00-a094-08947fef582f
+status: experimental
+description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
+references:
+ - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
+author: '@ROxPinTeddy'
+date: 2020/05/12
+tags:
+ - attack.exfiltration
+ - attack.t1002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - ' -hp'
+ - ' -m'
+ condition: selection
+falsepositives:
+ - Legitimate use of Winrar command line version
+ - Other command line tools, that use these flags
+level: medium
\ No newline at end of file
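Review bot: The description says an archive is created "with password protection or with a specific compression level", but `CommandLine|contains|all` requires both `' -hp'` and `' -m'`, so a password-only invocation is not matched; either split the two flags into separate selections joined by `1 of`, or change the description to "and". `' -m'` on its own is a very short substring that also matches unrelated switches of other tools, which the second falsepositives entry already hints at; binding the rule with `Image|endswith: '\rar.exe'` would cut that noise. The file also lacks a trailing newline.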
diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
index 6a4b0233..e9959628 100644
--- a/rules/windows/process_creation/win_susp_rasdial_activity.yml
+++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml
@@ -10,6 +10,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1064
+ - attack.t1059
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index ce51e4b7..a19bdbf7 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -12,6 +12,7 @@ tags:
- attack.execution
- car.2019-04-002
- car.2019-04-003
+ - attack.t1218
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
new file mode 100644
index 00000000..f0064816
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
@@ -0,0 +1,28 @@
+title: Regsvr32 Flags Anomaly
+id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
+status: experimental
+description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
+author: Florian Roth
+date: 2019/07/13
+references:
+ - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
+tags:
+ - attack.t1117
+ - attack.defense_evasion
+ - attack.t1218.010
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|contains: ' /i:'
+ filter:
+ CommandLine|contains: ' /n '
+ condition: selection and not filter
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: high
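Review bot: `date: 2019/07/13` conflicts with the single reference, a tweet whose ID appears to date from July 2020, so the date was most likely meant to be `2020/07/13`. The `filter` only recognises `' /n '`; if the dash-spelled switch is accepted by regsvr32 as I believe it is, command lines using `-n` are not excluded and will be reported as anomalies even though they are the documented flag combination, so the filter should list both `' /n '` and `' -n '`. The rule carries both the retired `attack.t1117` and its successor `attack.t1218.010`, which matches the convention of the other files in this commit.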
diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml
new file mode 100644
index 00000000..dcab5bd6
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml
@@ -0,0 +1,23 @@
+title: Renamed SysInternals Debug View
+id: cd764533-2e07-40d6-a718-cfeec7f2da7f
+status: experimental
+description: Detects suspicious renamed SysInternals DebugView execution
+references:
+ - https://www.epicturla.com/blog/sysinturla
+author: Florian Roth
+date: 2020/05/28
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Product:
+ - 'Sysinternals DebugView'
+ - 'Sysinternals Debugview'
+ filter:
+ OriginalFilename: 'Dbgview.exe'
+ Image|endswith: '\Dbgview.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
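Review bot: The `filter` map uses the field name `OriginalFilename`, whereas the rest of this commit (e.g. `win_susp_fsutil_usage.yml`, `win_susp_use_of_csharp_console.yml`) uses the Sysmon field `OriginalFileName`; with a misspelled field the filter can never match, so every DebugView execution, renamed or not, would fire at `level: high`. Change it to `OriginalFileName: 'Dbgview.exe'`. The rule also has no `tags` block, unlike every other new rule in this commit; `attack.defense_evasion` with `attack.t1036` fits the title.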
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index c388da17..a7dedd20 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -10,6 +10,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1085
+ - attack.t1218.011
author: juju4
date: 2019/01/16
logsource:
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index 44f830c9..0867f34b 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -10,6 +10,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1085
+ - attack.t1218.011
author: Florian Roth
date: 2019/10/22
logsource:
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 7c2d3fa6..9a33912a 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -24,6 +24,7 @@ tags:
- attack.t1053
- attack.s0111
- car.2013-08-001
+ - attack.t1053.005
falsepositives:
- Administrative activity
- Software installation
diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml
index 2ca05799..2e7ad48d 100644
--- a/rules/windows/process_creation/win_susp_script_execution.yml
+++ b/rules/windows/process_creation/win_susp_script_execution.yml
@@ -7,19 +7,20 @@ date: 2019/01/16
tags:
- attack.execution
- attack.t1064
+ - attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection:
- Image:
- - '*\wscript.exe'
- - '*\cscript.exe'
- CommandLine:
- - '*.jse'
- - '*.vbe'
- - '*.js'
- - '*.vba'
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ CommandLine|contains:
+ - '.jse'
+ - '.vbe'
+ - '.js'
+ - '.vba'
condition: selection
fields:
- CommandLine
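Review bot: Switching `CommandLine` from `'*.js'` to `CommandLine|contains: '.js'` widens the match from names ending in `.js` to any command line containing that substring, which includes `.json`, `.jsx` and similar; on a rule that also fires on `.jse`, that is a notable false-positive increase and deserves either a more specific pattern (for example `'.js '` and `'.js"'`) or a comment accepting the trade-off. The `modified` field is outside this hunk and should be bumped with a detection-logic change.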
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml
index 6a3dbabd..6e6504ba 100644
--- a/rules/windows/process_creation/win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.persistence
- attack.t1031
+ - attack.t1543.003
date: 2019/10/21
modified: 2019/11/10
author: Victor Sergeev, oscd.community
diff --git a/rules/windows/process_creation/win_susp_svchost_no_cli.yml b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
index e4829b14..4da570b7 100644
--- a/rules/windows/process_creation/win_susp_svchost_no_cli.yml
+++ b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
@@ -5,7 +5,8 @@ description: It is extremely abnormal for svchost.exe to spawn without any CLI a
references:
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
author: David Burkett
-date: 12/28/2019
+date: 2019/12/28
+modified: 2020/07/23
tags:
- attack.t1055
logsource:
@@ -13,13 +14,13 @@ logsource:
product: windows
detection:
selection1:
- CommandLine: null
+ CommandLine|endswith: 'svchost.exe'
selection2:
- Image: '*\svchost.exe'
+ Image|endswith: '\svchost.exe'
filter:
- ParentImage:
- - '*\rpcnet.exe'
- - '*\rpcnetp.exe'
+ ParentImage|endswith:
+ - '\rpcnet.exe'
+ - '\rpcnetp.exe'
condition: (selection1 and selection2) and not filter
fields:
- CommandLine
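Review bot: Replacing `CommandLine: null` with `CommandLine|endswith: 'svchost.exe'` changes what `selection1` means: events whose command line is genuinely absent, which is the case the description at the top of the file is about, no longer match, and a quoted command line ending in `svchost.exe"` is not matched either. Keeping both forms as alternatives preserves the original intent: `selection1:` / `- CommandLine|endswith: 'svchost.exe'` / `- CommandLine: null`. The `ParentImage|endswith` conversion in `filter` is fine.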
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index dceac89d..128bb364 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -10,6 +10,7 @@ tags:
- attack.privilege_escalation
- attack.t1076
- car.2013-07-002
+ - attack.t1021.001
author: Florian Roth
date: 2018/03/17
modified: 2018/12/11
diff --git a/rules/windows/process_creation/win_susp_use_of_csharp_console.yml b/rules/windows/process_creation/win_susp_use_of_csharp_console.yml
new file mode 100644
index 00000000..906cec3e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_csharp_console.yml
@@ -0,0 +1,23 @@
+title: Suspicious Use of CSharp Interactive Console
+id: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
+status: experimental
+description: Detects the execution of CSharp interactive console by PowerShell
+references:
+ - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
+author: Michael R. (@nahamike01)
+date: 2020/03/08
+tags:
+ - attack.execution
+ - attack.t1127
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\csi.exe'
+ ParentImage|endswith: '\powershell.exe'
+ OriginalFileName: 'csi.exe'
+ condition: selection
+falsepositives:
+ - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
+level: high
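Review bot: `selection` requires `Image|endswith: '\csi.exe'` and `OriginalFileName: 'csi.exe'` together, so the `OriginalFileName` check adds no coverage — a renamed binary already fails the `Image` test. The `binary_1`/`binary_2` plus `1 of binary_*` pattern used in `win_susp_fsutil_usage.yml` in this same commit expresses the intended either/or; applying it here lets the rule also catch a renamed `csi.exe` launched from PowerShell.
```yaml
detection:
  binary_1:
    Image|endswith: '\csi.exe'
  binary_2:
    OriginalFileName: 'csi.exe'
  parent:
    ParentImage|endswith: '\powershell.exe'
  condition: (1 of binary_*) and parent
```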
diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml
index 8989f412..c2c429b7 100644
--- a/rules/windows/process_creation/win_sysmon_driver_unload.yml
+++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml
@@ -17,7 +17,8 @@ detection:
- 'unload'
- 'sys'
condition: selection
-falsepositives: Unknown
+falsepositives:
+ - Unknown
level: high
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 4cebbe25..809970e8 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -29,10 +29,18 @@ detection:
- '*\lsm.exe'
- '*\winlogon.exe'
- '*\explorer.exe'
- - '*\taskhost.exe'
+ - '*\taskhost.exe'
+ - '*\Taskmgr.exe'
+ - '*\sihost.exe'
+ - '*\RuntimeBroker.exe'
+ - '*\smartscreen.exe'
+ - '*\dllhost.exe'
+ - '*\audiodg.exe'
+ - '*\wlanext.exe'
filter:
Image:
- 'C:\Windows\System32\\*'
+ - 'C:\Windows\system32\\*'
- 'C:\Windows\SysWow64\\*'
- 'C:\Windows\SysWOW64\\*'
- 'C:\Windows\explorer.exe'
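Review bot: The added `'C:\Windows\system32\\*'` differs from the existing `'C:\Windows\System32\\*'` only by case, which is a no-op on backends that match case-insensitively and suggests some target backend is case-sensitive; a one-line comment on the filter such as `# case variants kept for case-sensitive backends` would explain the duplication (the same applies to the SysWow64/SysWOW64 pair). If case sensitivity is the concern, the newly listed mixed-case names `Taskmgr.exe` and `RuntimeBroker.exe` in the selection would need the same treatment. The enclosing `detection` block starts outside this hunk.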
diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml
index 988342f7..e7844c4f 100644
--- a/rules/windows/process_creation/win_task_folder_evasion.yml
+++ b/rules/windows/process_creation/win_task_folder_evasion.yml
@@ -1,36 +1,36 @@
-title: Tasks Folder Evasion
-id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
-status: experimental
-description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-references:
- - https://twitter.com/subTee/status/1216465628946563073
- - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
-date: 2020/13/01
-author: Sreeman
-tags:
- - attack.t1064
- - attack.t1211
- - attack.t1059
- - attack.defense_evasion
- - attack.persistence
-logsource:
- product: Windows
-detection:
- selection1:
- CommandLine|contains:
- - 'echo '
- - 'copy '
- - 'type '
- - 'file createnew'
- selection2:
- CommandLine|contains:
- - ' C:\Windows\System32\Tasks\'
- - ' C:\Windows\SysWow64\Tasks\'
- condition: selection1 and selection2
-fields:
- - CommandLine
- - ParentProcess
- - CommandLine
-falsepositives:
- - Unknown
-level: high
+title: Tasks Folder Evasion
+id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
+status: experimental
+description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
+references:
+ - https://twitter.com/subTee/status/1216465628946563073
+ - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
+date: 2020/01/13
+author: Sreeman
+tags:
+ - attack.t1064
+ - attack.t1211
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1059.005
+logsource:
+ product: Windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - 'echo '
+ - 'copy '
+ - 'type '
+ - 'file createnew'
+ selection2:
+ CommandLine|contains:
+ - ' C:\Windows\System32\Tasks\'
+ - ' C:\Windows\SysWow64\Tasks\'
+ condition: selection1 and selection2
+fields:
+ - CommandLine
+ - ParentProcess
+falsepositives:
+ - Unknown
+level: high
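Review bot: Every line of this file is rewritten, yet `logsource` still carries `product: Windows` (capitalised, unlike `product: windows` in every other rule in this commit) and lacks `category: process_creation`, even though the rule lives in `process_creation/` and matches on `CommandLine`; without the category, backends may not apply the process-creation field mappings. Change it to `logsource:` / `category: process_creation` / `product: windows`. The date correction and the removal of the duplicate `CommandLine` field look right.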
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
index b10c9195..1c234bfe 100644
--- a/rules/windows/process_creation/win_uac_cmstp.yml
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
@@ -13,13 +13,15 @@ tags:
- attack.execution
- attack.t1191
- attack.t1088
+ - attack.t1548.002
+ - attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cmstp.exe'
- CommandLine|contains:
+ CommandLine|contains:
- '/s'
- '/au'
condition: selection
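Review bot: The new `attack.t1218` tag stays at parent-technique level while the neighbouring hunks in this diff (fodhelper, wsreset, cmstp UAC) move to sub-techniques such as `attack.t1548.002`. CMSTP has its own ATT&CK sub-technique, so `- attack.t1218.003` would be the consistent choice here, possibly kept alongside the parent tag if the repository convention is to list both. The `CommandLine|contains:` indentation fix on the same hunk is fine as-is.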
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
index d3ce1690..31f1181d 100644
--- a/rules/windows/process_creation/win_uac_fodhelper.yml
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
@@ -11,6 +11,7 @@ references:
tags:
- attack.privilege_escalation
- attack.t1088
+ - attack.t1548.002
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml
index 1296b8e4..ff41e342 100644
--- a/rules/windows/process_creation/win_uac_wsreset.yml
+++ b/rules/windows/process_creation/win_uac_wsreset.yml
@@ -10,6 +10,7 @@ references:
tags:
- attack.privilege_escalation
- attack.t1088
+ - attack.t1548.002
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index fc41f0f5..1437d0a6 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -10,6 +10,7 @@ tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1100
+ - attack.t1505.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml
new file mode 100644
index 00000000..4cfba51d
--- /dev/null
+++ b/rules/windows/process_creation/win_webshell_recon_detection.yml
@@ -0,0 +1,40 @@
+title: Webshell Recon Detection Via CommandLine & Processes
+id: f64e5c19-879c-4bae-b471-6d84c8339677
+status: experimental
+description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
+author: Cian Heasley
+reference:
+ - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
+date: 2020/07/22
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1100
+ - attack.t1505.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|contains:
+ - '*\apache*'
+ - '*\tomcat*'
+ - '*\w3wp.exe'
+ - '*\php-cgi.exe'
+ - '*\nginx.exe'
+ - '*\httpd.exe'
+ Image|endswith:
+ - '*\cmd.exe'
+ CommandLine|contains:
+ - '*perl --help*'
+ - '*python --help*'
+ - '*wget --help*'
+ - '*perl -h*'
+ condition: selection
+fields:
+ - Image
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - unknown
+level: high
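Review bot: The metadata key on the sixth line is `reference:`, whereas every other rule in this diff (and the Sigma schema) uses `references:`, so the URL would be dropped by tooling that reads the standard key; change it to `references:`. The detection also mixes modifiers with wildcards: `Image|endswith: - '*\cmd.exe'` and the `CommandLine|contains` / `ParentImage|contains` lists all carry leading/trailing `*`, which the modifier already implies, so plain values such as `'\cmd.exe'` and `'perl --help'` read more clearly and avoid backend-specific wildcard handling. Minor: `falsepositives: - unknown` is lowercase while the sibling rules write `Unknown`.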
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index b287f94a..3d5888fe 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -4,6 +4,7 @@ status: experimental
description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
author: Thomas Patzke
date: 2019/01/16
+modified: 2020/03/25
logsource:
category: process_creation
product: windows
@@ -14,11 +15,13 @@ detection:
- '*\httpd.exe'
- '*\nginx.exe'
- '*\php-cgi.exe'
+ - '*\tomcat.exe'
Image:
- '*\cmd.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\powershell.exe'
+ - '*\bitsadmin.exe'
condition: selection
fields:
- CommandLine
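Review bot: The added `'*\tomcat.exe'` pattern may rarely fire, because Tomcat on Windows is usually run either under `java.exe` or via a versioned service wrapper (`tomcat9.exe` and similar), so a pattern like `'*\tomcat*.exe'` would likely be closer to the intent; please verify against the environment the rule was tested on. Adding `'*\bitsadmin.exe'` to the child list also widens the rule beyond what the unchanged title/description ("spawn shell processes") says, so the description in the earlier hunk of this file should mention download utilities as well, e.g. `Web servers that spawn shell processes or download utilities could be the result of a successfully placed web shell or an other attack`.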
@@ -27,6 +30,7 @@ tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1100
+ - attack.t1505.003
falsepositives:
- Particular web applications may spawn a shell process legitimately
level: high
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 60534f54..312fb4cd 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -11,7 +11,7 @@ logsource:
product: windows
detection:
selection:
- Image: schtasks.exe
+ Image|endswith: '\schtasks.exe'
CommandLine: '*/change*/TN*/RU*/RP*'
condition: selection
falsepositives:
@@ -21,4 +21,5 @@ tags:
- attack.execution
- attack.t1053
- car.2013-08-001
+ - attack.t1053.005
level: high
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index 0d5761e9..b5fa97cb 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -13,8 +13,9 @@ logsource:
tags:
- attack.persistence
- attack.t1084
+ - attack.t1546.003
detection:
- selection:
+ selection:
ParentImage: '*\EdgeTransport.exe'
condition: selection
falsepositives:
diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
index abe55079..91a69ec6 100644
--- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
@@ -11,6 +11,7 @@ tags:
- attack.execution
- attack.defense_evasion
- attack.t1064
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
index a292011c..fcabfdb7 100644
--- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -17,7 +17,8 @@ detection:
selection:
ParentImage|endswith: '\WmiPrvSe.exe'
filter:
- LogonId: '0x3e7'
+ - LogonId: '0x3e7' # LUID 999 for SYSTEM
+ - User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
condition: selection and not filter
falsepositives:
- Unknown
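Review bot: The new `User: 'NT AUTHORITY\SYSTEM'` fallback in the filter is locale-dependent: built-in account names are localized on non-English Windows (the authority and sometimes the account part differ), so on such hosts the username branch would not suppress the same events the `LogonId` branch does. Worth stating in the inline comment, e.g. `# fallback when LogonId is missing; account name is localized on non-English systems`, or considering a `User|endswith: '\SYSTEM'` style match where the local naming allows it. The two inline comments also push those lines well past typical line-length limits; moving them to their own lines above the entries keeps yamllint quiet.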
diff --git a/rules/windows/process_creation/win_wsreset_uac_bypass.yml b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
index 02d0398e..61622933 100644
--- a/rules/windows/process_creation/win_wsreset_uac_bypass.yml
+++ b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
@@ -1,7 +1,7 @@
title: Wsreset UAC Bypass
id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
status: experimental
-description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
+description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
references:
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
- https://www.activecyber.us/activelabs/windows-uac-bypass
@@ -12,6 +12,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1088
+ - attack.t1548.002
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/registry_event/sysmon_apt_leviathan.yml b/rules/windows/registry_event/sysmon_apt_leviathan.yml
new file mode 100644
index 00000000..41274051
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_apt_leviathan.yml
@@ -0,0 +1,19 @@
+title: Leviathan Registry Key Activity
+id: 70d43542-cd2d-483c-8f30-f16b436fd7db
+status: experimental
+description: Detects registry key used by Leviathan APT in Malaysian focused campaign
+references:
+ - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
+tags:
+ - attack.persistence
+ - attack.t1060
+author: Aidan Bracher
+date: 2020/07/07
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
+ condition: selection
+level: critical
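Review bot: The `TargetObject: 'HKEY_CURRENT_USER\Software\...\Run\ntkd'` match is unlikely to ever hit on Sysmon data, because Sysmon reports user-hive paths as `HKU\<SID>\...` (the other registry rules in this diff use `HKU\\*` and `HKLM\` for the same reason), not with the `HKEY_CURRENT_USER` alias. A hive-independent form such as `TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'` would cover both the user and machine Run keys. The rule also has no `falsepositives` entry, which the sibling new rules provide, and its `attack.t1060` tag could be paired with the sub-technique tag `attack.t1547.001` to match the tag modernisation done elsewhere in this commit.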
diff --git a/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
old mode 100644
new mode 100755
similarity index 58%
rename from rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml
rename to rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
index a4af84cf..e9500d79
--- a/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml
+++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
@@ -9,19 +9,26 @@ tags:
author: megan201296
date: 2019/04/14
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
- selection:
- EventID: 13
+ selection:
TargetObject:
- - '*\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ - 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ - 'HKU\\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ # covers HKU\* and HKLM..
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
+ # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
+ - 'HKU\\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*'
+ # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
+ - 'HKU\\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\\*'
+ # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
+ - 'HKU\\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*'
condition: selection
falsepositives:
- Unknown
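Review bot: The file header changes this rule from `old mode 100644` to `new mode 100755`, and the same executable bit is set on most of the renamed rules below (asep_reg_keys_modification, dhcp_calloutdll, disable_security_events_logging..., dns_serverlevelplugindll, narrator_feedback_persistance, both appcertdlls/appinit rules, possible_privilege_escalation..., rdp_registry_modification, rdp_settings_hijack, registry_persistence_key_linking, ssp_added_lsa_config, stickykey_like_backdoor) as well as on the new files sysmon_cmstp_execution.yml, sysmon_hack_wce_reg.yml, sysmon_registry_persistence_search_order.yml and sysmon_registry_trust_record_modification.yml. YAML rule files are data and should stay 0644; this looks like an artefact of the move rather than an intended change. In this hunk the `# covers HKU\* and HKLM..` comment sits between list items, so placing it directly above the first `*\SOFTWARE\App\...` entry at the same indent would make clearer which entries it refers to.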
diff --git a/rules/windows/sysmon/sysmon_apt_pandemic.yml b/rules/windows/registry_event/sysmon_apt_pandemic.yml
similarity index 65%
rename from rules/windows/sysmon/sysmon_apt_pandemic.yml
rename to rules/windows/registry_event/sysmon_apt_pandemic.yml
index 69e393e8..f53bf33c 100755
--- a/rules/windows/sysmon/sysmon_apt_pandemic.yml
+++ b/rules/windows/registry_event/sysmon_apt_pandemic.yml
@@ -11,8 +11,6 @@ tags:
- attack.t1105
author: Florian Roth
date: 2017/06/01
-detection:
- condition: 1 of them
fields:
- EventID
- CommandLine
@@ -25,19 +23,17 @@ falsepositives:
level: critical
---
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
- selection1:
- EventID: 13
- TargetObject:
- - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
- - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
- - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
+ selection1:
+ TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
+ condition: 1 of them
---
logsource:
category: process_creation
product: windows
detection:
selection2:
- Command: 'loaddll -a *'
+ CommandLine|contains: 'loaddll -a '
+ condition: 1 of them
diff --git a/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
old mode 100644
new mode 100755
similarity index 97%
rename from rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml
rename to rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index 09e94d15..94b91d64
--- a/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -11,11 +11,10 @@ date: 2019/10/21
modified: 2019/11/10
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 13
TargetObject|contains:
- '\software\Microsoft\Windows\CurrentVersion\Run'
- '\software\Microsoft\Windows\CurrentVersion\RunOnce'
diff --git a/rules/windows/registry_event/sysmon_cmstp_execution.yml b/rules/windows/registry_event/sysmon_cmstp_execution.yml
new file mode 100755
index 00000000..daf6faa1
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_cmstp_execution.yml
@@ -0,0 +1,47 @@
+action: global
+title: CMSTP Execution
+id: 9d26fede-b526-4413-b069-6e24b6d07167
+status: stable
+description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1191
+ - attack.g0069
+ - car.2019-04-001
+author: Nik Seetharaman
+date: 2018/07/16
+references:
+ - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate CMSTP use (unlikely in modern enterprise environments)
+level: high
+---
+logsource:
+ category: process_creation,registry_event
+ product: windows
+detection:
+ # Registry Object Add
+ selection2:
+ TargetObject: '*\cmmgr32.exe*'
+ EventType: 'CreateKey'
+ # Registry Object Value Set
+ selection3:
+ TargetObject: '*\cmmgr32.exe*'
+ # Process Access Call Trace
+ selection4:
+ CallTrace: '*cmlua.dll*'
+ condition: 1 of them
+---
+detection:
+ # CMSTP Spawning Child Process
+ selection1:
+ ParentImage: '*\cmstp.exe'
+ condition: 1 of them
+logsource:
+ category: process_creation
+ product: windows
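Review bot: The second document's `category: process_creation,registry_event` is not a valid single logsource value; as far as I know sigmac matches category strings exactly, so this document would not be mapped to either category's index/field configuration. The selections also span three different event sources: `selection2`/`selection3` are registry events, while `CallTrace` in `selection4` is a process-access field (Sysmon event 10), which belongs under `category: process_access`. `selection2` is additionally redundant under `condition: 1 of them`, because `selection3` matches the same `TargetObject` without the `EventType` constraint. I would split the middle document into one registry_event and one process_access document, keeping the final process_creation document as it is.
```yaml
---
logsource:
  category: registry_event
  product: windows
detection:
  # Registry key/value activity for cmmgr32.exe (covers CreateKey as well)
  selection3:
    TargetObject: '*\cmmgr32.exe*'
  condition: 1 of them
---
logsource:
  category: process_access
  product: windows
detection:
  # Process Access Call Trace
  selection4:
    CallTrace: '*cmlua.dll*'
  condition: 1 of them
# … unchanged: process_creation document with selection1 (ParentImage cmstp.exe) …
```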
diff --git a/rules/windows/registry_event/sysmon_cve-2020-1048.yml b/rules/windows/registry_event/sysmon_cve-2020-1048.yml
new file mode 100644
index 00000000..59f79bc3
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_cve-2020-1048.yml
@@ -0,0 +1,32 @@
+title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
+id: 7ec912f2-5175-4868-b811-ec13ad0f8567
+status: experimental
+description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
+author: EagleEye Team, Florian Roth, NVISO
+date: 2020/05/13
+modified: 2020/05/26
+references:
+ - https://windows-internals.com/printdemon-cve-2020-1048/
+tags:
+ - attack.persistence
+ - attack.execution
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
+ EventType:
+ - SetValue
+ - DeleteValue
+ - CreateValue
+ Details|contains:
+ - '.dll'
+ - '.exe'
+ - '.bat'
+ - '.com'
+ - 'C:'
+ condition: selection
+falsepositives:
+ - New printer port install on host
+level: high
\ No newline at end of file
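Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), as do the other new rules sysmon_etw_disabled.yml, sysmon_hack_wce_reg.yml, sysmon_logon_scripts_userinitmprlogonscript_reg.yml and sysmon_reg_office_security.yml, and the re-added last line of sysmon_dns_serverlevelplugindll.yml. Adding the final newline keeps yamllint's `new-line-at-end-of-file` check and future diffs clean. The detection content itself reads fine.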
diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
old mode 100644
new mode 100755
similarity index 95%
rename from rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
rename to rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
index 3432e7c2..e568b4d0
--- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
@@ -14,11 +14,11 @@ tags:
- attack.t1073
- attack.t1112
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 13
+
TargetObject:
- '*\Services\DHCPServer\Parameters\CalloutDlls'
- '*\Services\DHCPServer\Parameters\CalloutEnabled'
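Review bot: Removing `EventID: 13` left a bare `+` line (possibly with trailing whitespace) inside the `selection:` mapping, right before `TargetObject:`, so the selection now contains an empty line between the key and its first entry. The same stray line appears in sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml below. Both should simply be deleted rather than replaced with an empty line.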
diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
old mode 100644
new mode 100755
similarity index 64%
rename from rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
rename to rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index aee409cd..ae54ffc7
--- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -7,20 +7,20 @@ references:
tags:
- attack.defense_evasion
- attack.t1089
+ - attack.t1562.001
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2019/11/13
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- - EventID: 12 # key create
- TargetObject|contains: '\SYSTEM\'
- TargetObject|endswith: '\Control\MiniNt'
- - EventID: 14 # key rename
- NewName|contains: '\SYSTEM\'
- NewName|endswith: '\Control\MiniNt'
+ - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
+ TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
+ EventType: 'CreateKey' # we don't want deletekey
+ - # key rename
+ NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: selection
fields:
- EventID
diff --git a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
old mode 100644
new mode 100755
similarity index 93%
rename from rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
rename to rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
index 7abb9ced..c1610b60
--- a/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
@@ -11,8 +11,6 @@ author: Florian Roth
tags:
- attack.defense_evasion
- attack.t1073
-detection:
- condition: 1 of them
fields:
- EventID
- CommandLine
@@ -26,15 +24,16 @@ level: high
---
logsource:
product: windows
- service: sysmon
+ category: registry_event
detection:
- dnsregmod:
- EventID: 13
+ dnsregmod:
TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
+ condition: 1 of them
---
logsource:
category: process_creation
product: windows
detection:
dnsadmin:
- CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'
\ No newline at end of file
+ CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'
+ condition: 1 of them
\ No newline at end of file
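Review bot: The re-added `CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'` is a startswith match in Sigma semantics (no leading wildcard), so an invocation with a full path such as `C:\Windows\System32\dnscmd.exe ...` would not match. Given that this commit already moves the pandemic rule in the same directory to `CommandLine|contains`, `CommandLine|contains: 'dnscmd.exe /config /serverlevelplugindll'` would be the consistent and more robust form. The file also still lacks a trailing newline after the change.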
diff --git a/rules/windows/registry_event/sysmon_etw_disabled.yml b/rules/windows/registry_event/sysmon_etw_disabled.yml
new file mode 100644
index 00000000..03e3bbd4
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_etw_disabled.yml
@@ -0,0 +1,30 @@
+title: COMPlus_ETWEnabled Registry Modification
+id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
+status: experimental
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+references:
+ - https://twitter.com/_xpn_/status/1268712093928378368
+ - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+ - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+ - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+ - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+ - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+ - https://bunnyinside.com/?term=f71e8cb9c76a
+ - http://managed670.rssing.com/chan-5590147/all_p1.html
+ - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/05
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
+ Details: 'DWORD (0x00000000)'
+ condition: selection
+falsepositives:
+ - unknown
+level: critical
\ No newline at end of file
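Review bot: The `TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'` match would not see the 32-bit registry view, whose path contains `SOFTWARE\Wow6432Node\Microsoft\.NETFramework\...` and therefore does not end with the given suffix; I believe the CLR honours that key as well on 64-bit hosts, so `TargetObject|endswith: '\Microsoft\.NETFramework\ETWEnabled'` would cover both views (and the user hive). Please confirm against a test system before widening. `level: critical` combined with `status: experimental` and `falsepositives: - unknown` is also unusually strong for a first version.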
diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
new file mode 100755
index 00000000..81c19231
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
@@ -0,0 +1,21 @@
+title: Windows Credential Editor Registry
+id: a6b33c02-8305-488f-8585-03cb2a7763f2
+description: Detects the use of Windows Credential Editor (WCE)
+author: Florian Roth
+references:
+ - https://www.ampliasecurity.com/research/windows-credentials-editor/
+date: 2019/12/31
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.s0005
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: Services\WCESERVICE\Start
+ condition: selection
+falsepositives:
+ - 'Another service that uses a single -s command line switch'
+level: critical
\ No newline at end of file
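Review bot: The `falsepositives` entry `'Another service that uses a single -s command line switch'` describes a command-line condition, but this rule only looks at `TargetObject|contains: Services\WCESERVICE\Start`; the text looks copied from the process_creation counterpart and should describe the registry case, e.g. `- Legitimate software that registers a service named WCESERVICE (unlikely)`. The rule also lacks a `status:` field that the other new rules carry, and the unquoted `Services\WCESERVICE\Start` is the only unquoted registry path in this diff — quoting it keeps the style uniform.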
diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
new file mode 100644
index 00000000..35024372
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
@@ -0,0 +1,25 @@
+title: Logon Scripts (UserInitMprLogonScript) Registry
+id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
+status: experimental
+description: Detects creation or execution of UserInitMprLogonScript persistence method
+references:
+ - https://attack.mitre.org/techniques/T1037/
+tags:
+ - attack.t1037
+ - attack.t1037.001
+ - attack.persistence
+ - attack.lateral_movement
+author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
+modified: 2020/07/01
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ create_keywords_reg:
+ TargetObject: '*UserInitMprLogonScript*'
+ condition: create_keywords_reg
+falsepositives:
+ - exclude legitimate logon scripts
+ - penetration tests, red teaming
+level: high
\ No newline at end of file
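Review bot: The description "Detects creation or execution of UserInitMprLogonScript persistence method" overstates what a `registry_event`-only logsource can see; only the registry write is observable here, so something like `Detects creation or modification of the UserInitMprLogonScript registry value used for logon-script persistence` would be accurate. The `TargetObject: '*UserInitMprLogonScript*'` pattern is the contains idiom spelled with wildcards; `TargetObject|contains: 'UserInitMprLogonScript'` matches how the other rules in this directory express it.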
diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
old mode 100644
new mode 100755
similarity index 92%
rename from rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
rename to rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
index 44389267..f7a0c353
--- a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
+++ b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
@@ -11,15 +11,13 @@ status: experimental
date: 2019/10/25
modified: 2019/11/10
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection1:
- EventID: 12
EventType: DeleteValue
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
selection2:
- EventID: 13
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
condition: 1 of them
falsepositives:
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
old mode 100644
new mode 100755
similarity index 71%
rename from rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
rename to rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index 62012fad..00ff3e06
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -13,18 +13,14 @@ author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2019/11/13
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- - EventID:
- - 12 # key create
- - 13 # value set
- TargetObject|contains: '\SYSTEM\'
- TargetObject|endswith: '\Control\Session Manager\AppCertDlls'
- - EventID: 14 # key rename
- NewName|contains: '\SYSTEM\'
- NewName|endswith: '\Control\Session Manager\AppCertDlls'
+ - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
+ TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
+ - # key rename
+ NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
condition: selection
fields:
- EventID
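Review bot: The rename branch has a typo: `NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'` is missing an `r` in `CurrentControlSet`, so key renames would never match this exact-value pattern. It should read `NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'`, matching the `TargetObject` entry two lines above.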
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
old mode 100644
new mode 100755
similarity index 61%
rename from rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
rename to rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index cf4805a7..58aa613d
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -12,18 +12,17 @@ author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2019/11/13
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- - EventID:
- - 12 # key create
- - 13 # value set
- TargetObject|contains: '\SOFTWARE\'
- TargetObject|endswith: '\Windows\AppInit_Dlls'
- - EventID: 14 # key rename
- NewName|contains: '\SOFTWARE\'
- NewName|endswith: '\Windows\AppInit_Dlls'
+ - TargetObject:
+ - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - # key rename
+ NewName:
+ - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
condition: selection
fields:
- EventID
diff --git a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
old mode 100644
new mode 100755
similarity index 96%
rename from rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
rename to rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
index 6251dd07..a465568c
--- a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
+++ b/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
@@ -13,10 +13,10 @@ date: 2019/10/26
modified: 2019/11/11
logsource:
product: windows
- service: sysmon
+ category: registry_event
detection:
selection:
- EventID: 13
+
IntegrityLevel: 'Medium'
TargetObject|contains: '\services\'
TargetObject|endswith:
diff --git a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
old mode 100644
new mode 100755
similarity index 96%
rename from rules/windows/sysmon/sysmon_rdp_registry_modification.yml
rename to rules/windows/registry_event/sysmon_rdp_registry_modification.yml
index 5e6c02ee..3fe7d6cd
--- a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml
+++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
@@ -11,11 +11,10 @@ tags:
- attack.defense_evasion
- attack.t1112
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 13
TargetObject|endswith:
- '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
- '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
diff --git a/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
old mode 100644
new mode 100755
similarity index 94%
rename from rules/windows/sysmon/sysmon_rdp_settings_hijack.yml
rename to rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
index 4d8f534c..48e48f6d
--- a/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml
+++ b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
@@ -6,11 +6,10 @@ references:
date: 2019/04/03
author: Samir Bousseaden
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection_reg:
- EventID: 13
TargetObject:
- '*\services\TermService\Parameters\ServiceDll*'
- '*\Control\Terminal Server\fSingleSessionPerUser*'
diff --git a/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml
new file mode 100644
index 00000000..e1a83679
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml
@@ -0,0 +1,20 @@
+title: RedMimicry Winnti Playbook Registry Manipulation
+id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml
new file mode 100644
index 00000000..8e538be8
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_reg_office_security.yml
@@ -0,0 +1,29 @@
+title: Office Security Settings Changed
+id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+status: experimental
+description: Detects registry changes to Office macro settings
+author: Trent Liffick (@tliffick)
+date: 2020/05/22
+modified: 2020/07/01
+references:
+ - Internal Research
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ sec_settings:
+ TargetObject|endswith:
+ - '*\Security\Trusted Documents\TrustRecords'
+ - '*\Security\AccessVBOM'
+ - '*\Security\VBAWarnings'
+ EventType:
+ - SetValue
+ - DeleteValue
+ - CreateValue
+ condition: sec_settings
+falsepositives:
+ - Valid Macros and/or internal documents
+level: high
\ No newline at end of file
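Review bot: The `TargetObject|endswith: - '*\Security\Trusted Documents\TrustRecords'` entry only matches the key itself; I believe per-document trust entries are written as values beneath `...\TrustRecords`, with the document path as the value name, so the value-set events this rule is after would have a `TargetObject` ending in that path rather than in `\TrustRecords` (the `TargetObject|contains: 'TrustRecords'` match in sysmon_registry_trust_record_modification.yml on this page is consistent with that). Either a `|contains`-based selection for the TrustRecords case or a separate selection with `TargetObject|contains: '\Security\Trusted Documents\TrustRecords'` would close that gap. The leading `*` on all three `endswith` values is redundant with the modifier and can be dropped.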
diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
old mode 100644
new mode 100755
similarity index 78%
rename from rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
rename to rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
index 3ee5decf..2e2abe6b
--- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
@@ -11,14 +11,12 @@ tags:
- attack.persistence
- attack.t1122
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 12
- TargetObject|startswith: 'HKU\'
- TargetObject|contains: '_Classes\CLSID\'
- TargetObject|endswith: '\TreatAs'
+ EventType: 'CreateKey' # don't want DeleteKey events
+ TargetObject: 'HKU\\*_Classes\CLSID\\*\TreatAs'
condition: selection
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compability
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
new file mode 100755
index 00000000..ecb01ec8
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -0,0 +1,28 @@
+title: Windows Registry Persistence COM Search Order Hijacking
+id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
+status: experimental
+description: Detects potential COM object hijacking leveraging the COM Search Order
+references:
+ - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
+author: Maxime Thiebaut (@0xThiebaut)
+date: 2020/04/14
+tags:
+ - attack.persistence
+ - attack.t1038
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection: # Detect new COM servers in the user hive
+ TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'
+ filter:
+ Details: # Exclude privileged directories and observed FPs
+ - '%%systemroot%%\system32\\*'
+ - '%%systemroot%%\SysWow64\\*'
+ - '*\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll'
+ - '*\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll'
+ - '*\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll'
+ condition: selection and not filter
+falsepositives:
+ - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
+level: medium
diff --git a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
new file mode 100755
index 00000000..3771c3b0
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
@@ -0,0 +1,23 @@
+title: Windows Registry Trust Record Modification
+id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
+status: experimental
+description: Alerts on trust record modification within the registry, indicating usage of macros
+references:
+ - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
+ - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
+author: Antonlovesdnb
+date: 2020/02/19
+modified: 2020/02/19
+tags:
+ - attack.initial_access
+ - attack.t1193
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'TrustRecords'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: medium
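Review bot: `TargetObject|contains: 'TrustRecords'` with no `EventType` constraint alerts on every registry event whose path merely contains that token, including deletions and renames, since the `registry_event` category evidently covers more than set-value events (another rule in this change adds `EventType: 'CreateKey' # don't want DeleteKey events` for exactly that reason). Anchor the path and restrict to value writes, presumably `TargetObject|contains: '\Security\Trusted Documents\TrustRecords'` plus `EventType: 'SetValue'` — confirm the exact key path against the two references before committing to it. `modified: 2020/02/19` duplicates `date` on a new rule and can be dropped.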
diff --git a/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
old mode 100644
new mode 100755
similarity index 96%
rename from rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
rename to rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
index b98841db..60547d1c
--- a/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
+++ b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
@@ -11,11 +11,10 @@ tags:
author: iwillkeepwatch
date: 2019/01/18
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection_registry:
- EventID: 13
TargetObject:
- 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages'
- 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages'
diff --git a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
old mode 100644
new mode 100755
similarity index 94%
rename from rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
rename to rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
index 23ac4ef0..d769ef85
--- a/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
@@ -12,19 +12,16 @@ tags:
- car.2014-11-003
- car.2014-11-008
author: Florian Roth, @twjackomo
-date: 2018/03/15
-detection:
- condition: 1 of them
+date: 2018/03/15
falsepositives:
- Unlikely
level: critical
---
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
- selection_registry:
- EventID: 13
+ selection_registry:
TargetObject:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
@@ -33,6 +30,7 @@ detection:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
EventType: 'SetValue'
+ condition: 1 of them
---
logsource:
category: process_creation
@@ -48,3 +46,4 @@ detection:
- '*cmd.exe Magnify.exe *'
- '*cmd.exe Narrator.exe *'
- '*cmd.exe DisplaySwitch.exe *'
+ condition: 1 of them
diff --git a/rules/windows/sysmon/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
old mode 100644
new mode 100755
similarity index 94%
rename from rules/windows/sysmon/sysmon_susp_download_run_key.yml
rename to rules/windows/registry_event/sysmon_susp_download_run_key.yml
index 5f1bad94..7f18d8c8
--- a/rules/windows/sysmon/sysmon_susp_download_run_key.yml
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -10,11 +10,10 @@ tags:
- attack.persistence
- attack.t1060
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 13
Image:
- '*\Downloads\\*'
- '*\Temporary Internet Files\Content.Outlook\\*'
@@ -23,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Software installers downloaded and used by users
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
similarity index 87%
rename from rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
rename to rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
index 78cf4bf7..b9358ced 100644
--- a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
@@ -4,24 +4,23 @@ status: experimental
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
author: Florian Roth
date: 2019/10/16
+modified: 2020/07/01
references:
- https://blog.xpnsec.com/exploring-mimikatz-part-1/
- https://twitter.com/SBousseaden/status/1183745981189427200
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID:
- - 12
- - 13
- TargetObject:
+ TargetObject:
- '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
- '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
condition: selection
tags:
- attack.execution
- attack.t1177
+ - attack.t1547.008
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
new file mode 100644
index 00000000..66d0e60a
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
@@ -0,0 +1,34 @@
+title: Suspicious Camera and Microphone Access
+id: 62120148-6b7a-42be-8b91-271c04e281a3
+description: Detects Processes accessing the camera and microphone from suspicious folder
+author: Den Iuzvyk
+date: 2020/06/07
+reference:
+ - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+tags:
+ - attack.collection
+ - attack.t1125
+ - attack.t1123
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_1:
+ TargetObject|contains:
+ - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
+ selection_2:
+ TargetObject|contains:
+ - microphone
+ - webcam
+ selection_3:
+ TargetObject|contains:
+ - '#C:#Windows#Temp#'
+ - '#C:#$Recycle.bin#'
+ - '#C:#Temp#'
+ - '#C:#Users#Public#'
+ - '#C:#Users#Default#'
+ - '#C:#Users#Desktop#'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
+level: high
\ No newline at end of file
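Review bot: The new rule uses `reference:` where every sibling rule in this change uses `references:` (e.g. the COM search-order and trust-record rules), so the reference list will not be picked up by tooling that validates the schema; rename it to `references:`. The rule also omits `status:`, which the other new rules set to `experimental`. `'#C:#Users#Desktop#'` in `selection_3` does not correspond to a real profile path (user desktops live under `C:\Users\<name>\Desktop`), so that entry is probably meant to be `'#Desktop#'` — worth confirming against the key format shown in the referenced post. The wildcard inside `TargetObject|contains: \Software\...\ConsentStore\\*\NonPackaged` relies on backends honouring `*` within a `contains` value; if that is not guaranteed, split it into two `contains` terms.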
diff --git a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
old mode 100644
new mode 100755
similarity index 89%
rename from rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml
rename to rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index cc2d5fed..36bb3fca
--- a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -1,17 +1,16 @@
title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: experimental
-description: Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder
+description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
author: Florian Roth
date: 2018/07/18
references:
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 13
TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
Details:
- 'C:\Windows\Temp\\*'
@@ -32,4 +31,3 @@ fields:
falsepositives:
- Unknown
level: high
-
diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
new file mode 100755
index 00000000..68584e9c
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
@@ -0,0 +1,36 @@
+title: New RUN Key Pointing to Suspicious Folder
+id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
+status: experimental
+description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
+references:
+ - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
+author: Florian Roth, Markus Neis, Sander Wiebing
+tags:
+ - attack.persistence
+ - attack.t1060
+date: 2018/08/25
+modified: 2020/05/24
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject:
+ - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+ - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
+ Details:
+ - '*C:\Windows\Temp\\*'
+ - '*C:\$Recycle.bin\\*'
+ - '*C:\Temp\\*'
+ - '*C:\Users\Public\\*'
+ - '%Public%\\*'
+ - '*C:\Users\Default\\*'
+ - '*C:\Users\Desktop\\*'
+ - 'wscript*'
+ - 'cscript*'
+ condition: selection
+fields:
+ - Image
+falsepositives:
+ - Software using weird folders for updates
+level: high
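Review bot: The `Details` entries `'wscript*'` and `'cscript*'` are anchored at the start of the value, so a Run entry written as `"C:\Windows\System32\wscript.exe" //B payload.vbs` (full path, quoted or not) is missed even though that is the common form. Add path-based variants alongside them: `- '*\wscript.exe*'` and `- '*\cscript.exe*'`. `'*C:\Users\Desktop\\*'` matches a folder that does not normally exist (user desktops are `C:\Users\<name>\Desktop`); if the intent is any desktop folder, `'*\Desktop\\*'` is what matches, at the cost of more false positives. The `falsepositives` wording "weird folders" could be tightened to "non-standard installation or update folders".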
diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml
new file mode 100755
index 00000000..a2e1f24c
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml
@@ -0,0 +1,33 @@
+title: Suspicious Service Installed
+id: f2485272-a156-4773-82d7-1d178bc4905b
+description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
+status: experimental
+date: 2019/04/08
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
+references:
+ - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+tags:
+ - attack.t1089
+ - attack.t1562.001
+ - attack.defense_evasion
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_1:
+ TargetObject:
+ - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
+ - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
+ selection_2:
+ Image|contains:
+ - '*\procexp64.exe'
+ - '*\procexp.exe'
+ - '*\procmon64.exe'
+ - '*\procmon.exe'
+ selection_3:
+ Details|contains:
+ - '*\WINDOWS\system32\Drivers\PROCEXP152.SYS'
+ condition: selection_1 and not selection_2 and not selection_3
+falsepositives:
+ - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
+level: medium
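Review bot: `Image|contains: '*\procexp64.exe'` (and the other three entries, plus `Details|contains: '*\WINDOWS\system32\Drivers\PROCEXP152.SYS'`) combines a leading wildcard with the `contains` modifier, which already wraps the value in wildcards, so the filter also excludes e.g. `C:\tools\procexp.exe.bak` or any longer path that embeds the string. Use the anchored form instead: `Image|endswith:` with `- '\procexp64.exe'`, `- '\procexp.exe'`, `- '\procmon64.exe'`, `- '\procmon.exe'`, and `Details|endswith:` for the driver path. The `falsepositives` note only warns about renamed services; the `Image` exclusion is equally trivial to bypass by naming the loader `procexp.exe`, so that should be stated too (and "legimate" → "legitimate").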
diff --git a/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
old mode 100644
new mode 100755
similarity index 88%
rename from rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
rename to rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
index a12d8e22..125d927d
--- a/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
@@ -9,16 +9,15 @@ author: Florian Roth
date: 2019/10/12
modified: 2019/10/15
logsource:
+ category: registry_event
product: windows
- service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
selection_registry:
- EventID: 13
TargetObject:
- - '*\Keyboard Layout\Preload\*'
- - '*\Keyboard Layout\Substitutes\*'
- Details:
+ - '*\Keyboard Layout\Preload\\*'
+ - '*\Keyboard Layout\Substitutes\\*'
+ Details|contains:
- 00000429 # Persian (Iran)
- 00050429 # Persian (Iran)
- 0000042a # Vietnamese
@@ -26,3 +25,4 @@ detection:
falsepositives:
- "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
level: medium
+
diff --git a/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
old mode 100644
new mode 100755
similarity index 87%
rename from rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
rename to rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
index 9b601372..056d98d4
--- a/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
@@ -7,8 +7,6 @@ references:
- https://twitter.com/Moti_B/status/1008587936735035392
date: 2017/08/28
author: Markus Neis
-detection:
- condition: 1 of them
falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same Registry Key
@@ -16,15 +14,16 @@ level: low
---
logsource:
product: windows
- service: sysmon
+ category: registry_event
detection:
selection1:
- EventID: 13
TargetObject: '*\EulaAccepted'
+ condition: 1 of them
---
logsource:
category: process_creation
product: windows
detection:
selection2:
- CommandLine: '* -accepteula*'
\ No newline at end of file
+ CommandLine: '* -accepteula*'
+ condition: 1 of them
\ No newline at end of file
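Review bot: `CommandLine: '* -accepteula*'` in the process_creation document only matches the dash form; Sysinternals tools also accept the slash form, so `/accepteula` invocations slip past this part of the rule — add `- '* /accepteula*'` as a second value if that matches how the tools are used in your environment. The new file still ends without a trailing newline (`\ No newline at end of file` on the `+` side), which the other files in this change fix; add it here too.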
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
old mode 100644
new mode 100755
similarity index 75%
rename from rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
rename to rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
index 02b5ffab..6eef0088
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
@@ -1,3 +1,4 @@
+action: global
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: experimental
@@ -7,22 +8,6 @@ references:
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth
date: 2017/03/19
-logsource:
- product: windows
- service: sysmon
-detection:
- methregistry:
- EventID: 13
- TargetObject: 'HKEY_USERS\\*\mscfile\shell\open\command'
- methprocess:
- EventID: 1 # Migration to process_creation requires multipart YAML
- ParentImage: '*\eventvwr.exe'
- filterprocess:
- Image: '*\mmc.exe'
- condition: methregistry or ( methprocess and not filterprocess )
-fields:
- - CommandLine
- - ParentCommandLine
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -31,3 +16,24 @@ tags:
falsepositives:
- unknown
level: critical
+---
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ methregistry:
+ TargetObject: 'HKU\\*\mscfile\shell\open\command'
+ condition: methregistry
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ methprocess:
+ ParentImage: '*\eventvwr.exe'
+ filterprocess:
+ Image: '*\mmc.exe'
+ condition: methprocess and not filterprocess
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
old mode 100644
new mode 100755
similarity index 76%
rename from rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
rename to rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
index 12b73f3a..2d3a025f
--- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
@@ -7,12 +7,12 @@ references:
author: Omer Yampel
date: 2017/03/17
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 13
- TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand'
+ # usrclass.dat is mounted on HKU\USERSID_Classes\...
+ TargetObject: 'HKU\\*_Classes\exefile\shell\runas\command\isolatedCommand'
condition: selection
tags:
- attack.defense_evasion
diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
old mode 100644
new mode 100755
similarity index 95%
rename from rules/windows/sysmon/sysmon_win_reg_persistence.yml
rename to rules/windows/registry_event/sysmon_win_reg_persistence.yml
index 06a18db8..9ca5a020
--- a/rules/windows/sysmon/sysmon_win_reg_persistence.yml
+++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
@@ -6,11 +6,10 @@ references:
date: 2018/04/11
author: Karneades
logsource:
+ category: registry_event
product: windows
- service: sysmon
detection:
selection_reg1:
- EventID: 13
TargetObject:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
diff --git a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
new file mode 100644
index 00000000..2a25beef
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
@@ -0,0 +1,29 @@
+title: Avusing Azure Browser SSO
+id: 50f852e6-af22-4c78-9ede-42ef36aa3453
+description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
+author: Den Iuzvyk
+reference:
+ - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+date: 2020/07/15
+logsource:
+ category: sysmon
+ product: windows
+status: experimental
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1073
+detection:
+ condition: selection_dll and not filter_legit
+ selection_dll:
+ EventID: 7
+ ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll
+ filter_legit:
+ Image|endswith:
+ - BackgroundTaskHost.exe
+ - devenv.exe
+ - iexplore.exe
+ - MicrosoftEdge.exe
+falsepositives:
+ - unknown
+level: high
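Review bot: `logsource: category: sysmon` is not the log source other Sysmon EventID 7 rules in this tree use — they declare `product: windows` with `service: sysmon` (see the PowerShell-hosts pipe rule in this same change) — so this rule will likely not map to any backend index; change the key to `service: sysmon` (or `category: image_load` with the `EventID` dropped, if that category is configured). `filter_legit` uses `Image|endswith` values without a leading backslash, so `evilBackgroundTaskHost.exe` or `mydevenv.exe` would be excluded; write them as `- '\BackgroundTaskHost.exe'`, `- '\devenv.exe'`, `- '\iexplore.exe'`, `- '\MicrosoftEdge.exe'`. As in the mic/camera rule, `reference:` should be `references:`, and the title has a typo (`Avusing` → `Abusing`). The image-name allowlist is also bypassable by renaming the requesting binary, which belongs in `falsepositives`/a comment rather than being left implicit.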
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index 7e111015..dbb055ad 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -17,11 +17,11 @@ logsource:
detection:
selection:
EventID: 15
- filter:
- Imphash:
- - '00000000000000000000000000000000'
- - null
- condition: selection and not filter
+ filter1:
+ Imphash: '00000000000000000000000000000000'
+ filter2:
+ Imphash: null
+ condition: selection and not 1 of filter*
fields:
- TargetFilename
- Image
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml
deleted file mode 100644
index a9b4243f..00000000
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Alternate PowerShell Hosts
-id: f67f6c57-257d-4919-a416-69cd31f9aac3
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
-status: experimental
-date: 2019/09/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
-tags:
- - attack.execution
- - attack.t1086
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
- Description: 'system.management.automation'
- ImageLoaded|contains: 'system.management.automation'
- filter:
- Image|endswith: '\powershell.exe'
- condition: selection and not filter
-falsepositives:
- - Programs using PowerShell directly without invocation of a dedicated interpreter.
-level: high
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
index b96fcf27..da710320 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
@@ -1,4 +1,4 @@
-title: Alternate PowerShell Hosts
+title: Alternate PowerShell Hosts Pipe
id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
@@ -10,15 +10,18 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: sysmon
detection:
- selection:
+ selection:
EventID: 17
PipeName|startswith: '\PSHost'
filter:
- Image|endswith: '\powershell.exe'
+ Image|endswith:
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
condition: selection and not filter
fields:
- ComputerName
diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/sysmon/sysmon_cmstp_execution.yml
index 37a9827c..c6154de4 100644
--- a/rules/windows/sysmon/sysmon_cmstp_execution.yml
+++ b/rules/windows/sysmon/sysmon_cmstp_execution.yml
@@ -12,7 +12,7 @@ tags:
author: Nik Seetharaman
date: 2018/07/16
references:
- - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+ - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
detection:
condition: 1 of them
fields:
@@ -31,6 +31,7 @@ detection:
selection2:
EventID: 12
TargetObject: '*\cmmgr32.exe*'
+ EventType: 'CreateKey'
# Registry Object Value Set
selection3:
EventID: 13
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
index f0036118..78c45714 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
@@ -8,6 +8,9 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.006
logsource:
product: windows
service: sysmon
diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
index 70a4246e..c17ba4e9 100644
--- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
@@ -1,7 +1,6 @@
title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
-description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process
- in field Process is the malicious program. A single execution can lead to hundreds of events.
+description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
@@ -14,12 +13,13 @@ detection:
selection:
EventID: 8
TargetImage: 'C:\Windows\System32\lsass.exe'
- StartModule: null
+ StartModule: ''
condition: selection
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
+ - attack.t1003.001
falsepositives:
- unknown
level: high
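Review bot: Changing `StartModule: null` to `StartModule: ''` changes the semantics from "field absent" to "field present and empty", and which of the two Sysmon EventID 8 produces for a non-module start address depends on the collection pipeline (some forwarders drop empty fields entirely). If the intent is to cover both, follow the pattern used in the ADS rule in this change and split into two filters combined with `1 of filter*`, e.g. `filter1: StartModule: ''` and `filter2: StartModule: null`; otherwise add a comment such as `# StartModule is emitted as an empty string by Sysmon for non-module addresses — verify against your forwarder` so the next reader knows the choice was deliberate.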
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
index 9845263a..6070a673 100644
--- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
+++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
@@ -1,8 +1,7 @@
title: Possible DNS Rebinding
id: eb07e747-2552-44cd-af36-b659ae0958e4
status: experimental
-description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record
- will saved in host cache for a while TTL).
+description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
date: 2019/10/25
modified: 2019/11/13
author: Ilyas Ochkov, oscd.community
@@ -11,6 +10,7 @@ references:
tags:
- attack.command_and_control
- attack.t1043
+ - attack.t1571
logsource:
product: windows
service: sysmon
@@ -18,9 +18,9 @@ detection:
dns_answer:
EventID: 22
QueryName: '*'
- QueryStatus: '0'
+ QueryStatus: '0'
filter_int_ip:
- QueryResults|startswith:
+ QueryResults|startswith:
- '(::ffff:)?10.'
- '(::ffff:)?192.168.'
- '(::ffff:)?172.16.'
@@ -39,7 +39,7 @@ detection:
- '(::ffff:)?172.29.'
- '(::ffff:)?172.30.'
- '(::ffff:)?172.31.'
- - '(::ffff:)?127.'
+ - '(::ffff:)?127.'
timeframe: 30s
condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
level: medium
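Review bot: `QueryResults|startswith:` is a plain-string modifier, so `(::ffff:)?10.` and the other entries are matched literally — no DNS answer begins with the characters `(::ffff:)?`, which means `filter_int_ip` never matches and `(dns_answer and filter_int_ip)` in the condition is always false, unless the backend used here silently treats these as regular expressions. Either switch to the regex modifier, `QueryResults|re: '^(::ffff:)?(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'`, or list both plain forms (`10.` and `::ffff:10.`) under `startswith`. The whitespace-only changes in this hunk are fine; the point applies to the re-emitted lines as they stand on the new side.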
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
index 58ec943c..d989a010 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
@@ -20,6 +20,8 @@ tags:
- attack.execution
- attack.t1085
- attack.t1086
+ - attack.t1218.011
+ - attack.t1059.001
falsepositives:
- Unkown
level: high
diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
deleted file mode 100644
index 5d5dbd17..00000000
--- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: New RUN Key Pointing to Suspicious Folder
-id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
-status: experimental
-description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
-references:
- - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
-author: Florian Roth, Markus Neis
-tags:
- - attack.persistence
- - attack.t1060
-date: 2018/25/08
-modified: 2019/10/01
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 13
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
- Details:
- - '*C:\Windows\Temp\\*'
- - '*\AppData\\*'
- - '%AppData%\\*'
- - '*C:\$Recycle.bin\\*'
- - '*C:\Temp\\*'
- - '*C:\Users\Public\\*'
- - '%Public%\\*'
- - '*C:\Users\Default\\*'
- - '*C:\Users\Desktop\\*'
- - 'wscript*'
- - 'cscript*'
- condition: selection
-fields:
- - Image
-falsepositives:
- - Software with rare behaviour
-level: high
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
index c940f99f..00d51a6a 100644
--- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
@@ -6,7 +6,7 @@ description: Offensive tradecraft is switching away from using APIs like "Create
notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
-date: 27/10/2019
+date: 2019/10/27
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
@@ -59,7 +59,7 @@ detection:
- '\schtasks.exe'
- '\smartscreen.exe'
- '\spoolsv.exe'
- - '\taskhost.exe'
+ # - '\taskhost.exe' # disabled due to false positives
- '\tstheme.exe'
- '\userinit.exe'
- '\vssadmin.exe'
diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
index 34db9562..6862faf3 100644
--- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.t1084
- attack.persistence
+ - attack.t1546.003
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
logsource:
diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
index d6d05986..ad5c4132 100644
--- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
@@ -10,9 +10,10 @@ date: 2019/04/15
tags:
- attack.t1086
- attack.execution
+ - attack.t1059.005
logsource:
- product: windows
- service: sysmon
+ product: windows
+ service: sysmon
detection:
selection:
EventID: 20
diff --git a/tests/mapping-conditional-multi.yml b/tests/mapping-conditional-multi.yml
index 1eca3e10..1959018e 100644
--- a/tests/mapping-conditional-multi.yml
+++ b/tests/mapping-conditional-multi.yml
@@ -1,5 +1,5 @@
title: Contional mapping with multiple targets
-status: test
+status: testing
description: Logpoint configuration causes conditional mapping with multiple results
author: Thomas Patzke
logsource:
diff --git a/tests/requirements-test.txt b/tests/requirements-test.txt
deleted file mode 100644
index 3d90aaa5..00000000
--- a/tests/requirements-test.txt
+++ /dev/null
@@ -1 +0,0 @@
-colorama
\ No newline at end of file
diff --git a/tests/test-merge.sh b/tests/test-merge.sh
index 2fa51896..0e5075eb 100755
--- a/tests/test-merge.sh
+++ b/tests/test-merge.sh
@@ -1,9 +1,11 @@
#!/bin/bash
+COVERAGE=${COVERAGE:-coverage}
+
for f in $(find rules/ -type f -name '*.yml')
do
echo -n .
- if ! coverage run -a --include=tools/* tools/merge_sigma $f > /dev/null
+ if ! $COVERAGE run -a --include=tools/* tools/merge_sigma $f > /dev/null
then
exit 1
fi
diff --git a/tests/test_rules.py b/tests/test_rules.py
index c8ab9d32..d5021f42 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -10,284 +10,13 @@ import os
import unittest
import yaml
import re
+from attackcti import attack_client
from colorama import init
from colorama import Fore
class TestRules(unittest.TestCase):
- MITRE_TECHNIQUES = [
- "t1001",
- "t1002",
- "t1003",
- "t1004",
- "t1005",
- "t1006",
- "t1007",
- "t1008",
- "t1009",
- "t1010",
- "t1011",
- "t1012",
- "t1013",
- "t1014",
- "t1015",
- "t1016",
- "t1017",
- "t1018",
- "t1019",
- "t1020",
- "t1021",
- "t1022",
- "t1023",
- "t1024",
- "t1025",
- "t1026",
- "t1027",
- "t1028",
- "t1029",
- "t1030",
- "t1031",
- "t1032",
- "t1033",
- "t1034",
- "t1035",
- "t1036",
- "t1037",
- "t1038",
- "t1039",
- "t1040",
- "t1041",
- "t1042",
- "t1043",
- "t1044",
- "t1045",
- "t1046",
- "t1047",
- "t1048",
- "t1049",
- "t1050",
- "t1051",
- "t1052",
- "t1053",
- "t1054",
- "t1055",
- "t1056",
- "t1057",
- "t1058",
- "t1059",
- "t1060",
- "t1061",
- "t1062",
- "t1063",
- "t1064",
- "t1065",
- "t1066",
- "t1067",
- "t1068",
- "t1069",
- "t1070",
- "t1071",
- "t1072",
- "t1073",
- "t1074",
- "t1075",
- "t1076",
- "t1077",
- "t1078",
- "t1079",
- "t1080",
- "t1081",
- "t1082",
- "t1083",
- "t1084",
- "t1085",
- "t1086",
- "t1087",
- "t1088",
- "t1089",
- "t1090",
- "t1091",
- "t1092",
- "t1093",
- "t1094",
- "t1095",
- "t1096",
- "t1097",
- "t1098",
- "t1099",
- "t1100",
- "t1101",
- "t1102",
- "t1103",
- "t1104",
- "t1105",
- "t1106",
- "t1107",
- "t1108",
- "t1109",
- "t1110",
- "t1111",
- "t1112",
- "t1113",
- "t1114",
- "t1115",
- "t1116",
- "t1117",
- "t1118",
- "t1119",
- "t1120",
- "t1121",
- "t1122",
- "t1123",
- "t1124",
- "t1125",
- "t1126",
- "t1127",
- "t1128",
- "t1129",
- "t1130",
- "t1131",
- "t1132",
- "t1133",
- "t1134",
- "t1135",
- "t1136",
- "t1137",
- "t1138",
- "t1139",
- "t1140",
- "t1141",
- "t1142",
- "t1143",
- "t1144",
- "t1145",
- "t1146",
- "t1147",
- "t1148",
- "t1149",
- "t1150",
- "t1151",
- "t1152",
- "t1153",
- "t1154",
- "t1155",
- "t1156",
- "t1157",
- "t1158",
- "t1159",
- "t1160",
- "t1161",
- "t1162",
- "t1163",
- "t1164",
- "t1165",
- "t1166",
- "t1167",
- "t1168",
- "t1169",
- "t1170",
- "t1171",
- "t1172",
- "t1173",
- "t1174",
- "t1175",
- "t1176",
- "t1177",
- "t1178",
- "t1179",
- "t1180",
- "t1181",
- "t1182",
- "t1183",
- "t1184",
- "t1185",
- "t1186",
- "t1187",
- "t1188",
- "t1189",
- "t1190",
- "t1191",
- "t1192",
- "t1193",
- "t1194",
- "t1195",
- "t1196",
- "t1197",
- "t1198",
- "t1199",
- "t1200",
- "t1201",
- "t1202",
- "t1203",
- "t1204",
- "t1205",
- "t1206",
- "t1207",
- "t1208",
- "t1209",
- "t1210",
- "t1211",
- "t1212",
- "t1213",
- "t1214",
- "t1215",
- "t1216",
- "t1217",
- "t1218",
- "t1219",
- "t1220",
- "t1221",
- "t1222",
- "t1223",
- "t1480",
- "t1482",
- "t1482",
- "t1483",
- "t1484",
- "t1485",
- "t1486",
- "t1487",
- "t1488",
- "t1489",
- "t1490",
- "t1491",
- "t1492",
- "t1493",
- "t1494",
- "t1495",
- "t1496",
- "t1497",
- "t1498",
- "t1499",
- "t1500",
- "t1501",
- "t1502",
- "t1503",
- "t1504",
- "t1505",
- "t1506",
- "t1514",
- "t1518",
- "t1519",
- "t1522",
- "t1525",
- "t1526",
- "t1527",
- "t1528",
- "t1529",
- "t1530",
- "t1531",
- "t1534",
- "t1535",
- "t1536",
- "t1537",
- "t1538",
- "t1539",
-]
MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list
- MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact"]
- MITRE_GROUPS = ["g0001", "g0002", "g0003", "g0004", "g0005", "g0006", "g0007", "g0008", "g0009", "g0010", "g0011", "g0012", "g0013", "g0014", "g0015", "g0016", "g0017", "g0018", "g0019", "g0020", "g0021", "g0022", "g0023", "g0024", "g0025", "g0026", "g0027", "g0028", "g0029", "g0030", "g0031", "g0032", "g0033", "g0034", "g0035", "g0036", "g0037", "g0038", "g0039", "g0040", "g0041", "g0042", "g0043", "g0044", "g0045", "g0046", "g0047", "g0048", "g0049", "g0050", "g0051", "g0052", "g0053", "g0054", "g0055", "g0056", "g0057", "g0058", "g0059", "g0060", "g0061", "g0062", "g0063", "g0064", "g0065", "g0066", "g0067", "g0068", "g0069", "g0070", "g0071", "g0072", "g0073", "g0074", "g0075", "g0076", "g0077", "g0078", "g0079", "g0080", "g0081", "g0082", "g0083", "g0084", "g0085", "g0086", "g0087", "g0088", "g0089", "g0090", "g0091", "g0092", "g0093", "g0094", "g0095", "g0096"]
- MITRE_SOFTWARE = ["s0001", "s0002", "s0003", "s0004", "s0005", "s0006", "s0007", "s0008", "s0009", "s0010", "s0011", "s0012", "s0013", "s0014", "s0015", "s0016", "s0017", "s0018", "s0019", "s0020", "s0021", "s0022", "s0023", "s0024", "s0025", "s0026", "s0027", "s0028", "s0029", "s0030", "s0031", "s0032", "s0033", "s0034", "s0035", "s0036", "s0037", "s0038", "s0039", "s0040", "s0041", "s0042", "s0043", "s0044", "s0045", "s0046", "s0047", "s0048", "s0049", "s0050", "s0051", "s0052", "s0053", "s0054", "s0055", "s0056", "s0057", "s0058", "s0059", "s0060", "s0061", "s0062", "s0063", "s0064", "s0065", "s0066", "s0067", "s0068", "s0069", "s0070", "s0071", "s0072", "s0073", "s0074", "s0075", "s0076", "s0077", "s0078", "s0079", "s0080", "s0081", "s0082", "s0083", "s0084", "s0085", "s0086", "s0087", "s0088", "s0089", "s0090", "s0091", "s0092", "s0093", "s0094", "s0095", "s0096", "s0097", "s0098", "s0099", "s0100", "s0101", "s0102", "s0103", "s0104", "s0105", "s0106", "s0107", "s0108", "s0109", "s0110", "s0111", "s0112", "s0113", "s0114", "s0115", "s0116", "s0117", "s0118", "s0119", "s0120", "s0121", "s0122", "s0123", "s0124", "s0125", "s0126", "s0127", "s0128", "s0129", "s0130", "s0131", "s0132", "s0133", "s0134", "s0135", "s0136", "s0137", "s0138", "s0139", "s0140", "s0141", "s0142", "s0143", "s0144", "s0145", "s0146", "s0147", "s0148", "s0149", "s0150", "s0151", "s0152", "s0153", "s0154", "s0155", "s0156", "s0157", "s0158", "s0159", "s0160", "s0161", "s0162", "s0163", "s0164", "s0165", "s0166", "s0167", "s0168", "s0169", "s0170", "s0171", "s0172", "s0173", "s0174", "s0175", "s0176", "s0177", "s0178", "s0179", "s0180", "s0181", "s0182", "s0183", "s0184", "s0185", "s0186", "s0187", "s0188", "s0189", "s0190", "s0191", "s0192", "s0193", "s0194", "s0195", "s0196", "s0197", "s0198", "s0199", "s0200", "s0201", "s0202", "s0203", "s0204", "s0205", "s0206", "s0207", "s0208", "s0209", "s0210", "s0211", "s0212", "s0213", "s0214", "s0215", "s0216", "s0217", "s0218", "s0219", "s0220", 
"s0221", "s0222", "s0223", "s0224", "s0225", "s0226", "s0227", "s0228", "s0229", "s0230", "s0231", "s0232", "s0233", "s0234", "s0235", "s0236", "s0237", "s0238", "s0239", "s0240", "s0241", "s0242", "s0243", "s0244", "s0245", "s0246", "s0247", "s0248", "s0249", "s0250", "s0251", "s0252", "s0253", "s0254", "s0255", "s0256", "s0257", "s0258", "s0259", "s0260", "s0261", "s0262", "s0263", "s0264", "s0265", "s0266", "s0267", "s0268", "s0269", "s0270", "s0271", "s0272", "s0273", "s0274", "s0275", "s0276", "s0277", "s0278", "s0279", "s0280", "s0281", "s0282", "s0283", "s0284", "s0330", "s0331", "s0332", "s0333", "s0334", "s0335", "s0336", "s0337", "s0338", "s0339", "s0340", "s0341", "s0342", "s0343", "s0344", "s0345", "s0346", "s0347", "s0348", "s0349", "s0350", "s0351", "s0352", "s0353", "s0354", "s0355", "s0356", "s0357", "s0358", "s0359", "s0360", "s0361", "s0362", "s0363", "s0364", "s0365", "s0366", "s0367", "s0368", "s0369", "s0370", "s0371", "s0372", "s0373", "s0374", "s0375", "s0376", "s0377", "s0378", "s0379", "s0380", "s0381", "s0382", "s0383", "s0384", "s0385", "s0386", "s0387", "s0388", "s0389", "s0390", "s0391", "s0393", "s0394", "s0395", "s0396", "s0397", "s0398", "s0400", "s0401", "s0402", "s0404", "s0409", "s0410", "s0412", "s0413", "s0414", "s0415", "s0416", "s0417"]
- MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE]
+ MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"]
path_to_rules = "rules"
@@ -336,12 +65,29 @@ class TestRules(unittest.TestCase):
tags = self.get_rule_part(file_path=file, part_name="tags")
if tags:
for tag in tags:
- if tag not in self.MITRE_ALL and tag.startswith("attack."):
+ if tag not in MITRE_ALL and tag.startswith("attack."):
print(Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag))
files_with_incorrect_mitre_tags.append(file)
self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED +
- "There are rules with incorrect MITRE Tags. (please inform us about new tags that are not yet supported in our tests) Check the correct tags here: https://attack.mitre.org/ ")
+ "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ")
+
+ def test_duplicate_tags(self):
+ files_with_incorrect_mitre_tags = []
+
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ tags = self.get_rule_part(file_path=file, part_name="tags")
+ if tags:
+ known_tags = []
+ for tag in tags:
+ if tag in known_tags:
+ print(Fore.RED + "Rule {} has the duplicate tag {}".format(file, tag))
+ files_with_incorrect_mitre_tags.append(file)
+ else:
+ known_tags.append(tag)
+
+ self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED +
+ "There are rules with duplicate tags")
def test_look_for_duplicate_filters(self):
def check_list_or_recurse_on_dict(item, depth:int) -> None:
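Review bot: `MITRE_ALL` on the changed line is now a bare module global, but the only assignment visible for it sits under the `if __name__ == "__main__":` guard at the end of the file, so collecting this module through pytest or `python -m unittest` instead of running it directly raises NameError on the first rule that carries a tag. Loading the list once per class keeps the lookup cheap and lets the original `self.MITRE_ALL` reference stand: `@classmethod` / `def setUpClass(cls):` / `cls.MITRE_ALL = get_mitre_data()`, with the condition left as `if tag not in self.MITRE_ALL and tag.startswith("attack."):`. In `test_duplicate_tags` the accumulator is named `files_with_incorrect_mitre_tags` although it collects any repeated tag, not only ATT&CK ones; `files_with_duplicate_tags` reads truer, and `known_tags` is a natural `set`.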
@@ -485,6 +231,25 @@ class TestRules(unittest.TestCase):
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).")
+ def test_sysmon_rule_without_eventid(self):
+ faulty_rules = []
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ logsource = self.get_rule_part(file_path=file, part_name="logsource")
+ service = logsource.get('service', '')
+ if service.lower() == 'sysmon':
+ with open(file) as f:
+ found = False
+ for line in f:
+ if re.search(r'.*EventID:.*$', line): # might be on a single line or in multiple lines
+ found = True
+ break
+ if not found:
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED +
+ "There are rules using sysmon events but with no EventID specified")
+
+
def test_missing_date(self):
faulty_rules = []
for file in self.yield_next_rule_file_path(self.path_to_rules):
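Review bot: The EventID check in `test_sysmon_rule_without_eventid` scans the raw file for the literal text `EventID:`, so a rule whose title, description or reference merely mentions `EventID:` passes while its detection section has none, and the leading `.*` in the pattern adds nothing over a substring test. Since `get_rule_part` already hands back parsed sections, walking the `detection` mapping for an `EventID` key (with or without a `|modifier` suffix) is stricter and avoids re-opening the file. The sketch below also tolerates `get_rule_part` returning None for a rule without a logsource, which the current `logsource.get` would turn into an AttributeError — presumably what that helper does for a missing section, worth confirming.
```python
    def test_sysmon_rule_without_eventid(self):
        def has_eventid(node) -> bool:
            # Match the detection key itself (optionally with `|modifier`), not prose that mentions it.
            if isinstance(node, dict):
                return any(str(k).split('|')[0] == 'EventID' or has_eventid(v) for k, v in node.items())
            if isinstance(node, list):
                return any(has_eventid(item) for item in node)
            return False

        faulty_rules = []
        for file in self.yield_next_rule_file_path(self.path_to_rules):
            logsource = self.get_rule_part(file_path=file, part_name="logsource") or {}
            if str(logsource.get('service', '')).lower() == 'sysmon':
                if not has_eventid(self.get_rule_part(file_path=file, part_name="detection")):
                    faulty_rules.append(file)
        # … unchanged: assertEqual on faulty_rules …
```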
@@ -499,6 +264,35 @@ class TestRules(unittest.TestCase):
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)")
+ def test_references(self):
+ faulty_rules = []
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ references = self.get_rule_part(file_path=file, part_name="references")
+ # Reference field doesn't exist
+ #if not references:
+ #print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file))
+ #faulty_rules.append(file)
+ if references:
+ # it exists but isn't a list
+ if not isinstance(references, list):
+ print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file))
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED +
+ "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)")
+
+ def test_file_names(self):
+ faulty_rules = []
+ filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml')
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ filename = os.path.basename(file)
+ if not filename_pattern.match(filename) and not '_' in filename:
+ print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file))
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED +
+ "There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.")
+
def test_title(self):
faulty_rules = []
allowed_lowercase_words = [
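Review bot: The condition in `test_file_names` flags a file only when the pattern fails *and* the name has no underscore, so `Win_Suspicious.yml` (uppercase) or `a_b.yml` (too short) pass as long as an underscore is present, contradicting the assertion message that demands both properties. `re.match` also anchors only at the start, so `valid_name.yml.bak` passes too, and `'\.yml'` in a non-raw string is an invalid escape sequence that newer Pythons warn about. Suggested: `filename_pattern = re.compile(r'^[a-z0-9_]{10,70}\.yml$')` and `if not filename_pattern.match(filename) or '_' not in filename:`.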
@@ -537,7 +331,7 @@ class TestRules(unittest.TestCase):
faulty_rules.append(file)
wrong_casing = []
for word in title.split(" "):
- if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not word[0].isdigit():
+ if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit():
wrong_casing.append(word)
if len(wrong_casing) > 0:
print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format(file, ", ".join(wrong_casing)))
@@ -546,6 +340,61 @@ class TestRules(unittest.TestCase):
self.assertEqual(faulty_rules, [], Fore.RED +
"There are rules with non-conform 'title' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#title")
+ def test_invalid_logsource_attributes(self):
+ faulty_rules = []
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ logsource = self.get_rule_part(file_path=file, part_name="logsource")
+ for key in logsource:
+ if key.lower() not in ['category', 'product', 'service', 'definition']:
+ print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
+def get_mitre_data():
+ """
+ Generate tags from live MITRE ATT&CK TAXI service to get up-to-date data
+ """
+ # Get MITRE ATT&CK information
+ lift = attack_client()
+ # Techniques
+ MITRE_TECHNIQUES = []
+ MITRE_TECHNIQUE_NAMES = []
+ MITRE_PHASE_NAMES = set()
+ MITRE_TOOLS = []
+ MITRE_GROUPS = []
+ # Techniques
+ enterprise_techniques = lift.get_enterprise_techniques()
+ for t in enterprise_techniques:
+ MITRE_TECHNIQUE_NAMES.append(t['name'].lower().replace(' ', '_').replace('-', '_'))
+ for r in t.external_references:
+ if 'external_id' in r:
+ MITRE_TECHNIQUES.append(r['external_id'].lower())
+ if 'kill_chain_phases' in t:
+ for kc in t['kill_chain_phases']:
+ if 'phase_name' in kc:
+ MITRE_PHASE_NAMES.add(kc['phase_name'].replace('-','_'))
+ # Tools / Malware
+ enterprise_tools = lift.get_enterprise_tools()
+ for t in enterprise_tools:
+ for r in t.external_references:
+ if 'external_id' in r:
+ MITRE_TOOLS.append(r['external_id'].lower())
+ enterprise_malware = lift.get_enterprise_malware()
+ for m in enterprise_malware:
+ for r in m.external_references:
+ if 'external_id' in r:
+ MITRE_TOOLS.append(r['external_id'].lower())
+ # Groups
+ enterprise_groups = lift.get_enterprise_groups()
+ for g in enterprise_groups:
+ for r in g.external_references:
+ if 'external_id' in r:
+ MITRE_GROUPS.append(r['external_id'].lower())
+
+ # Combine all IDs to a big tag list
+ return ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + list(MITRE_PHASE_NAMES) + MITRE_GROUPS + MITRE_TOOLS]
+
+
if __name__ == "__main__":
init(autoreset=True)
+ # Get Current Data from MITRE on ATT&CK
+ MITRE_ALL = get_mitre_data()
+ # Run the tests
unittest.main()
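Review bot: `test_invalid_logsource_attributes` can never fail: it prints the offending key but never appends to `faulty_rules` and ends without an assertion, so the suite stays green even when every rule carries an unknown logsource field (and `for key in logsource` will raise TypeError if `get_rule_part` returns None for a rule without a logsource). Add `faulty_rules.append(file)` after the print and close the method with `self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with invalid logsource attributes")`. In `get_mitre_data`, every `external_id` found in `external_references` is accepted; if those STIX objects carry references from sources other than ATT&CK (CAPEC IDs, for example), they land in the allow-list and widen the tag check, so filtering on `r.get('source_name') == 'mitre-attack'` would keep it to ATT&CK IDs. Pulling the allow-list from the live TAXII server at test time also makes CI depend on network availability and on whatever the server returns at that moment; a committed snapshot with a separate refresh step would keep the run deterministic.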
diff --git a/tools/README.md b/tools/README.md
index f5d09d1a..55bf887e 100644
--- a/tools/README.md
+++ b/tools/README.md
@@ -1,11 +1,332 @@
-This package contains libraries for processing of [Sigma rules](https://github.com/Neo23x0/sigma) and the following
-command line tools:
+# Sigma Tools
-* *sigmac*: converter between Sigma rules and SIEM queries:
- * Elasticsearch query strings
- * Kibana JSON with searches
- * Splunk SPL queries
- * Elasticsearch X-Pack Watcher
- * Logpoint queries
+This folder contains libraries and the following command line tools:
+
+* *sigmac*: converter between Sigma rules and SIEM queries
* *merge_sigma*: Merge Sigma collections into simple Sigma rules.
* *sigma2misp*: Import Sigma rules to MISP events.
+
+# Sigmac
+
+The Sigmac is one of the most important files, as this is what sets the correct fields that your backend/database will use after being translated from the (original) log source's field names.
+Please read below to understand how a SIGMAC is constructed. Additionally, see [Choosing the Right Sigmac](#choosing-the-right-sigmac) for an idea of which file and command line options (if applicable) that will best suite your environment.
+
+## Configuration File
+
+The configuration file contains mappings for the target environments:
+
+* between generic Sigma field names and those used in the target environment
+* between log source identifiers from Sigma and...
+ * ...index names from target
+ * ...conditions that should be added to generated expression (e.g. EventLog: Microsoft-Windows-Sysmon) with AND.
+* between placeholders in sigma rules and lists that describe their values in the target environment
+
+The mappings are configured in a YAML file with the following format:
+
+```yaml
+title: short description of configuration
+order: numeric value
+backends:
+ - backend_1
+ - backend_2
+ - ...
+fieldmappings:
+ sigma_fieldname_1: target_fieldname # Simple mapping
+ sigma_fieldname_2: # Multiple mappings
+ - target_fieldname_1
+ - target_fieldname_2
+ sigma_fieldname_3: # Conditional mapping
+ field1=value1:
+ field2=value2:
+ - target_fieldname_1
+ - target_fieldname_2
+logsources:
+ sigma_logsource:
+ category: ...
+ product: ...
+ service: ...
+ index:
+ - target_indexname1
+ - target_indexname2
+ conditions:
+ field1: value1
+ field2: value2
+logsourcemerging: and/or
+defaultindex: indexname
+placeholders:
+ name1:
+ - value1
+ - value2
+ name2: value
+```
+
+## Metadata
+
+A configuration should contain the following attributes:
+
+* **title**: Short description of configuration shown in list printed by converter on request.
+* **order**: Numeric value that determines allowed order of usage. A configuration *B* can only be applied after another configuration *A* if order of B is higher or equal to order of A. The Sigma converter enforces this. Convention:
+ * 10: Configurations for generic log sources
+ * 20: Backend-specific configuration
+* **backends**: List of backend names. The configuration can't be used with backends not listed here. Don't define for generic configurations.
+
+## Field Mappings
+
+Field mappings in the *fieldmappings* section map between Sigma field names and field names used in target SIEM systems. There are three types of field mappings:
+
+* Simple: the source field name corresponds to exactly one target field name given as string. Exmaple: `EventID: EventCode` for translation of Windows event identifiers between Sigma and Splunk.
+* Multiple: a source field corresponds to a list of target fields. Sigmac generates an OR condition that covers all field names. This can be useful in configuration change and migration scenarios, when field names change. A further use case is when the SIEM normalizes one source field name into different target field names and the exact rules are unknown.
+* Conditional: a source field is translated to one or multiple target field names depending on values from other fields in specific rules. This is useful in scenarios where the SIEM maps the same Sigma field to different target field names depending on the event or log type, like Logpoint.
+
+While simple and multiple mapping type are quite straightforward, conditional mappings require further explanation. The mapping is provided as map where the keys have the following format:
+
+* field=value: condition that must be fulfilled for execution of the given translation
+* default: mapping that is used if no condition matches.
+
+Sigmac applies conditional mappings as follows:
+
+1. All conditions are mapped against all field:value pairs of the rule. It merges all pairs into one table and is therefore not able to distinguish between different definitions. Matching mappings are collected in a list.
+2. If the list is empty, the default mapping is used.
+3. The result set of target field name mappings is translated into an OR condition, similar to multiple field mappings. If no mapping could be determined, the Sigma field name is used.
+
+Use the *fieldlist* backend to determine all field names used by rules. Example:
+
+```bash
+$ tools/sigmac.py -r -t fieldlist rules/windows/ 2>/dev/null | sort -u
+AccessMask
+CallTrace
+CommandLine
+[...]
+TicketOptions
+Type
+```
+
+## Log Source Mappings
+
+Each log source definition must contain at least one category, product or service element that corresponds to the same fields in the logsources part of sigma rules. If more than one field is given, all must match (AND).
+
+The *index* field can contain a string or a list of strings. They a converted to the target expression language in a way that the rule is searched in all given index patterns.
+
+The conditions part can be used to define *field: value* conditions if only a subset of the given indices is relevant. All fields are linked with logical AND and the resulting expression is also lined with AND against the expression generated from the sigma rule.
+
+Example: a logstash configuration passes all Windows logs in one index. For Sysmon only events that match *EventLog:"Microsoft-Windows-Sysmon" are relevant. The config looks as follows:
+
+```yaml
+...
+logsources:
+ sysmon:
+ product: sysmon
+ index: logstash-windows-*
+ conditions:
+ EventLog: Microsoft-Windows-Sysmon
+...
+```
+
+If multiple log source definitions match, the result is merged from all matching rules. The parameter *logsourcemerging* determines how conditions are merged. The following methods are supported:
+
+* and (default): merge all conditions with logical AND.
+* or: merge all conditions with logical OR.
+
+This enables to define logsources hierarchically, e.g.:
+
+```yaml
+logsources:
+ windows:
+ product: windows
+ index: logstash-windows-*
+ windows-application:
+ product: windows
+ service: application
+ conditions:
+ EventLog: Application
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ EventLog: Security
+```
+
+Log source windows configures an index name. Log sources windows-application and windows-security define additional conditions for matching events in the windows indices.
+
+The keyword defaultindex defines one or multiple index patterns that are used if the above calculation doesn't results in at least one index name.
+
+## Addition of Target Formats
+
+Addition of a target format is done by development of a backend class. A backend class gets a parse tree as input and must translate parse tree nodes into the target format.
+
+## Translation Process
+
+1. Parsing YAML
+2. Parsing of Condition
+3. Internal representation of condition as parse tree
+4. Attachment of definitions into corresponding parse tree nodes
+5. Translation of field and log source identifiers into target names
+6. Translation of parse tree into target format (backend classes)
+
+## Backend Configuration Files
+
+You can also pass backend options from a configuration file, which simplifies the CLI usage.
+
+One can specify both individual backend options (--backend-option) and specify a configuration file as well - in this case, options are merged, and priority is given to the options passed via the CLI.
+
+Sample usages:
+
+```yaml
+# Backend configuration file (here for Elastalert)
+$ cat backend_config.yml
+alert_methods: email
+emails: alerts@mydomain.tld
+smtp_host: smtp.google.com
+from_addr: noreply@mydomain.tld
+expo_realert_time: 10m
+
+# Rule to compile
+$ RULE=rules/windows/builtin/win_susp_sam_dump.yml
+
+# Generate an elastalert rule and take options from the configuration file
+$ python3 tools/sigmac $RULE -t elastalert --backend-config backend_config.yml
+alert:
+- email
+description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other
+ password dumpers
+email:
+- alerts@mydomain.tld
+filter:
+- query:
+ query_string:
+ query: (EventID:"16" AND "*\\AppData\\Local\\Temp\\SAM\-*.dmp\ *")
+from_addr: noreply@mydomain.tld
+index: logstash-*
+name: SAM-Dump-to-AppData_0
+priority: 2
+realert:
+ minutes: 0
+smtp_host: smtp.google.com
+type: any
+
+# Override an option from the configuration file via the CLI
+$ python3 tools/sigmac $RULE -t elastalert --backend-config backend_config.yml --backend-option smtp_host=smtp.mailgun.com
+alert:
+- email
+description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other
+ password dumpers
+email:
+- alerts@mydomain.tld
+filter:
+- query:
+ query_string:
+ query: (EventID:"16" AND "*\\AppData\\Local\\Temp\\SAM\-*.dmp\ *")
+from_addr: noreply@mydomain.tld
+index: logstash-*
+name: SAM-Dump-to-AppData_0
+priority: 2
+realert:
+ minutes: 0
+smtp_host: smtp.mailgun.com
+type: any
+```
+
+## Choosing the right SIGMAC
+
+The section will show you which `-c` option (the Sigmac) and which `--backend-option`(s) to use. The rest of SIGMA should be run as normal.
+For example, run the rest of the command as you normally would, regarding the `-t` (target backend) and which rule(s) you are performing SIGMA on.
+
+If the target backend/database does not do a lot of field renaming/normalization than the selection of which Sigmac to use is easier to determine. However, this section will help guide you in this decision.
+
+### Elasticsearch or ELK
+
+For this backend, there are two very important components. One is the field name and the other is the the way the value for the field name are analyzed AKA searchable in the Elasticsearch database. If you are interested in understand how this is important, you can read more [here](https://socprime.com/blog/elastic-for-security-analysts-part-1-searching-strings/) to understand the impact between `keyword` types and `text` types.
+You have a few different variations of what could be the correct Sigmac to use. Based on the version of Elasticsearch, using ECS or not, using certain Beat's settings enabled or not, and so on.
+
+In order to aide in the decision of the correct Sigmac there are a few quick questions to ask yourself and based on those answers will be which one to use.
+Please note the answer to each question. It is OK to not know the answer to each question and in fact is very common (that's OK).
+
+1. What version of [Filebeat](https://www.elastic.co/beats/filebeat) are you using (you may not be using this at all).
+2. Are you using [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current/index.html)?
+3. What index do your store the log source's data in? Some examples:
+ * Window's logs are most likely in `winlogbeat-*`
+ * Linux logs are most likely in `filebeat-*`
+ * Zeek/Bro data is most likely in `filebeat-*`
+ * If you are using logstash, data is most likely in `logstash-*`
+4. If you are using Filebeat, are you using the module enabled? Here is link showing the description for Windows log [Security Channel](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-security.html)
+
+Now choose your data source:
+* [Windows Event Logs](#elastic-windows-event-log--sysmon-data-configurations)
+* [Zeek](#elastic---zeek-fka-bro--corelight-data)
+
+### Elastic - Zeek (FKA Bro) / Corelight Data
+
+* Corelight's implementation of ECS:
+`-c tools/config/ecs-zeek-corelight.yml --backend-option keyword_base_fields="*" --backend-option analyzed_sub_field_name=".text" --backend-option keyword_whitelist="event.dataset,source.ip,destination.ip,source.port,destination.port,*bytes*"`
+example of the full command running on all the proxy rules converting to a Kibana (lucene) query:
+`tools/sigmac -t es-qs -c tools/config/ecs-zeek-corelight.yml --backend-option keyword_base_fields="*" --backend-option analyzed_sub_field_name=".text" --backend-option keyword_whitelist="event.dataset,source.ip,destination.ip,source.port,destination.port,*bytes*" rules/proxy/*`
+* Filebeat version 7 or higher and or Elastic's implementation:
+`-c tools/config/ecs-zeek-elastic-beats-implementation.yml --backend-option keyword_base_fields="*"`
+* Using logstash and NOT using ECS:
+`-c tools/config/logstash-zeek-default-json.yml`
+
+### Elastic Windows Event Log / Sysmon Data Configurations
+
+**index templates**
+
+If you are able, because this will be one of the best ways to determine which options to use - run the following command. Take the output from question 3 and replace in the example command `winlogbeat` with index. You can run this from the CLI against your Elasticsearch instance or from Kibana Dev Tools.
+You will only need to use the first index template pattern. Look under the section `dynamic_templates` and then look for `strings_as_keyword`. Under that section, is there a `strings_as_keyword` ? If so take note.
+
+`curl -XGET "http://127.0.0.1:9200/winlogbeat-*/_mapping/?filter_path=*.mappings.dynamic_templates*,*.index_patterns"`
+
+The next question to ask yourself, is do you want easily bypassable queries due to case sensitive searches? Take note of yes/no.
+
+Now lets determine which options and Sigmac to use.
+
+**Sigmac's `-c` option**
+
+1. Using winlogbeat version 6 or less `-c tools/config/winlogbeat-old.yml`
+2. Using winlogbeat version 7 or higher without modules enabled (answer from **question 4**) and `strings_as_keyword` does not contain `text` `-c tools/config/winlogbeat-old.yml`
+3. Using winlogbeat version 7 or higher with modules enabled (answer from **question 4**) `-c tools/config/winlogbeat-modules-enabled.yml`
+
+**Backend options `--backend-option`**
+You can add the following depending on additional information from your answers/input above.
+
+1. If you are using ECS, your data is going to `winlogbeat-*` index, or your default field is a keyword type then add the following to your SIGMA command: `--backend-option keyword_field="" `
+ * If you want to prevent case sensitive bypasses you can add the following to your command: `--backend-option case_insensitive_whitelist="*"`
+ * If you want to prevent case sensitive bypasses but only for certain fields, you can use an option like this: `-backend-option keyword_field="" --backend-option case_insensitive_whitelist="*CommandLine*, *ProcessName*, *Image*, process.*, *FileName*, *Path*, *ServiceName*, *ShareName*, file.*, *Directory*, *directory*, *hash*, *Hash*, *Object*, ComputerName, *Subject*, *Target*, *Service*"`
+
+2. If you are using analyzed (text) fields or your index template portion of `strings_as_keyword` contains `text` then you can add the following:
+
+```bash
+--backend-option keyword_base_fields="*" --backend-option analyzed_sub_field_name=".text"
+```
+
+3. If you only have some analyzed fields then you would use an example like this:
+
+```bash
+--backend-option keyword_base_fields="*" --backend-option analyzed_sub_field_name=".text" --backend-option analyzed_sub_fields="TargetUserName, SourceUserName, TargetHostName, CommandLine, ProcessName, ParentProcessName, ParentImage, Image"
+```
+
+### Elastic - Some Final Examples
+
+So putting it all together to help show everything from above, here are some "full" examples:
+
+* base field keyword & no analyzed field w/ case insensitivity (covers elastic 7 with beats/ecs (default)mappings) and using winlogbeat with modules enabled. Also, keeps `winlog.channel` from making case insensitive as is not necessary (ie: the `keyword_whitelist` option)
+
+```bash
+sigma -t es-qs -c tools/config/winlogbeat-modules-enabled.yml --backend-option keyword_field="" --backend-option case_insensitive_whitelist="*" --backend-option keyword_whitelist="winlog.channel" rules/windows/process_creation/win_office_shell.yml
+```
+
+* base field keyword & subfield is analyzed(.text) and winlogbeat with modules enabled
+
+```bash
+sigma -t es-qs -c tools/config/winlogbeat-modules-enabled.yml --backend-option keyword_base_fields="*" --backend-option analyzed_sub_field_name=".text" rules/windows/process_creation/win_office_shell.yml
+```
+
+* base field keyword & only some analyzed fields and winlogbeat without modules enabled
+
+```bash
+tools/sigmac -t es-dsl -c tools/config/winlogbeat.yml --backend-option keyword_base_fields="*" --backend-option analyzed_sub_field_name=".text" --backend-option analyzed_sub_fields="TargetUserName, SourceUserName, TargetHostName, CommandLine, ProcessName, ParentProcessName, ParentImage, Image" rules/windows/process_creation/win_office_shell.yml
+```
+
+* using beats/ecs Elastic 7 with case insensitive and some .text fields and winlogbeat without modules enabled
+
+```bash
+tools/sigmac -t es-dsl -c tools/config/winlogbeat.yml --backend-option keyword_base_fields="*" --backend-option analyzed_sub_field_name=".text" --backend-option keyword_whitelist="winlog.channel,winlog.event_id" --backend-option case_insensitive_whitelist="*" --backend-option analyzed_sub_fields="TargetUserName, SourceUserName, TargetHostName, CommandLine, ProcessName, ParentProcessName, ParentImage, Image" rules/windows/process_creation/win_office_shell.yml
+```
\ No newline at end of file
diff --git a/tools/config/arcsight-zeek.yml b/tools/config/arcsight-zeek.yml
index f902641d..f9544552 100644
--- a/tools/config/arcsight-zeek.yml
+++ b/tools/config/arcsight-zeek.yml
@@ -1167,4 +1167,4 @@ fieldmappings:
web.status: deviceSeverity
Web.status: deviceSeverity
web_uri: requestUrl
- web_url: requestUrl
\ No newline at end of file
+ web_url: requestUrl
diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml
index d9dd1d7b..3532e7b1 100644
--- a/tools/config/arcsight.yml
+++ b/tools/config/arcsight.yml
@@ -60,6 +60,11 @@ logsources:
service: powershell
conditions:
deviceVendor: Microsoft
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ deviceVendor: Microsoft
windows-dhcp:
product: windows
service: dhcp
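Review bot: The new `windows-ntlm` log source narrows only on `deviceVendor: Microsoft`, so any rule with `service: ntlm` is evaluated against every Microsoft event the ArcSight connector forwards, not just the NTLM operational log; if a rule relies on field values that are only meaningful in that channel this produces false positives. The `windows-applocker` entry added further down in this file shows the tighter form with a `deviceProduct:` condition; if the connector exposes a comparable product or channel value for NTLM events, adding it here would scope the source correctly. The neighbouring `powershell` and `dhcp` entries follow the same loose pattern, so this may be a deliberate convention of this config rather than an oversight.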
@@ -94,6 +99,12 @@ logsources:
service: application
conditions:
deviceVendor: Microsoft
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ deviceVendor: Microsoft
+ deviceProduct: AppLocker
proxy:
category: proxy
conditions:
@@ -477,4 +488,4 @@ fieldmappings:
TicketEncryptionType: deviceCustomString1
TicketOptions: deviceCustomString1
winlog.channel: deviceCustomString1
- WorkstationName: deviceCustomString1
\ No newline at end of file
+ WorkstationName: deviceCustomString1
diff --git a/tools/config/carbon-black.yml b/tools/config/carbon-black.yml
index 6b034c6e..fbc71ee4 100644
--- a/tools/config/carbon-black.yml
+++ b/tools/config/carbon-black.yml
@@ -2,6 +2,7 @@ title: CarbonBlack field mapping
order: 20
backends:
- carbonblack
+ - cb
fieldmappings:
AccountName: username
CommandLine: cmdline
@@ -15,14 +16,34 @@ fieldmappings:
Image: process_name
ImageLoaded: modload
ImagePath: path
- NewProcessName: process_name
+ #NewProcessName: process_name
#ParentCommandLine: NONE??
ParentProcessName: parent_name
ParentImage: parent_name
Path: path
ProcessCommandLine: cmdline
ProcessName: process_name
- Signature: digsig_result
+ #Signature: digsig_result
+ SourceIp: ipaddr
+ DestinationAddress: ipaddr
+ DestinationPort: ipport
+ DestPort: ipport
+ TargetObject: regmod
+ TargetFilename: filemod
+ TargetFileName: filemod
+ Targetfilename: filemod
+ SourceImage: parent_name
+ TargetImage: childproc_name
+ NewProcessName: childproc_name
+ Product: product_name
+ Signature: digsig_publisher
+ CallTrace: modload
+ DestinationHostname: domain
+ User: username
+ StartModule: modload
+ Company: company_name
+ Description: file_desc
+ FileVersion: file_version
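Review bot: `SourceIp` and `DestinationAddress` are both mapped to `ipaddr` (and `DestinationPort`/`DestPort` to `ipport`), so a rule that distinguishes the source from the destination of a connection collapses into a single field test, and a rule constraining both sides ends up testing the same value twice. If Carbon Black's `ipaddr`/`ipport` describe only the remote endpoint, that limitation should be stated so rule authors know direction is lost, e.g. `# ipaddr/ipport are direction-agnostic: source and destination conditions both test the remote endpoint`. Likewise `SourceImage: parent_name` and `TargetImage: childproc_name` appear to reinterpret a source/target process pair as a parent/child relation, which is not the same relationship; unless that approximation is deliberate it deserves a comment or those two fields belong in `excludedfields`. The `fieldmappings` block continues outside the hunk.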
@@ -72,3 +93,6 @@ fieldmappings:
excludedfields:
- EventID
- Robot2
+ - TargetObject
+ - CallTrace
+ - Imphash
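Review bot: `TargetObject` and `CallTrace` are added to `excludedfields` here while the same change maps them in `fieldmappings` (`TargetObject: regmod`, `CallTrace: modload`), so one of the two entries is dead and it is not obvious which one wins. If excluding a field makes sigmac drop that condition from the generated query, rules keyed on a registry path or call trace silently lose their selector and become far broader than written; if the mapping wins, the exclusion is a no-op. Keep only the intended entry and record the reason, e.g. `# regmod/modload cannot express TargetObject/CallTrace conditions — excluded rather than mapped`, adjusted to whatever the actual rationale is.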
diff --git a/tools/config/ecs-cloudtrail.yml b/tools/config/ecs-cloudtrail.yml
new file mode 100644
index 00000000..fe9419bd
--- /dev/null
+++ b/tools/config/ecs-cloudtrail.yml
@@ -0,0 +1,60 @@
+title: Elastic Common Schema And Elastic Exported Fields Mapping For AWS CloudTrail Logs
+order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - es-rule
+ - kibana
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+fieldmappings:
+ additionalEventdata: aws.cloudtrail.additional_eventdata
+ apiVersion: aws.cloudtrail.api_version
+ awsRegion: cloud.region
+ errorCode: aws.cloudtrail.error_code
+ errorMessage: aws.cloudtrail.error_message
+ eventID: event.id
+ eventName: event.action
+ eventSource: event.provider
+ eventTime: '@timestamp'
+ eventType: aws.cloudtrail.event_type
+ eventVersion: aws.cloudtrail.event_version
+ managementEvent: aws.cloudtrail.management_event
+ readOnly: aws.cloudtrail.read_only
+ requestID: aws.cloudtrail.request_id
+ requestParameters: aws.cloudtrail.request_parameters
+ resources.accountId: aws.cloudtrail.resources.account_id
+ resources.ARN: aws.cloudtrail.resources.arn
+ resources.type: aws.cloudtrail.resources.type
+ responseElements: aws.cloudtrail.response_elements
+ serviceEventDetails: aws.cloudtrail.service_event_details
+ sharedEventId: aws.cloudtrail.shared_event_id
+ sourceIPAddress: source.address
+ userAgent: user_agent
+ userIdentity.accessKeyId: aws.cloudtrail.user_identity.access_key_id
+ userIdentity.accountId: cloud.account.id
+ userIdentity.arn: aws.cloudtrail.user_identity.arn
+ userIdentity.invokedBy: aws.cloudtrail.user_identity.invoked_by
+ userIdentity.principalId: user.id
+ userIdentity.sessionContext.attributes.creationDate: aws.cloudtrail.user_identity.session_context.creation_date
+ userIdentity.sessionContext.attributes.mfaAuthenticated: aws.cloudtrail.user_identity.session_context.mfa_authenticated
+ userIdentity.type: aws.cloudtrail.user_identity.type
+ userIdentity.userName: user.name
+ vpcEndpointId: aws.cloudtrail.vpc_endpoint_id
+overrides:
+ - field: event.outcome
+ value: failure
+ regexes:
+ - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
+ - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
+ - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
+ - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
+ - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
+ - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
+ - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\))
+ - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\))
+ - field: event.outcome
+ value: success
+ literals:
+ - 'NOT (event.outcome:failure)'
\ No newline at end of file
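Review bot: `userAgent: user_agent` points at what appears to be the ECS object prefix rather than a value field, so a rule condition on the user agent compiles to a query against `user_agent` with nothing to match; elsewhere in this same change (`ecs-proxy.yml` maps `c-useragent: user_agent.original`) the concept is mapped to the leaf field, and this file should agree: `userAgent: user_agent.original`. `sourceIPAddress: source.address` is a string-style field; if the index also carries `source.ip` as an `ip` type, listing both under `sourceIPAddress:` (`- source.address`, `- source.ip`) would let CIDR-style conditions work the way the `src`/`dst` entries in the proxy mapping do. The `overrides` section also labels every event that misses the failure regexes as `event.outcome: success` via `NOT (event.outcome:failure)`; a one-line comment noting that success is inferred by exclusion rather than read from a CloudTrail field would stop the next reader from assuming a real outcome field exists.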
diff --git a/tools/config/ecs-proxy.yml b/tools/config/ecs-proxy.yml
index b618fc53..0659f7c3 100644
--- a/tools/config/ecs-proxy.yml
+++ b/tools/config/ecs-proxy.yml
@@ -3,42 +3,15 @@ order: 20
backends:
- es-qs
- es-dsl
- - elasticsearch-rule
+ - es-rule
+ - corelight_elasticsearch-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
-# logsources:
- # proxy:
- # category: proxy
- # index:
- # - "filebeat-*"
- # - "*ecs-*"
- #zeek-category-proxy:
- # category: proxy
- # rewrite:
- # product: zeek
- # service: http
- #zeek-category-webserver:
- # category: webserver
- # conditions:
- # event.dataset: http
- # rewrite:
- # product: zeek
- # service: http
- # zeek-http:
- # product: zeek
- # service: http
- # conditions:
- # event.dataset: http
- # zeek-http2:
- # product: zeek
- # service: http2
- # conditions:
- # event.dataset: http2
+ - ee-outliers
defaultindex:
- filebeat-*
-# logsourcemerging: or
fieldmappings:
# All Logs Applied Mapping & Taxonomy
dst:
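Review bot: The backend identifier `elasticsearch-rule` is renamed to `es-rule` here (with `corelight_elasticsearch-rule` added alongside), but the new `ecs-zeek-elastic-beats-implementation.yml` in the same change still lists `elasticsearch-rule` in its `backends`, while the new `ecs-cloudtrail.yml` uses `es-rule`. Whichever name the backend actually registers under, only one of those files will be selectable for it, so the beats config should be aligned with this rename (`- es-rule`), or, if both identifiers are accepted, the reason for keeping the old one documented. Dropping the commented-out `logsources` block and `# logsourcemerging: or` is reasonable cleanup, though a short comment pointing to where the proxy/zeek logsources now live (presumably the `ecs-zeek-*.yml` configs) would help readers who relied on the old hint.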
@@ -63,6 +36,7 @@ fieldmappings:
c-uri-stem: url.original
c-uri: url.original
c-useragent: user_agent.original
+ cs-bytes: http.request.body.bytes
cs-cookie: http.cookie
cs-host:
- url.domain
@@ -245,4 +219,4 @@ fieldmappings:
trans_depth: http.trans_depth
uri_vars: http.uri_vars
username: source.user.name
- version: http.version
\ No newline at end of file
+ version: http.version
diff --git a/tools/config/ecs-zeek-corelight.yml b/tools/config/ecs-zeek-corelight.yml
index 57849671..0707a7f7 100644
--- a/tools/config/ecs-zeek-corelight.yml
+++ b/tools/config/ecs-zeek-corelight.yml
@@ -13,6 +13,7 @@ backends:
- corelight_xpack-watcher
- elastalert
- elastalert-dsl
+ - ee-outliers
logsources:
zeek:
product: zeek
@@ -696,7 +697,6 @@ fieldmappings:
# DNS
AA: dns.AA
#addl: dns.addl
- #auth: dns.auth
answers: dns.answers.name
TTLs: dns.answers.ttl
RA: dns.RA
@@ -1287,4 +1287,4 @@ fieldmappings:
web.status: http.response.status_code
Web.status: http.response.status_code
web_uri: url.original
- web_url: url.original
\ No newline at end of file
+ web_url: url.original
diff --git a/tools/config/ecs-zeek-elastic-beats-implementation.yml b/tools/config/ecs-zeek-elastic-beats-implementation.yml
new file mode 100644
index 00000000..cd999bb5
--- /dev/null
+++ b/tools/config/ecs-zeek-elastic-beats-implementation.yml
@@ -0,0 +1,1018 @@
+title: Elastic Common Schema (ECS) implementation for Zeek using filebeat modules enabled based on version 7.6.1
+order: 20
+backends:
+ - es-qs
+ - es-dsl
+ - elasticsearch-rule
+ - kibana
+ - xpack-watcher
+ - elastalert
+ - elastalert-dsl
+ - ee-outliers
+logsources:
+ zeek:
+ product: zeek
+ index: 'filebeat*'
+ zeek-category-accounting:
+ category: accounting
+ rewrite:
+ product: zeek
+ service: syslog
+ zeek-category-firewall:
+ category: firewall
+ rewrite:
+ product: zeek
+ service: conn
+ zeek-category-dns:
+ category: dns
+ rewrite:
+ product: zeek
+ service: dns
+ zeek-category-proxy:
+ category: proxy
+ rewrite:
+ product: zeek
+ service: http
+ zeek-category-webserver:
+ category: webserver
+ rewrite:
+ product: zeek
+ service: http
+ zeek-conn:
+ product: zeek
+ service: conn
+ conditions:
+ event.dataset: zeek.conn
+ zeek-conn_long:
+ product: zeek
+ service: conn_long
+ conditions:
+ event.dataset: zeek.conn_long
+ zeek-dce_rpc:
+ product: zeek
+ service: dce_rpc
+ conditions:
+ event.dataset: zeek.dce_rpc
+ zeek-dns:
+ product: zeek
+ service: dns
+ conditions:
+ event.dataset: zeek.dns
+ zeek-dnp3:
+ product: zeek
+ service: dnp3
+ conditions:
+ event.dataset: zeek.dnp3
+ zeek-dpd:
+ product: zeek
+ service: dpd
+ conditions:
+ event.dataset: zeek.dpd
+ zeek-files:
+ product: zeek
+ service: files
+ conditions:
+ event.dataset: zeek.files
+ zeek-ftp:
+ product: zeek
+ service: ftp
+ conditions:
+ event.dataset: zeek.ftp
+ zeek-gquic:
+ product: zeek
+ service: gquic
+ conditions:
+ event.dataset: zeek.gquic
+ zeek-http:
+ product: zeek
+ service: http
+ conditions:
+ event.dataset: zeek.http
+ zeek-http2:
+ product: zeek
+ service: http2
+ conditions:
+ event.dataset: zeek.http2
+ zeek-intel:
+ product: zeek
+ service: intel
+ conditions:
+ event.dataset: zeek.intel
+ zeek-irc:
+ product: zeek
+ service: irc
+ conditions:
+ event.dataset: zeek.irc
+ zeek-kerberos:
+ product: zeek
+ service: kerberos
+ conditions:
+ event.dataset: zeek.kerberos
+ zeek-known_certs:
+ product: zeek
+ service: known_certs
+ conditions:
+ event.dataset: zeek.known_certs
+ zeek-known_hosts:
+ product: zeek
+ service: known_hosts
+ conditions:
+ event.dataset: zeek.known_hosts
+ zeek-known_modbus:
+ product: zeek
+ service: known_modbus
+ conditions:
+ event.dataset: zeek.known_modbus
+ zeek-known_services:
+ product: zeek
+ service: known_services
+ conditions:
+ event.dataset: zeek.known_services
+ zeek-modbus:
+ product: zeek
+ service: modbus
+ conditions:
+ event.dataset: zeek.modbus
+ zeek-modbus_register_change:
+ product: zeek
+ service: modbus_register_change
+ conditions:
+ event.dataset: zeek.modbus_register_change
+ zeek-mqtt_connect:
+ product: zeek
+ service: mqtt_connect
+ conditions:
+ event.dataset: zeek.mqtt_connect
+ zeek-mqtt_publish:
+ product: zeek
+ service: mqtt_publish
+ conditions:
+ event.dataset: zeek.mqtt_publish
+ zeek-mqtt_subscribe:
+ product: zeek
+ service: mqtt_subscribe
+ conditions:
+ event.dataset: zeek.mqtt_subscribe
+ zeek-mysql:
+ product: zeek
+ service: mysql
+ conditions:
+ event.dataset: zeek.mysql
+ zeek-notice:
+ product: zeek
+ service: notice
+ conditions:
+ event.dataset: zeek.notice
+ zeek-ntlm:
+ product: zeek
+ service: ntlm
+ conditions:
+ event.dataset: zeek.ntlm
+ zeek-ntp:
+ product: zeek
+ service: ntp
+ conditions:
+ event.dataset: zeek.ntp
+ zeek-ocsp:
+ product: zeek
+ service: ntp
+ conditions:
+ event.dataset: zeek.ocsp
+ zeek-pe:
+ product: zeek
+ service: pe
+ conditions:
+ event.dataset: zeek.pe
+ zeek-pop3:
+ product: zeek
+ service: pop3
+ conditions:
+ event.dataset: zeek.pop3
+ zeek-radius:
+ product: zeek
+ service: radius
+ conditions:
+ event.dataset: zeek.radius
+ zeek-rdp:
+ product: zeek
+ service: rdp
+ conditions:
+ event.dataset: zeek.rdp
+ zeek-rfb:
+ product: zeek
+ service: rfb
+ conditions:
+ event.dataset: zeek.rfb
+ zeek-sip:
+ product: zeek
+ service: sip
+ conditions:
+ event.dataset: zeek.sip
+ zeek-smb_files:
+ product: zeek
+ service: smb_files
+ conditions:
+ event.dataset: zeek.smb_files
+ zeek-smb_mapping:
+ product: zeek
+ service: smb_mapping
+ conditions:
+ event.dataset: zeek.smb_mapping
+ zeek-smtp:
+ product: zeek
+ service: smtp
+ conditions:
+ event.dataset: zeek.smtp
+ zeek-smtp_links:
+ product: zeek
+ service: smtp_links
+ conditions:
+ event.dataset: zeek.smtp_links
+ zeek-snmp:
+ product: zeek
+ service: snmp
+ conditions:
+ event.dataset: zeek.snmp
+ zeek-socks:
+ product: zeek
+ service: socks
+ conditions:
+ event.dataset: zeek.socks
+ zeek-software:
+ product: zeek
+ service: software
+ conditions:
+ event.dataset: zeek.software
+ zeek-ssh:
+ product: zeek
+ service: ssh
+ conditions:
+ event.dataset: zeek.ssh
+ zeek-ssl:
+ product: zeek
+ service: ssl
+ conditions:
+ event.dataset: zeek.tls
+ zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
+ product: zeek
+ service: tls
+ conditions:
+ event.dataset: zeek.tls
+ zeek-syslog:
+ product: zeek
+ service: syslog
+ conditions:
+ event.dataset: zeek.syslog
+ zeek-tunnel:
+ product: zeek
+ service: tunnel
+ conditions:
+ event.dataset: zeek.tunnel
+ zeek-traceroute:
+ product: zeek
+ service: traceroute
+ conditions:
+ event.dataset: zeek.traceroute
+ zeek-weird:
+ product: zeek
+ service: weird
+ conditions:
+ event.dataset: zeek.weird
+ zeek-x509:
+ product: zeek
+ service: x509
+ conditions:
+ event.dataset: zeek.x509
+ zeek-ip_search:
+ product: zeek
+ service: network
+ conditions:
+ event.dataset:
+ - connection
+ #- conn_long
+ - dce_rpc
+ - dhcp
+ - dnp3
+ - dns
+ - ftp
+ - gquic
+ - http
+ - irc
+ - kerberos
+ - modbus
+ - mqtt_connect
+ - mqtt_publish
+ - mqtt_subscribe
+ - mysql
+ - ntlm
+ - ntp
+ - radius
+ - rfb
+ - sip
+ - smb_files
+ - smb_mapping
+ - smtp
+ - smtp_links
+ - snmp
+ - socks
+ - ssh
+ - tls #SSL
+ - tunnel
+ - weird
+defaultindex: 'filebeat*'
+fieldmappings:
+ # All Logs Applied Mapping & Taxonomy
+ dst:
+ - destination.address
+ - destination.ip
+ dst_ip:
+ - destination.address
+ - destination.ip
+ dst_port: destination.port
+ #host: host.ip # Not implemented by Elastic (Beats) yet
+ #inner_vlan: network.vlan.inner.id # Not implemented by Elastic (Beats) yet
+ #mac: source.mac
+ #mime_type: file.mime_type # Not implemented by Elastic (Beats) yet
+ network_application: network.protocol
+ network_community_id: network.community_id
+ network_protocol: network.transport
+ #password: source.user.password
+ #port_num: labels.known.port
+ proto: network.transport
+ #result: event.outcome # Not implemented by Elastic (Beats) yet
+ #rtt: event.duration # Not implemented by Elastic (Beats) yet
+ #server_name: destination.domain
+ src:
+ - source.address
+ - source.ip
+ src_ip: source.ip
+ src_port: source.port
+ #success: event.outcome # Not implemented by Elastic (Beats) yet
+ #uri: url.original
+ #user: source.user.name
+ #username: source.user.name # Not complete by Elastic (Beats) yet
+ #user_agent: user_agent.original
+ #vlan: network.vlan.id # Not implemented by Elastic (Beats) yet
+ # Overlapping fields/mappings (aka: shared fields)
+ action: 'zeek.smb_files.action'
+ mqtt_action: smb.action
+ smb_action: smb.action
+ tunnel_action: tunnel.action
+ addl: 'zeek.weird.additional_info'
+ dns_addl: zeek.dns.addl
+ weird_addl: zeek.weird.additional_info
+ arg: 'zeek.*.arg'
+ ftp_arg: zeek.ftp.arg
+ mysql_arg: zeek.mysql.arg
+ pop3_arg: zeek.pop3.arg
+ auth: 'zeek.*.auth*'
+ cipher: 'zeek.*.cipher'
+ kerberos_cipher: zeek.kerberos.cipher
+ ssl_cipher: zeek.ssl.cipher
+ tls_cipher: zeek.ssl.cipher
+ client: 'zeek.*.client*'
+ command: 'zeek.*.command'
+ ftp_command: zeek.irc.command
+ irc_command: zeek.ftp.command
+ pop3_command: zeek.pop3.command
+ date: 'zeek.*.date'
+ duration: event.duration
+ from: 'zeek.*.from'
+ kerberos_from: zeek.smtp.from
+ smtp_from: zeek.kerberos.valid.from
+ is_orig: 'zeek.*.is_orig'
+ local_orig: 'zeek.*.local_orig'
+ method: http.request.method
+ http_method: http.request.method
+ sip_method: zeek.sip.sequence.method
+ name: 'zeek.smb_files.name'
+ smb_files_name: zeek.smb_files.name
+ software_name: zeek.software.name
+ weird_name: zeek.weird.name
+ path: 'zeek.*.path'
+ smb_mapping_path: zeek.smb_mapping.path
+ smb_files_path: zeek.smb_files.path
+ smtp_files_path: zeek.smtp.path
+ password: 'zeek.*.password'
+ reply_msg: 'zeek.*.reply*msg'
+ reply_to: 'zeek.*.reply_to'
+ response_body_len: http.response.body.bytes
+ request_body_len: http.request.body.bytes
+ rtt: event.duration
+ status_code: 'http.response.status_code'
+ status_msg: 'zeek.*status*msg'
+ #_service:
+ service: 'zeek.*.service'
+ kerberos_service: zeek.kerberos.service
+ smb_mapping_kerberos: zeek.smb_mapping.service
+ #_subject:
+ subject:
+ - 'zeek.*.subject'
+ known_certs_subject: zeek.known_certs.subject
+ sip_subject: zeek.sip.subject
+ smtp_subject: zeek.smtp.subject
+ ssl_subject: zeek.ssl.subject
+ trans_depth: 'zeek.*.trans*depth'
+ username: 'zeek.*.username'
+ uri: 'url.original'
+ user: 'zeek.*user*'
+ #_user_agent
+ user_agent:
+ - 'zeek.*user_agent*'
+ http_user_agent: user_agent.original
+ gquic_user_agent: zeek.gquic.user_agent
+ sip_user_agent: zeek.sip.user_agent
+ smtp_user_agent: zeek.smtp.user_agent
+ #_version
+ version: 'zeek.*.version'
+ gquic_version: zeek.gquic.version
+ http_version: http.version
+ ntp_version: zeek.ntp.version
+ socks_version: zeek.socks.version
+ snmp_version: zeek.snmp.version
+ ssh_version: zeek.ssh.version
+ tls_version: zeek.ssl.version
+ # DNS matching Taxonomy & DNS Category
+ answer: dns.answers.name
+ question_length: labels.dns.query_length
+ record_type: dns.question.type
+ parent_domain: dns.question.registered_domain
+ # HTTP matching Taxonomy & Web/Proxy Category
+ cs-bytes: http.request.body.bytes
+ cs-cookie: http.cookie_vars
+ r-dns:
+ - url.domain
+ - destination.domain
+ sc-bytes: http.response.body.bytes
+ sc-status: http.response.status_code
+ c-uri: url.original
+ c-uri-extension: url.extension
+ c-uri-query: url.query
+ c-uri-stem: url.original
+ c-useragent: user_agent.original
+ cs-host:
+ - url.domain
+ - destination.domain
+ cs-method: http.request.method
+ cs-referrer: http.request.referrer
+ cs-version: http.version
+ uid: zeek.session_id
+ # Conn
+ cache_add_rx_ev: zeek.connection.cache_add_rx_ev
+ cache_add_rx_mpg: zeek.connection.cache_add_rx_mpg
+ cache_add_rx_new: zeek.connection.cache_add_rx_new
+ cache_add_tx_ev: zeek.connection.cache_add_tx_ev
+ cache_add_tx_mpg: zeek.connection.cache_add_tx_mpg
+ cache_del_mpg: zeek.connection.cache_del_mpg
+ cache_entries: zeek.connection.cache_entries
+ conn_state: zeek.connection.conn_state
+ conn_uids: zeek.files.session_ids
+ corelight_shunted: zeek.connection.corelight_shunted
+ history: zeek.connection.history
+ id.orig_h.name_src: zeek.connection.id.orig_h_name.src
+ id.orig_h.names_vals: zeek.connection.id.orig_h_names.vals
+ id.resp_h.name_src: zeek.connection.id.resp_h_name.src
+ id.resp_h.name_vals: zeek.connection.id.resp_h_name.vals
+ #local_orig: zeek.connection.local_orig
+ local_resp: zeek.connection.local_resp
+ missed_bytes: zeek.connection.missed_bytes
+ orig_bytes: source.bytes
+ orig_cc: source.geo.country_iso_code
+ orig_ip_bytes: zeek.connection.orig_ip_bytes
+ orig_l2_addr: source.mac
+ orig_pkts: source.packets
+ resp_bytes: destination.bytes
+ resp_cc: destination.geo.country_iso_code
+ resp_ip_bytes: zeek.connection.resp.ip_bytes
+ resp_l2_addr: destination.mac
+ resp_pkts: destination.packets
+ # DCE-RPC Specific
+ endpoint: zeek.dce_rpc.endpoint
+ named_pipe: zeek.dce_rpc.named_pipe
+ operation: zeek.dce_rpc.operation
+ #rtt: zeek.dce_rpc.rtt
+ # DHCP
+ domain: zeek.dhcp.domain
+ host_name: zeek.dhcp.hostname
+ lease_time: zeek.dhcp.lease_time
+ agent_remote_id: zeek.dhcp.agent_remote_id
+ assigned_addr: zeek.dhcp.assigned_addr
+ circuit_id: zeek.dhcp.circuit_id
+ client_message: zeek.dhcp.client_message
+ client_software: zeek.dhcp.client_software
+ client_fqdn: zeek.dhcp.client_fqdn
+ #mac: source.mac
+ msg_orig: zeek.dhcp.msg_orig
+ msg_types: zeek.dhcp.msg_types
+ requested_addr: zeek.dhcp.requested_addr
+ server_addr: destination.ip
+ server_message: zeek.dhcp.server_message
+ server_software: zeek.dhcp.server_software
+ subscriber_id: zeek.dhcp.subscriber_id
+ #zeek.zeek.dhcp.client_port: Elastic has this, but is not actually a zeek log field for dhcp
+ #zeek.zeek.dhcp.server_port: Elastic has this, but is not actually a zeek log field for dhcp
+ # DNS
+ AA: zeek.dns.AA
+ #addl: zeek.dns.addl
+ #auth: zeek.dns.auth
+ answers: dns.answers.name
+ TTLs: dns.answers.ttl
+ RA: zeek.dns.RA
+ RD: zeek.dns.RD
+ rejected: zeek.dns.rejected
+ TC: zeek.dns.TC
+ Z: zeek.dns.Z
+ qclass: zeek.dns.qclass
+ qclass_name: dns.question.class
+ qtype: zeek.dns.qtype
+ qtype_name: dns.question.type
+ query: dns.question.name
+ rcode_name: dns.response_code
+ rcode: zeek.dns.rcode
+ #rtt: zeek.dns.rtt
+ trans_id: dns.id
+ # DNP3
+ fc_reply: dnp3.function.reply
+ fc_request: dnp3.function.request
+ iin: dnp3.inn
+ # DPD
+ #analyzer: dpd.analyzer
+ failure_reason: dpd.failure_reason
+ packet_segment: dpd.packet_segment
+ # Files
+ rx_hosts: zeek.files.rx_host
+ tx_hosts: zeek.files.tx_host
+ #analyzer: zeek.files.analyzer
+ depth: zeek.files.depth
+ #duration: zeek.files.duration
+ extracted: zeek.files.extracted
+ extracted_cutoff: zeek.files.extracted_cutoff
+ extracted_size: zeek.files.extracted_size
+ entropy: zeek.files.entropy
+ md5: zeek.files.md5
+ sha1: zeek.files.sha1
+ sha256: zeek.files.sha256
+ #is_orig: zeek.files.is_orig
+ #local_orig: zeek.files.local_orig
+ missing_bytes: zeek.files.missing_bytes
+ filename: zeek.files.filename
+ overflow_bytes: zeek.files.overflow_bytes
+ seen_bytes: zeek.files.seen_bytes
+ total_bytes: zeek.files.total_bytes
+ timedout: zeek.files.timedout
+ # GQUIC/QUIC
+ cyu: gquic.cyu
+ cyutags: gquic.cyutags
+ #server_name: destination.domain
+ tag_count: gquic.tag_count
+ #user_agent: user_agent.original
+ #version: gquic.version
+ # FTP
+ #arg: zeek.ftp.arg
+ #command: zeek.ftp.command
+ cwd: zeek.ftp.cwd
+ data_channel.passive: zeek.ftp.data_channel.passive
+ data_channel.orig_h: zeek.ftp.data_channel.originating_host
+ data_channel.resp_h: zeek.ftp.data_channel.response_host
+ data_channel.resp_p: zeek.ftp.data_channel.response_port
+ file_size: zeek.ftp.file.size
+ passive: zeek.ftp.passive
+ #password: zeek.ftp.password
+ reply_code: zeek.ftp.reply.code
+ #reply_msg: zeek.ftp.reply.msg
+ #user: zeek.ftp.user.name
+ # HTTP
+ client_header_names: zeek.http.client_header_names
+ cookie_vars: zeek.http.cookie_vars
+ flash_version: zeek.http.flash_version
+ info_code: zeek.http.info_code
+ info_msg: zeek.http.info_msg
+ #method: http.request.method
+ omniture: zeek.http.omniture
+ orig_filenames: zeek.http.orig_filenames
+ orig_mime_types: zeek.http.orig_mime_types
+ origin: zeek.http.origin
+ #password: zeek.http.password
+ #response_body_len: http.response.body.bytes
+ #request_body_len: http.request.body.bytes
+ referrer: http.request.referrer
+ post_body: zeek.http.post_body
+ proxied: zeek.http.proxied
+ resp_filenames: zeek.http.resp_filenames
+ resp_mime_types: zeek.http.resp_mime_types
+ server_header_names: zeek.http.server_header_names
+ #status_msg: zeek.http.status_msg
+ #trans_depth: zeek.http.trans_depth
+ #uri: url.original
+ uri_vars: zeek.http.uri_vars
+ #user_agent: user_agent.original
+ #username: source.user.name
+ #version: http.version
+ # Intel
+ file_mime_type: zeek.intel.mime_type
+ file_desc: zeek.intel.file_desc
+ host: zeek.intel.seen.host
+ matched: zeek.intel.matched
+ indicator: zeek.intel.seen.indicator
+ indicator_type: zeek.intel.seen.indicator_type
+ node: zeek.intel.seen.node
+ where: zeek.intel.seen.where
+ sources: zeek.intel.seen.sources
+ # IRC
+ dcc_file_name: zeek.irc.dcc.file.name
+ dcc_file_size: zeek.irc.dcc.file.size
+ dcc_mime_type: zeek.irc.dcc.mime_type
+ #command: zeek.irc.command
+ nick: zeek.irc.nick
+ #user: zeek.irc.username
+ value: zeek.irc.command
+ # Kerberos
+ auth_ticket: zeek.kerberos.ticket.auth
+ #cipher: zeek.kerberos.cipher
+ #client: zeek.kerberos.cert.client.value
+ client_cert_subject: zeek.kerberos.cert.client.subject
+ error_code: zeek.kerberos.error.code
+ error_msg: zeek.kerberos.error.msg
+ forwardable: zeek.kerberos.forwardable
+ #from: zeek.kerberos.valid.from
+ new_ticket: zeek.kerberos.ticket.new
+ renewable: zeek.kerberos.renewable
+ request_type: zeek.kerberos.request_type
+ #service: zeek.kerberos.service
+ success: zeek.kerberos.success
+ server_cert_subject: zeek.kerberos.cert.server.subject
+ till: zeek.kerberos.valid.until
+ # Known_Certs
+ #host: host.ip # known_services not in Elastic Beats at all
+ #issuer_subject: known_certs.issuer_subject # known_services not in Elastic Beats at all
+ #port_num: labels.known.port # known_services not in Elastic Beats at all
+ #serial: known_certs.serial # known_services not in Elastic Beats at all
+ #subject: known_certs.subject # known_services not in Elastic Beats at all
+ # Known_Modbus
+ #host: host.ip # known_services not in Elastic Beats at all
+ #device_type: known_modbus.device_type # known_services not in Elastic Beats at all
+ # Known_Services
+ #port_proto: network.transport # known_services not in Elastic Beats at all
+ #port_num: labels.known.port # known_services not in Elastic Beats at all
+ # Modbus
+ delta: zeek.modbus.delta
+ new_val: zeek.modbus.new_val
+ old_val: zeek.modbus.old_val
+ register: zeek.modbus.register
+ func: zeek.modbus.function
+ exception: zeek.modbus.exception
+ track_address: zeek.modbus.track_address
+ # ModBus_Register_Change
+ #delta: modbus.delta # modbus_register_change not in Elastic Beats at all
+ #new_val: modbus.new_val # modbus_register_change not in Elastic Beats at all
+ #old_val: modbus.old_val # modbus_register_change not in Elastic Beats at all
+ #register: modbus.register # modbus_register_change not in Elastic Beats at all
+ # MQTT_Connect , MQTT_Publish, MQTT_Subscribe
+ #ack: mqtt.ack # mqtt logs not in Elastic Beats at all
+ #action: mqtt.action # mqtt logs not in Elastic Beats at all
+ #client_id: mqtt.client_id # mqtt logs not in Elastic Beats at all
+ #connect_status: mqtt.connect_status # mqtt logs not in Elastic Beats at all
+ #from_client: mqtt.from_client # mqtt logs not in Elastic Beats at all
+ #granted_qos_level: mqtt.granted_qos_level # mqtt logs not in Elastic Beats at all
+ #payload: mqtt.payload # mqtt logs not in Elastic Beats at all
+ #payload_len: mqtt.payload_len # mqtt logs not in Elastic Beats at all
+ #proto_name: mqtt.proto_name # mqtt logs not in Elastic Beats at all
+ #proto_version: mqtt.proto_version # mqtt logs not in Elastic Beats at all
+ #qos: mqtt.qos # mqtt logs not in Elastic Beats at all
+ #qos_levels: mqtt.qos_levels # mqtt logs not in Elastic Beats at all
+ #retain: mqtt.retain # mqtt logs not in Elastic Beats at all
+ ##status: mqtt.status # mqtt logs not in Elastic Beats at all
+ #topic: mqtt.topic # mqtt logs not in Elastic Beats at all
+ #topics: mqtt.topics # mqtt logs not in Elastic Beats at all
+ #will_payload: mqtt.will_payload # mqtt logs not in Elastic Beats at all
+ #will_topic: mqtt.will_topic # mqtt logs not in Elastic Beats at all
+ # MYSQL
+ #arg: mysql.arg
+ cmd: zeek.mysql.cmd
+ response: zeek.mysql.response
+ rows: zeek.mysql.rows
+ #success: event.outcome
+ # Notice
+ actions: zeek.notice.actions
+ #conn: # Not an actual field logged, but Beats has it
+ #iconn: # Not an actual field logged, but Beats has it
+ dropped: zeek.notice.dropped
+ #dst: destination.ip
+ email_body_sections: zeek.notice.email_body_sections
+ email_delay_tokens: zeek.notice.email_delay_tokens
+ identifier: zeek.notice.identifier
+ msg: zeek.notice.msg
+ n: zeek.notice.n
+ note: zeek.notice.note
+ p: destination.port
+ peer_descr: zeek.notice.peer_descr
+ peer_name: zeek.notice.peer_name
+ #proto: network.transport
+ #src: source.ip
+ sub: zeek.notice.sub
+ subpress_for: zeek.notice.subpress_for
+ # NTLM
+ domainname: zeek.ntlm.domain
+ hostname: zeek.ntlm.hostname
+ #username: notice.username
+ server_nb_computer_name: zeek.ntlm.server.name.netbios
+ server_tree_name: zeek.ntlm.server.name.tree
+ #success: event.outcome
+ server_dns_computer_name: zeek.ntlm.server.name.dns
+ # NTP
+ #mode: ntp.mode # ntp not in Elastic Beats at all
+ #num_exts: ntp.num_exts # ntp not in Elastic Beats at all
+ #org_time: ntp.org_time # ntp not in Elastic Beats at all
+ #poll: ntp.poll # ntp not in Elastic Beats at all
+ #precision: ntp.precision # ntp not in Elastic Beats at all
+ #rec_time: ntp.rec_time # ntp not in Elastic Beats at all
+ #ref_id: ntp.ref_id # ntp not in Elastic Beats at all
+ #ref_time: ntp.ref_time # ntp not in Elastic Beats at all
+ #root_delay: ntp.root_delay # ntp not in Elastic Beats at all
+ #root_disp: ntp.root_disp # ntp not in Elastic Beats at all
+ #stratum: ntp.stratum # ntp not in Elastic Beats at all
+ ##version: ntp.version # ntp not in Elastic Beats at all
+ #xmt_time: ntp.xmt_time # ntp not in Elastic Beats at all
+ # OCSP
+ certStatus: zeek.ocsp.status
+ hashAlgorithm: zeek.ocsp.hash.algorithm
+ issuerKeyHash: zeek.ocsp.hash.issuer.key
+ issuerNameHash: zeek.ocsp.hash.issuer.name
+ nextUpdate: zeek.ocsp.update.next
+ revokereason: zeek.ocsp.revoke.reason
+ revoketime: zeek.ocsp.revoke.date
+ serialNumber: zeek.ocsp.serial_number
+ thisUpdate: zeek.ocsp.update.this
+ # PE
+ compile_ts: zeek.pe.compile_time
+ has_cert_table: zeek.pe.has_cert_table
+ has_debug_data: zeek.pe.has_debug_data
+ has_import_table: zeek.pe.has_import_table
+ has_export_table: zeek.pe.has_export_table
+ is_64bit: zeek.pe.is_64bit
+ is_exe: zeek.pe.is_exe
+ machine: zeek.pe.machine
+ os: zeek.pe.os
+ section_names: zeek.pe.section_names
+ subsystem: zeek.pe.subsystem
+ uses_aslr: zeek.pe.uses_aslr
+ uses_code_integrity: zeek.pe.uses_code_integrity
+ uses_dep: zeek.pe.uses_dep
+ uses_seh: zeek.pe.uses_seh
+ # POP3
+ #arg: pop3.arg # pop3 not in Elastic Beats at all
+ #command: pop3.command # pop3 not in Elastic Beats at all
+ #current_request: pop3.current_request # pop3 not in Elastic Beats at all
+ #current_response: pop3.current_response # pop3 not in Elastic Beats at all
+ #data: pop3.data # pop3 not in Elastic Beats at all
+ #failed_commands: pop3.failed_commands # pop3 not in Elastic Beats at all
+ #has_client_activity: pop3.has_client_activity # pop3 not in Elastic Beats at all
+ #is_orig: pop3.is_orig # pop3 not in Elastic Beats at all
+ #msg: pop3.msg # pop3 not in Elastic Beats at all
+ #password: source.user.password # pop3 not in Elastic Beats at all
+ #pending: pop3.pending # pop3 not in Elastic Beats at all
+ #status: pop3.status # pop3 not in Elastic Beats at all
+ #successful_commands: pop3.successful_commands # pop3 not in Elastic Beats at all
+ #username: pop3.username # pop3 not in Elastic Beats at all
+ # Radius
+ connect_info: zeek.radius.connect_info
+ framed_addr: zeek.radius.framed_addr
+ mac: zeek.radius.mac
+ #reply_msg: zeek.radius.reply_msg
+ result: zeek.radius.result
+ ttl: zeek.radius.ttl
+ tunnel_client: zeek.radius.tunnel_client
+ #username: zeek.radius.username
+ # RDP
+ #result: event.outcome
+ cert_count: zeek.rdp.cert.count
+ cert_permanent: zeek.rdp.cert.permanent
+ cert_type: zeek.rdp.cert.type
+ client_build: zeek.rdp.client.build
+ client_dig_product_id: zeek.rdp.client.product_id
+ client_name: zeek.rdp.client.name
+ cookie: zeek.rdp.cookie
+ desktop_height: zeek.rdp.desktop.height
+ desktop_width: zeek.rdp.desktop.width
+ encryption_level: zeek.rdp.encryption.level
+ encryption_method: zeek.rdp.encryption.method
+ keyboard_layout: zeek.rdp.keyboard_layout
+ requested_color_depth: zeek.rdp.desktop.color_depth
+ security_protocol: zeek.rdp.security_protocol
+ ssl: zeek.rdp.ssl
+ # RFB
+ #auth: zeek.rfb.auth.success
+ authentication_method: zeek.rfb.auth.method
+ client_major_version: zeek.rfb.version.client.major
+ client_minor_version: zeek.rfb.version.client.minor
+ desktop_name: zeek.rfb.desktop_name
+ height: zeek.rfb.height
+ server_major_version: zeek.rfb.version.server.major
+ server_minor_version: zeek.rfb.version.server.minor
+ share_flag: zeek.rfb.share_flag
+ width: zeek.rfb.width
+ # SIP
+ call_id: zeek.sip.call_id
+ content_type: zeek.sip.content_type
+ #date: zeek.sip.date
+ #method: zeek.sip.sequence.method
+ #reply_to: zeek.sip.reply_to
+ #request_body_len: zeek.sip.response.body_length
+ request_from: zeek.sip.request.from
+ request_path: zeek.sip.request.path
+ request_to: zeek.sip.request.to
+ #response_body_len: zeek.sip.request.body_length
+ response_from: zeek.sip.response.from
+ response_path: zeek.sip.response.path
+ response_to: zeek.sip.response.to
+ seq: zeek.sip.seq
+ #status_code: zeek.sip.status.code
+ #status_msg: zeek.sip.status.msg
+ #subject: zeek.sip.subject
+ #trans_depth: zeek.sip.transaction_depth
+ #uri: zeek.sip.uri
+ warning: zeek.sip.warning
+ #user_agent: zeek.sip.user_agent
+ # SMB_Files
+ #action: zeek.smb_files.action
+ #name: zeek.smb_files.name
+ #path: zeek.smb_files.path
+ prev_name: zeek.smb_files.prev_name
+ size: zeek.smb_files.size
+ times_accessed: zeek.smb_files.accessed
+ times_changed: zeek.smb_files.ctime
+ times_created: zeek.smb_files.created
+ times_modified: zeek.smb_files.mtime
+ # SMB_Mapping
+ native_file_system: zeek.smb_mapping.native_file_system
+ #path: zeek.smb_mapping.path
+ share_type: zeek.smb_mapping.share_type
+ #service: zeek.smb_mapping.service
+ # SMTP
+ cc: zeek.smtp.cc
+ #date: zeek.smtp.date
+ first_received: zeek.smtp.first_received
+ #from: zeek.smtp.from
+ helo: zeek.smtp.helo
+ in_reply_to: zeek.smtp.in_reply_to
+ is_webmail: zeek.smtp.is_webmail
+ last_reply: zeek.smtp.last_reply
+ mailfrom: zeek.smtp.mail_from
+ msg_id: zeek.smtp.msg_id
+ #path: zeek.smtp.path
+ rcptto: zeek.smtp.rcpt_to
+ #reply_to: zeek.smtp.reply_to
+ second_received: zeek.smtp.second_received
+ #subject: zeek.smtp.subject
+ tls: zeek.smtp.tls
+ to: zeek.smtp.to
+ #trans_depth: zeek.smtp.transaction_depth
+ x_originating_ip: zeek.smtp.x_originating_ip
+ #user_agent: zeek.smtp.user_agent
+ # SMTP_Links
+ #cs-host: url.domain # smtp_links not in Elastic Beats at all
+ #c-uri: url.original # smtp_links not in Elastic Beats at all
+ # SNMP
+ #duration: zeek.snmp.duration
+ community: zeek.snmp.community
+ display_string: zeek.snmp.display_string
+ get_bulk_requests: zeek.snmp.get.bulk_requests
+ #get_responses: # this is in Elastic Beats, but not an actual zeek field for snmp
+ get_requests: zeek.snmp.get.requests
+ set_requests: zeek.snmp.set.requests
+ up_since: zeek.snmp.up_since
+ #version: zeek.snmp.version
+ # Socks
+ #password: zeek.socks.password
+ bound_host: zeek.socks.bound_host
+ bound_name: zeek.socks.bound_name
+ bound_p: zeek.socks.bound.port
+ request_host: zeek.socks.request_host
+ request_name: zeek.socks.request.host
+ request_p: zeek.socks.request.port
+ status: zeek.socks.status
+ #version: zeek.socks.version
+ # Software
+ ##host: host.ip # software not in Elastic Beats at all
+ #host_p: software.host_port # software not in Elastic Beats at all
+ #version.major: software.version.major # software not in Elastic Beats at all
+ #version.minor: software.version.minor # software not in Elastic Beats at all
+ #version.minor2: software.version.minor2 # software not in Elastic Beats at all
+ #version.minor3: software.version.minor3 # software not in Elastic Beats at all
+ ##name: software.name # software not in Elastic Beats at all
+ #unparsed_version: software.unparsed_version # software not in Elastic Beats at all
+ #software_type: software.software_type # software not in Elastic Beats at all
+ ##url: url.original # software not in Elastic Beats at all
+ # SSH
+ auth_attempts: zeek.ssh.auth.attempts
+ auth_success: zeek.ssh.auth.success
+ cipher_alg: zeek.ssh.algorithm.cipher
+ #client: zeek.ssh.client
+ compression_alg: zeek.ssh.algorithm.compression
+ cshka: zeek.ssh.cshka
+ direction: zeek.ssh.direction
+ hassh: zeek.ssh.hassh
+ hasshAlgorithms: zeek.ssh.hasshAlgorithms
+ hasshServer: zeek.ssh.hasshServer
+ hasshServerAlgorithms: zeek.ssh.hasshServerAlgorithms
+ hasshVersion: zeek.ssh.hasshVersion
+ host_key: zeek.ssh.host_key
+ host_key_alg: zeek.ssh.algorithm.host_key
+ kex_alg: zeek.ssh.algorithm.key_exchange
+ mac_alg: zeek.ssh.algorithm.mac
+ server: zeek.ssh.server
+ #version: zeek.ssh.version
+ # SSL / TLS
+ #cert_chain # Does not exist in ssl log but Elastic Beats has it
+ #cipher: tls.cipher # Not implemented in Elastic Beats
+ #cipher: zeek.ssl.cipher
+ #client_issuer: tls.client.issuer # Not implemented in Elastic Beats
+ client_issuer: zeek.ssl.client_issuer
+ #client_subject: tls.client.subject # Not implemented in Elastic Beats
+ client_subject: zeek.ssl.client_subject
+ #curve: tls.curve # Not implemented in Elastic Beats
+ curve: zeek.ssl.curve
+ #established: tls.established # Not implemented in Elastic Beats
+ established: zeek.ssl.established
+ #issuer: tls.server.issuer # Not implemented in Elastic Beats
+ issuer: zeek.ssl.issuer
+ #ja3: tls.client.ja3 # Not implemented in Elastic Beats
+ ja3: zeek.ssl.ja3
+ #ja3s: tls.client.ja3s # Not implemented in Elastic Beats
+ ja3s: zeek.ssl.ja3s
+ last_alert: zeek.ssl.last_alert
+ #next_protocol: tls.next_protocol # Not implemented in Elastic Beats
+ next_protocol: zeek.ssl.next_protocol
+ notary: zeek.ssl.notary
+ ocsp_status: zeek.ssl.oscp_status
+ #orig_certificate_sha1: tls.client.hash.sha1 # Not implemented in Elastic Beats
+ orig_certificate_sha1: zeek.ssl.orig_certificate_sha1
+ #resp_certificate_sha1: tls.server.hash.sha1 # Not implemented in Elastic Beats
+ resp_certificate_sha1: zeek.ssl.resp_certificate_sha1
+ #resumed: tls.resumed # Not implemented in Elastic Beats
+ resumed: zeek.ssl.resumed
+ #server_name: tls.client.server_name # Not implemented in Elastic Beats
+ server_name: zeek.ssl.server.name
+ #subject: tls.server.subject # Not implemented in Elastic Beats
+ #subject: zeek.ssl.subject
+ valid_ct_logs: zeek.ssl.valid_ct_logs
+ valid_ct_operators: zeek.ssl.validct_operators
+ valid_ct_operators_list: zeek.ssl.valid_ct_operators_list
+ #validation_code # Does not exist in ssl log but Elastic Beats has it
+ validation_status: zeek.ssl.validation_status
+ #version: tls.version # Not implemented in Elastic Beats
+ #version: zeek.ssl.version
+ version_num: zeek.ssl.version_num
+ # Syslog
+ #facility: log.syslog.facility.name # Not implemented in Elastic Beats
+ facility: zeek.syslog.facility
+ #severity: log.syslog.severity.name # Not implemented in Elastic Beats
+ severity: zeek.syslog.severity
+ #message: syslog.message # Not implemented in Elastic Beats
+ message: zeek.syslog.msg # why did Elastic beats do this
+ # Traceroute
+ #proto: network.transport
+ #dst: destination.ip
+ #src: source.ip
+ # Tunnel
+ #action: zeek.tunnel.action
+ tunnel_type: zeek.tunnel.type
+ # Weird
+ #addl: zeek.weird.additional_info
+ #name: zeek.weird.name
+ notice: zeek.weird.notice
+ peer: zeek.weird.peer
+ # X509
+ basic_constraints.ca: zeek.x509.certificate.basic_constraints.certificate_authority
+ basic_constraints.path_len: zeek.x509.certificate.basic_constraints.path_length
+ certificate.cn: zeek.x509.certificate.common_name
+ certificate.curve: zeek.x509.certificate.curve
+ certificate.exponent: zeek.x509.certificate.exponent
+ certificate.issuer: zeek.x509.certificate.iss # why did Elastic beats do this
+ certificate.key_alg: zeek.x509.certificate.key.algorithm
+ certificate.key_length: zeek.x509.certificate.key.length
+ certificate.key_type: zeek.x509.certificate.key.type
+ certificate.not_valid_after: zeek.x509.certificate.valid.until
+ certificate.not_valid_before: zeek.x509.certificate.valid.from
+ certificate.serial: zeek.x509.certificate.serial
+ certificate.sig_alg: zeek.x509.certificate.signature_algorithm
+ certificate.subject: zeek.x509.certificate.sub # why did Elastic beats do this
+ certificate.version: zeek.x509.certificate.version
+ logcert: zeek.x509.logcert
+ san.dns: zeek.x509.san.dns
+ san.email: zeek.x509.san.email
+ san.ip: zeek.x509.san.ip
+ san.uri: zeek.x509.san.url
+ # Temporary one off rule name's people have written
+ agent.version: version
+ c-cookie: http.cookie_vars
+ c-ip: source.ip
+ cs-uri: url.original
+ clientip: source.ip
+ clientIP: source.io
+ dest_domain:
+ - query
+ - host
+ - server_name
+ dest_ip: destination.ip
+ dest_port: destination.port
\ No newline at end of file
diff --git a/tools/config/elk-defaultindex-filebeat.yml b/tools/config/elk-defaultindex-filebeat.yml
index 24f52574..8f23586c 100644
--- a/tools/config/elk-defaultindex-filebeat.yml
+++ b/tools/config/elk-defaultindex-filebeat.yml
@@ -1,2 +1,3 @@
+title: ELK default indices filebeat-*
defaultindex:
- filebeat-*
diff --git a/tools/config/elk-defaultindex-logstash.yml b/tools/config/elk-defaultindex-logstash.yml
index 7c826199..27d438de 100644
--- a/tools/config/elk-defaultindex-logstash.yml
+++ b/tools/config/elk-defaultindex-logstash.yml
@@ -1,2 +1,3 @@
+title: ELK default indices logstash-*
defaultindex:
- logstash-*
diff --git a/tools/config/elk-defaultindex.yml b/tools/config/elk-defaultindex.yml
index 99a94b8f..f1f20d72 100644
--- a/tools/config/elk-defaultindex.yml
+++ b/tools/config/elk-defaultindex.yml
@@ -1,3 +1,4 @@
+title: ELK default indices logstash-* and filebeat-*
defaultindex:
- logstash-*
- filebeat-*
diff --git a/tools/config/elk-linux.yml b/tools/config/elk-linux.yml
index 9b2d4808..381e5af7 100644
--- a/tools/config/elk-linux.yml
+++ b/tools/config/elk-linux.yml
@@ -1,3 +1,4 @@
+title: ELK Linux Indices and Mappings
logsources:
apache:
category: webserver
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index a408123c..0714d769 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -1,3 +1,4 @@
+title: ELK Windows Indices and Mappings
logsources:
windows:
product: windows
@@ -26,5 +27,19 @@ logsources:
product: windows
service: driver-framework
conditions:
- source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ EventLog: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ EventLog:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: logstash-*
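Review bot: The `windows-defender` logsource (`service: windefend`, channel `Microsoft-Windows-Windows Defender/Operational`) that this commit adds to tools/config/logstash-windows.yml is not added here next to `windows-ntlm` and `windows-applocker`, so rules carrying `service: windefend` would presumably fall through to the generic `windows:` entry under this config instead of being scoped to the Defender channel. The same gap is in the elk-winlogbeat-sp.yml, elk-winlogbeat.yml and logpoint-windows.yml hunks, each of which should use its own condition key (`log_name`, `event_source`) rather than `EventLog`. Whether these files are meant to stay in lockstep with logstash-windows.yml is inferred from the parallel ntlm/applocker edits, not stated in the diff.
```yaml
# … unchanged: windows-ntlm and windows-applocker entries …
  windows-defender:
    product: windows
    service: windefend
    conditions:
      EventLog: 'Microsoft-Windows-Windows Defender/Operational'
```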
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index f1abce0a..078f6802 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -1,8 +1,8 @@
+title: ELK Ingested with Winlogbeat
logsources:
windows:
product: windows
index:
-
windows-application:
product: windows
service: application
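Review bot: Removing the bare `-` item leaves `index:` with no value at all, which a YAML loader reads as null rather than an empty list, so the config now relies on the loader normalising null where the old value was a one-element list containing null. Unless that normalisation is known to exist, `index: []` (or dropping the key entirely) states the intent explicitly and also avoids the yamllint empty-values warning. How sigmac treats a null index is not visible in this hunk.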
@@ -27,7 +27,21 @@ logsources:
product: windows
service: driver-framework
conditions:
- source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ log_name: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ log_name:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex:
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 20bf500f..9c77653f 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -1,3 +1,4 @@
+title: ELK Ingested with Winlogbeat
logsources:
windows:
product: windows
@@ -26,7 +27,21 @@ logsources:
product: windows
service: driver-framework
conditions:
- source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ log_name: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ log_name:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/filebeat-defaultindex.yml b/tools/config/filebeat-defaultindex.yml
index 16e1ff0e..940e34f9 100644
--- a/tools/config/filebeat-defaultindex.yml
+++ b/tools/config/filebeat-defaultindex.yml
@@ -3,9 +3,11 @@ order: 20
backends:
- es-qs
- es-dsl
+ - es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
+ - ee-outliers
defaultindex:
- filebeat-*
diff --git a/tools/config/filebeat-zeek-ecs.yml b/tools/config/filebeat-zeek-ecs.yml
deleted file mode 100644
index 9000db4f..00000000
--- a/tools/config/filebeat-zeek-ecs.yml
+++ /dev/null
@@ -1,468 +0,0 @@
-title: Zeek field mappings for default collection of JSON logs with no parsing/normalization done and sending into logstash-*index
-order: 20
-backends:
- - es-qs
- - es-dsl
- - elasticsearch-rule
- - kibana
- - xpack-watcher
- - elastalert
- - elastalert-dsl
-logsources:
- zeek:
- product: zeek
- index: 'logstash*'
- zeek-category-accounting:
- category: accounting
- rewrite:
- product: zeek
- service: syslog
- zeek-category-firewall:
- category: firewall
- conditions:
- '@stream': conn
- zeek-category-dns:
- category: dns
- conditions:
- '@stream': dns
- zeek-category-proxy:
- category: proxy
- rewrite:
- product: zeek
- service: http
- zeek-category-webserver:
- category: webserver
- conditions:
- '@stream': http
- rewrite:
- product: zeek
- service: http
- zeek-conn:
- product: zeek
- service: conn
- conditions:
- '@stream': conn
- zeek-conn_long:
- product: zeek
- service: conn_long
- conditions:
- '@stream': conn_long
- zeek-dce_rpc:
- product: zeek
- service: dce_rpc
- conditions:
- '@stream': dce_rpc
- zeek-dns:
- product: zeek
- service: dns
- conditions:
- '@stream': dns
- zeek-dnp3:
- product: zeek
- service: dnp3
- conditions:
- '@stream': dnp3
- zeek-dpd:
- product: zeek
- service: dpd
- conditions:
- '@stream': dpd
- zeek-files:
- product: zeek
- service: files
- conditions:
- '@stream': files
- zeek-ftp:
- product: zeek
- service: ftp
- conditions:
- '@stream': ftp
- zeek-gquic:
- product: zeek
- service: gquic
- conditions:
- '@stream': gquic
- zeek-http:
- product: zeek
- service: http
- conditions:
- '@stream': http
- zeek-http2:
- product: zeek
- service: http2
- conditions:
- '@stream': http2
- zeek-intel:
- product: zeek
- service: intel
- conditions:
- '@stream': intel
- zeek-irc:
- product: zeek
- service: irc
- conditions:
- '@stream': irc
- zeek-kerberos:
- product: zeek
- service: kerberos
- conditions:
- '@stream': kerberos
- zeek-known_certs:
- product: zeek
- service: known_certs
- conditions:
- '@stream': known_certs
- zeek-known_hosts:
- product: zeek
- service: known_hosts
- conditions:
- '@stream': known_hosts
- zeek-known_modbus:
- product: zeek
- service: known_modbus
- conditions:
- '@stream': known_modbus
- zeek-known_services:
- product: zeek
- service: known_services
- conditions:
- '@stream': known_services
- zeek-modbus:
- product: zeek
- service: modbus
- conditions:
- '@stream': modbus
- zeek-modbus_register_change:
- product: zeek
- service: modbus_register_change
- conditions:
- '@stream': modbus_register_change
- zeek-mqtt_connect:
- product: zeek
- service: mqtt_connect
- conditions:
- '@stream': mqtt_connect
- zeek-mqtt_publish:
- product: zeek
- service: mqtt_publish
- conditions:
- '@stream': mqtt_publish
- zeek-mqtt_subscribe:
- product: zeek
- service: mqtt_subscribe
- conditions:
- '@stream': mqtt_subscribe
- zeek-mysql:
- product: zeek
- service: mysql
- conditions:
- '@stream': mysql
- zeek-notice:
- product: zeek
- service: notice
- conditions:
- '@stream': notice
- zeek-ntlm:
- product: zeek
- service: ntlm
- conditions:
- '@stream': ntlm
- zeek-ntp:
- product: zeek
- service: ntp
- conditions:
- '@stream': ntp
- zeek-ocsp:
- product: zeek
- service: ntp
- conditions:
- '@stream': ocsp
- zeek-pe:
- product: zeek
- service: pe
- conditions:
- '@stream': pe
- zeek-pop3:
- product: zeek
- service: pop3
- conditions:
- '@stream': pop3
- zeek-radius:
- product: zeek
- service: radius
- conditions:
- '@stream': radius
- zeek-rdp:
- product: zeek
- service: rdp
- conditions:
- '@stream': rdp
- zeek-rfb:
- product: zeek
- service: rfb
- conditions:
- '@stream': rfb
- zeek-sip:
- product: zeek
- service: sip
- conditions:
- '@stream': sip
- zeek-smb_files:
- product: zeek
- service: smb_files
- conditions:
- '@stream': smb_files
- zeek-smb_mapping:
- product: zeek
- service: smb_mapping
- conditions:
- '@stream': smb_mapping
- zeek-smtp:
- product: zeek
- service: smtp
- conditions:
- '@stream': smtp
- zeek-smtp_links:
- product: zeek
- service: smtp_links
- conditions:
- '@stream': smtp_links
- zeek-snmp:
- product: zeek
- service: snmp
- conditions:
- '@stream': snmp
- zeek-socks:
- product: zeek
- service: socks
- conditions:
- '@stream': socks
- zeek-software:
- product: zeek
- service: software
- conditions:
- '@stream': software
- zeek-ssh:
- product: zeek
- service: ssh
- conditions:
- '@stream': ssh
- zeek-ssl:
- product: zeek
- service: ssl
- conditions:
- '@stream': ssl
- zeek-tls: # In case people call it TLS even though orig log is called ssl
- product: zeek
- service: tls
- conditions:
- '@stream': ssl
- zeek-syslog:
- product: zeek
- service: syslog
- conditions:
- '@stream': syslog
- zeek-tunnel:
- product: zeek
- service: tunnel
- conditions:
- '@stream': tunnel
- zeek-traceroute:
- product: zeek
- service: traceroute
- conditions:
- '@stream': traceroute
- zeek-weird:
- product: zeek
- service: weird
- conditions:
- '@stream': weird
- zeek-x509:
- product: zeek
- service: x509
- conditions:
- '@stream': x509
- zeek-ip_search:
- product: zeek
- service: network
- conditions:
- '@stream':
- - conn
- - conn_long
- - dce_rpc
- - dhcp
- - dnp3
- - dns
- - ftp
- - gquic
- - http
- - irc
- - kerberos
- - modbus
- - mqtt_connect
- - mqtt_publish
- - mqtt_subscribe
- - mysql
- - ntlm
- - ntp
- - radius
- - rfb
- - sip
- - smb_files
- - smb_mapping
- - smtp
- - smtp_links
- - snmp
- - socks
- - ssh
- - tls #SSL
- - tunnel
- - weird
-defaultindex: 'logstash-*'
-fieldmappings:
- # All Logs Applied Mapping & Taxonomy
- dst_ip: id.resp_h
- dst_port: id.resp_p
- network_protocol: proto
- src_ip: id.orig_h
- src_port: id.orig_p
- # DNS matching Taxonomy & DNS Category
- answer: answers
- #question_length: # Does not exist in open source version
- record_type: qtype_name
- #parent_domain: # Does not exist in open source version
- # HTTP matching Taxonomy & Web/Proxy Category
- cs-bytes: request_body_len
- cs-cookie: cookie
- r-dns: host
- sc-bytes: response_body_len
- sc-status: status_code
- c-uri: uri
- c-uri-extension: uri
- c-uri-query: uri
- c-uri-stem: uri
- c-useragent: user_agent
- cs-host: host
- cs-method: method
- cs-referrer: referrer
- cs-version: version
- # Temporary one off rule name fields
- agent.version: version
- c-cookie: cookie
- c-ip: id.orig_h
- cs-uri: uri
- clientip: id.orig_h
- clientIP: id.orig_h
- dest_domain:
- - query
- - host
- - server_name
- dest_ip: id.resp_h
- dest_port: id.resp_p
- #TODO:WhatShouldThisBe?==dest:
- #TODO:WhatShouldThisBe?==destination:
- #TODO:WhatShouldThisBe?==Destination:
- destination.hostname:
- - query
- - host
- - server_name
- DestinationAddress:
- DestinationHostname:
- - host
- - query
- - server_name
- DestinationIp: id.resp_h
- DestinationIP: id.resp_h
- DestinationPort: id.resp_p
- dst-ip: id.resp_h
- dstip: id.resp_h
- dstport: id.resp_p
- Host:
- - host
- - query
- - server_name
- HostVersion: http.version
- http_host:
- - host
- - query
- - server_name
- http_uri: uri
- http_url: uri
- http_user_agent: user_agent
- http.request.url-query-params: uri
- HttpMethod: method
- in_url: uri
- # parent_domain: # Not in open source zeek
- post_url_parameter: uri
- Request Url: uri
- request_url: uri
- request_URL: uri
- RequestUrl: uri
- #response: status_code
- resource.url: uri
- resource.URL: uri
- sc_status: status_code
- sender_domain:
- - query
- - server_name
- service.response_code: status_code
- source: id.orig_h
- SourceAddr: id.orig_h
- SourceAddress: id.orig_h
- SourceIP: id.orig_h
- SourceIp: id.orig_h
- SourceNetworkAddress: id.orig_h
- SourcePort: id.orig_p
- srcip: id.orig_h
- Status: status_code
- status: status_code
- url: uri
- URL: uri
- url_query: uri
- url.query: uri
- uri_path: uri
- user_agent: user_agent
- user_agent.name: user_agent
- user-agent: user_agent
- User-Agent: user_agent
- useragent: user_agent
- UserAgent: user_agent
- User Agent: user_agent
- web_dest:
- - host
- - query
- - server_name
- web.dest:
- - host
- - query
- - server_name
- Web.dest:
- - host
- - query
- - server_name
- web.host:
- - host
- - query
- - server_name
- Web.host:
- - host
- - query
- - server_name
- web_method: method
- Web_method: method
- web.method: method
- Web.method: method
- web_src: id.orig_h
- web_status: status_code
- Web_status: status_code
- web.status: status_code
- Web.status: status_code
- web_uri: uri
- web_url: uri
- # Most are in ECS, but for things not using Elastic - these need renamed
- destination.ip: id.resp_h
- destination.port: id.resp_p
- http.request.body.content: post_body
- #source.domain:
- source.ip: id.orig_h
- source.port: id.orig_p
\ No newline at end of file
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index 63097f0d..2d650f70 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -1,4 +1,4 @@
-title: Conversion of generic rules into Sysmon
+title: Conversion of Generic Rules into Sysmon Specific Rules
order: 10
logsources:
process_creation:
@@ -9,3 +9,71 @@ logsources:
rewrite:
product: windows
service: sysmon
+ network_connection:
+ category: network_connection
+ product: windows
+ conditions:
+ EventID: 3
+ rewrite:
+ product: windows
+ service: sysmon
+ dns_query:
+ category: dns_query
+ product: windows
+ conditions:
+ EventID: 22
+ rewrite:
+ product: windows
+ service: sysmon
+ registry_event:
+ category: registry_event
+ product: windows
+ conditions:
+ EventID:
+ - 12
+ - 13
+ - 14
+ rewrite:
+ product: windows
+ service: sysmon
+ file_creation:
+ category: file_event
+ product: windows
+ conditions:
+ EventID: 11
+ rewrite:
+ product: windows
+ service: sysmon
+ process_access:
+ category: process_access
+ product: windows
+ conditions:
+ EventID: 10
+ rewrite:
+ product: windows
+ service: sysmon
+ image_loaded:
+ category: image_load
+ product: windows
+ conditions:
+ EventID: 7
+ rewrite:
+ product: windows
+ service: sysmon
+ driver_loaded:
+ category: driver_load
+ product: windows
+ conditions:
+ EventID: 6
+ rewrite:
+ product: windows
+ service: sysmon
+ process_terminated:
+ category: process_termination
+ product: windows
+ conditions:
+ EventID: 5
+ rewrite:
+ product: windows
+ service: sysmon
+
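Review bot: The `file_creation` key is the only new logsource whose name does not match its `category` value (`file_event`); the other additions pair `image_loaded`/`image_load`, `driver_loaded`/`driver_load`, `process_terminated`/`process_termination`, and the key appears to be only a label, so renaming it to `file_event:` keeps the file greppable by the category name rules actually use. The hunk also appends a trailing blank `+` line at end of file, which the helk.yml hunk in this same commit is tidying in the opposite direction — drop it. Sysmon only emits EventID 22 (DNS query) from version 10 onward, so a one-line comment on the `dns_query:` entry such as `# EventID 22 requires Sysmon >= 10` would save operators on older agents from an empty-result surprise.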
diff --git a/tools/config/helk.yml b/tools/config/helk.yml
index c0a65036..7042b25f 100644
--- a/tools/config/helk.yml
+++ b/tools/config/helk.yml
@@ -3,6 +3,7 @@ order: 20
backends:
- es-qs
- es-dsl
+ - es-rule
- kibana
- xpack-watcher
- elastalert
@@ -173,4 +174,4 @@ fieldmappings:
Version:
EventID=4: sysmon_version
Workstation: src_host_name
- WorkstationName: src_host_name
\ No newline at end of file
+ WorkstationName: src_host_name
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index ad7b425f..1dfb74aa 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -22,12 +22,26 @@ logsources:
product: windows
service: driver-framework
conditions:
- source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
- source: 'Microsoft-Windows-DHCP-Server/Operational'
+ event_source: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ event_source: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ event_source:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
fieldmappings:
EventID: event_id
diff --git a/tools/config/logstash-defaultindex.yml b/tools/config/logstash-defaultindex.yml
index 49613971..eb566f04 100644
--- a/tools/config/logstash-defaultindex.yml
+++ b/tools/config/logstash-defaultindex.yml
@@ -3,9 +3,11 @@ order: 20
backends:
- es-qs
- es-dsl
+ - es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
+ - ee-outliers
defaultindex:
- logstash-*
diff --git a/tools/config/logstash-linux.yml b/tools/config/logstash-linux.yml
index 9eace7fe..e15e2050 100644
--- a/tools/config/logstash-linux.yml
+++ b/tools/config/logstash-linux.yml
@@ -3,10 +3,12 @@ order: 20
backends:
- es-qs
- es-dsl
+ - es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
+ - ee-outliers
logsources:
apache:
category: webserver
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index ed94fc3d..d21a846b 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -3,10 +3,12 @@ order: 20
backends:
- es-qs
- es-dsl
+ - es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
+ - ee-outliers
logsources:
windows:
product: windows
@@ -41,4 +43,23 @@ logsources:
service: dhcp
conditions:
Channel: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ Channel: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ Channel: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ Channel:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: logstash-*
diff --git a/tools/config/logstash-zeek-default-json.yml b/tools/config/logstash-zeek-default-json.yml
index df219c60..6915fe14 100644
--- a/tools/config/logstash-zeek-default-json.yml
+++ b/tools/config/logstash-zeek-default-json.yml
@@ -470,4 +470,4 @@ fieldmappings:
http.request.body.content: post_body
#source.domain:
source.ip: id.orig_h
- source.port: id.orig_p
\ No newline at end of file
+ source.port: id.orig_p
diff --git a/tools/config/mitre/tactics.json b/tools/config/mitre/tactics.json
index e5549d8f..9e90fabe 100644
--- a/tools/config/mitre/tactics.json
+++ b/tools/config/mitre/tactics.json
@@ -1,202 +1,207 @@
[
- {
- "external_id": "TA0040",
- "url": "https://attack.mitre.org/tactics/TA0040",
- "tactic": "Impact"
- },
- {
- "external_id": "TA0009",
- "url": "https://attack.mitre.org/tactics/TA0009",
- "tactic": "Collection"
- },
- {
- "external_id": "TA0011",
- "url": "https://attack.mitre.org/tactics/TA0011",
- "tactic": "Command and Control"
- },
- {
- "external_id": "TA0006",
- "url": "https://attack.mitre.org/tactics/TA0006",
- "tactic": "Credential Access"
- },
- {
- "external_id": "TA0007",
- "url": "https://attack.mitre.org/tactics/TA0007",
- "tactic": "Discovery"
- },
- {
- "external_id": "TA0005",
- "url": "https://attack.mitre.org/tactics/TA0005",
- "tactic": "Defense Evasion"
- },
- {
- "external_id": "TA0010",
- "url": "https://attack.mitre.org/tactics/TA0010",
- "tactic": "Exfiltration"
- },
- {
- "external_id": "TA0002",
- "url": "https://attack.mitre.org/tactics/TA0002",
- "tactic": "Execution"
- },
- {
- "external_id": "TA0008",
- "url": "https://attack.mitre.org/tactics/TA0008",
- "tactic": "Lateral Movement"
- },
- {
- "external_id": "TA0003",
- "url": "https://attack.mitre.org/tactics/TA0003",
- "tactic": "Persistence"
- },
- {
- "external_id": "TA0004",
- "url": "https://attack.mitre.org/tactics/TA0004",
- "tactic": "Privilege Escalation"
- },
- {
- "external_id": "TA0001",
- "url": "https://attack.mitre.org/tactics/TA0001",
- "tactic": "Initial Access"
- },
- {
- "external_id": "TA0020",
- "url": "https://attack.mitre.org/tactics/TA0020",
- "tactic": "Organizational Weakness Identification"
- },
- {
- "external_id": "TA0012",
- "url": "https://attack.mitre.org/tactics/TA0012",
- "tactic": "Priority Definition Planning"
- },
- {
- "external_id": "TA0025",
- "url": "https://attack.mitre.org/tactics/TA0025",
- "tactic": "Test Capabilities"
- },
- {
- "external_id": "TA0017",
- "url": "https://attack.mitre.org/tactics/TA0017",
- "tactic": "Organizational Information Gathering"
- },
- {
- "external_id": "TA0013",
- "url": "https://attack.mitre.org/tactics/TA0013",
- "tactic": "Priority Definition Direction"
- },
- {
- "external_id": "TA0018",
- "url": "https://attack.mitre.org/tactics/TA0018",
- "tactic": "Technical Weakness Identification"
- },
- {
- "external_id": "TA0022",
- "url": "https://attack.mitre.org/tactics/TA0022",
- "tactic": "Establish & Maintain Infrastructure"
- },
- {
- "external_id": "TA0023",
- "url": "https://attack.mitre.org/tactics/TA0023",
- "tactic": "Persona Development"
- },
- {
- "external_id": "TA0015",
- "url": "https://attack.mitre.org/tactics/TA0015",
- "tactic": "Technical Information Gathering"
- },
- {
- "external_id": "TA0021",
- "url": "https://attack.mitre.org/tactics/TA0021",
- "tactic": "Adversary OPSEC"
- },
- {
- "external_id": "TA0016",
- "url": "https://attack.mitre.org/tactics/TA0016",
- "tactic": "People Information Gathering"
- },
- {
- "external_id": "TA0026",
- "url": "https://attack.mitre.org/tactics/TA0026",
- "tactic": "Stage Capabilities"
- },
- {
- "external_id": "TA0024",
- "url": "https://attack.mitre.org/tactics/TA0024",
- "tactic": "Build Capabilities"
- },
- {
- "external_id": "TA0019",
- "url": "https://attack.mitre.org/tactics/TA0019",
- "tactic": "People Weakness Identification"
- },
- {
- "external_id": "TA0014",
- "url": "https://attack.mitre.org/tactics/TA0014",
- "tactic": "Target Selection"
- },
- {
- "external_id": "TA0035",
- "url": "https://attack.mitre.org/tactics/TA0035",
- "tactic": "Collection"
- },
- {
- "external_id": "TA0036",
- "url": "https://attack.mitre.org/tactics/TA0036",
- "tactic": "Exfiltration"
- },
- {
- "external_id": "TA0028",
- "url": "https://attack.mitre.org/tactics/TA0028",
- "tactic": "Persistence"
- },
- {
- "external_id": "TA0032",
- "url": "https://attack.mitre.org/tactics/TA0032",
- "tactic": "Discovery"
- },
- {
- "external_id": "TA0038",
- "url": "https://attack.mitre.org/tactics/TA0038",
- "tactic": "Network Effects"
- },
- {
- "external_id": "TA0030",
- "url": "https://attack.mitre.org/tactics/TA0030",
- "tactic": "Defense Evasion"
- },
- {
- "external_id": "TA0033",
- "url": "https://attack.mitre.org/tactics/TA0033",
- "tactic": "Lateral Movement"
- },
- {
- "external_id": "TA0031",
- "url": "https://attack.mitre.org/tactics/TA0031",
- "tactic": "Credential Access"
- },
- {
- "external_id": "TA0027",
- "url": "https://attack.mitre.org/tactics/TA0027",
- "tactic": "Initial Access"
- },
- {
- "external_id": "TA0039",
- "url": "https://attack.mitre.org/tactics/TA0039",
- "tactic": "Remote Service Effects"
- },
- {
- "external_id": "TA0037",
- "url": "https://attack.mitre.org/tactics/TA0037",
- "tactic": "Command and Control"
- },
- {
- "external_id": "TA0034",
- "url": "https://attack.mitre.org/tactics/TA0034",
- "tactic": "Impact"
- },
- {
- "external_id": "TA0029",
- "url": "https://attack.mitre.org/tactics/TA0029",
- "tactic": "Privilege Escalation"
- }
+ {
+ "external_id": "TA0001",
+ "url": "https://attack.mitre.org/tactics/TA0001",
+ "tactic": "Initial Access"
+ },
+ {
+ "external_id": "TA0002",
+ "url": "https://attack.mitre.org/tactics/TA0002",
+ "tactic": "Execution"
+ },
+ {
+ "external_id": "TA0003",
+ "url": "https://attack.mitre.org/tactics/TA0003",
+ "tactic": "Persistence"
+ },
+ {
+ "external_id": "TA0004",
+ "url": "https://attack.mitre.org/tactics/TA0004",
+ "tactic": "Privilege Escalation"
+ },
+ {
+ "external_id": "TA0005",
+ "url": "https://attack.mitre.org/tactics/TA0005",
+ "tactic": "Defense Evasion"
+ },
+ {
+ "external_id": "TA0006",
+ "url": "https://attack.mitre.org/tactics/TA0006",
+ "tactic": "Credential Access"
+ },
+ {
+ "external_id": "TA0007",
+ "url": "https://attack.mitre.org/tactics/TA0007",
+ "tactic": "Discovery"
+ },
+ {
+ "external_id": "TA0008",
+ "url": "https://attack.mitre.org/tactics/TA0008",
+ "tactic": "Lateral Movement"
+ },
+ {
+ "external_id": "TA0009",
+ "url": "https://attack.mitre.org/tactics/TA0009",
+ "tactic": "Collection"
+ },
+ {
+ "external_id": "TA0010",
+ "url": "https://attack.mitre.org/tactics/TA0010",
+ "tactic": "Exfiltration"
+ },
+ {
+ "external_id": "TA0011",
+ "url": "https://attack.mitre.org/tactics/TA0011",
+ "tactic": "Command and Control"
+ },
+ {
+ "external_id": "TA0012",
+ "url": "https://attack.mitre.org/tactics/TA0012",
+ "tactic": "Priority Definition Planning"
+ },
+ {
+ "external_id": "TA0013",
+ "url": "https://attack.mitre.org/tactics/TA0013",
+ "tactic": "Priority Definition Direction"
+ },
+ {
+ "external_id": "TA0014",
+ "url": "https://attack.mitre.org/tactics/TA0014",
+ "tactic": "Target Selection"
+ },
+ {
+ "external_id": "TA0015",
+ "url": "https://attack.mitre.org/tactics/TA0015",
+ "tactic": "Technical Information Gathering"
+ },
+ {
+ "external_id": "TA0016",
+ "url": "https://attack.mitre.org/tactics/TA0016",
+ "tactic": "People Information Gathering"
+ },
+ {
+ "external_id": "TA0017",
+ "url": "https://attack.mitre.org/tactics/TA0017",
+ "tactic": "Organizational Information Gathering"
+ },
+ {
+ "external_id": "TA0018",
+ "url": "https://attack.mitre.org/tactics/TA0018",
+ "tactic": "Technical Weakness Identification"
+ },
+ {
+ "external_id": "TA0019",
+ "url": "https://attack.mitre.org/tactics/TA0019",
+ "tactic": "People Weakness Identification"
+ },
+ {
+ "external_id": "TA0020",
+ "url": "https://attack.mitre.org/tactics/TA0020",
+ "tactic": "Organizational Weakness Identification"
+ },
+ {
+ "external_id": "TA0021",
+ "url": "https://attack.mitre.org/tactics/TA0021",
+ "tactic": "Adversary OPSEC"
+ },
+ {
+ "external_id": "TA0022",
+ "url": "https://attack.mitre.org/tactics/TA0022",
+ "tactic": "Establish & Maintain Infrastructure"
+ },
+ {
+ "external_id": "TA0023",
+ "url": "https://attack.mitre.org/tactics/TA0023",
+ "tactic": "Persona Development"
+ },
+ {
+ "external_id": "TA0024",
+ "url": "https://attack.mitre.org/tactics/TA0024",
+ "tactic": "Build Capabilities"
+ },
+ {
+ "external_id": "TA0025",
+ "url": "https://attack.mitre.org/tactics/TA0025",
+ "tactic": "Test Capabilities"
+ },
+ {
+ "external_id": "TA0026",
+ "url": "https://attack.mitre.org/tactics/TA0026",
+ "tactic": "Stage Capabilities"
+ },
+ {
+ "external_id": "TA0027",
+ "url": "https://attack.mitre.org/tactics/TA0027",
+ "tactic": "Initial Access"
+ },
+ {
+ "external_id": "TA0028",
+ "url": "https://attack.mitre.org/tactics/TA0028",
+ "tactic": "Persistence"
+ },
+ {
+ "external_id": "TA0029",
+ "url": "https://attack.mitre.org/tactics/TA0029",
+ "tactic": "Privilege Escalation"
+ },
+ {
+ "external_id": "TA0030",
+ "url": "https://attack.mitre.org/tactics/TA0030",
+ "tactic": "Defense Evasion"
+ },
+ {
+ "external_id": "TA0031",
+ "url": "https://attack.mitre.org/tactics/TA0031",
+ "tactic": "Credential Access"
+ },
+ {
+ "external_id": "TA0032",
+ "url": "https://attack.mitre.org/tactics/TA0032",
+ "tactic": "Discovery"
+ },
+ {
+ "external_id": "TA0033",
+ "url": "https://attack.mitre.org/tactics/TA0033",
+ "tactic": "Lateral Movement"
+ },
+ {
+ "external_id": "TA0034",
+ "url": "https://attack.mitre.org/tactics/TA0034",
+ "tactic": "Impact"
+ },
+ {
+ "external_id": "TA0035",
+ "url": "https://attack.mitre.org/tactics/TA0035",
+ "tactic": "Collection"
+ },
+ {
+ "external_id": "TA0036",
+ "url": "https://attack.mitre.org/tactics/TA0036",
+ "tactic": "Exfiltration"
+ },
+ {
+ "external_id": "TA0037",
+ "url": "https://attack.mitre.org/tactics/TA0037",
+ "tactic": "Command and Control"
+ },
+ {
+ "external_id": "TA0038",
+ "url": "https://attack.mitre.org/tactics/TA0038",
+ "tactic": "Network Effects"
+ },
+ {
+ "external_id": "TA0039",
+ "url": "https://attack.mitre.org/tactics/TA0039",
+ "tactic": "Remote Service Effects"
+ },
+ {
+ "external_id": "TA0040",
+ "url": "https://attack.mitre.org/tactics/TA0040",
+ "tactic": "Impact"
+ },
+ {
+ "external_id": "TA0041",
+ "url": "https://attack.mitre.org/tactics/TA0041",
+ "tactic": "Execution"
+ }
]
\ No newline at end of file
diff --git a/tools/config/mitre/techniques.json b/tools/config/mitre/techniques.json
index 22541bb2..811a52e0 100644
--- a/tools/config/mitre/techniques.json
+++ b/tools/config/mitre/techniques.json
@@ -1,4353 +1,4529 @@
[
- {
- "technique_id": "T1531",
- "technique": "Account Access Removal",
- "url": "https://attack.mitre.org/techniques/T1531",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1506",
- "technique": "Web Session Cookie",
- "url": "https://attack.mitre.org/techniques/T1506",
- "tactic": [
- "Defense Evasion",
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1539",
- "technique": "Steal Web Session Cookie",
- "url": "https://attack.mitre.org/techniques/T1539",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1529",
- "technique": "System Shutdown/Reboot",
- "url": "https://attack.mitre.org/techniques/T1529",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1519",
- "technique": "Emond",
- "url": "https://attack.mitre.org/techniques/T1519",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1518",
- "technique": "Software Discovery",
- "url": "https://attack.mitre.org/techniques/T1518",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1534",
- "technique": "Internal Spearphishing",
- "url": "https://attack.mitre.org/techniques/T1534",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1528",
- "technique": "Steal Application Access Token",
- "url": "https://attack.mitre.org/techniques/T1528",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1522",
- "technique": "Cloud Instance Metadata API",
- "url": "https://attack.mitre.org/techniques/T1522",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1536",
- "technique": "Revert Cloud Instance",
- "url": "https://attack.mitre.org/techniques/T1536",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1535",
- "technique": "Unused/Unsupported Cloud Regions",
- "url": "https://attack.mitre.org/techniques/T1535",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1525",
- "technique": "Implant Container Image",
- "url": "https://attack.mitre.org/techniques/T1525",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1538",
- "technique": "Cloud Service Dashboard",
- "url": "https://attack.mitre.org/techniques/T1538",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1530",
- "technique": "Data from Cloud Storage Object",
- "url": "https://attack.mitre.org/techniques/T1530",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1537",
- "technique": "Transfer Data to Cloud Account",
- "url": "https://attack.mitre.org/techniques/T1537",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1526",
- "technique": "Cloud Service Discovery",
- "url": "https://attack.mitre.org/techniques/T1526",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1527",
- "technique": "Application Access Token",
- "url": "https://attack.mitre.org/techniques/T1527",
- "tactic": [
- "Defense Evasion",
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1514",
- "technique": "Elevated Execution with Prompt",
- "url": "https://attack.mitre.org/techniques/T1514",
- "tactic": [
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1505",
- "technique": "Server Software Component",
- "url": "https://attack.mitre.org/techniques/T1505",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1503",
- "technique": "Credentials from Web Browsers",
- "url": "https://attack.mitre.org/techniques/T1503",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1504",
- "technique": "PowerShell Profile",
- "url": "https://attack.mitre.org/techniques/T1504",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1502",
- "technique": "Parent PID Spoofing",
- "url": "https://attack.mitre.org/techniques/T1502",
- "tactic": [
- "Defense Evasion",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1500",
- "technique": "Compile After Delivery",
- "url": "https://attack.mitre.org/techniques/T1500",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1501",
- "technique": "Systemd Service",
- "url": "https://attack.mitre.org/techniques/T1501",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1499",
- "technique": "Endpoint Denial of Service",
- "url": "https://attack.mitre.org/techniques/T1499",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1497",
- "technique": "Virtualization/Sandbox Evasion",
- "url": "https://attack.mitre.org/techniques/T1497",
- "tactic": [
- "Defense Evasion",
- "Discovery"
- ]
- },
- {
- "technique_id": "T1498",
- "technique": "Network Denial of Service",
- "url": "https://attack.mitre.org/techniques/T1498",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1496",
- "technique": "Resource Hijacking",
- "url": "https://attack.mitre.org/techniques/T1496",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1495",
- "technique": "Firmware Corruption",
- "url": "https://attack.mitre.org/techniques/T1495",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1494",
- "technique": "Runtime Data Manipulation",
- "url": "https://attack.mitre.org/techniques/T1494",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1493",
- "technique": "Transmitted Data Manipulation",
- "url": "https://attack.mitre.org/techniques/T1493",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1492",
- "technique": "Stored Data Manipulation",
- "url": "https://attack.mitre.org/techniques/T1492",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1491",
- "technique": "Defacement",
- "url": "https://attack.mitre.org/techniques/T1491",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1490",
- "technique": "Inhibit System Recovery",
- "url": "https://attack.mitre.org/techniques/T1490",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1489",
- "technique": "Service Stop",
- "url": "https://attack.mitre.org/techniques/T1489",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1488",
- "technique": "Disk Content Wipe",
- "url": "https://attack.mitre.org/techniques/T1488",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1487",
- "technique": "Disk Structure Wipe",
- "url": "https://attack.mitre.org/techniques/T1487",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1486",
- "technique": "Data Encrypted for Impact",
- "url": "https://attack.mitre.org/techniques/T1486",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1485",
- "technique": "Data Destruction",
- "url": "https://attack.mitre.org/techniques/T1485",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1484",
- "technique": "Group Policy Modification",
- "url": "https://attack.mitre.org/techniques/T1484",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1483",
- "technique": "Domain Generation Algorithms",
- "url": "https://attack.mitre.org/techniques/T1483",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1482",
- "technique": "Domain Trust Discovery",
- "url": "https://attack.mitre.org/techniques/T1482",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1480",
- "technique": "Execution Guardrails",
- "url": "https://attack.mitre.org/techniques/T1480",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1222",
- "technique": "File and Directory Permissions Modification",
- "url": "https://attack.mitre.org/techniques/T1222",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1223",
- "technique": "Compiled HTML File",
- "url": "https://attack.mitre.org/techniques/T1223",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1221",
- "technique": "Template Injection",
- "url": "https://attack.mitre.org/techniques/T1221",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1220",
- "technique": "XSL Script Processing",
- "url": "https://attack.mitre.org/techniques/T1220",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1217",
- "technique": "Browser Bookmark Discovery",
- "url": "https://attack.mitre.org/techniques/T1217",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1213",
- "technique": "Data from Information Repositories",
- "url": "https://attack.mitre.org/techniques/T1213",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1190",
- "technique": "Exploit Public-Facing Application",
- "url": "https://attack.mitre.org/techniques/T1190",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1210",
- "technique": "Exploitation of Remote Services",
- "url": "https://attack.mitre.org/techniques/T1210",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1200",
- "technique": "Hardware Additions",
- "url": "https://attack.mitre.org/techniques/T1200",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1202",
- "technique": "Indirect Command Execution",
- "url": "https://attack.mitre.org/techniques/T1202",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1194",
- "technique": "Spearphishing via Service",
- "url": "https://attack.mitre.org/techniques/T1194",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1209",
- "technique": "Time Providers",
- "url": "https://attack.mitre.org/techniques/T1209",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1199",
- "technique": "Trusted Relationship",
- "url": "https://attack.mitre.org/techniques/T1199",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1191",
- "technique": "CMSTP",
- "url": "https://attack.mitre.org/techniques/T1191",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1207",
- "technique": "DCShadow",
- "url": "https://attack.mitre.org/techniques/T1207",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1189",
- "technique": "Drive-by Compromise",
- "url": "https://attack.mitre.org/techniques/T1189",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1211",
- "technique": "Exploitation for Defense Evasion",
- "url": "https://attack.mitre.org/techniques/T1211",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1218",
- "technique": "Signed Binary Proxy Execution",
- "url": "https://attack.mitre.org/techniques/T1218",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1193",
- "technique": "Spearphishing Attachment",
- "url": "https://attack.mitre.org/techniques/T1193",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1195",
- "technique": "Supply Chain Compromise",
- "url": "https://attack.mitre.org/techniques/T1195",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1204",
- "technique": "User Execution",
- "url": "https://attack.mitre.org/techniques/T1204",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1196",
- "technique": "Control Panel Items",
- "url": "https://attack.mitre.org/techniques/T1196",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1212",
- "technique": "Exploitation for Credential Access",
- "url": "https://attack.mitre.org/techniques/T1212",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1215",
- "technique": "Kernel Modules and Extensions",
- "url": "https://attack.mitre.org/techniques/T1215",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1197",
- "technique": "BITS Jobs",
- "url": "https://attack.mitre.org/techniques/T1197",
- "tactic": [
- "Defense Evasion",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1214",
- "technique": "Credentials in Registry",
- "url": "https://attack.mitre.org/techniques/T1214",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1216",
- "technique": "Signed Script Proxy Execution",
- "url": "https://attack.mitre.org/techniques/T1216",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1192",
- "technique": "Spearphishing Link",
- "url": "https://attack.mitre.org/techniques/T1192",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1198",
- "technique": "SIP and Trust Provider Hijacking",
- "url": "https://attack.mitre.org/techniques/T1198",
- "tactic": [
- "Defense Evasion",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1206",
- "technique": "Sudo Caching",
- "url": "https://attack.mitre.org/techniques/T1206",
- "tactic": [
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1203",
- "technique": "Exploitation for Client Execution",
- "url": "https://attack.mitre.org/techniques/T1203",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1208",
- "technique": "Kerberoasting",
- "url": "https://attack.mitre.org/techniques/T1208",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1201",
- "technique": "Password Policy Discovery",
- "url": "https://attack.mitre.org/techniques/T1201",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1205",
- "technique": "Port Knocking",
- "url": "https://attack.mitre.org/techniques/T1205",
- "tactic": [
- "Defense Evasion",
- "Persistence",
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1219",
- "technique": "Remote Access Tools",
- "url": "https://attack.mitre.org/techniques/T1219",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1172",
- "technique": "Domain Fronting",
- "url": "https://attack.mitre.org/techniques/T1172",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1173",
- "technique": "Dynamic Data Exchange",
- "url": "https://attack.mitre.org/techniques/T1173",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1187",
- "technique": "Forced Authentication",
- "url": "https://attack.mitre.org/techniques/T1187",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1188",
- "technique": "Multi-hop Proxy",
- "url": "https://attack.mitre.org/techniques/T1188",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1174",
- "technique": "Password Filter DLL",
- "url": "https://attack.mitre.org/techniques/T1174",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1175",
- "technique": "Component Object Model and Distributed COM",
- "url": "https://attack.mitre.org/techniques/T1175",
- "tactic": [
- "Lateral Movement",
- "Execution"
- ]
- },
- {
- "technique_id": "T1170",
- "technique": "Mshta",
- "url": "https://attack.mitre.org/techniques/T1170",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1179",
- "technique": "Hooking",
- "url": "https://attack.mitre.org/techniques/T1179",
- "tactic": [
- "Persistence",
- "Privilege Escalation",
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1184",
- "technique": "SSH Hijacking",
- "url": "https://attack.mitre.org/techniques/T1184",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1181",
- "technique": "Extra Window Memory Injection",
- "url": "https://attack.mitre.org/techniques/T1181",
- "tactic": [
- "Defense Evasion",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1177",
- "technique": "LSASS Driver",
- "url": "https://attack.mitre.org/techniques/T1177",
- "tactic": [
- "Execution",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1182",
- "technique": "AppCert DLLs",
- "url": "https://attack.mitre.org/techniques/T1182",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1176",
- "technique": "Browser Extensions",
- "url": "https://attack.mitre.org/techniques/T1176",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1185",
- "technique": "Man in the Browser",
- "url": "https://attack.mitre.org/techniques/T1185",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1180",
- "technique": "Screensaver",
- "url": "https://attack.mitre.org/techniques/T1180",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1183",
- "technique": "Image File Execution Options Injection",
- "url": "https://attack.mitre.org/techniques/T1183",
- "tactic": [
- "Privilege Escalation",
- "Persistence",
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1171",
- "technique": "LLMNR/NBT-NS Poisoning and Relay",
- "url": "https://attack.mitre.org/techniques/T1171",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1186",
- "technique": "Process Doppelg\\u00e4nging",
- "url": "https://attack.mitre.org/techniques/T1186",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1178",
- "technique": "SID-History Injection",
- "url": "https://attack.mitre.org/techniques/T1178",
- "tactic": [
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1138",
- "technique": "Application Shimming",
- "url": "https://attack.mitre.org/techniques/T1138",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1140",
- "technique": "Deobfuscate/Decode Files or Information",
- "url": "https://attack.mitre.org/techniques/T1140",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1149",
- "technique": "LC_MAIN Hijacking",
- "url": "https://attack.mitre.org/techniques/T1149",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1152",
- "technique": "Launchctl",
- "url": "https://attack.mitre.org/techniques/T1152",
- "tactic": [
- "Defense Evasion",
- "Execution",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1150",
- "technique": "Plist Modification",
- "url": "https://attack.mitre.org/techniques/T1150",
- "tactic": [
- "Defense Evasion",
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1163",
- "technique": "Rc.common",
- "url": "https://attack.mitre.org/techniques/T1163",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1166",
- "technique": "Setuid and Setgid",
- "url": "https://attack.mitre.org/techniques/T1166",
- "tactic": [
- "Privilege Escalation",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1157",
- "technique": "Dylib Hijacking",
- "url": "https://attack.mitre.org/techniques/T1157",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1155",
- "technique": "AppleScript",
- "url": "https://attack.mitre.org/techniques/T1155",
- "tactic": [
- "Execution",
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1136",
- "technique": "Create Account",
- "url": "https://attack.mitre.org/techniques/T1136",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1143",
- "technique": "Hidden Window",
- "url": "https://attack.mitre.org/techniques/T1143",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1141",
- "technique": "Input Prompt",
- "url": "https://attack.mitre.org/techniques/T1141",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1142",
- "technique": "Keychain",
- "url": "https://attack.mitre.org/techniques/T1142",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1159",
- "technique": "Launch Agent",
- "url": "https://attack.mitre.org/techniques/T1159",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1135",
- "technique": "Network Share Discovery",
- "url": "https://attack.mitre.org/techniques/T1135",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1148",
- "technique": "HISTCONTROL",
- "url": "https://attack.mitre.org/techniques/T1148",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1161",
- "technique": "LC_LOAD_DYLIB Addition",
- "url": "https://attack.mitre.org/techniques/T1161",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1154",
- "technique": "Trap",
- "url": "https://attack.mitre.org/techniques/T1154",
- "tactic": [
- "Execution",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1134",
- "technique": "Access Token Manipulation",
- "url": "https://attack.mitre.org/techniques/T1134",
- "tactic": [
- "Defense Evasion",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1139",
- "technique": "Bash History",
- "url": "https://attack.mitre.org/techniques/T1139",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1147",
- "technique": "Hidden Users",
- "url": "https://attack.mitre.org/techniques/T1147",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1156",
- "technique": ".bash_profile and .bashrc",
- "url": "https://attack.mitre.org/techniques/T1156",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1146",
- "technique": "Clear Command History",
- "url": "https://attack.mitre.org/techniques/T1146",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1160",
- "technique": "Launch Daemon",
- "url": "https://attack.mitre.org/techniques/T1160",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1145",
- "technique": "Private Keys",
- "url": "https://attack.mitre.org/techniques/T1145",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1165",
- "technique": "Startup Items",
- "url": "https://attack.mitre.org/techniques/T1165",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1162",
- "technique": "Login Item",
- "url": "https://attack.mitre.org/techniques/T1162",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1137",
- "technique": "Office Application Startup",
- "url": "https://attack.mitre.org/techniques/T1137",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1151",
- "technique": "Space after Filename",
- "url": "https://attack.mitre.org/techniques/T1151",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1144",
- "technique": "Gatekeeper Bypass",
- "url": "https://attack.mitre.org/techniques/T1144",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1158",
- "technique": "Hidden Files and Directories",
- "url": "https://attack.mitre.org/techniques/T1158",
- "tactic": [
- "Defense Evasion",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1168",
- "technique": "Local Job Scheduling",
- "url": "https://attack.mitre.org/techniques/T1168",
- "tactic": [
- "Persistence",
- "Execution"
- ]
- },
- {
- "technique_id": "T1164",
- "technique": "Re-opened Applications",
- "url": "https://attack.mitre.org/techniques/T1164",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1167",
- "technique": "Securityd Memory",
- "url": "https://attack.mitre.org/techniques/T1167",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1153",
- "technique": "Source",
- "url": "https://attack.mitre.org/techniques/T1153",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1169",
- "technique": "Sudo",
- "url": "https://attack.mitre.org/techniques/T1169",
- "tactic": [
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1133",
- "technique": "External Remote Services",
- "url": "https://attack.mitre.org/techniques/T1133",
- "tactic": [
- "Persistence",
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1132",
- "technique": "Data Encoding",
- "url": "https://attack.mitre.org/techniques/T1132",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1131",
- "technique": "Authentication Package",
- "url": "https://attack.mitre.org/techniques/T1131",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1130",
- "technique": "Install Root Certificate",
- "url": "https://attack.mitre.org/techniques/T1130",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1129",
- "technique": "Execution through Module Load",
- "url": "https://attack.mitre.org/techniques/T1129",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1128",
- "technique": "Netsh Helper DLL",
- "url": "https://attack.mitre.org/techniques/T1128",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1127",
- "technique": "Trusted Developer Utilities",
- "url": "https://attack.mitre.org/techniques/T1127",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1126",
- "technique": "Network Share Connection Removal",
- "url": "https://attack.mitre.org/techniques/T1126",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1125",
- "technique": "Video Capture",
- "url": "https://attack.mitre.org/techniques/T1125",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1124",
- "technique": "System Time Discovery",
- "url": "https://attack.mitre.org/techniques/T1124",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1123",
- "technique": "Audio Capture",
- "url": "https://attack.mitre.org/techniques/T1123",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1122",
- "technique": "Component Object Model Hijacking",
- "url": "https://attack.mitre.org/techniques/T1122",
- "tactic": [
- "Defense Evasion",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1121",
- "technique": "Regsvcs/Regasm",
- "url": "https://attack.mitre.org/techniques/T1121",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1120",
- "technique": "Peripheral Device Discovery",
- "url": "https://attack.mitre.org/techniques/T1120",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1119",
- "technique": "Automated Collection",
- "url": "https://attack.mitre.org/techniques/T1119",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1118",
- "technique": "InstallUtil",
- "url": "https://attack.mitre.org/techniques/T1118",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1117",
- "technique": "Regsvr32",
- "url": "https://attack.mitre.org/techniques/T1117",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1116",
- "technique": "Code Signing",
- "url": "https://attack.mitre.org/techniques/T1116",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1115",
- "technique": "Clipboard Data",
- "url": "https://attack.mitre.org/techniques/T1115",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1114",
- "technique": "Email Collection",
- "url": "https://attack.mitre.org/techniques/T1114",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1113",
- "technique": "Screen Capture",
- "url": "https://attack.mitre.org/techniques/T1113",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1112",
- "technique": "Modify Registry",
- "url": "https://attack.mitre.org/techniques/T1112",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1111",
- "technique": "Two-Factor Authentication Interception",
- "url": "https://attack.mitre.org/techniques/T1111",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1110",
- "technique": "Brute Force",
- "url": "https://attack.mitre.org/techniques/T1110",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1109",
- "technique": "Component Firmware",
- "url": "https://attack.mitre.org/techniques/T1109",
- "tactic": [
- "Defense Evasion",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1108",
- "technique": "Redundant Access",
- "url": "https://attack.mitre.org/techniques/T1108",
- "tactic": [
- "Defense Evasion",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1107",
- "technique": "File Deletion",
- "url": "https://attack.mitre.org/techniques/T1107",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1106",
- "technique": "Execution through API",
- "url": "https://attack.mitre.org/techniques/T1106",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1105",
- "technique": "Remote File Copy",
- "url": "https://attack.mitre.org/techniques/T1105",
- "tactic": [
- "Command And Control",
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1104",
- "technique": "Multi-Stage Channels",
- "url": "https://attack.mitre.org/techniques/T1104",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1103",
- "technique": "AppInit DLLs",
- "url": "https://attack.mitre.org/techniques/T1103",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1102",
- "technique": "Web Service",
- "url": "https://attack.mitre.org/techniques/T1102",
- "tactic": [
- "Command And Control",
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1101",
- "technique": "Security Support Provider",
- "url": "https://attack.mitre.org/techniques/T1101",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1100",
- "technique": "Web Shell",
- "url": "https://attack.mitre.org/techniques/T1100",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1099",
- "technique": "Timestomp",
- "url": "https://attack.mitre.org/techniques/T1099",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1098",
- "technique": "Account Manipulation",
- "url": "https://attack.mitre.org/techniques/T1098",
- "tactic": [
- "Credential Access",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1097",
- "technique": "Pass the Ticket",
- "url": "https://attack.mitre.org/techniques/T1097",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1096",
- "technique": "NTFS File Attributes",
- "url": "https://attack.mitre.org/techniques/T1096",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1095",
- "technique": "Standard Non-Application Layer Protocol",
- "url": "https://attack.mitre.org/techniques/T1095",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1094",
- "technique": "Custom Command and Control Protocol",
- "url": "https://attack.mitre.org/techniques/T1094",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1093",
- "technique": "Process Hollowing",
- "url": "https://attack.mitre.org/techniques/T1093",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1092",
- "technique": "Communication Through Removable Media",
- "url": "https://attack.mitre.org/techniques/T1092",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1091",
- "technique": "Replication Through Removable Media",
- "url": "https://attack.mitre.org/techniques/T1091",
- "tactic": [
- "Lateral Movement",
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1090",
- "technique": "Connection Proxy",
- "url": "https://attack.mitre.org/techniques/T1090",
- "tactic": [
- "Command And Control",
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1089",
- "technique": "Disabling Security Tools",
- "url": "https://attack.mitre.org/techniques/T1089",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1088",
- "technique": "Bypass User Account Control",
- "url": "https://attack.mitre.org/techniques/T1088",
- "tactic": [
- "Defense Evasion",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1087",
- "technique": "Account Discovery",
- "url": "https://attack.mitre.org/techniques/T1087",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1086",
- "technique": "PowerShell",
- "url": "https://attack.mitre.org/techniques/T1086",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1085",
- "technique": "Rundll32",
- "url": "https://attack.mitre.org/techniques/T1085",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1084",
- "technique": "Windows Management Instrumentation Event Subscription",
- "url": "https://attack.mitre.org/techniques/T1084",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1083",
- "technique": "File and Directory Discovery",
- "url": "https://attack.mitre.org/techniques/T1083",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1082",
- "technique": "System Information Discovery",
- "url": "https://attack.mitre.org/techniques/T1082",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1081",
- "technique": "Credentials in Files",
- "url": "https://attack.mitre.org/techniques/T1081",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1080",
- "technique": "Taint Shared Content",
- "url": "https://attack.mitre.org/techniques/T1080",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1079",
- "technique": "Multilayer Encryption",
- "url": "https://attack.mitre.org/techniques/T1079",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1078",
- "technique": "Valid Accounts",
- "url": "https://attack.mitre.org/techniques/T1078",
- "tactic": [
- "Defense Evasion",
- "Persistence",
- "Privilege Escalation",
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1077",
- "technique": "Windows Admin Shares",
- "url": "https://attack.mitre.org/techniques/T1077",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1076",
- "technique": "Remote Desktop Protocol",
- "url": "https://attack.mitre.org/techniques/T1076",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1075",
- "technique": "Pass the Hash",
- "url": "https://attack.mitre.org/techniques/T1075",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1074",
- "technique": "Data Staged",
- "url": "https://attack.mitre.org/techniques/T1074",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1073",
- "technique": "DLL Side-Loading",
- "url": "https://attack.mitre.org/techniques/T1073",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1072",
- "technique": "Third-party Software",
- "url": "https://attack.mitre.org/techniques/T1072",
- "tactic": [
- "Execution",
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1071",
- "technique": "Standard Application Layer Protocol",
- "url": "https://attack.mitre.org/techniques/T1071",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1070",
- "technique": "Indicator Removal on Host",
- "url": "https://attack.mitre.org/techniques/T1070",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1069",
- "technique": "Permission Groups Discovery",
- "url": "https://attack.mitre.org/techniques/T1069",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1068",
- "technique": "Exploitation for Privilege Escalation",
- "url": "https://attack.mitre.org/techniques/T1068",
- "tactic": [
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1067",
- "technique": "Bootkit",
- "url": "https://attack.mitre.org/techniques/T1067",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1066",
- "technique": "Indicator Removal from Tools",
- "url": "https://attack.mitre.org/techniques/T1066",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1065",
- "technique": "Uncommonly Used Port",
- "url": "https://attack.mitre.org/techniques/T1065",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1064",
- "technique": "Scripting",
- "url": "https://attack.mitre.org/techniques/T1064",
- "tactic": [
- "Defense Evasion",
- "Execution"
- ]
- },
- {
- "technique_id": "T1063",
- "technique": "Security Software Discovery",
- "url": "https://attack.mitre.org/techniques/T1063",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1062",
- "technique": "Hypervisor",
- "url": "https://attack.mitre.org/techniques/T1062",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1061",
- "technique": "Graphical User Interface",
- "url": "https://attack.mitre.org/techniques/T1061",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1060",
- "technique": "Registry Run Keys / Startup Folder",
- "url": "https://attack.mitre.org/techniques/T1060",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1059",
- "technique": "Command-Line Interface",
- "url": "https://attack.mitre.org/techniques/T1059",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1058",
- "technique": "Service Registry Permissions Weakness",
- "url": "https://attack.mitre.org/techniques/T1058",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1057",
- "technique": "Process Discovery",
- "url": "https://attack.mitre.org/techniques/T1057",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1056",
- "technique": "Input Capture",
- "url": "https://attack.mitre.org/techniques/T1056",
- "tactic": [
- "Collection",
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1055",
- "technique": "Process Injection",
- "url": "https://attack.mitre.org/techniques/T1055",
- "tactic": [
- "Defense Evasion",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1054",
- "technique": "Indicator Blocking",
- "url": "https://attack.mitre.org/techniques/T1054",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1053",
- "technique": "Scheduled Task",
- "url": "https://attack.mitre.org/techniques/T1053",
- "tactic": [
- "Execution",
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1052",
- "technique": "Exfiltration Over Physical Medium",
- "url": "https://attack.mitre.org/techniques/T1052",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1051",
- "technique": "Shared Webroot",
- "url": "https://attack.mitre.org/techniques/T1051",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1050",
- "technique": "New Service",
- "url": "https://attack.mitre.org/techniques/T1050",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1049",
- "technique": "System Network Connections Discovery",
- "url": "https://attack.mitre.org/techniques/T1049",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1048",
- "technique": "Exfiltration Over Alternative Protocol",
- "url": "https://attack.mitre.org/techniques/T1048",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1047",
- "technique": "Windows Management Instrumentation",
- "url": "https://attack.mitre.org/techniques/T1047",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1046",
- "technique": "Network Service Scanning",
- "url": "https://attack.mitre.org/techniques/T1046",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1045",
- "technique": "Software Packing",
- "url": "https://attack.mitre.org/techniques/T1045",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1044",
- "technique": "File System Permissions Weakness",
- "url": "https://attack.mitre.org/techniques/T1044",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1043",
- "technique": "Commonly Used Port",
- "url": "https://attack.mitre.org/techniques/T1043",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1042",
- "technique": "Change Default File Association",
- "url": "https://attack.mitre.org/techniques/T1042",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1041",
- "technique": "Exfiltration Over Command and Control Channel",
- "url": "https://attack.mitre.org/techniques/T1041",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1040",
- "technique": "Network Sniffing",
- "url": "https://attack.mitre.org/techniques/T1040",
- "tactic": [
- "Credential Access",
- "Discovery"
- ]
- },
- {
- "technique_id": "T1039",
- "technique": "Data from Network Shared Drive",
- "url": "https://attack.mitre.org/techniques/T1039",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1038",
- "technique": "DLL Search Order Hijacking",
- "url": "https://attack.mitre.org/techniques/T1038",
- "tactic": [
- "Persistence",
- "Privilege Escalation",
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1037",
- "technique": "Logon Scripts",
- "url": "https://attack.mitre.org/techniques/T1037",
- "tactic": [
- "Lateral Movement",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1036",
- "technique": "Masquerading",
- "url": "https://attack.mitre.org/techniques/T1036",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1035",
- "technique": "Service Execution",
- "url": "https://attack.mitre.org/techniques/T1035",
- "tactic": [
- "Execution"
- ]
- },
- {
- "technique_id": "T1034",
- "technique": "Path Interception",
- "url": "https://attack.mitre.org/techniques/T1034",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1033",
- "technique": "System Owner/User Discovery",
- "url": "https://attack.mitre.org/techniques/T1033",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1032",
- "technique": "Standard Cryptographic Protocol",
- "url": "https://attack.mitre.org/techniques/T1032",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1031",
- "technique": "Modify Existing Service",
- "url": "https://attack.mitre.org/techniques/T1031",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1030",
- "technique": "Data Transfer Size Limits",
- "url": "https://attack.mitre.org/techniques/T1030",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1029",
- "technique": "Scheduled Transfer",
- "url": "https://attack.mitre.org/techniques/T1029",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1028",
- "technique": "Windows Remote Management",
- "url": "https://attack.mitre.org/techniques/T1028",
- "tactic": [
- "Execution",
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1027",
- "technique": "Obfuscated Files or Information",
- "url": "https://attack.mitre.org/techniques/T1027",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1026",
- "technique": "Multiband Communication",
- "url": "https://attack.mitre.org/techniques/T1026",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1025",
- "technique": "Data from Removable Media",
- "url": "https://attack.mitre.org/techniques/T1025",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1024",
- "technique": "Custom Cryptographic Protocol",
- "url": "https://attack.mitre.org/techniques/T1024",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1023",
- "technique": "Shortcut Modification",
- "url": "https://attack.mitre.org/techniques/T1023",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1022",
- "technique": "Data Encrypted",
- "url": "https://attack.mitre.org/techniques/T1022",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1021",
- "technique": "Remote Services",
- "url": "https://attack.mitre.org/techniques/T1021",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1020",
- "technique": "Automated Exfiltration",
- "url": "https://attack.mitre.org/techniques/T1020",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1019",
- "technique": "System Firmware",
- "url": "https://attack.mitre.org/techniques/T1019",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1018",
- "technique": "Remote System Discovery",
- "url": "https://attack.mitre.org/techniques/T1018",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1017",
- "technique": "Application Deployment Software",
- "url": "https://attack.mitre.org/techniques/T1017",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1016",
- "technique": "System Network Configuration Discovery",
- "url": "https://attack.mitre.org/techniques/T1016",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1015",
- "technique": "Accessibility Features",
- "url": "https://attack.mitre.org/techniques/T1015",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1014",
- "technique": "Rootkit",
- "url": "https://attack.mitre.org/techniques/T1014",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1013",
- "technique": "Port Monitors",
- "url": "https://attack.mitre.org/techniques/T1013",
- "tactic": [
- "Persistence",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1012",
- "technique": "Query Registry",
- "url": "https://attack.mitre.org/techniques/T1012",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1011",
- "technique": "Exfiltration Over Other Network Medium",
- "url": "https://attack.mitre.org/techniques/T1011",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1010",
- "technique": "Application Window Discovery",
- "url": "https://attack.mitre.org/techniques/T1010",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1009",
- "technique": "Binary Padding",
- "url": "https://attack.mitre.org/techniques/T1009",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1008",
- "technique": "Fallback Channels",
- "url": "https://attack.mitre.org/techniques/T1008",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1007",
- "technique": "System Service Discovery",
- "url": "https://attack.mitre.org/techniques/T1007",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1006",
- "technique": "File System Logical Offsets",
- "url": "https://attack.mitre.org/techniques/T1006",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1005",
- "technique": "Data from Local System",
- "url": "https://attack.mitre.org/techniques/T1005",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1004",
- "technique": "Winlogon Helper DLL",
- "url": "https://attack.mitre.org/techniques/T1004",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1003",
- "technique": "Credential Dumping",
- "url": "https://attack.mitre.org/techniques/T1003",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1002",
- "technique": "Data Compressed",
- "url": "https://attack.mitre.org/techniques/T1002",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1001",
- "technique": "Data Obfuscation",
- "url": "https://attack.mitre.org/techniques/T1001",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1397",
- "technique": "Spearphishing for Information",
- "url": "https://attack.mitre.org/techniques/T1397",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1307",
- "technique": "Acquire and/or use 3rd party infrastructure services",
- "url": "https://attack.mitre.org/techniques/T1307",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1275",
- "technique": "Aggregate individual's digital footprint",
- "url": "https://attack.mitre.org/techniques/T1275",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1294",
- "technique": "Analyze hardware/software security defensive capabilities",
- "url": "https://attack.mitre.org/techniques/T1294",
- "tactic": [
- "Technical Weakness Identification"
- ]
- },
- {
- "technique_id": "T1295",
- "technique": "Analyze social and business relationships, interests, and affiliations",
- "url": "https://attack.mitre.org/techniques/T1295",
- "tactic": [
- "People Weakness Identification"
- ]
- },
- {
- "technique_id": "T1299",
- "technique": "Assess opportunities created by business deals",
- "url": "https://attack.mitre.org/techniques/T1299",
- "tactic": [
- "Organizational Weakness Identification"
- ]
- },
- {
- "technique_id": "T1228",
- "technique": "Assign KITs/KIQs into categories",
- "url": "https://attack.mitre.org/techniques/T1228",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1349",
- "technique": "Build or acquire exploits",
- "url": "https://attack.mitre.org/techniques/T1349",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1343",
- "technique": "Choose pre-compromised persona and affiliated accounts",
- "url": "https://attack.mitre.org/techniques/T1343",
- "tactic": [
- "Persona Development"
- ]
- },
- {
- "technique_id": "T1388",
- "technique": "Compromise of externally facing system",
- "url": "https://attack.mitre.org/techniques/T1388",
- "tactic": [
- "Compromise"
- ]
- },
- {
- "technique_id": "T1268",
- "technique": "Conduct social engineering",
- "url": "https://attack.mitre.org/techniques/T1268",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1345",
- "technique": "Create custom payloads",
- "url": "https://attack.mitre.org/techniques/T1345",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1382",
- "technique": "DNS poisoning",
- "url": "https://attack.mitre.org/techniques/T1382",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1284",
- "technique": "Determine 3rd party infrastructure services",
- "url": "https://attack.mitre.org/techniques/T1284",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1259",
- "technique": "Determine external network trust dependencies",
- "url": "https://attack.mitre.org/techniques/T1259",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1244",
- "technique": "Determine secondary level tactical element",
- "url": "https://attack.mitre.org/techniques/T1244",
- "tactic": [
- "Target Selection"
- ]
- },
- {
- "technique_id": "T1255",
- "technique": "Discover target logon/email address format",
- "url": "https://attack.mitre.org/techniques/T1255",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1286",
- "technique": "Dumpster dive",
- "url": "https://attack.mitre.org/techniques/T1286",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1377",
- "technique": "Exploit public-facing application",
- "url": "https://attack.mitre.org/techniques/T1377",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1365",
- "technique": "Hardware or software supply chain implant",
- "url": "https://attack.mitre.org/techniques/T1365",
- "tactic": [
- "Stage Capabilities"
- ]
- },
- {
- "technique_id": "T1272",
- "technique": "Identify business relationships",
- "url": "https://attack.mitre.org/techniques/T1272",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1278",
- "technique": "Identify job postings and needs/gaps",
- "url": "https://attack.mitre.org/techniques/T1278",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1263",
- "technique": "Identify security defensive capabilities",
- "url": "https://attack.mitre.org/techniques/T1263",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1264",
- "technique": "Identify technology usage patterns",
- "url": "https://attack.mitre.org/techniques/T1264",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1252",
- "technique": "Map network topology",
- "url": "https://attack.mitre.org/techniques/T1252",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1316",
- "technique": "Non-traditional or less attributable payment options",
- "url": "https://attack.mitre.org/techniques/T1316",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1319",
- "technique": "Obfuscate or encrypt code",
- "url": "https://attack.mitre.org/techniques/T1319",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1281",
- "technique": "Obtain templates/branding materials",
- "url": "https://attack.mitre.org/techniques/T1281",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1335",
- "technique": "Procure required equipment and software",
- "url": "https://attack.mitre.org/techniques/T1335",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1351",
- "technique": "Remote access tool development",
- "url": "https://attack.mitre.org/techniques/T1351",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1395",
- "technique": "Runtime code download and execution",
- "url": "https://attack.mitre.org/techniques/T1395",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1367",
- "technique": "Spear phishing messages with malicious attachments",
- "url": "https://attack.mitre.org/techniques/T1367",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1371",
- "technique": "Targeted client-side exploitation",
- "url": "https://attack.mitre.org/techniques/T1371",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1357",
- "technique": "Test malware in various execution environments",
- "url": "https://attack.mitre.org/techniques/T1357",
- "tactic": [
- "Test Capabilities"
- ]
- },
- {
- "technique_id": "T1387",
- "technique": "Unauthorized user introduces compromise delivery mechanism",
- "url": "https://attack.mitre.org/techniques/T1387",
- "tactic": [
- "Compromise"
- ]
- },
- {
- "technique_id": "T1329",
- "technique": "Acquire and/or use 3rd party infrastructure services",
- "url": "https://attack.mitre.org/techniques/T1329",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1332",
- "technique": "Acquire or compromise 3rd party signing certificates",
- "url": "https://attack.mitre.org/techniques/T1332",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1287",
- "technique": "Analyze data collected",
- "url": "https://attack.mitre.org/techniques/T1287",
- "tactic": [
- "Technical Weakness Identification"
- ]
- },
- {
- "technique_id": "T1303",
- "technique": "Analyze presence of outsourced capabilities",
- "url": "https://attack.mitre.org/techniques/T1303",
- "tactic": [
- "Organizational Weakness Identification"
- ]
- },
- {
- "technique_id": "T1224",
- "technique": "Assess leadership areas of interest",
- "url": "https://attack.mitre.org/techniques/T1224",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1238",
- "technique": "Assign KITs, KIQs, and/or intelligence requirements",
- "url": "https://attack.mitre.org/techniques/T1238",
- "tactic": [
- "Priority Definition Direction"
- ]
- },
- {
- "technique_id": "T1347",
- "technique": "Build and configure delivery systems",
- "url": "https://attack.mitre.org/techniques/T1347",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1391",
- "technique": "Choose pre-compromised mobile app developer account credentials or signing keys",
- "url": "https://attack.mitre.org/techniques/T1391",
- "tactic": [
- "Persona Development"
- ]
- },
- {
- "technique_id": "T1354",
- "technique": "Compromise 3rd party or closed-source vulnerability/exploit information",
- "url": "https://attack.mitre.org/techniques/T1354",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1279",
- "technique": "Conduct social engineering",
- "url": "https://attack.mitre.org/techniques/T1279",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1339",
- "technique": "Create backup infrastructure",
- "url": "https://attack.mitre.org/techniques/T1339",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1374",
- "technique": "Credential pharming",
- "url": "https://attack.mitre.org/techniques/T1374",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1230",
- "technique": "Derive intelligence requirements",
- "url": "https://attack.mitre.org/techniques/T1230",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1250",
- "technique": "Determine domain and IP address space",
- "url": "https://attack.mitre.org/techniques/T1250",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1282",
- "technique": "Determine physical locations",
- "url": "https://attack.mitre.org/techniques/T1282",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1350",
- "technique": "Discover new exploits and monitor exploit-provider forums",
- "url": "https://attack.mitre.org/techniques/T1350",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1326",
- "technique": "Domain registration hijacking",
- "url": "https://attack.mitre.org/techniques/T1326",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1261",
- "technique": "Enumerate externally facing software applications technologies, languages, and dependencies",
- "url": "https://attack.mitre.org/techniques/T1261",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1234",
- "technique": "Generate analyst intelligence requirements",
- "url": "https://attack.mitre.org/techniques/T1234",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1280",
- "technique": "Identify business processes/tempo",
- "url": "https://attack.mitre.org/techniques/T1280",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1248",
- "technique": "Identify job postings and needs/gaps",
- "url": "https://attack.mitre.org/techniques/T1248",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1348",
- "technique": "Identify resources required to build capabilities",
- "url": "https://attack.mitre.org/techniques/T1348",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1265",
- "technique": "Identify supply chains",
- "url": "https://attack.mitre.org/techniques/T1265",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1375",
- "technique": "Leverage compromised 3rd party resources",
- "url": "https://attack.mitre.org/techniques/T1375",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1315",
- "technique": "Network-based hiding techniques",
- "url": "https://attack.mitre.org/techniques/T1315",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1318",
- "technique": "Obfuscate operational infrastructure",
- "url": "https://attack.mitre.org/techniques/T1318",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1251",
- "technique": "Obtain domain/IP registration information",
- "url": "https://attack.mitre.org/techniques/T1251",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1305",
- "technique": "Private whois services",
- "url": "https://attack.mitre.org/techniques/T1305",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1235",
- "technique": "Receive operator KITs/KIQs tasking",
- "url": "https://attack.mitre.org/techniques/T1235",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1358",
- "technique": "Review logs and residual traces",
- "url": "https://attack.mitre.org/techniques/T1358",
- "tactic": [
- "Test Capabilities"
- ]
- },
- {
- "technique_id": "T1340",
- "technique": "Shadow DNS",
- "url": "https://attack.mitre.org/techniques/T1340",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1237",
- "technique": "Submit KITs, KIQs, and intelligence requirements",
- "url": "https://attack.mitre.org/techniques/T1237",
- "tactic": [
- "Priority Definition Direction"
- ]
- },
- {
- "technique_id": "T1356",
- "technique": "Test callback functionality",
- "url": "https://attack.mitre.org/techniques/T1356",
- "tactic": [
- "Test Capabilities"
- ]
- },
- {
- "technique_id": "T1361",
- "technique": "Test signature detection for file upload/email filters",
- "url": "https://attack.mitre.org/techniques/T1361",
- "tactic": [
- "Test Capabilities"
- ]
- },
- {
- "technique_id": "T1327",
- "technique": "Use multiple DNS infrastructures",
- "url": "https://attack.mitre.org/techniques/T1327",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1277",
- "technique": "Acquire OSINT data sets and information",
- "url": "https://attack.mitre.org/techniques/T1277",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1310",
- "technique": "Acquire or compromise 3rd party signing certificates",
- "url": "https://attack.mitre.org/techniques/T1310",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1301",
- "technique": "Analyze business processes",
- "url": "https://attack.mitre.org/techniques/T1301",
- "tactic": [
- "Organizational Weakness Identification"
- ]
- },
- {
- "technique_id": "T1297",
- "technique": "Analyze organizational skillsets and deficiencies",
- "url": "https://attack.mitre.org/techniques/T1297",
- "tactic": [
- "People Weakness Identification"
- ]
- },
- {
- "technique_id": "T1236",
- "technique": "Assess current holdings, needs, and wants",
- "url": "https://attack.mitre.org/techniques/T1236",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1298",
- "technique": "Assess vulnerability of 3rd party vendors",
- "url": "https://attack.mitre.org/techniques/T1298",
- "tactic": [
- "Organizational Weakness Identification"
- ]
- },
- {
- "technique_id": "T1384",
- "technique": "Automated system performs requested action",
- "url": "https://attack.mitre.org/techniques/T1384",
- "tactic": [
- "Compromise"
- ]
- },
- {
- "technique_id": "T1352",
- "technique": "C2 protocol development",
- "url": "https://attack.mitre.org/techniques/T1352",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1334",
- "technique": "Compromise 3rd party infrastructure to support delivery",
- "url": "https://attack.mitre.org/techniques/T1334",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1253",
- "technique": "Conduct passive scanning",
- "url": "https://attack.mitre.org/techniques/T1253",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1383",
- "technique": "Confirmation of launched compromise achieved",
- "url": "https://attack.mitre.org/techniques/T1383",
- "tactic": [
- "Compromise"
- ]
- },
- {
- "technique_id": "T1231",
- "technique": "Create strategic plan",
- "url": "https://attack.mitre.org/techniques/T1231",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1380",
- "technique": "Deploy exploit using advertising",
- "url": "https://attack.mitre.org/techniques/T1380",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1285",
- "technique": "Determine centralization of IT management",
- "url": "https://attack.mitre.org/techniques/T1285",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1242",
- "technique": "Determine operational element",
- "url": "https://attack.mitre.org/techniques/T1242",
- "tactic": [
- "Target Selection"
- ]
- },
- {
- "technique_id": "T1342",
- "technique": "Develop social network persona digital footprint",
- "url": "https://attack.mitre.org/techniques/T1342",
- "tactic": [
- "Persona Development"
- ]
- },
- {
- "technique_id": "T1323",
- "technique": "Domain Generation Algorithms (DGA)",
- "url": "https://attack.mitre.org/techniques/T1323",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1262",
- "technique": "Enumerate client configurations",
- "url": "https://attack.mitre.org/techniques/T1262",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1364",
- "technique": "Friend/Follow/Connect to targets of interest",
- "url": "https://attack.mitre.org/techniques/T1364",
- "tactic": [
- "Stage Capabilities"
- ]
- },
- {
- "technique_id": "T1233",
- "technique": "Identify analyst level gaps",
- "url": "https://attack.mitre.org/techniques/T1233",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1270",
- "technique": "Identify groups/roles",
- "url": "https://attack.mitre.org/techniques/T1270",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1271",
- "technique": "Identify personnel with an authority/privilege",
- "url": "https://attack.mitre.org/techniques/T1271",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1246",
- "technique": "Identify supply chains",
- "url": "https://attack.mitre.org/techniques/T1246",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1336",
- "technique": "Install and configure hardware, network, and systems",
- "url": "https://attack.mitre.org/techniques/T1336",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1322",
- "technique": "Misattributable credentials",
- "url": "https://attack.mitre.org/techniques/T1322",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1331",
- "technique": "Obfuscate infrastructure",
- "url": "https://attack.mitre.org/techniques/T1331",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1396",
- "technique": "Obtain booter/stressor subscription",
- "url": "https://attack.mitre.org/techniques/T1396",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1353",
- "technique": "Post compromise tool development",
- "url": "https://attack.mitre.org/techniques/T1353",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1239",
- "technique": "Receive KITs/KIQs and determine requirements",
- "url": "https://attack.mitre.org/techniques/T1239",
- "tactic": [
- "Priority Definition Direction"
- ]
- },
- {
- "technique_id": "T1290",
- "technique": "Research visibility gap of security vendors",
- "url": "https://attack.mitre.org/techniques/T1290",
- "tactic": [
- "Technical Weakness Identification"
- ]
- },
- {
- "technique_id": "T1317",
- "technique": "Secure and protect infrastructure",
- "url": "https://attack.mitre.org/techniques/T1317",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1393",
- "technique": "Test ability to evade automated mobile application security analysis performed by app stores",
- "url": "https://attack.mitre.org/techniques/T1393",
- "tactic": [
- "Test Capabilities"
- ]
- },
- {
- "technique_id": "T1292",
- "technique": "Test signature detection",
- "url": "https://attack.mitre.org/techniques/T1292",
- "tactic": [
- "Technical Weakness Identification"
- ]
- },
- {
- "technique_id": "T1362",
- "technique": "Upload, install, and configure software/tools",
- "url": "https://attack.mitre.org/techniques/T1362",
- "tactic": [
- "Stage Capabilities"
- ]
- },
- {
- "technique_id": "T1266",
- "technique": "Acquire OSINT data sets and information",
- "url": "https://attack.mitre.org/techniques/T1266",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1308",
- "technique": "Acquire and/or use 3rd party software services",
- "url": "https://attack.mitre.org/techniques/T1308",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1293",
- "technique": "Analyze application security posture",
- "url": "https://attack.mitre.org/techniques/T1293",
- "tactic": [
- "Technical Weakness Identification"
- ]
- },
- {
- "technique_id": "T1300",
- "technique": "Analyze organizational skillsets and deficiencies",
- "url": "https://attack.mitre.org/techniques/T1300",
- "tactic": [
- "Organizational Weakness Identification"
- ]
- },
- {
- "technique_id": "T1306",
- "technique": "Anonymity services",
- "url": "https://attack.mitre.org/techniques/T1306",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1302",
- "technique": "Assess security posture of physical locations",
- "url": "https://attack.mitre.org/techniques/T1302",
- "tactic": [
- "Organizational Weakness Identification"
- ]
- },
- {
- "technique_id": "T1381",
- "technique": "Authentication attempt",
- "url": "https://attack.mitre.org/techniques/T1381",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1341",
- "technique": "Build social network persona",
- "url": "https://attack.mitre.org/techniques/T1341",
- "tactic": [
- "Persona Development"
- ]
- },
- {
- "technique_id": "T1321",
- "technique": "Common, high volume protocols and software",
- "url": "https://attack.mitre.org/techniques/T1321",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1254",
- "technique": "Conduct active scanning",
- "url": "https://attack.mitre.org/techniques/T1254",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1249",
- "technique": "Conduct social engineering",
- "url": "https://attack.mitre.org/techniques/T1249",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1232",
- "technique": "Create implementation plan",
- "url": "https://attack.mitre.org/techniques/T1232",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1324",
- "technique": "DNSCalc",
- "url": "https://attack.mitre.org/techniques/T1324",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1260",
- "technique": "Determine 3rd party infrastructure services",
- "url": "https://attack.mitre.org/techniques/T1260",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1258",
- "technique": "Determine firmware version",
- "url": "https://attack.mitre.org/techniques/T1258",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1241",
- "technique": "Determine strategic target",
- "url": "https://attack.mitre.org/techniques/T1241",
- "tactic": [
- "Target Selection"
- ]
- },
- {
- "technique_id": "T1379",
- "technique": "Disseminate removable media",
- "url": "https://attack.mitre.org/techniques/T1379",
- "tactic": [
- "Stage Capabilities"
- ]
- },
- {
- "technique_id": "T1311",
- "technique": "Dynamic DNS",
- "url": "https://attack.mitre.org/techniques/T1311",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1325",
- "technique": "Fast Flux DNS",
- "url": "https://attack.mitre.org/techniques/T1325",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1314",
- "technique": "Host-based hiding techniques",
- "url": "https://attack.mitre.org/techniques/T1314",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1283",
- "technique": "Identify business relationships",
- "url": "https://attack.mitre.org/techniques/T1283",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1267",
- "technique": "Identify job postings and needs/gaps",
- "url": "https://attack.mitre.org/techniques/T1267",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1274",
- "technique": "Identify sensitive personnel information",
- "url": "https://attack.mitre.org/techniques/T1274",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1389",
- "technique": "Identify vulnerabilities in third-party software libraries",
- "url": "https://attack.mitre.org/techniques/T1389",
- "tactic": [
- "Technical Weakness Identification"
- ]
- },
- {
- "technique_id": "T1273",
- "technique": "Mine social media",
- "url": "https://attack.mitre.org/techniques/T1273",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1390",
- "technique": "OS-vendor provided communication channels",
- "url": "https://attack.mitre.org/techniques/T1390",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1313",
- "technique": "Obfuscation or cryptography",
- "url": "https://attack.mitre.org/techniques/T1313",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1247",
- "technique": "Acquire OSINT data sets and information",
- "url": "https://attack.mitre.org/techniques/T1247",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1346",
- "technique": "Obtain/re-use payloads",
- "url": "https://attack.mitre.org/techniques/T1346",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1330",
- "technique": "Acquire and/or use 3rd party software services",
- "url": "https://attack.mitre.org/techniques/T1330",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1288",
- "technique": "Analyze architecture and configuration posture",
- "url": "https://attack.mitre.org/techniques/T1288",
- "tactic": [
- "Technical Weakness Identification"
- ]
- },
- {
- "technique_id": "T1304",
- "technique": "Proxy/protocol relays",
- "url": "https://attack.mitre.org/techniques/T1304",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1289",
- "technique": "Analyze organizational skillsets and deficiencies",
- "url": "https://attack.mitre.org/techniques/T1289",
- "tactic": [
- "Technical Weakness Identification"
- ]
- },
- {
- "technique_id": "T1378",
- "technique": "Replace legitimate binary with malware",
- "url": "https://attack.mitre.org/techniques/T1378",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1229",
- "technique": "Assess KITs/KIQs benefits",
- "url": "https://attack.mitre.org/techniques/T1229",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1337",
- "technique": "SSL certificate acquisition for domain",
- "url": "https://attack.mitre.org/techniques/T1337",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1296",
- "technique": "Assess targeting options",
- "url": "https://attack.mitre.org/techniques/T1296",
- "tactic": [
- "People Weakness Identification"
- ]
- },
- {
- "technique_id": "T1386",
- "technique": "Authorized user performs requested cyber action",
- "url": "https://attack.mitre.org/techniques/T1386",
- "tactic": [
- "Compromise"
- ]
- },
- {
- "technique_id": "T1369",
- "technique": "Spear phishing messages with malicious links",
- "url": "https://attack.mitre.org/techniques/T1369",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1328",
- "technique": "Buy domain name",
- "url": "https://attack.mitre.org/techniques/T1328",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1366",
- "technique": "Targeted social media phishing",
- "url": "https://attack.mitre.org/techniques/T1366",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1312",
- "technique": "Compromise 3rd party infrastructure to support delivery",
- "url": "https://attack.mitre.org/techniques/T1312",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1359",
- "technique": "Test malware to evade detection",
- "url": "https://attack.mitre.org/techniques/T1359",
- "tactic": [
- "Test Capabilities"
- ]
- },
- {
- "technique_id": "T1226",
- "technique": "Conduct cost/benefit analysis",
- "url": "https://attack.mitre.org/techniques/T1226",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1376",
- "technique": "Conduct social engineering or HUMINT operation",
- "url": "https://attack.mitre.org/techniques/T1376",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1355",
- "technique": "Create infected removable media",
- "url": "https://attack.mitre.org/techniques/T1355",
- "tactic": [
- "Build Capabilities"
- ]
- },
- {
- "technique_id": "T1320",
- "technique": "Data Hiding",
- "url": "https://attack.mitre.org/techniques/T1320",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1245",
- "technique": "Determine approach/attack vector",
- "url": "https://attack.mitre.org/techniques/T1245",
- "tactic": [
- "Target Selection"
- ]
- },
- {
- "technique_id": "T1243",
- "technique": "Determine highest level tactical element",
- "url": "https://attack.mitre.org/techniques/T1243",
- "tactic": [
- "Target Selection"
- ]
- },
- {
- "technique_id": "T1227",
- "technique": "Develop KITs/KIQs",
- "url": "https://attack.mitre.org/techniques/T1227",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1394",
- "technique": "Distribute malicious software development tools",
- "url": "https://attack.mitre.org/techniques/T1394",
- "tactic": [
- "Stage Capabilities"
- ]
- },
- {
- "technique_id": "T1333",
- "technique": "Dynamic DNS",
- "url": "https://attack.mitre.org/techniques/T1333",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1344",
- "technique": "Friend/Follow/Connect to targets of interest",
- "url": "https://attack.mitre.org/techniques/T1344",
- "tactic": [
- "Persona Development"
- ]
- },
- {
- "technique_id": "T1385",
- "technique": "Human performs requested action of physical nature",
- "url": "https://attack.mitre.org/techniques/T1385",
- "tactic": [
- "Compromise"
- ]
- },
- {
- "technique_id": "T1225",
- "technique": "Identify gap areas",
- "url": "https://attack.mitre.org/techniques/T1225",
- "tactic": [
- "Priority Definition Planning"
- ]
- },
- {
- "technique_id": "T1269",
- "technique": "Identify people of interest",
- "url": "https://attack.mitre.org/techniques/T1269",
- "tactic": [
- "People Information Gathering"
- ]
- },
- {
- "technique_id": "T1276",
- "technique": "Identify supply chains",
- "url": "https://attack.mitre.org/techniques/T1276",
- "tactic": [
- "Organizational Information Gathering"
- ]
- },
- {
- "technique_id": "T1256",
- "technique": "Identify web defensive services",
- "url": "https://attack.mitre.org/techniques/T1256",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1257",
- "technique": "Mine technical blogs/forums",
- "url": "https://attack.mitre.org/techniques/T1257",
- "tactic": [
- "Technical Information Gathering"
- ]
- },
- {
- "technique_id": "T1309",
- "technique": "Obfuscate infrastructure",
- "url": "https://attack.mitre.org/techniques/T1309",
- "tactic": [
- "Adversary Opsec"
- ]
- },
- {
- "technique_id": "T1392",
- "technique": "Obtain Apple iOS enterprise distribution key pair and certificate",
- "url": "https://attack.mitre.org/techniques/T1392",
- "tactic": [
- "Persona Development"
- ]
- },
- {
- "technique_id": "T1363",
- "technique": "Port redirector",
- "url": "https://attack.mitre.org/techniques/T1363",
- "tactic": [
- "Stage Capabilities"
- ]
- },
- {
- "technique_id": "T1373",
- "technique": "Push-notification client-side exploit",
- "url": "https://attack.mitre.org/techniques/T1373",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1291",
- "technique": "Research relevant vulnerabilities/CVEs",
- "url": "https://attack.mitre.org/techniques/T1291",
- "tactic": [
- "Technical Weakness Identification"
- ]
- },
- {
- "technique_id": "T1338",
- "technique": "SSL certificate acquisition for trust breaking",
- "url": "https://attack.mitre.org/techniques/T1338",
- "tactic": [
- "Establish & Maintain Infrastructure"
- ]
- },
- {
- "technique_id": "T1368",
- "technique": "Spear phishing messages with text only",
- "url": "https://attack.mitre.org/techniques/T1368",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1240",
- "technique": "Task requirements",
- "url": "https://attack.mitre.org/techniques/T1240",
- "tactic": [
- "Priority Definition Direction"
- ]
- },
- {
- "technique_id": "T1360",
- "technique": "Test physical access",
- "url": "https://attack.mitre.org/techniques/T1360",
- "tactic": [
- "Test Capabilities"
- ]
- },
- {
- "technique_id": "T1370",
- "technique": "Untargeted client-side exploitation",
- "url": "https://attack.mitre.org/techniques/T1370",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1372",
- "technique": "Unconditional client-side exploitation/Injected Website/Driveby",
- "url": "https://attack.mitre.org/techniques/T1372",
- "tactic": [
- "Launch"
- ]
- },
- {
- "technique_id": "T1533",
- "technique": "Data from Local System",
- "url": "https://attack.mitre.org/techniques/T1533",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1532",
- "technique": "Data Encrypted",
- "url": "https://attack.mitre.org/techniques/T1532",
- "tactic": [
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1523",
- "technique": "Evade Analysis Environment",
- "url": "https://attack.mitre.org/techniques/T1523",
- "tactic": [
- "Defense Evasion",
- "Discovery"
- ]
- },
- {
- "technique_id": "T1521",
- "technique": "Standard Cryptographic Protocol",
- "url": "https://attack.mitre.org/techniques/T1521",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1520",
- "technique": "Domain Generation Algorithms",
- "url": "https://attack.mitre.org/techniques/T1520",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1516",
- "technique": "Input Injection",
- "url": "https://attack.mitre.org/techniques/T1516",
- "tactic": [
- "Defense Evasion",
- "Impact"
- ]
- },
- {
- "technique_id": "T1517",
- "technique": "Access Notifications",
- "url": "https://attack.mitre.org/techniques/T1517",
- "tactic": [
- "Collection",
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1512",
- "technique": "Capture Camera",
- "url": "https://attack.mitre.org/techniques/T1512",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1513",
- "technique": "Screen Capture",
- "url": "https://attack.mitre.org/techniques/T1513",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1509",
- "technique": "Uncommonly Used Port",
- "url": "https://attack.mitre.org/techniques/T1509",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1510",
- "technique": "Clipboard Modification",
- "url": "https://attack.mitre.org/techniques/T1510",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1508",
- "technique": "Suppress Application Icon",
- "url": "https://attack.mitre.org/techniques/T1508",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1507",
- "technique": "Network Information Discovery",
- "url": "https://attack.mitre.org/techniques/T1507",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1481",
- "technique": "Web Service",
- "url": "https://attack.mitre.org/techniques/T1481",
- "tactic": [
- "Command And Control"
- ]
- },
- {
- "technique_id": "T1476",
- "technique": "Deliver Malicious App via Other Means",
- "url": "https://attack.mitre.org/techniques/T1476",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1475",
- "technique": "Deliver Malicious App via Authorized App Store",
- "url": "https://attack.mitre.org/techniques/T1475",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1474",
- "technique": "Supply Chain Compromise",
- "url": "https://attack.mitre.org/techniques/T1474",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1477",
- "technique": "Exploit via Radio Interfaces",
- "url": "https://attack.mitre.org/techniques/T1477",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1478",
- "technique": "Install Insecure or Malicious Configuration",
- "url": "https://attack.mitre.org/techniques/T1478",
- "tactic": [
- "Defense Evasion",
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1444",
- "technique": "Masquerade as Legitimate Application",
- "url": "https://attack.mitre.org/techniques/T1444",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1443",
- "technique": "Remotely Install Application",
- "url": "https://attack.mitre.org/techniques/T1443",
- "tactic": []
- },
- {
- "technique_id": "T1411",
- "technique": "Input Prompt",
- "url": "https://attack.mitre.org/techniques/T1411",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1424",
- "technique": "Process Discovery",
- "url": "https://attack.mitre.org/techniques/T1424",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1421",
- "technique": "System Network Connections Discovery",
- "url": "https://attack.mitre.org/techniques/T1421",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1437",
- "technique": "Standard Application Layer Protocol",
- "url": "https://attack.mitre.org/techniques/T1437",
- "tactic": [
- "Command And Control",
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1422",
- "technique": "System Network Configuration Discovery",
- "url": "https://attack.mitre.org/techniques/T1422",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1406",
- "technique": "Obfuscated Files or Information",
- "url": "https://attack.mitre.org/techniques/T1406",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1416",
- "technique": "Android Intent Hijacking",
- "url": "https://attack.mitre.org/techniques/T1416",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1447",
- "technique": "Delete Device Data",
- "url": "https://attack.mitre.org/techniques/T1447",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1398",
- "technique": "Modify OS Kernel or Boot Partition",
- "url": "https://attack.mitre.org/techniques/T1398",
- "tactic": [
- "Defense Evasion",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1400",
- "technique": "Modify System Partition",
- "url": "https://attack.mitre.org/techniques/T1400",
- "tactic": [
- "Defense Evasion",
- "Persistence",
- "Impact"
- ]
- },
- {
- "technique_id": "T1425",
- "technique": "Insecure Third-Party Libraries",
- "url": "https://attack.mitre.org/techniques/T1425",
- "tactic": []
- },
- {
- "technique_id": "T1402",
- "technique": "App Auto-Start at Device Boot",
- "url": "https://attack.mitre.org/techniques/T1402",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1401",
- "technique": "Abuse Device Administrator Access to Prevent Removal",
- "url": "https://attack.mitre.org/techniques/T1401",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1404",
- "technique": "Exploit OS Vulnerability",
- "url": "https://attack.mitre.org/techniques/T1404",
- "tactic": [
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1403",
- "technique": "Modify Cached Executable Code",
- "url": "https://attack.mitre.org/techniques/T1403",
- "tactic": [
- "Persistence"
- ]
- },
- {
- "technique_id": "T1442",
- "technique": "Fake Developer Accounts",
- "url": "https://attack.mitre.org/techniques/T1442",
- "tactic": []
- },
- {
- "technique_id": "T1419",
- "technique": "Device Type Discovery",
- "url": "https://attack.mitre.org/techniques/T1419",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1418",
- "technique": "Application Discovery",
- "url": "https://attack.mitre.org/techniques/T1418",
- "tactic": [
- "Defense Evasion",
- "Discovery"
- ]
- },
- {
- "technique_id": "T1417",
- "technique": "Input Capture",
- "url": "https://attack.mitre.org/techniques/T1417",
- "tactic": [
- "Collection",
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1438",
- "technique": "Alternate Network Mediums",
- "url": "https://attack.mitre.org/techniques/T1438",
- "tactic": [
- "Command And Control",
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1423",
- "technique": "Network Service Scanning",
- "url": "https://attack.mitre.org/techniques/T1423",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1440",
- "technique": "Detect App Analysis Environment",
- "url": "https://attack.mitre.org/techniques/T1440",
- "tactic": []
- },
- {
- "technique_id": "T1439",
- "technique": "Eavesdrop on Insecure Network Communication",
- "url": "https://attack.mitre.org/techniques/T1439",
- "tactic": [
- "Network Effects"
- ]
- },
- {
- "technique_id": "T1464",
- "technique": "Jamming or Denial of Service",
- "url": "https://attack.mitre.org/techniques/T1464",
- "tactic": [
- "Network Effects"
- ]
- },
- {
- "technique_id": "T1463",
- "technique": "Manipulate Device Communication",
- "url": "https://attack.mitre.org/techniques/T1463",
- "tactic": [
- "Network Effects"
- ]
- },
- {
- "technique_id": "T1462",
- "technique": "Malicious Software Development Tools",
- "url": "https://attack.mitre.org/techniques/T1462",
- "tactic": []
- },
- {
- "technique_id": "T1461",
- "technique": "Lockscreen Bypass",
- "url": "https://attack.mitre.org/techniques/T1461",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1460",
- "technique": "Biometric Spoofing",
- "url": "https://attack.mitre.org/techniques/T1460",
- "tactic": []
- },
- {
- "technique_id": "T1459",
- "technique": "Device Unlock Code Guessing or Brute Force",
- "url": "https://attack.mitre.org/techniques/T1459",
- "tactic": []
- },
- {
- "technique_id": "T1458",
- "technique": "Exploit via Charging Station or PC",
- "url": "https://attack.mitre.org/techniques/T1458",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1405",
- "technique": "Exploit TEE Vulnerability",
- "url": "https://attack.mitre.org/techniques/T1405",
- "tactic": [
- "Credential Access",
- "Privilege Escalation"
- ]
- },
- {
- "technique_id": "T1467",
- "technique": "Rogue Cellular Base Station",
- "url": "https://attack.mitre.org/techniques/T1467",
- "tactic": [
- "Network Effects"
- ]
- },
- {
- "technique_id": "T1420",
- "technique": "File and Directory Discovery",
- "url": "https://attack.mitre.org/techniques/T1420",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1466",
- "technique": "Downgrade to Insecure Protocols",
- "url": "https://attack.mitre.org/techniques/T1466",
- "tactic": [
- "Network Effects"
- ]
- },
- {
- "technique_id": "T1465",
- "technique": "Rogue Wi-Fi Access Points",
- "url": "https://attack.mitre.org/techniques/T1465",
- "tactic": [
- "Network Effects"
- ]
- },
- {
- "technique_id": "T1468",
- "technique": "Remotely Track Device Without Authorization",
- "url": "https://attack.mitre.org/techniques/T1468",
- "tactic": [
- "Remote Service Effects"
- ]
- },
- {
- "technique_id": "T1435",
- "technique": "Access Calendar Entries",
- "url": "https://attack.mitre.org/techniques/T1435",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1451",
- "technique": "SIM Card Swap",
- "url": "https://attack.mitre.org/techniques/T1451",
- "tactic": [
- "Network Effects"
- ]
- },
- {
- "technique_id": "T1414",
- "technique": "Capture Clipboard Data",
- "url": "https://attack.mitre.org/techniques/T1414",
- "tactic": [
- "Collection",
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1457",
- "technique": "Malicious Media Content",
- "url": "https://attack.mitre.org/techniques/T1457",
- "tactic": []
- },
- {
- "technique_id": "T1426",
- "technique": "System Information Discovery",
- "url": "https://attack.mitre.org/techniques/T1426",
- "tactic": [
- "Discovery"
- ]
- },
- {
- "technique_id": "T1472",
- "technique": "Generate Fraudulent Advertising Revenue",
- "url": "https://attack.mitre.org/techniques/T1472",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1399",
- "technique": "Modify Trusted Execution Environment",
- "url": "https://attack.mitre.org/techniques/T1399",
- "tactic": [
- "Defense Evasion",
- "Persistence"
- ]
- },
- {
- "technique_id": "T1470",
- "technique": "Obtain Device Cloud Backups",
- "url": "https://attack.mitre.org/techniques/T1470",
- "tactic": [
- "Remote Service Effects"
- ]
- },
- {
- "technique_id": "T1446",
- "technique": "Device Lockout",
- "url": "https://attack.mitre.org/techniques/T1446",
- "tactic": [
- "Impact",
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1415",
- "technique": "URL Scheme Hijacking",
- "url": "https://attack.mitre.org/techniques/T1415",
- "tactic": [
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1413",
- "technique": "Access Sensitive Data in Device Logs",
- "url": "https://attack.mitre.org/techniques/T1413",
- "tactic": [
- "Collection",
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1436",
- "technique": "Commonly Used Port",
- "url": "https://attack.mitre.org/techniques/T1436",
- "tactic": [
- "Command And Control",
- "Exfiltration"
- ]
- },
- {
- "technique_id": "T1445",
- "technique": "Abuse of iOS Enterprise App Signing Key",
- "url": "https://attack.mitre.org/techniques/T1445",
- "tactic": []
- },
- {
- "technique_id": "T1412",
- "technique": "Capture SMS Messages",
- "url": "https://attack.mitre.org/techniques/T1412",
- "tactic": [
- "Collection",
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1409",
- "technique": "Access Stored Application Data",
- "url": "https://attack.mitre.org/techniques/T1409",
- "tactic": [
- "Collection",
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1410",
- "technique": "Network Traffic Capture or Redirection",
- "url": "https://attack.mitre.org/techniques/T1410",
- "tactic": [
- "Collection",
- "Credential Access"
- ]
- },
- {
- "technique_id": "T1407",
- "technique": "Download New Code at Runtime",
- "url": "https://attack.mitre.org/techniques/T1407",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1408",
- "technique": "Disguise Root/Jailbreak Indicators",
- "url": "https://attack.mitre.org/techniques/T1408",
- "tactic": [
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1427",
- "technique": "Attack PC via USB Connection",
- "url": "https://attack.mitre.org/techniques/T1427",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1428",
- "technique": "Exploit Enterprise Resources",
- "url": "https://attack.mitre.org/techniques/T1428",
- "tactic": [
- "Lateral Movement"
- ]
- },
- {
- "technique_id": "T1429",
- "technique": "Capture Audio",
- "url": "https://attack.mitre.org/techniques/T1429",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1430",
- "technique": "Location Tracking",
- "url": "https://attack.mitre.org/techniques/T1430",
- "tactic": [
- "Collection",
- "Discovery"
- ]
- },
- {
- "technique_id": "T1431",
- "technique": "App Delivered via Web Download",
- "url": "https://attack.mitre.org/techniques/T1431",
- "tactic": []
- },
- {
- "technique_id": "T1432",
- "technique": "Access Contact List",
- "url": "https://attack.mitre.org/techniques/T1432",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1433",
- "technique": "Access Call Log",
- "url": "https://attack.mitre.org/techniques/T1433",
- "tactic": [
- "Collection"
- ]
- },
- {
- "technique_id": "T1434",
- "technique": "App Delivered via Email Attachment",
- "url": "https://attack.mitre.org/techniques/T1434",
- "tactic": []
- },
- {
- "technique_id": "T1471",
- "technique": "Data Encrypted for Impact",
- "url": "https://attack.mitre.org/techniques/T1471",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1450",
- "technique": "Exploit SS7 to Track Device Location",
- "url": "https://attack.mitre.org/techniques/T1450",
- "tactic": [
- "Network Effects"
- ]
- },
- {
- "technique_id": "T1473",
- "technique": "Malicious or Vulnerable Built-in Device Functionality",
- "url": "https://attack.mitre.org/techniques/T1473",
- "tactic": []
- },
- {
- "technique_id": "T1448",
- "technique": "Premium SMS Toll Fraud",
- "url": "https://attack.mitre.org/techniques/T1448",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1453",
- "technique": "Abuse Accessibility Features",
- "url": "https://attack.mitre.org/techniques/T1453",
- "tactic": [
- "Collection",
- "Credential Access",
- "Impact",
- "Defense Evasion"
- ]
- },
- {
- "technique_id": "T1454",
- "technique": "Malicious SMS Message",
- "url": "https://attack.mitre.org/techniques/T1454",
- "tactic": []
- },
- {
- "technique_id": "T1469",
- "technique": "Remotely Wipe Data Without Authorization",
- "url": "https://attack.mitre.org/techniques/T1469",
- "tactic": [
- "Remote Service Effects"
- ]
- },
- {
- "technique_id": "T1452",
- "technique": "Manipulate App Store Rankings or Ratings",
- "url": "https://attack.mitre.org/techniques/T1452",
- "tactic": [
- "Impact"
- ]
- },
- {
- "technique_id": "T1455",
- "technique": "Exploit Baseband Vulnerability",
- "url": "https://attack.mitre.org/techniques/T1455",
- "tactic": []
- },
- {
- "technique_id": "T1456",
- "technique": "Drive-by Compromise",
- "url": "https://attack.mitre.org/techniques/T1456",
- "tactic": [
- "Initial Access"
- ]
- },
- {
- "technique_id": "T1449",
- "technique": "Exploit SS7 to Redirect Phone Calls/SMS",
- "url": "https://attack.mitre.org/techniques/T1449",
- "tactic": [
- "Network Effects"
- ]
- },
- {
- "technique_id": "T1441",
- "technique": "Stolen Developer Credentials or Signing Keys",
- "url": "https://attack.mitre.org/techniques/T1441",
- "tactic": []
- }
+ {
+ "technique_id": "T1001",
+ "technique": "Data Obfuscation",
+ "url": "https://attack.mitre.org/techniques/T1001",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1001.001",
+ "technique": "Data Obfuscation : Junk Data",
+ "url": "https://attack.mitre.org/techniques/T1001/001"
+ },
+ {
+ "technique_id": "T1001.002",
+ "technique": "Data Obfuscation : Steganography",
+ "url": "https://attack.mitre.org/techniques/T1001/002"
+ },
+ {
+ "technique_id": "T1001.003",
+ "technique": "Data Obfuscation : Protocol Impersonation",
+ "url": "https://attack.mitre.org/techniques/T1001/003"
+ },
+ {
+ "technique_id": "T1003",
+ "technique": "OS Credential Dumping",
+ "url": "https://attack.mitre.org/techniques/T1003",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1003.001",
+ "technique": "OS Credential Dumping : LSASS Memory",
+ "url": "https://attack.mitre.org/techniques/T1003/001"
+ },
+ {
+ "technique_id": "T1003.002",
+ "technique": "OS Credential Dumping : Security Account Manager",
+ "url": "https://attack.mitre.org/techniques/T1003/002"
+ },
+ {
+ "technique_id": "T1003.003",
+ "technique": "OS Credential Dumping : NTDS",
+ "url": "https://attack.mitre.org/techniques/T1003/003"
+ },
+ {
+ "technique_id": "T1003.004",
+ "technique": "OS Credential Dumping : LSA Secrets",
+ "url": "https://attack.mitre.org/techniques/T1003/004"
+ },
+ {
+ "technique_id": "T1003.005",
+ "technique": "OS Credential Dumping : Cached Domain Credentials",
+ "url": "https://attack.mitre.org/techniques/T1003/005"
+ },
+ {
+ "technique_id": "T1003.006",
+ "technique": "OS Credential Dumping : DCSync",
+ "url": "https://attack.mitre.org/techniques/T1003/006"
+ },
+ {
+ "technique_id": "T1003.007",
+ "technique": "OS Credential Dumping : Proc Filesystem",
+ "url": "https://attack.mitre.org/techniques/T1003/007"
+ },
+ {
+ "technique_id": "T1003.008",
+ "technique": "OS Credential Dumping : /etc/passwd and /etc/shadow",
+ "url": "https://attack.mitre.org/techniques/T1003/008"
+ },
+ {
+ "technique_id": "T1005",
+ "technique": "Data from Local System",
+ "url": "https://attack.mitre.org/techniques/T1005",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1006",
+ "technique": "Direct Volume Access",
+ "url": "https://attack.mitre.org/techniques/T1006",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1007",
+ "technique": "System Service Discovery",
+ "url": "https://attack.mitre.org/techniques/T1007",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1008",
+ "technique": "Fallback Channels",
+ "url": "https://attack.mitre.org/techniques/T1008",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1010",
+ "technique": "Application Window Discovery",
+ "url": "https://attack.mitre.org/techniques/T1010",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1011",
+ "technique": "Exfiltration Over Other Network Medium",
+ "url": "https://attack.mitre.org/techniques/T1011",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1011.001",
+ "technique": "Exfiltration Over Other Network Medium : Exfiltration Over Bluetooth",
+ "url": "https://attack.mitre.org/techniques/T1011/001"
+ },
+ {
+ "technique_id": "T1012",
+ "technique": "Query Registry",
+ "url": "https://attack.mitre.org/techniques/T1012",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1014",
+ "technique": "Rootkit",
+ "url": "https://attack.mitre.org/techniques/T1014",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1016",
+ "technique": "System Network Configuration Discovery",
+ "url": "https://attack.mitre.org/techniques/T1016",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1018",
+ "technique": "Remote System Discovery",
+ "url": "https://attack.mitre.org/techniques/T1018",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1020",
+ "technique": "Automated Exfiltration",
+ "url": "https://attack.mitre.org/techniques/T1020",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1021",
+ "technique": "Remote Services",
+ "url": "https://attack.mitre.org/techniques/T1021",
+ "tactic": [
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1021.001",
+ "technique": "Remote Services : Remote Desktop Protocol",
+ "url": "https://attack.mitre.org/techniques/T1021/001"
+ },
+ {
+ "technique_id": "T1021.002",
+ "technique": "Remote Services : SMB/Windows Admin Shares",
+ "url": "https://attack.mitre.org/techniques/T1021/002"
+ },
+ {
+ "technique_id": "T1021.003",
+ "technique": "Remote Services : Distributed Component Object Model",
+ "url": "https://attack.mitre.org/techniques/T1021/003"
+ },
+ {
+ "technique_id": "T1021.004",
+ "technique": "Remote Services : SSH",
+ "url": "https://attack.mitre.org/techniques/T1021/004"
+ },
+ {
+ "technique_id": "T1021.005",
+ "technique": "Remote Services : VNC",
+ "url": "https://attack.mitre.org/techniques/T1021/005"
+ },
+ {
+ "technique_id": "T1021.006",
+ "technique": "Remote Services : Windows Remote Management",
+ "url": "https://attack.mitre.org/techniques/T1021/006"
+ },
+ {
+ "technique_id": "T1025",
+ "technique": "Data from Removable Media",
+ "url": "https://attack.mitre.org/techniques/T1025",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1027",
+ "technique": "Obfuscated Files or Information",
+ "url": "https://attack.mitre.org/techniques/T1027",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1027.001",
+ "technique": "Obfuscated Files or Information : Binary Padding",
+ "url": "https://attack.mitre.org/techniques/T1027/001"
+ },
+ {
+ "technique_id": "T1027.002",
+ "technique": "Obfuscated Files or Information : Software Packing",
+ "url": "https://attack.mitre.org/techniques/T1027/002"
+ },
+ {
+ "technique_id": "T1027.003",
+ "technique": "Obfuscated Files or Information : Steganography",
+ "url": "https://attack.mitre.org/techniques/T1027/003"
+ },
+ {
+ "technique_id": "T1027.004",
+ "technique": "Obfuscated Files or Information : Compile After Delivery",
+ "url": "https://attack.mitre.org/techniques/T1027/004"
+ },
+ {
+ "technique_id": "T1027.005",
+ "technique": "Obfuscated Files or Information : Indicator Removal from Tools",
+ "url": "https://attack.mitre.org/techniques/T1027/005"
+ },
+ {
+ "technique_id": "T1029",
+ "technique": "Scheduled Transfer",
+ "url": "https://attack.mitre.org/techniques/T1029",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1030",
+ "technique": "Data Transfer Size Limits",
+ "url": "https://attack.mitre.org/techniques/T1030",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1033",
+ "technique": "System Owner/User Discovery",
+ "url": "https://attack.mitre.org/techniques/T1033",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1036",
+ "technique": "Masquerading",
+ "url": "https://attack.mitre.org/techniques/T1036",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1036.001",
+ "technique": "Masquerading : Invalid Code Signature",
+ "url": "https://attack.mitre.org/techniques/T1036/001"
+ },
+ {
+ "technique_id": "T1036.002",
+ "technique": "Masquerading : Right-to-Left Override",
+ "url": "https://attack.mitre.org/techniques/T1036/002"
+ },
+ {
+ "technique_id": "T1036.003",
+ "technique": "Masquerading : Rename System Utilities",
+ "url": "https://attack.mitre.org/techniques/T1036/003"
+ },
+ {
+ "technique_id": "T1036.004",
+ "technique": "Masquerading : Masquerade Task or Service",
+ "url": "https://attack.mitre.org/techniques/T1036/004"
+ },
+ {
+ "technique_id": "T1036.005",
+ "technique": "Masquerading : Match Legitimate Name or Location",
+ "url": "https://attack.mitre.org/techniques/T1036/005"
+ },
+ {
+ "technique_id": "T1036.006",
+ "technique": "Masquerading : Space after Filename",
+ "url": "https://attack.mitre.org/techniques/T1036/006"
+ },
+ {
+ "technique_id": "T1037",
+ "technique": "Boot or Logon Initialization Scripts",
+ "url": "https://attack.mitre.org/techniques/T1037",
+ "tactic": [
+ "Persistence",
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1037.001",
+ "technique": "Boot or Logon Initialization Scripts : Logon Script (Windows)",
+ "url": "https://attack.mitre.org/techniques/T1037/001"
+ },
+ {
+ "technique_id": "T1037.002",
+ "technique": "Boot or Logon Initialization Scripts : Logon Script (Mac)",
+ "url": "https://attack.mitre.org/techniques/T1037/002"
+ },
+ {
+ "technique_id": "T1037.003",
+ "technique": "Boot or Logon Initialization Scripts : Network Logon Script",
+ "url": "https://attack.mitre.org/techniques/T1037/003"
+ },
+ {
+ "technique_id": "T1037.004",
+ "technique": "Boot or Logon Initialization Scripts : Rc.common",
+ "url": "https://attack.mitre.org/techniques/T1037/004"
+ },
+ {
+ "technique_id": "T1037.005",
+ "technique": "Boot or Logon Initialization Scripts : Startup Items",
+ "url": "https://attack.mitre.org/techniques/T1037/005"
+ },
+ {
+ "technique_id": "T1039",
+ "technique": "Data from Network Shared Drive",
+ "url": "https://attack.mitre.org/techniques/T1039",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1040",
+ "technique": "Network Sniffing",
+ "url": "https://attack.mitre.org/techniques/T1040",
+ "tactic": [
+ "Credential Access",
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1041",
+ "technique": "Exfiltration Over C2 Channel",
+ "url": "https://attack.mitre.org/techniques/T1041",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1046",
+ "technique": "Network Service Scanning",
+ "url": "https://attack.mitre.org/techniques/T1046",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1047",
+ "technique": "Windows Management Instrumentation",
+ "url": "https://attack.mitre.org/techniques/T1047",
+ "tactic": [
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1048",
+ "technique": "Exfiltration Over Alternative Protocol",
+ "url": "https://attack.mitre.org/techniques/T1048",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1048.001",
+ "technique": "Exfiltration Over Alternative Protocol : Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
+ "url": "https://attack.mitre.org/techniques/T1048/001"
+ },
+ {
+ "technique_id": "T1048.002",
+ "technique": "Exfiltration Over Alternative Protocol : Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
+ "url": "https://attack.mitre.org/techniques/T1048/002"
+ },
+ {
+ "technique_id": "T1048.003",
+ "technique": "Exfiltration Over Alternative Protocol : Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
+ "url": "https://attack.mitre.org/techniques/T1048/003"
+ },
+ {
+ "technique_id": "T1049",
+ "technique": "System Network Connections Discovery",
+ "url": "https://attack.mitre.org/techniques/T1049",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1052",
+ "technique": "Exfiltration Over Physical Medium",
+ "url": "https://attack.mitre.org/techniques/T1052",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1052.001",
+ "technique": "Exfiltration Over Physical Medium : Exfiltration over USB",
+ "url": "https://attack.mitre.org/techniques/T1052/001"
+ },
+ {
+ "technique_id": "T1053",
+ "technique": "Scheduled Task/Job",
+ "url": "https://attack.mitre.org/techniques/T1053",
+ "tactic": [
+ "Execution",
+ "Persistence",
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1053.001",
+ "technique": "Scheduled Task/Job : At (Linux)",
+ "url": "https://attack.mitre.org/techniques/T1053/001"
+ },
+ {
+ "technique_id": "T1053.002",
+ "technique": "Scheduled Task/Job : At (Windows)",
+ "url": "https://attack.mitre.org/techniques/T1053/002"
+ },
+ {
+ "technique_id": "T1053.003",
+ "technique": "Scheduled Task/Job : Cron",
+ "url": "https://attack.mitre.org/techniques/T1053/003"
+ },
+ {
+ "technique_id": "T1053.004",
+ "technique": "Scheduled Task/Job : Launchd",
+ "url": "https://attack.mitre.org/techniques/T1053/004"
+ },
+ {
+ "technique_id": "T1053.005",
+ "technique": "Scheduled Task/Job : Scheduled Task",
+ "url": "https://attack.mitre.org/techniques/T1053/005"
+ },
+ {
+ "technique_id": "T1055",
+ "technique": "Process Injection",
+ "url": "https://attack.mitre.org/techniques/T1055",
+ "tactic": [
+ "Defense Evasion",
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1055.001",
+ "technique": "Process Injection : Dynamic-link Library Injection",
+ "url": "https://attack.mitre.org/techniques/T1055/001"
+ },
+ {
+ "technique_id": "T1055.002",
+ "technique": "Process Injection : Portable Executable Injection",
+ "url": "https://attack.mitre.org/techniques/T1055/002"
+ },
+ {
+ "technique_id": "T1055.003",
+ "technique": "Process Injection : Thread Execution Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1055/003"
+ },
+ {
+ "technique_id": "T1055.004",
+ "technique": "Process Injection : Asynchronous Procedure Call",
+ "url": "https://attack.mitre.org/techniques/T1055/004"
+ },
+ {
+ "technique_id": "T1055.005",
+ "technique": "Process Injection : Thread Local Storage",
+ "url": "https://attack.mitre.org/techniques/T1055/005"
+ },
+ {
+ "technique_id": "T1055.008",
+ "technique": "Process Injection : Ptrace System Calls",
+ "url": "https://attack.mitre.org/techniques/T1055/008"
+ },
+ {
+ "technique_id": "T1055.009",
+ "technique": "Process Injection : Proc Memory",
+ "url": "https://attack.mitre.org/techniques/T1055/009"
+ },
+ {
+ "technique_id": "T1055.011",
+ "technique": "Process Injection : Extra Window Memory Injection",
+ "url": "https://attack.mitre.org/techniques/T1055/011"
+ },
+ {
+ "technique_id": "T1055.012",
+ "technique": "Process Injection : Process Hollowing",
+ "url": "https://attack.mitre.org/techniques/T1055/012"
+ },
+ {
+ "technique_id": "T1055.013",
+ "technique": "Process Injection : Process Doppelg\u00e4nging",
+ "url": "https://attack.mitre.org/techniques/T1055/013"
+ },
+ {
+ "technique_id": "T1055.014",
+ "technique": "Process Injection : VDSO Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1055/014"
+ },
+ {
+ "technique_id": "T1056",
+ "technique": "Input Capture",
+ "url": "https://attack.mitre.org/techniques/T1056",
+ "tactic": [
+ "Collection",
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1056.001",
+ "technique": "Input Capture : Keylogging",
+ "url": "https://attack.mitre.org/techniques/T1056/001"
+ },
+ {
+ "technique_id": "T1056.002",
+ "technique": "Input Capture : GUI Input Capture",
+ "url": "https://attack.mitre.org/techniques/T1056/002"
+ },
+ {
+ "technique_id": "T1056.003",
+ "technique": "Input Capture : Web Portal Capture",
+ "url": "https://attack.mitre.org/techniques/T1056/003"
+ },
+ {
+ "technique_id": "T1056.004",
+ "technique": "Input Capture : Credential API Hooking",
+ "url": "https://attack.mitre.org/techniques/T1056/004"
+ },
+ {
+ "technique_id": "T1057",
+ "technique": "Process Discovery",
+ "url": "https://attack.mitre.org/techniques/T1057",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1059",
+ "technique": "Command and Scripting Interpreter",
+ "url": "https://attack.mitre.org/techniques/T1059",
+ "tactic": [
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1059.001",
+ "technique": "Command and Scripting Interpreter : PowerShell",
+ "url": "https://attack.mitre.org/techniques/T1059/001"
+ },
+ {
+ "technique_id": "T1059.002",
+ "technique": "Command and Scripting Interpreter : AppleScript",
+ "url": "https://attack.mitre.org/techniques/T1059/002"
+ },
+ {
+ "technique_id": "T1059.003",
+ "technique": "Command and Scripting Interpreter : Windows Command Shell",
+ "url": "https://attack.mitre.org/techniques/T1059/003"
+ },
+ {
+ "technique_id": "T1059.004",
+ "technique": "Command and Scripting Interpreter : Unix Shell",
+ "url": "https://attack.mitre.org/techniques/T1059/004"
+ },
+ {
+ "technique_id": "T1059.005",
+ "technique": "Command and Scripting Interpreter : Visual Basic",
+ "url": "https://attack.mitre.org/techniques/T1059/005"
+ },
+ {
+ "technique_id": "T1059.006",
+ "technique": "Command and Scripting Interpreter : Python",
+ "url": "https://attack.mitre.org/techniques/T1059/006"
+ },
+ {
+ "technique_id": "T1059.007",
+ "technique": "Command and Scripting Interpreter : JavaScript/JScript",
+ "url": "https://attack.mitre.org/techniques/T1059/007"
+ },
+ {
+ "technique_id": "T1068",
+ "technique": "Exploitation for Privilege Escalation",
+ "url": "https://attack.mitre.org/techniques/T1068",
+ "tactic": [
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1069",
+ "technique": "Permission Groups Discovery",
+ "url": "https://attack.mitre.org/techniques/T1069",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1069.001",
+ "technique": "Permission Groups Discovery : Local Groups",
+ "url": "https://attack.mitre.org/techniques/T1069/001"
+ },
+ {
+ "technique_id": "T1069.002",
+ "technique": "Permission Groups Discovery : Domain Groups",
+ "url": "https://attack.mitre.org/techniques/T1069/002"
+ },
+ {
+ "technique_id": "T1069.003",
+ "technique": "Permission Groups Discovery : Cloud Groups",
+ "url": "https://attack.mitre.org/techniques/T1069/003"
+ },
+ {
+ "technique_id": "T1070",
+ "technique": "Indicator Removal on Host",
+ "url": "https://attack.mitre.org/techniques/T1070",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1070.001",
+ "technique": "Indicator Removal on Host : Clear Windows Event Logs",
+ "url": "https://attack.mitre.org/techniques/T1070/001"
+ },
+ {
+ "technique_id": "T1070.002",
+ "technique": "Indicator Removal on Host : Clear Linux or Mac System Logs",
+ "url": "https://attack.mitre.org/techniques/T1070/002"
+ },
+ {
+ "technique_id": "T1070.003",
+ "technique": "Indicator Removal on Host : Clear Command History",
+ "url": "https://attack.mitre.org/techniques/T1070/003"
+ },
+ {
+ "technique_id": "T1070.004",
+ "technique": "Indicator Removal on Host : File Deletion",
+ "url": "https://attack.mitre.org/techniques/T1070/004"
+ },
+ {
+ "technique_id": "T1070.005",
+ "technique": "Indicator Removal on Host : Network Share Connection Removal",
+ "url": "https://attack.mitre.org/techniques/T1070/005"
+ },
+ {
+ "technique_id": "T1070.006",
+ "technique": "Indicator Removal on Host : Timestomp",
+ "url": "https://attack.mitre.org/techniques/T1070/006"
+ },
+ {
+ "technique_id": "T1071",
+ "technique": "Application Layer Protocol",
+ "url": "https://attack.mitre.org/techniques/T1071",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1071.001",
+ "technique": "Application Layer Protocol : Web Protocols",
+ "url": "https://attack.mitre.org/techniques/T1071/001"
+ },
+ {
+ "technique_id": "T1071.002",
+ "technique": "Application Layer Protocol : File Transfer Protocols",
+ "url": "https://attack.mitre.org/techniques/T1071/002"
+ },
+ {
+ "technique_id": "T1071.003",
+ "technique": "Application Layer Protocol : Mail Protocols",
+ "url": "https://attack.mitre.org/techniques/T1071/003"
+ },
+ {
+ "technique_id": "T1071.004",
+ "technique": "Application Layer Protocol : DNS",
+ "url": "https://attack.mitre.org/techniques/T1071/004"
+ },
+ {
+ "technique_id": "T1072",
+ "technique": "Software Deployment Tools",
+ "url": "https://attack.mitre.org/techniques/T1072",
+ "tactic": [
+ "Execution",
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1074",
+ "technique": "Data Staged",
+ "url": "https://attack.mitre.org/techniques/T1074",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1074.001",
+ "technique": "Data Staged : Local Data Staging",
+ "url": "https://attack.mitre.org/techniques/T1074/001"
+ },
+ {
+ "technique_id": "T1074.002",
+ "technique": "Data Staged : Remote Data Staging",
+ "url": "https://attack.mitre.org/techniques/T1074/002"
+ },
+ {
+ "technique_id": "T1078",
+ "technique": "Valid Accounts",
+ "url": "https://attack.mitre.org/techniques/T1078",
+ "tactic": [
+ "Defense Evasion",
+ "Persistence",
+ "Privilege Escalation",
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1078.001",
+ "technique": "Valid Accounts : Default Accounts",
+ "url": "https://attack.mitre.org/techniques/T1078/001"
+ },
+ {
+ "technique_id": "T1078.002",
+ "technique": "Valid Accounts : Domain Accounts",
+ "url": "https://attack.mitre.org/techniques/T1078/002"
+ },
+ {
+ "technique_id": "T1078.003",
+ "technique": "Valid Accounts : Local Accounts",
+ "url": "https://attack.mitre.org/techniques/T1078/003"
+ },
+ {
+ "technique_id": "T1078.004",
+ "technique": "Valid Accounts : Cloud Accounts",
+ "url": "https://attack.mitre.org/techniques/T1078/004"
+ },
+ {
+ "technique_id": "T1080",
+ "technique": "Taint Shared Content",
+ "url": "https://attack.mitre.org/techniques/T1080",
+ "tactic": [
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1082",
+ "technique": "System Information Discovery",
+ "url": "https://attack.mitre.org/techniques/T1082",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1083",
+ "technique": "File and Directory Discovery",
+ "url": "https://attack.mitre.org/techniques/T1083",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1087",
+ "technique": "Account Discovery",
+ "url": "https://attack.mitre.org/techniques/T1087",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1087.001",
+ "technique": "Account Discovery : Local Account",
+ "url": "https://attack.mitre.org/techniques/T1087/001"
+ },
+ {
+ "technique_id": "T1087.002",
+ "technique": "Account Discovery : Domain Account",
+ "url": "https://attack.mitre.org/techniques/T1087/002"
+ },
+ {
+ "technique_id": "T1087.003",
+ "technique": "Account Discovery : Email Account",
+ "url": "https://attack.mitre.org/techniques/T1087/003"
+ },
+ {
+ "technique_id": "T1087.004",
+ "technique": "Account Discovery : Cloud Account",
+ "url": "https://attack.mitre.org/techniques/T1087/004"
+ },
+ {
+ "technique_id": "T1090",
+ "technique": "Proxy",
+ "url": "https://attack.mitre.org/techniques/T1090",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1090.001",
+ "technique": "Proxy : Internal Proxy",
+ "url": "https://attack.mitre.org/techniques/T1090/001"
+ },
+ {
+ "technique_id": "T1090.002",
+ "technique": "Proxy : External Proxy",
+ "url": "https://attack.mitre.org/techniques/T1090/002"
+ },
+ {
+ "technique_id": "T1090.003",
+ "technique": "Proxy : Multi-hop Proxy",
+ "url": "https://attack.mitre.org/techniques/T1090/003"
+ },
+ {
+ "technique_id": "T1090.004",
+ "technique": "Proxy : Domain Fronting",
+ "url": "https://attack.mitre.org/techniques/T1090/004"
+ },
+ {
+ "technique_id": "T1091",
+ "technique": "Replication Through Removable Media",
+ "url": "https://attack.mitre.org/techniques/T1091",
+ "tactic": [
+ "Lateral Movement",
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1092",
+ "technique": "Communication Through Removable Media",
+ "url": "https://attack.mitre.org/techniques/T1092",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1095",
+ "technique": "Non-Application Layer Protocol",
+ "url": "https://attack.mitre.org/techniques/T1095",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1098",
+ "technique": "Account Manipulation",
+ "url": "https://attack.mitre.org/techniques/T1098",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1098.001",
+ "technique": "Account Manipulation : Additional Azure Service Principal Credentials",
+ "url": "https://attack.mitre.org/techniques/T1098/001"
+ },
+ {
+ "technique_id": "T1098.002",
+ "technique": "Account Manipulation : Exchange Email Delegate Permissions",
+ "url": "https://attack.mitre.org/techniques/T1098/002"
+ },
+ {
+ "technique_id": "T1098.003",
+ "technique": "Account Manipulation : Add Office 365 Global Administrator Role",
+ "url": "https://attack.mitre.org/techniques/T1098/003"
+ },
+ {
+ "technique_id": "T1098.004",
+ "technique": "Account Manipulation : SSH Authorized Keys",
+ "url": "https://attack.mitre.org/techniques/T1098/004"
+ },
+ {
+ "technique_id": "T1102",
+ "technique": "Web Service",
+ "url": "https://attack.mitre.org/techniques/T1102",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1102.001",
+ "technique": "Web Service : Dead Drop Resolver",
+ "url": "https://attack.mitre.org/techniques/T1102/001"
+ },
+ {
+ "technique_id": "T1102.002",
+ "technique": "Web Service : Bidirectional Communication",
+ "url": "https://attack.mitre.org/techniques/T1102/002"
+ },
+ {
+ "technique_id": "T1102.003",
+ "technique": "Web Service : One-Way Communication",
+ "url": "https://attack.mitre.org/techniques/T1102/003"
+ },
+ {
+ "technique_id": "T1104",
+ "technique": "Multi-Stage Channels",
+ "url": "https://attack.mitre.org/techniques/T1104",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1105",
+ "technique": "Ingress Tool Transfer",
+ "url": "https://attack.mitre.org/techniques/T1105",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1106",
+ "technique": "Native API",
+ "url": "https://attack.mitre.org/techniques/T1106",
+ "tactic": [
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1110",
+ "technique": "Brute Force",
+ "url": "https://attack.mitre.org/techniques/T1110",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1110.001",
+ "technique": "Brute Force : Password Guessing",
+ "url": "https://attack.mitre.org/techniques/T1110/001"
+ },
+ {
+ "technique_id": "T1110.002",
+ "technique": "Brute Force : Password Cracking",
+ "url": "https://attack.mitre.org/techniques/T1110/002"
+ },
+ {
+ "technique_id": "T1110.003",
+ "technique": "Brute Force : Password Spraying",
+ "url": "https://attack.mitre.org/techniques/T1110/003"
+ },
+ {
+ "technique_id": "T1110.004",
+ "technique": "Brute Force : Credential Stuffing",
+ "url": "https://attack.mitre.org/techniques/T1110/004"
+ },
+ {
+ "technique_id": "T1111",
+ "technique": "Two-Factor Authentication Interception",
+ "url": "https://attack.mitre.org/techniques/T1111",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1112",
+ "technique": "Modify Registry",
+ "url": "https://attack.mitre.org/techniques/T1112",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1113",
+ "technique": "Screen Capture",
+ "url": "https://attack.mitre.org/techniques/T1113",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1114",
+ "technique": "Email Collection",
+ "url": "https://attack.mitre.org/techniques/T1114",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1114.001",
+ "technique": "Email Collection : Local Email Collection",
+ "url": "https://attack.mitre.org/techniques/T1114/001"
+ },
+ {
+ "technique_id": "T1114.002",
+ "technique": "Email Collection : Remote Email Collection",
+ "url": "https://attack.mitre.org/techniques/T1114/002"
+ },
+ {
+ "technique_id": "T1114.003",
+ "technique": "Email Collection : Email Forwarding Rule",
+ "url": "https://attack.mitre.org/techniques/T1114/003"
+ },
+ {
+ "technique_id": "T1115",
+ "technique": "Clipboard Data",
+ "url": "https://attack.mitre.org/techniques/T1115",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1119",
+ "technique": "Automated Collection",
+ "url": "https://attack.mitre.org/techniques/T1119",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1120",
+ "technique": "Peripheral Device Discovery",
+ "url": "https://attack.mitre.org/techniques/T1120",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1123",
+ "technique": "Audio Capture",
+ "url": "https://attack.mitre.org/techniques/T1123",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1124",
+ "technique": "System Time Discovery",
+ "url": "https://attack.mitre.org/techniques/T1124",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1125",
+ "technique": "Video Capture",
+ "url": "https://attack.mitre.org/techniques/T1125",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1127",
+ "technique": "Trusted Developer Utilities Proxy Execution",
+ "url": "https://attack.mitre.org/techniques/T1127",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1127.001",
+ "technique": "Trusted Developer Utilities Proxy Execution : MSBuild",
+ "url": "https://attack.mitre.org/techniques/T1127/001"
+ },
+ {
+ "technique_id": "T1129",
+ "technique": "Shared Modules",
+ "url": "https://attack.mitre.org/techniques/T1129",
+ "tactic": [
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1132",
+ "technique": "Data Encoding",
+ "url": "https://attack.mitre.org/techniques/T1132",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1132.001",
+ "technique": "Data Encoding : Standard Encoding",
+ "url": "https://attack.mitre.org/techniques/T1132/001"
+ },
+ {
+ "technique_id": "T1132.002",
+ "technique": "Data Encoding : Non-Standard Encoding",
+ "url": "https://attack.mitre.org/techniques/T1132/002"
+ },
+ {
+ "technique_id": "T1133",
+ "technique": "External Remote Services",
+ "url": "https://attack.mitre.org/techniques/T1133",
+ "tactic": [
+ "Persistence",
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1134",
+ "technique": "Access Token Manipulation",
+ "url": "https://attack.mitre.org/techniques/T1134",
+ "tactic": [
+ "Defense Evasion",
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1134.001",
+ "technique": "Access Token Manipulation : Token Impersonation/Theft",
+ "url": "https://attack.mitre.org/techniques/T1134/001"
+ },
+ {
+ "technique_id": "T1134.002",
+ "technique": "Access Token Manipulation : Create Process with Token",
+ "url": "https://attack.mitre.org/techniques/T1134/002"
+ },
+ {
+ "technique_id": "T1134.003",
+ "technique": "Access Token Manipulation : Make and Impersonate Token",
+ "url": "https://attack.mitre.org/techniques/T1134/003"
+ },
+ {
+ "technique_id": "T1134.004",
+ "technique": "Access Token Manipulation : Parent PID Spoofing",
+ "url": "https://attack.mitre.org/techniques/T1134/004"
+ },
+ {
+ "technique_id": "T1134.005",
+ "technique": "Access Token Manipulation : SID-History Injection",
+ "url": "https://attack.mitre.org/techniques/T1134/005"
+ },
+ {
+ "technique_id": "T1135",
+ "technique": "Network Share Discovery",
+ "url": "https://attack.mitre.org/techniques/T1135",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1136",
+ "technique": "Create Account",
+ "url": "https://attack.mitre.org/techniques/T1136",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1136.001",
+ "technique": "Create Account : Local Account",
+ "url": "https://attack.mitre.org/techniques/T1136/001"
+ },
+ {
+ "technique_id": "T1136.002",
+ "technique": "Create Account : Domain Account",
+ "url": "https://attack.mitre.org/techniques/T1136/002"
+ },
+ {
+ "technique_id": "T1136.003",
+ "technique": "Create Account : Cloud Account",
+ "url": "https://attack.mitre.org/techniques/T1136/003"
+ },
+ {
+ "technique_id": "T1137",
+ "technique": "Office Application Startup",
+ "url": "https://attack.mitre.org/techniques/T1137",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1137.001",
+ "technique": "Office Application Startup : Office Template Macros",
+ "url": "https://attack.mitre.org/techniques/T1137/001"
+ },
+ {
+ "technique_id": "T1137.002",
+ "technique": "Office Application Startup : Office Test",
+ "url": "https://attack.mitre.org/techniques/T1137/002"
+ },
+ {
+ "technique_id": "T1137.003",
+ "technique": "Office Application Startup : Outlook Forms",
+ "url": "https://attack.mitre.org/techniques/T1137/003"
+ },
+ {
+ "technique_id": "T1137.004",
+ "technique": "Office Application Startup : Outlook Home Page",
+ "url": "https://attack.mitre.org/techniques/T1137/004"
+ },
+ {
+ "technique_id": "T1137.005",
+ "technique": "Office Application Startup : Outlook Rules",
+ "url": "https://attack.mitre.org/techniques/T1137/005"
+ },
+ {
+ "technique_id": "T1137.006",
+ "technique": "Office Application Startup : Add-ins",
+ "url": "https://attack.mitre.org/techniques/T1137/006"
+ },
+ {
+ "technique_id": "T1140",
+ "technique": "Deobfuscate/Decode Files or Information",
+ "url": "https://attack.mitre.org/techniques/T1140",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1176",
+ "technique": "Browser Extensions",
+ "url": "https://attack.mitre.org/techniques/T1176",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1185",
+ "technique": "Man in the Browser",
+ "url": "https://attack.mitre.org/techniques/T1185",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1187",
+ "technique": "Forced Authentication",
+ "url": "https://attack.mitre.org/techniques/T1187",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1189",
+ "technique": "Drive-by Compromise",
+ "url": "https://attack.mitre.org/techniques/T1189",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1190",
+ "technique": "Exploit Public-Facing Application",
+ "url": "https://attack.mitre.org/techniques/T1190",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1195",
+ "technique": "Supply Chain Compromise",
+ "url": "https://attack.mitre.org/techniques/T1195",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1195.001",
+ "technique": "Supply Chain Compromise : Compromise Software Dependencies and Development Tools",
+ "url": "https://attack.mitre.org/techniques/T1195/001"
+ },
+ {
+ "technique_id": "T1195.002",
+ "technique": "Supply Chain Compromise : Compromise Software Supply Chain",
+ "url": "https://attack.mitre.org/techniques/T1195/002"
+ },
+ {
+ "technique_id": "T1195.003",
+ "technique": "Supply Chain Compromise : Compromise Hardware Supply Chain",
+ "url": "https://attack.mitre.org/techniques/T1195/003"
+ },
+ {
+ "technique_id": "T1197",
+ "technique": "BITS Jobs",
+ "url": "https://attack.mitre.org/techniques/T1197",
+ "tactic": [
+ "Defense Evasion",
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1199",
+ "technique": "Trusted Relationship",
+ "url": "https://attack.mitre.org/techniques/T1199",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1200",
+ "technique": "Hardware Additions",
+ "url": "https://attack.mitre.org/techniques/T1200",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1201",
+ "technique": "Password Policy Discovery",
+ "url": "https://attack.mitre.org/techniques/T1201",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1202",
+ "technique": "Indirect Command Execution",
+ "url": "https://attack.mitre.org/techniques/T1202",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1203",
+ "technique": "Exploitation for Client Execution",
+ "url": "https://attack.mitre.org/techniques/T1203",
+ "tactic": [
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1204",
+ "technique": "User Execution",
+ "url": "https://attack.mitre.org/techniques/T1204",
+ "tactic": [
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1204.001",
+ "technique": "User Execution : Malicious Link",
+ "url": "https://attack.mitre.org/techniques/T1204/001"
+ },
+ {
+ "technique_id": "T1204.002",
+ "technique": "User Execution : Malicious File",
+ "url": "https://attack.mitre.org/techniques/T1204/002"
+ },
+ {
+ "technique_id": "T1205",
+ "technique": "Traffic Signaling",
+ "url": "https://attack.mitre.org/techniques/T1205",
+ "tactic": [
+ "Defense Evasion",
+ "Persistence",
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1205.001",
+ "technique": "Traffic Signaling : Port Knocking",
+ "url": "https://attack.mitre.org/techniques/T1205/001"
+ },
+ {
+ "technique_id": "T1207",
+ "technique": "Rogue Domain Controller",
+ "url": "https://attack.mitre.org/techniques/T1207",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1210",
+ "technique": "Exploitation of Remote Services",
+ "url": "https://attack.mitre.org/techniques/T1210",
+ "tactic": [
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1211",
+ "technique": "Exploitation for Defense Evasion",
+ "url": "https://attack.mitre.org/techniques/T1211",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1212",
+ "technique": "Exploitation for Credential Access",
+ "url": "https://attack.mitre.org/techniques/T1212",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1213",
+ "technique": "Data from Information Repositories",
+ "url": "https://attack.mitre.org/techniques/T1213",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1213.001",
+ "technique": "Data from Information Repositories : Confluence",
+ "url": "https://attack.mitre.org/techniques/T1213/001"
+ },
+ {
+ "technique_id": "T1213.002",
+ "technique": "Data from Information Repositories : Sharepoint",
+ "url": "https://attack.mitre.org/techniques/T1213/002"
+ },
+ {
+ "technique_id": "T1216",
+ "technique": "Signed Script Proxy Execution",
+ "url": "https://attack.mitre.org/techniques/T1216",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1216.001",
+ "technique": "Signed Script Proxy Execution : PubPrn",
+ "url": "https://attack.mitre.org/techniques/T1216/001"
+ },
+ {
+ "technique_id": "T1217",
+ "technique": "Browser Bookmark Discovery",
+ "url": "https://attack.mitre.org/techniques/T1217",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1218",
+ "technique": "Signed Binary Proxy Execution",
+ "url": "https://attack.mitre.org/techniques/T1218",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1218.001",
+ "technique": "Signed Binary Proxy Execution : Compiled HTML File",
+ "url": "https://attack.mitre.org/techniques/T1218/001"
+ },
+ {
+ "technique_id": "T1218.002",
+ "technique": "Signed Binary Proxy Execution : Control Panel",
+ "url": "https://attack.mitre.org/techniques/T1218/002"
+ },
+ {
+ "technique_id": "T1218.003",
+ "technique": "Signed Binary Proxy Execution : CMSTP",
+ "url": "https://attack.mitre.org/techniques/T1218/003"
+ },
+ {
+ "technique_id": "T1218.004",
+ "technique": "Signed Binary Proxy Execution : InstallUtil",
+ "url": "https://attack.mitre.org/techniques/T1218/004"
+ },
+ {
+ "technique_id": "T1218.005",
+ "technique": "Signed Binary Proxy Execution : Mshta",
+ "url": "https://attack.mitre.org/techniques/T1218/005"
+ },
+ {
+ "technique_id": "T1218.007",
+ "technique": "Signed Binary Proxy Execution : Msiexec",
+ "url": "https://attack.mitre.org/techniques/T1218/007"
+ },
+ {
+ "technique_id": "T1218.008",
+ "technique": "Signed Binary Proxy Execution : Odbcconf",
+ "url": "https://attack.mitre.org/techniques/T1218/008"
+ },
+ {
+ "technique_id": "T1218.009",
+ "technique": "Signed Binary Proxy Execution : Regsvcs/Regasm",
+ "url": "https://attack.mitre.org/techniques/T1218/009"
+ },
+ {
+ "technique_id": "T1218.010",
+ "technique": "Signed Binary Proxy Execution : Regsvr32",
+ "url": "https://attack.mitre.org/techniques/T1218/010"
+ },
+ {
+ "technique_id": "T1218.011",
+ "technique": "Signed Binary Proxy Execution : Rundll32",
+ "url": "https://attack.mitre.org/techniques/T1218/011"
+ },
+ {
+ "technique_id": "T1219",
+ "technique": "Remote Access Software",
+ "url": "https://attack.mitre.org/techniques/T1219",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1220",
+ "technique": "XSL Script Processing",
+ "url": "https://attack.mitre.org/techniques/T1220",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1221",
+ "technique": "Template Injection",
+ "url": "https://attack.mitre.org/techniques/T1221",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1222",
+ "technique": "File and Directory Permissions Modification",
+ "url": "https://attack.mitre.org/techniques/T1222",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1222.001",
+ "technique": "File and Directory Permissions Modification : Windows File and Directory Permissions Modification",
+ "url": "https://attack.mitre.org/techniques/T1222/001"
+ },
+ {
+ "technique_id": "T1222.002",
+ "technique": "File and Directory Permissions Modification : Linux and Mac File and Directory Permissions Modification",
+ "url": "https://attack.mitre.org/techniques/T1222/002"
+ },
+ {
+ "technique_id": "T1224",
+ "technique": "Assess leadership areas of interest",
+ "url": "https://attack.mitre.org/techniques/T1224",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1225",
+ "technique": "Identify gap areas",
+ "url": "https://attack.mitre.org/techniques/T1225",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1226",
+ "technique": "Conduct cost/benefit analysis",
+ "url": "https://attack.mitre.org/techniques/T1226",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1227",
+ "technique": "Develop KITs/KIQs",
+ "url": "https://attack.mitre.org/techniques/T1227",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1228",
+ "technique": "Assign KITs/KIQs into categories",
+ "url": "https://attack.mitre.org/techniques/T1228",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1229",
+ "technique": "Assess KITs/KIQs benefits",
+ "url": "https://attack.mitre.org/techniques/T1229",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1230",
+ "technique": "Derive intelligence requirements",
+ "url": "https://attack.mitre.org/techniques/T1230",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1231",
+ "technique": "Create strategic plan",
+ "url": "https://attack.mitre.org/techniques/T1231",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1232",
+ "technique": "Create implementation plan",
+ "url": "https://attack.mitre.org/techniques/T1232",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1233",
+ "technique": "Identify analyst level gaps",
+ "url": "https://attack.mitre.org/techniques/T1233",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1234",
+ "technique": "Generate analyst intelligence requirements",
+ "url": "https://attack.mitre.org/techniques/T1234",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1235",
+ "technique": "Receive operator KITs/KIQs tasking",
+ "url": "https://attack.mitre.org/techniques/T1235",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1236",
+ "technique": "Assess current holdings, needs, and wants",
+ "url": "https://attack.mitre.org/techniques/T1236",
+ "tactic": [
+ "Priority Definition Planning"
+ ]
+ },
+ {
+ "technique_id": "T1237",
+ "technique": "Submit KITs, KIQs, and intelligence requirements",
+ "url": "https://attack.mitre.org/techniques/T1237",
+ "tactic": [
+ "Priority Definition Direction"
+ ]
+ },
+ {
+ "technique_id": "T1238",
+ "technique": "Assign KITs, KIQs, and/or intelligence requirements",
+ "url": "https://attack.mitre.org/techniques/T1238",
+ "tactic": [
+ "Priority Definition Direction"
+ ]
+ },
+ {
+ "technique_id": "T1239",
+ "technique": "Receive KITs/KIQs and determine requirements",
+ "url": "https://attack.mitre.org/techniques/T1239",
+ "tactic": [
+ "Priority Definition Direction"
+ ]
+ },
+ {
+ "technique_id": "T1240",
+ "technique": "Task requirements",
+ "url": "https://attack.mitre.org/techniques/T1240",
+ "tactic": [
+ "Priority Definition Direction"
+ ]
+ },
+ {
+ "technique_id": "T1241",
+ "technique": "Determine strategic target",
+ "url": "https://attack.mitre.org/techniques/T1241",
+ "tactic": [
+ "Target Selection"
+ ]
+ },
+ {
+ "technique_id": "T1242",
+ "technique": "Determine operational element",
+ "url": "https://attack.mitre.org/techniques/T1242",
+ "tactic": [
+ "Target Selection"
+ ]
+ },
+ {
+ "technique_id": "T1243",
+ "technique": "Determine highest level tactical element",
+ "url": "https://attack.mitre.org/techniques/T1243",
+ "tactic": [
+ "Target Selection"
+ ]
+ },
+ {
+ "technique_id": "T1244",
+ "technique": "Determine secondary level tactical element",
+ "url": "https://attack.mitre.org/techniques/T1244",
+ "tactic": [
+ "Target Selection"
+ ]
+ },
+ {
+ "technique_id": "T1245",
+ "technique": "Determine approach/attack vector",
+ "url": "https://attack.mitre.org/techniques/T1245",
+ "tactic": [
+ "Target Selection"
+ ]
+ },
+ {
+ "technique_id": "T1246",
+ "technique": "Identify supply chains",
+ "url": "https://attack.mitre.org/techniques/T1246",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1247",
+ "technique": "Acquire OSINT data sets and information",
+ "url": "https://attack.mitre.org/techniques/T1247",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1248",
+ "technique": "Identify job postings and needs/gaps",
+ "url": "https://attack.mitre.org/techniques/T1248",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1249",
+ "technique": "Conduct social engineering",
+ "url": "https://attack.mitre.org/techniques/T1249",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1250",
+ "technique": "Determine domain and IP address space",
+ "url": "https://attack.mitre.org/techniques/T1250",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1251",
+ "technique": "Obtain domain/IP registration information",
+ "url": "https://attack.mitre.org/techniques/T1251",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1252",
+ "technique": "Map network topology",
+ "url": "https://attack.mitre.org/techniques/T1252",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1253",
+ "technique": "Conduct passive scanning",
+ "url": "https://attack.mitre.org/techniques/T1253",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1254",
+ "technique": "Conduct active scanning",
+ "url": "https://attack.mitre.org/techniques/T1254",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1255",
+ "technique": "Discover target logon/email address format",
+ "url": "https://attack.mitre.org/techniques/T1255",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1256",
+ "technique": "Identify web defensive services",
+ "url": "https://attack.mitre.org/techniques/T1256",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1257",
+ "technique": "Mine technical blogs/forums",
+ "url": "https://attack.mitre.org/techniques/T1257",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1258",
+ "technique": "Determine firmware version",
+ "url": "https://attack.mitre.org/techniques/T1258",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1259",
+ "technique": "Determine external network trust dependencies",
+ "url": "https://attack.mitre.org/techniques/T1259",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1260",
+ "technique": "Determine 3rd party infrastructure services",
+ "url": "https://attack.mitre.org/techniques/T1260",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1261",
+ "technique": "Enumerate externally facing software applications technologies, languages, and dependencies",
+ "url": "https://attack.mitre.org/techniques/T1261",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1262",
+ "technique": "Enumerate client configurations",
+ "url": "https://attack.mitre.org/techniques/T1262",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1263",
+ "technique": "Identify security defensive capabilities",
+ "url": "https://attack.mitre.org/techniques/T1263",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1264",
+ "technique": "Identify technology usage patterns",
+ "url": "https://attack.mitre.org/techniques/T1264",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1265",
+ "technique": "Identify supply chains",
+ "url": "https://attack.mitre.org/techniques/T1265",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1266",
+ "technique": "Acquire OSINT data sets and information",
+ "url": "https://attack.mitre.org/techniques/T1266",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1267",
+ "technique": "Identify job postings and needs/gaps",
+ "url": "https://attack.mitre.org/techniques/T1267",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1268",
+ "technique": "Conduct social engineering",
+ "url": "https://attack.mitre.org/techniques/T1268",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1269",
+ "technique": "Identify people of interest",
+ "url": "https://attack.mitre.org/techniques/T1269",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1270",
+ "technique": "Identify groups/roles",
+ "url": "https://attack.mitre.org/techniques/T1270",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1271",
+ "technique": "Identify personnel with an authority/privilege",
+ "url": "https://attack.mitre.org/techniques/T1271",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1272",
+ "technique": "Identify business relationships",
+ "url": "https://attack.mitre.org/techniques/T1272",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1273",
+ "technique": "Mine social media",
+ "url": "https://attack.mitre.org/techniques/T1273",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1274",
+ "technique": "Identify sensitive personnel information",
+ "url": "https://attack.mitre.org/techniques/T1274",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1275",
+ "technique": "Aggregate individual's digital footprint",
+ "url": "https://attack.mitre.org/techniques/T1275",
+ "tactic": [
+ "People Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1276",
+ "technique": "Identify supply chains",
+ "url": "https://attack.mitre.org/techniques/T1276",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1277",
+ "technique": "Acquire OSINT data sets and information",
+ "url": "https://attack.mitre.org/techniques/T1277",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1278",
+ "technique": "Identify job postings and needs/gaps",
+ "url": "https://attack.mitre.org/techniques/T1278",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1279",
+ "technique": "Conduct social engineering",
+ "url": "https://attack.mitre.org/techniques/T1279",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1280",
+ "technique": "Identify business processes/tempo",
+ "url": "https://attack.mitre.org/techniques/T1280",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1281",
+ "technique": "Obtain templates/branding materials",
+ "url": "https://attack.mitre.org/techniques/T1281",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1282",
+ "technique": "Determine physical locations",
+ "url": "https://attack.mitre.org/techniques/T1282",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1283",
+ "technique": "Identify business relationships",
+ "url": "https://attack.mitre.org/techniques/T1283",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1284",
+ "technique": "Determine 3rd party infrastructure services",
+ "url": "https://attack.mitre.org/techniques/T1284",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1285",
+ "technique": "Determine centralization of IT management",
+ "url": "https://attack.mitre.org/techniques/T1285",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1286",
+ "technique": "Dumpster dive",
+ "url": "https://attack.mitre.org/techniques/T1286",
+ "tactic": [
+ "Organizational Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1287",
+ "technique": "Analyze data collected",
+ "url": "https://attack.mitre.org/techniques/T1287",
+ "tactic": [
+ "Technical Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1288",
+ "technique": "Analyze architecture and configuration posture",
+ "url": "https://attack.mitre.org/techniques/T1288",
+ "tactic": [
+ "Technical Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1289",
+ "technique": "Analyze organizational skillsets and deficiencies",
+ "url": "https://attack.mitre.org/techniques/T1289",
+ "tactic": [
+ "Technical Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1290",
+ "technique": "Research visibility gap of security vendors",
+ "url": "https://attack.mitre.org/techniques/T1290",
+ "tactic": [
+ "Technical Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1291",
+ "technique": "Research relevant vulnerabilities/CVEs",
+ "url": "https://attack.mitre.org/techniques/T1291",
+ "tactic": [
+ "Technical Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1292",
+ "technique": "Test signature detection",
+ "url": "https://attack.mitre.org/techniques/T1292",
+ "tactic": [
+ "Technical Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1293",
+ "technique": "Analyze application security posture",
+ "url": "https://attack.mitre.org/techniques/T1293",
+ "tactic": [
+ "Technical Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1294",
+ "technique": "Analyze hardware/software security defensive capabilities",
+ "url": "https://attack.mitre.org/techniques/T1294",
+ "tactic": [
+ "Technical Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1295",
+ "technique": "Analyze social and business relationships, interests, and affiliations",
+ "url": "https://attack.mitre.org/techniques/T1295",
+ "tactic": [
+ "People Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1296",
+ "technique": "Assess targeting options",
+ "url": "https://attack.mitre.org/techniques/T1296",
+ "tactic": [
+ "People Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1297",
+ "technique": "Analyze organizational skillsets and deficiencies",
+ "url": "https://attack.mitre.org/techniques/T1297",
+ "tactic": [
+ "People Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1298",
+ "technique": "Assess vulnerability of 3rd party vendors",
+ "url": "https://attack.mitre.org/techniques/T1298",
+ "tactic": [
+ "Organizational Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1299",
+ "technique": "Assess opportunities created by business deals",
+ "url": "https://attack.mitre.org/techniques/T1299",
+ "tactic": [
+ "Organizational Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1300",
+ "technique": "Analyze organizational skillsets and deficiencies",
+ "url": "https://attack.mitre.org/techniques/T1300",
+ "tactic": [
+ "Organizational Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1301",
+ "technique": "Analyze business processes",
+ "url": "https://attack.mitre.org/techniques/T1301",
+ "tactic": [
+ "Organizational Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1302",
+ "technique": "Assess security posture of physical locations",
+ "url": "https://attack.mitre.org/techniques/T1302",
+ "tactic": [
+ "Organizational Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1303",
+ "technique": "Analyze presence of outsourced capabilities",
+ "url": "https://attack.mitre.org/techniques/T1303",
+ "tactic": [
+ "Organizational Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1304",
+ "technique": "Proxy/protocol relays",
+ "url": "https://attack.mitre.org/techniques/T1304",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1305",
+ "technique": "Private whois services",
+ "url": "https://attack.mitre.org/techniques/T1305",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1306",
+ "technique": "Anonymity services",
+ "url": "https://attack.mitre.org/techniques/T1306",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1307",
+ "technique": "Acquire and/or use 3rd party infrastructure services",
+ "url": "https://attack.mitre.org/techniques/T1307",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1308",
+ "technique": "Acquire and/or use 3rd party software services",
+ "url": "https://attack.mitre.org/techniques/T1308",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1309",
+ "technique": "Obfuscate infrastructure",
+ "url": "https://attack.mitre.org/techniques/T1309",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1310",
+ "technique": "Acquire or compromise 3rd party signing certificates",
+ "url": "https://attack.mitre.org/techniques/T1310",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1311",
+ "technique": "Dynamic DNS",
+ "url": "https://attack.mitre.org/techniques/T1311",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1312",
+ "technique": "Compromise 3rd party infrastructure to support delivery",
+ "url": "https://attack.mitre.org/techniques/T1312",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1313",
+ "technique": "Obfuscation or cryptography",
+ "url": "https://attack.mitre.org/techniques/T1313",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1314",
+ "technique": "Host-based hiding techniques",
+ "url": "https://attack.mitre.org/techniques/T1314",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1315",
+ "technique": "Network-based hiding techniques",
+ "url": "https://attack.mitre.org/techniques/T1315",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1316",
+ "technique": "Non-traditional or less attributable payment options",
+ "url": "https://attack.mitre.org/techniques/T1316",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1317",
+ "technique": "Secure and protect infrastructure",
+ "url": "https://attack.mitre.org/techniques/T1317",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1318",
+ "technique": "Obfuscate operational infrastructure",
+ "url": "https://attack.mitre.org/techniques/T1318",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1319",
+ "technique": "Obfuscate or encrypt code",
+ "url": "https://attack.mitre.org/techniques/T1319",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1320",
+ "technique": "Data Hiding",
+ "url": "https://attack.mitre.org/techniques/T1320",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1321",
+ "technique": "Common, high volume protocols and software",
+ "url": "https://attack.mitre.org/techniques/T1321",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1322",
+ "technique": "Misattributable credentials",
+ "url": "https://attack.mitre.org/techniques/T1322",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1326",
+ "technique": "Domain registration hijacking",
+ "url": "https://attack.mitre.org/techniques/T1326",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1327",
+ "technique": "Use multiple DNS infrastructures",
+ "url": "https://attack.mitre.org/techniques/T1327",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1328",
+ "technique": "Buy domain name",
+ "url": "https://attack.mitre.org/techniques/T1328",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1329",
+ "technique": "Acquire and/or use 3rd party infrastructure services",
+ "url": "https://attack.mitre.org/techniques/T1329",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1330",
+ "technique": "Acquire and/or use 3rd party software services",
+ "url": "https://attack.mitre.org/techniques/T1330",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1331",
+ "technique": "Obfuscate infrastructure",
+ "url": "https://attack.mitre.org/techniques/T1331",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1332",
+ "technique": "Acquire or compromise 3rd party signing certificates",
+ "url": "https://attack.mitre.org/techniques/T1332",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1333",
+ "technique": "Dynamic DNS",
+ "url": "https://attack.mitre.org/techniques/T1333",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1334",
+ "technique": "Compromise 3rd party infrastructure to support delivery",
+ "url": "https://attack.mitre.org/techniques/T1334",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1335",
+ "technique": "Procure required equipment and software",
+ "url": "https://attack.mitre.org/techniques/T1335",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1336",
+ "technique": "Install and configure hardware, network, and systems",
+ "url": "https://attack.mitre.org/techniques/T1336",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1337",
+ "technique": "SSL certificate acquisition for domain",
+ "url": "https://attack.mitre.org/techniques/T1337",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1338",
+ "technique": "SSL certificate acquisition for trust breaking",
+ "url": "https://attack.mitre.org/techniques/T1338",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1339",
+ "technique": "Create backup infrastructure",
+ "url": "https://attack.mitre.org/techniques/T1339",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1340",
+ "technique": "Shadow DNS",
+ "url": "https://attack.mitre.org/techniques/T1340",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1341",
+ "technique": "Build social network persona",
+ "url": "https://attack.mitre.org/techniques/T1341",
+ "tactic": [
+ "Persona Development"
+ ]
+ },
+ {
+ "technique_id": "T1342",
+ "technique": "Develop social network persona digital footprint",
+ "url": "https://attack.mitre.org/techniques/T1342",
+ "tactic": [
+ "Persona Development"
+ ]
+ },
+ {
+ "technique_id": "T1343",
+ "technique": "Choose pre-compromised persona and affiliated accounts",
+ "url": "https://attack.mitre.org/techniques/T1343",
+ "tactic": [
+ "Persona Development"
+ ]
+ },
+ {
+ "technique_id": "T1344",
+ "technique": "Friend/Follow/Connect to targets of interest",
+ "url": "https://attack.mitre.org/techniques/T1344",
+ "tactic": [
+ "Persona Development"
+ ]
+ },
+ {
+ "technique_id": "T1345",
+ "technique": "Create custom payloads",
+ "url": "https://attack.mitre.org/techniques/T1345",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1346",
+ "technique": "Obtain/re-use payloads",
+ "url": "https://attack.mitre.org/techniques/T1346",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1347",
+ "technique": "Build and configure delivery systems",
+ "url": "https://attack.mitre.org/techniques/T1347",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1348",
+ "technique": "Identify resources required to build capabilities",
+ "url": "https://attack.mitre.org/techniques/T1348",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1349",
+ "technique": "Build or acquire exploits",
+ "url": "https://attack.mitre.org/techniques/T1349",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1350",
+ "technique": "Discover new exploits and monitor exploit-provider forums",
+ "url": "https://attack.mitre.org/techniques/T1350",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1351",
+ "technique": "Remote access tool development",
+ "url": "https://attack.mitre.org/techniques/T1351",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1352",
+ "technique": "C2 protocol development",
+ "url": "https://attack.mitre.org/techniques/T1352",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1353",
+ "technique": "Post compromise tool development",
+ "url": "https://attack.mitre.org/techniques/T1353",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1354",
+ "technique": "Compromise 3rd party or closed-source vulnerability/exploit information",
+ "url": "https://attack.mitre.org/techniques/T1354",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1355",
+ "technique": "Create infected removable media",
+ "url": "https://attack.mitre.org/techniques/T1355",
+ "tactic": [
+ "Build Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1356",
+ "technique": "Test callback functionality",
+ "url": "https://attack.mitre.org/techniques/T1356",
+ "tactic": [
+ "Test Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1357",
+ "technique": "Test malware in various execution environments",
+ "url": "https://attack.mitre.org/techniques/T1357",
+ "tactic": [
+ "Test Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1358",
+ "technique": "Review logs and residual traces",
+ "url": "https://attack.mitre.org/techniques/T1358",
+ "tactic": [
+ "Test Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1359",
+ "technique": "Test malware to evade detection",
+ "url": "https://attack.mitre.org/techniques/T1359",
+ "tactic": [
+ "Test Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1360",
+ "technique": "Test physical access",
+ "url": "https://attack.mitre.org/techniques/T1360",
+ "tactic": [
+ "Test Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1361",
+ "technique": "Test signature detection for file upload/email filters",
+ "url": "https://attack.mitre.org/techniques/T1361",
+ "tactic": [
+ "Test Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1362",
+ "technique": "Upload, install, and configure software/tools",
+ "url": "https://attack.mitre.org/techniques/T1362",
+ "tactic": [
+ "Stage Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1363",
+ "technique": "Port redirector",
+ "url": "https://attack.mitre.org/techniques/T1363",
+ "tactic": [
+ "Stage Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1364",
+ "technique": "Friend/Follow/Connect to targets of interest",
+ "url": "https://attack.mitre.org/techniques/T1364",
+ "tactic": [
+ "Stage Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1365",
+ "technique": "Hardware or software supply chain implant",
+ "url": "https://attack.mitre.org/techniques/T1365",
+ "tactic": [
+ "Stage Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1379",
+ "technique": "Disseminate removable media",
+ "url": "https://attack.mitre.org/techniques/T1379",
+ "tactic": [
+ "Stage Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1389",
+ "technique": "Identify vulnerabilities in third-party software libraries",
+ "url": "https://attack.mitre.org/techniques/T1389",
+ "tactic": [
+ "Technical Weakness Identification"
+ ]
+ },
+ {
+ "technique_id": "T1390",
+ "technique": "OS-vendor provided communication channels",
+ "url": "https://attack.mitre.org/techniques/T1390",
+ "tactic": [
+ "Adversary OPSEC"
+ ]
+ },
+ {
+ "technique_id": "T1391",
+ "technique": "Choose pre-compromised mobile app developer account credentials or signing keys",
+ "url": "https://attack.mitre.org/techniques/T1391",
+ "tactic": [
+ "Persona Development"
+ ]
+ },
+ {
+ "technique_id": "T1392",
+ "technique": "Obtain Apple iOS enterprise distribution key pair and certificate",
+ "url": "https://attack.mitre.org/techniques/T1392",
+ "tactic": [
+ "Persona Development"
+ ]
+ },
+ {
+ "technique_id": "T1393",
+ "technique": "Test ability to evade automated mobile application security analysis performed by app stores",
+ "url": "https://attack.mitre.org/techniques/T1393",
+ "tactic": [
+ "Test Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1394",
+ "technique": "Distribute malicious software development tools",
+ "url": "https://attack.mitre.org/techniques/T1394",
+ "tactic": [
+ "Stage Capabilities"
+ ]
+ },
+ {
+ "technique_id": "T1396",
+ "technique": "Obtain booter/stressor subscription",
+ "url": "https://attack.mitre.org/techniques/T1396",
+ "tactic": [
+ "Establish & Maintain Infrastructure"
+ ]
+ },
+ {
+ "technique_id": "T1397",
+ "technique": "Spearphishing for Information",
+ "url": "https://attack.mitre.org/techniques/T1397",
+ "tactic": [
+ "Technical Information Gathering"
+ ]
+ },
+ {
+ "technique_id": "T1398",
+ "technique": "Modify OS Kernel or Boot Partition",
+ "url": "https://attack.mitre.org/techniques/T1398",
+ "tactic": [
+ "Defense Evasion",
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1399",
+ "technique": "Modify Trusted Execution Environment",
+ "url": "https://attack.mitre.org/techniques/T1399",
+ "tactic": [
+ "Defense Evasion",
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1400",
+ "technique": "Modify System Partition",
+ "url": "https://attack.mitre.org/techniques/T1400",
+ "tactic": [
+ "Defense Evasion",
+ "Persistence",
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1401",
+ "technique": "Abuse Device Administrator Access to Prevent Removal",
+ "url": "https://attack.mitre.org/techniques/T1401",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1402",
+ "technique": "Broadcast Receivers",
+ "url": "https://attack.mitre.org/techniques/T1402",
+ "tactic": [
+ "Persistence",
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1403",
+ "technique": "Modify Cached Executable Code",
+ "url": "https://attack.mitre.org/techniques/T1403",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1404",
+ "technique": "Exploit OS Vulnerability",
+ "url": "https://attack.mitre.org/techniques/T1404",
+ "tactic": [
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1405",
+ "technique": "Exploit TEE Vulnerability",
+ "url": "https://attack.mitre.org/techniques/T1405",
+ "tactic": [
+ "Credential Access",
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1406",
+ "technique": "Obfuscated Files or Information",
+ "url": "https://attack.mitre.org/techniques/T1406",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1407",
+ "technique": "Download New Code at Runtime",
+ "url": "https://attack.mitre.org/techniques/T1407",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1408",
+ "technique": "Disguise Root/Jailbreak Indicators",
+ "url": "https://attack.mitre.org/techniques/T1408",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1409",
+ "technique": "Access Stored Application Data",
+ "url": "https://attack.mitre.org/techniques/T1409",
+ "tactic": [
+ "Collection",
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1410",
+ "technique": "Network Traffic Capture or Redirection",
+ "url": "https://attack.mitre.org/techniques/T1410",
+ "tactic": [
+ "Collection",
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1411",
+ "technique": "Input Prompt",
+ "url": "https://attack.mitre.org/techniques/T1411",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1412",
+ "technique": "Capture SMS Messages",
+ "url": "https://attack.mitre.org/techniques/T1412",
+ "tactic": [
+ "Collection",
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1413",
+ "technique": "Access Sensitive Data in Device Logs",
+ "url": "https://attack.mitre.org/techniques/T1413",
+ "tactic": [
+ "Collection",
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1414",
+ "technique": "Capture Clipboard Data",
+ "url": "https://attack.mitre.org/techniques/T1414",
+ "tactic": [
+ "Collection",
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1415",
+ "technique": "URL Scheme Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1415",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1416",
+ "technique": "Android Intent Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1416",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1417",
+ "technique": "Input Capture",
+ "url": "https://attack.mitre.org/techniques/T1417",
+ "tactic": [
+ "Collection",
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1418",
+ "technique": "Application Discovery",
+ "url": "https://attack.mitre.org/techniques/T1418",
+ "tactic": [
+ "Defense Evasion",
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1420",
+ "technique": "File and Directory Discovery",
+ "url": "https://attack.mitre.org/techniques/T1420",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1421",
+ "technique": "System Network Connections Discovery",
+ "url": "https://attack.mitre.org/techniques/T1421",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1422",
+ "technique": "System Network Configuration Discovery",
+ "url": "https://attack.mitre.org/techniques/T1422",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1423",
+ "technique": "Network Service Scanning",
+ "url": "https://attack.mitre.org/techniques/T1423",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1424",
+ "technique": "Process Discovery",
+ "url": "https://attack.mitre.org/techniques/T1424",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1426",
+ "technique": "System Information Discovery",
+ "url": "https://attack.mitre.org/techniques/T1426",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1427",
+ "technique": "Attack PC via USB Connection",
+ "url": "https://attack.mitre.org/techniques/T1427",
+ "tactic": [
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1428",
+ "technique": "Exploit Enterprise Resources",
+ "url": "https://attack.mitre.org/techniques/T1428",
+ "tactic": [
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1429",
+ "technique": "Capture Audio",
+ "url": "https://attack.mitre.org/techniques/T1429",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1430",
+ "technique": "Location Tracking",
+ "url": "https://attack.mitre.org/techniques/T1430",
+ "tactic": [
+ "Collection",
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1432",
+ "technique": "Access Contact List",
+ "url": "https://attack.mitre.org/techniques/T1432",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1433",
+ "technique": "Access Call Log",
+ "url": "https://attack.mitre.org/techniques/T1433",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1435",
+ "technique": "Access Calendar Entries",
+ "url": "https://attack.mitre.org/techniques/T1435",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1436",
+ "technique": "Commonly Used Port",
+ "url": "https://attack.mitre.org/techniques/T1436",
+ "tactic": [
+ "Command and Control",
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1437",
+ "technique": "Standard Application Layer Protocol",
+ "url": "https://attack.mitre.org/techniques/T1437",
+ "tactic": [
+ "Command and Control",
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1438",
+ "technique": "Alternate Network Mediums",
+ "url": "https://attack.mitre.org/techniques/T1438",
+ "tactic": [
+ "Command and Control",
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1439",
+ "technique": "Eavesdrop on Insecure Network Communication",
+ "url": "https://attack.mitre.org/techniques/T1439",
+ "tactic": [
+ "Network Effects"
+ ]
+ },
+ {
+ "technique_id": "T1444",
+ "technique": "Masquerade as Legitimate Application",
+ "url": "https://attack.mitre.org/techniques/T1444",
+ "tactic": [
+ "Initial Access",
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1446",
+ "technique": "Device Lockout",
+ "url": "https://attack.mitre.org/techniques/T1446",
+ "tactic": [
+ "Impact",
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1447",
+ "technique": "Delete Device Data",
+ "url": "https://attack.mitre.org/techniques/T1447",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1448",
+ "technique": "Carrier Billing Fraud",
+ "url": "https://attack.mitre.org/techniques/T1448",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1449",
+ "technique": "Exploit SS7 to Redirect Phone Calls/SMS",
+ "url": "https://attack.mitre.org/techniques/T1449",
+ "tactic": [
+ "Network Effects"
+ ]
+ },
+ {
+ "technique_id": "T1450",
+ "technique": "Exploit SS7 to Track Device Location",
+ "url": "https://attack.mitre.org/techniques/T1450",
+ "tactic": [
+ "Network Effects"
+ ]
+ },
+ {
+ "technique_id": "T1451",
+ "technique": "SIM Card Swap",
+ "url": "https://attack.mitre.org/techniques/T1451",
+ "tactic": [
+ "Network Effects"
+ ]
+ },
+ {
+ "technique_id": "T1452",
+ "technique": "Manipulate App Store Rankings or Ratings",
+ "url": "https://attack.mitre.org/techniques/T1452",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1456",
+ "technique": "Drive-by Compromise",
+ "url": "https://attack.mitre.org/techniques/T1456",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1458",
+ "technique": "Exploit via Charging Station or PC",
+ "url": "https://attack.mitre.org/techniques/T1458",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1461",
+ "technique": "Lockscreen Bypass",
+ "url": "https://attack.mitre.org/techniques/T1461",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1463",
+ "technique": "Manipulate Device Communication",
+ "url": "https://attack.mitre.org/techniques/T1463",
+ "tactic": [
+ "Network Effects"
+ ]
+ },
+ {
+ "technique_id": "T1464",
+ "technique": "Jamming or Denial of Service",
+ "url": "https://attack.mitre.org/techniques/T1464",
+ "tactic": [
+ "Network Effects"
+ ]
+ },
+ {
+ "technique_id": "T1465",
+ "technique": "Rogue Wi-Fi Access Points",
+ "url": "https://attack.mitre.org/techniques/T1465",
+ "tactic": [
+ "Network Effects"
+ ]
+ },
+ {
+ "technique_id": "T1466",
+ "technique": "Downgrade to Insecure Protocols",
+ "url": "https://attack.mitre.org/techniques/T1466",
+ "tactic": [
+ "Network Effects"
+ ]
+ },
+ {
+ "technique_id": "T1467",
+ "technique": "Rogue Cellular Base Station",
+ "url": "https://attack.mitre.org/techniques/T1467",
+ "tactic": [
+ "Network Effects"
+ ]
+ },
+ {
+ "technique_id": "T1468",
+ "technique": "Remotely Track Device Without Authorization",
+ "url": "https://attack.mitre.org/techniques/T1468",
+ "tactic": [
+ "Remote Service Effects"
+ ]
+ },
+ {
+ "technique_id": "T1469",
+ "technique": "Remotely Wipe Data Without Authorization",
+ "url": "https://attack.mitre.org/techniques/T1469",
+ "tactic": [
+ "Remote Service Effects"
+ ]
+ },
+ {
+ "technique_id": "T1470",
+ "technique": "Obtain Device Cloud Backups",
+ "url": "https://attack.mitre.org/techniques/T1470",
+ "tactic": [
+ "Remote Service Effects"
+ ]
+ },
+ {
+ "technique_id": "T1471",
+ "technique": "Data Encrypted for Impact",
+ "url": "https://attack.mitre.org/techniques/T1471",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1472",
+ "technique": "Generate Fraudulent Advertising Revenue",
+ "url": "https://attack.mitre.org/techniques/T1472",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1474",
+ "technique": "Supply Chain Compromise",
+ "url": "https://attack.mitre.org/techniques/T1474",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1475",
+ "technique": "Deliver Malicious App via Authorized App Store",
+ "url": "https://attack.mitre.org/techniques/T1475",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1476",
+ "technique": "Deliver Malicious App via Other Means",
+ "url": "https://attack.mitre.org/techniques/T1476",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1477",
+ "technique": "Exploit via Radio Interfaces",
+ "url": "https://attack.mitre.org/techniques/T1477",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1478",
+ "technique": "Install Insecure or Malicious Configuration",
+ "url": "https://attack.mitre.org/techniques/T1478",
+ "tactic": [
+ "Defense Evasion",
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1480",
+ "technique": "Execution Guardrails",
+ "url": "https://attack.mitre.org/techniques/T1480",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1480.001",
+ "technique": "Execution Guardrails : Environmental Keying",
+ "url": "https://attack.mitre.org/techniques/T1480/001"
+ },
+ {
+ "technique_id": "T1481",
+ "technique": "Web Service",
+ "url": "https://attack.mitre.org/techniques/T1481",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1482",
+ "technique": "Domain Trust Discovery",
+ "url": "https://attack.mitre.org/techniques/T1482",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1484",
+ "technique": "Group Policy Modification",
+ "url": "https://attack.mitre.org/techniques/T1484",
+ "tactic": [
+ "Defense Evasion",
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1485",
+ "technique": "Data Destruction",
+ "url": "https://attack.mitre.org/techniques/T1485",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1486",
+ "technique": "Data Encrypted for Impact",
+ "url": "https://attack.mitre.org/techniques/T1486",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1489",
+ "technique": "Service Stop",
+ "url": "https://attack.mitre.org/techniques/T1489",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1490",
+ "technique": "Inhibit System Recovery",
+ "url": "https://attack.mitre.org/techniques/T1490",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1491",
+ "technique": "Defacement",
+ "url": "https://attack.mitre.org/techniques/T1491",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1491.001",
+ "technique": "Defacement : Internal Defacement",
+ "url": "https://attack.mitre.org/techniques/T1491/001"
+ },
+ {
+ "technique_id": "T1491.002",
+ "technique": "Defacement : External Defacement",
+ "url": "https://attack.mitre.org/techniques/T1491/002"
+ },
+ {
+ "technique_id": "T1495",
+ "technique": "Firmware Corruption",
+ "url": "https://attack.mitre.org/techniques/T1495",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1496",
+ "technique": "Resource Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1496",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1497",
+ "technique": "Virtualization/Sandbox Evasion",
+ "url": "https://attack.mitre.org/techniques/T1497",
+ "tactic": [
+ "Defense Evasion",
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1497.001",
+ "technique": "Virtualization/Sandbox Evasion : System Checks",
+ "url": "https://attack.mitre.org/techniques/T1497/001"
+ },
+ {
+ "technique_id": "T1497.002",
+ "technique": "Virtualization/Sandbox Evasion : User Activity Based Checks",
+ "url": "https://attack.mitre.org/techniques/T1497/002"
+ },
+ {
+ "technique_id": "T1497.003",
+ "technique": "Virtualization/Sandbox Evasion : Time Based Evasion",
+ "url": "https://attack.mitre.org/techniques/T1497/003"
+ },
+ {
+ "technique_id": "T1498",
+ "technique": "Network Denial of Service",
+ "url": "https://attack.mitre.org/techniques/T1498",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1498.001",
+ "technique": "Network Denial of Service : Direct Network Flood",
+ "url": "https://attack.mitre.org/techniques/T1498/001"
+ },
+ {
+ "technique_id": "T1498.002",
+ "technique": "Network Denial of Service : Reflection Amplification",
+ "url": "https://attack.mitre.org/techniques/T1498/002"
+ },
+ {
+ "technique_id": "T1499",
+ "technique": "Endpoint Denial of Service",
+ "url": "https://attack.mitre.org/techniques/T1499",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1499.001",
+ "technique": "Endpoint Denial of Service : OS Exhaustion Flood",
+ "url": "https://attack.mitre.org/techniques/T1499/001"
+ },
+ {
+ "technique_id": "T1499.002",
+ "technique": "Endpoint Denial of Service : Service Exhaustion Flood",
+ "url": "https://attack.mitre.org/techniques/T1499/002"
+ },
+ {
+ "technique_id": "T1499.003",
+ "technique": "Endpoint Denial of Service : Application Exhaustion Flood",
+ "url": "https://attack.mitre.org/techniques/T1499/003"
+ },
+ {
+ "technique_id": "T1499.004",
+ "technique": "Endpoint Denial of Service : Application or System Exploitation",
+ "url": "https://attack.mitre.org/techniques/T1499/004"
+ },
+ {
+ "technique_id": "T1505",
+ "technique": "Server Software Component",
+ "url": "https://attack.mitre.org/techniques/T1505",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1505.001",
+ "technique": "Server Software Component : SQL Stored Procedures",
+ "url": "https://attack.mitre.org/techniques/T1505/001"
+ },
+ {
+ "technique_id": "T1505.002",
+ "technique": "Server Software Component : Transport Agent",
+ "url": "https://attack.mitre.org/techniques/T1505/002"
+ },
+ {
+ "technique_id": "T1505.003",
+ "technique": "Server Software Component : Web Shell",
+ "url": "https://attack.mitre.org/techniques/T1505/003"
+ },
+ {
+ "technique_id": "T1507",
+ "technique": "Network Information Discovery",
+ "url": "https://attack.mitre.org/techniques/T1507",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1508",
+ "technique": "Suppress Application Icon",
+ "url": "https://attack.mitre.org/techniques/T1508",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1509",
+ "technique": "Uncommonly Used Port",
+ "url": "https://attack.mitre.org/techniques/T1509",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1510",
+ "technique": "Clipboard Modification",
+ "url": "https://attack.mitre.org/techniques/T1510",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1512",
+ "technique": "Capture Camera",
+ "url": "https://attack.mitre.org/techniques/T1512",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1513",
+ "technique": "Screen Capture",
+ "url": "https://attack.mitre.org/techniques/T1513",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1516",
+ "technique": "Input Injection",
+ "url": "https://attack.mitre.org/techniques/T1516",
+ "tactic": [
+ "Defense Evasion",
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1517",
+ "technique": "Access Notifications",
+ "url": "https://attack.mitre.org/techniques/T1517",
+ "tactic": [
+ "Collection",
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1518",
+ "technique": "Software Discovery",
+ "url": "https://attack.mitre.org/techniques/T1518",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1518.001",
+ "technique": "Software Discovery : Security Software Discovery",
+ "url": "https://attack.mitre.org/techniques/T1518/001"
+ },
+ {
+ "technique_id": "T1520",
+ "technique": "Domain Generation Algorithms",
+ "url": "https://attack.mitre.org/techniques/T1520",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1521",
+ "technique": "Standard Cryptographic Protocol",
+ "url": "https://attack.mitre.org/techniques/T1521",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1523",
+ "technique": "Evade Analysis Environment",
+ "url": "https://attack.mitre.org/techniques/T1523",
+ "tactic": [
+ "Defense Evasion",
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1525",
+ "technique": "Implant Container Image",
+ "url": "https://attack.mitre.org/techniques/T1525",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1526",
+ "technique": "Cloud Service Discovery",
+ "url": "https://attack.mitre.org/techniques/T1526",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1528",
+ "technique": "Steal Application Access Token",
+ "url": "https://attack.mitre.org/techniques/T1528",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1529",
+ "technique": "System Shutdown/Reboot",
+ "url": "https://attack.mitre.org/techniques/T1529",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1530",
+ "technique": "Data from Cloud Storage Object",
+ "url": "https://attack.mitre.org/techniques/T1530",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1531",
+ "technique": "Account Access Removal",
+ "url": "https://attack.mitre.org/techniques/T1531",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1532",
+ "technique": "Data Encrypted",
+ "url": "https://attack.mitre.org/techniques/T1532",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1533",
+ "technique": "Data from Local System",
+ "url": "https://attack.mitre.org/techniques/T1533",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1534",
+ "technique": "Internal Spearphishing",
+ "url": "https://attack.mitre.org/techniques/T1534",
+ "tactic": [
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1535",
+ "technique": "Unused/Unsupported Cloud Regions",
+ "url": "https://attack.mitre.org/techniques/T1535",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1537",
+ "technique": "Transfer Data to Cloud Account",
+ "url": "https://attack.mitre.org/techniques/T1537",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1538",
+ "technique": "Cloud Service Dashboard",
+ "url": "https://attack.mitre.org/techniques/T1538",
+ "tactic": [
+ "Discovery"
+ ]
+ },
+ {
+ "technique_id": "T1539",
+ "technique": "Steal Web Session Cookie",
+ "url": "https://attack.mitre.org/techniques/T1539",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1540",
+ "technique": "Code Injection",
+ "url": "https://attack.mitre.org/techniques/T1540",
+ "tactic": [
+ "Persistence",
+ "Privilege Escalation",
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1541",
+ "technique": "Foreground Persistence",
+ "url": "https://attack.mitre.org/techniques/T1541",
+ "tactic": [
+ "Collection",
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1542",
+ "technique": "Pre-OS Boot",
+ "url": "https://attack.mitre.org/techniques/T1542",
+ "tactic": [
+ "Defense Evasion",
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1542.001",
+ "technique": "Pre-OS Boot : System Firmware",
+ "url": "https://attack.mitre.org/techniques/T1542/001"
+ },
+ {
+ "technique_id": "T1542.002",
+ "technique": "Pre-OS Boot : Component Firmware",
+ "url": "https://attack.mitre.org/techniques/T1542/002"
+ },
+ {
+ "technique_id": "T1542.003",
+ "technique": "Pre-OS Boot : Bootkit",
+ "url": "https://attack.mitre.org/techniques/T1542/003"
+ },
+ {
+ "technique_id": "T1543",
+ "technique": "Create or Modify System Process",
+ "url": "https://attack.mitre.org/techniques/T1543",
+ "tactic": [
+ "Persistence",
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1543.001",
+ "technique": "Create or Modify System Process : Launch Agent",
+ "url": "https://attack.mitre.org/techniques/T1543/001"
+ },
+ {
+ "technique_id": "T1543.002",
+ "technique": "Create or Modify System Process : Systemd Service",
+ "url": "https://attack.mitre.org/techniques/T1543/002"
+ },
+ {
+ "technique_id": "T1543.003",
+ "technique": "Create or Modify System Process : Windows Service",
+ "url": "https://attack.mitre.org/techniques/T1543/003"
+ },
+ {
+ "technique_id": "T1543.004",
+ "technique": "Create or Modify System Process : Launch Daemon",
+ "url": "https://attack.mitre.org/techniques/T1543/004"
+ },
+ {
+ "technique_id": "T1544",
+ "technique": "Remote File Copy",
+ "url": "https://attack.mitre.org/techniques/T1544",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1546",
+ "technique": "Event Triggered Execution",
+ "url": "https://attack.mitre.org/techniques/T1546",
+ "tactic": [
+ "Privilege Escalation",
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1546.001",
+ "technique": "Event Triggered Execution : Change Default File Association",
+ "url": "https://attack.mitre.org/techniques/T1546/001"
+ },
+ {
+ "technique_id": "T1546.002",
+ "technique": "Event Triggered Execution : Screensaver",
+ "url": "https://attack.mitre.org/techniques/T1546/002"
+ },
+ {
+ "technique_id": "T1546.003",
+ "technique": "Event Triggered Execution : Windows Management Instrumentation Event Subscription",
+ "url": "https://attack.mitre.org/techniques/T1546/003"
+ },
+ {
+ "technique_id": "T1546.004",
+ "technique": "Event Triggered Execution : .bash_profile and .bashrc",
+ "url": "https://attack.mitre.org/techniques/T1546/004"
+ },
+ {
+ "technique_id": "T1546.005",
+ "technique": "Event Triggered Execution : Trap",
+ "url": "https://attack.mitre.org/techniques/T1546/005"
+ },
+ {
+ "technique_id": "T1546.006",
+ "technique": "Event Triggered Execution : LC_LOAD_DYLIB Addition",
+ "url": "https://attack.mitre.org/techniques/T1546/006"
+ },
+ {
+ "technique_id": "T1546.007",
+ "technique": "Event Triggered Execution : Netsh Helper DLL",
+ "url": "https://attack.mitre.org/techniques/T1546/007"
+ },
+ {
+ "technique_id": "T1546.008",
+ "technique": "Event Triggered Execution : Accessibility Features",
+ "url": "https://attack.mitre.org/techniques/T1546/008"
+ },
+ {
+ "technique_id": "T1546.009",
+ "technique": "Event Triggered Execution : AppCert DLLs",
+ "url": "https://attack.mitre.org/techniques/T1546/009"
+ },
+ {
+ "technique_id": "T1546.010",
+ "technique": "Event Triggered Execution : AppInit DLLs",
+ "url": "https://attack.mitre.org/techniques/T1546/010"
+ },
+ {
+ "technique_id": "T1546.011",
+ "technique": "Event Triggered Execution : Application Shimming",
+ "url": "https://attack.mitre.org/techniques/T1546/011"
+ },
+ {
+ "technique_id": "T1546.012",
+ "technique": "Event Triggered Execution : Image File Execution Options Injection",
+ "url": "https://attack.mitre.org/techniques/T1546/012"
+ },
+ {
+ "technique_id": "T1546.013",
+ "technique": "Event Triggered Execution : PowerShell Profile",
+ "url": "https://attack.mitre.org/techniques/T1546/013"
+ },
+ {
+ "technique_id": "T1546.014",
+ "technique": "Event Triggered Execution : Emond",
+ "url": "https://attack.mitre.org/techniques/T1546/014"
+ },
+ {
+ "technique_id": "T1546.015",
+ "technique": "Event Triggered Execution : Component Object Model Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1546/015"
+ },
+ {
+ "technique_id": "T1547",
+ "technique": "Boot or Logon Autostart Execution",
+ "url": "https://attack.mitre.org/techniques/T1547",
+ "tactic": [
+ "Persistence",
+ "Privilege Escalation"
+ ]
+ },
+ {
+ "technique_id": "T1547.001",
+ "technique": "Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder",
+ "url": "https://attack.mitre.org/techniques/T1547/001"
+ },
+ {
+ "technique_id": "T1547.002",
+ "technique": "Boot or Logon Autostart Execution : Authentication Package",
+ "url": "https://attack.mitre.org/techniques/T1547/002"
+ },
+ {
+ "technique_id": "T1547.003",
+ "technique": "Boot or Logon Autostart Execution : Time Providers",
+ "url": "https://attack.mitre.org/techniques/T1547/003"
+ },
+ {
+ "technique_id": "T1547.004",
+ "technique": "Boot or Logon Autostart Execution : Winlogon Helper DLL",
+ "url": "https://attack.mitre.org/techniques/T1547/004"
+ },
+ {
+ "technique_id": "T1547.005",
+ "technique": "Boot or Logon Autostart Execution : Security Support Provider",
+ "url": "https://attack.mitre.org/techniques/T1547/005"
+ },
+ {
+ "technique_id": "T1547.006",
+ "technique": "Boot or Logon Autostart Execution : Kernel Modules and Extensions",
+ "url": "https://attack.mitre.org/techniques/T1547/006"
+ },
+ {
+ "technique_id": "T1547.007",
+ "technique": "Boot or Logon Autostart Execution : Re-opened Applications",
+ "url": "https://attack.mitre.org/techniques/T1547/007"
+ },
+ {
+ "technique_id": "T1547.008",
+ "technique": "Boot or Logon Autostart Execution : LSASS Driver",
+ "url": "https://attack.mitre.org/techniques/T1547/008"
+ },
+ {
+ "technique_id": "T1547.009",
+ "technique": "Boot or Logon Autostart Execution : Shortcut Modification",
+ "url": "https://attack.mitre.org/techniques/T1547/009"
+ },
+ {
+ "technique_id": "T1547.010",
+ "technique": "Boot or Logon Autostart Execution : Port Monitors",
+ "url": "https://attack.mitre.org/techniques/T1547/010"
+ },
+ {
+ "technique_id": "T1547.011",
+ "technique": "Boot or Logon Autostart Execution : Plist Modification",
+ "url": "https://attack.mitre.org/techniques/T1547/011"
+ },
+ {
+ "technique_id": "T1548",
+ "technique": "Abuse Elevation Control Mechanism",
+ "url": "https://attack.mitre.org/techniques/T1548",
+ "tactic": [
+ "Privilege Escalation",
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1548.001",
+ "technique": "Abuse Elevation Control Mechanism : Setuid and Setgid",
+ "url": "https://attack.mitre.org/techniques/T1548/001"
+ },
+ {
+ "technique_id": "T1548.002",
+ "technique": "Abuse Elevation Control Mechanism : Bypass User Access Control",
+ "url": "https://attack.mitre.org/techniques/T1548/002"
+ },
+ {
+ "technique_id": "T1548.003",
+ "technique": "Abuse Elevation Control Mechanism : Sudo and Sudo Caching",
+ "url": "https://attack.mitre.org/techniques/T1548/003"
+ },
+ {
+ "technique_id": "T1548.004",
+ "technique": "Abuse Elevation Control Mechanism : Elevated Execution with Prompt",
+ "url": "https://attack.mitre.org/techniques/T1548/004"
+ },
+ {
+ "technique_id": "T1550",
+ "technique": "Use Alternate Authentication Material",
+ "url": "https://attack.mitre.org/techniques/T1550",
+ "tactic": [
+ "Defense Evasion",
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1550.001",
+ "technique": "Use Alternate Authentication Material : Application Access Token",
+ "url": "https://attack.mitre.org/techniques/T1550/001"
+ },
+ {
+ "technique_id": "T1550.002",
+ "technique": "Use Alternate Authentication Material : Pass the Hash",
+ "url": "https://attack.mitre.org/techniques/T1550/002"
+ },
+ {
+ "technique_id": "T1550.003",
+ "technique": "Use Alternate Authentication Material : Pass the Ticket",
+ "url": "https://attack.mitre.org/techniques/T1550/003"
+ },
+ {
+ "technique_id": "T1550.004",
+ "technique": "Use Alternate Authentication Material : Web Session Cookie",
+ "url": "https://attack.mitre.org/techniques/T1550/004"
+ },
+ {
+ "technique_id": "T1552",
+ "technique": "Unsecured Credentials",
+ "url": "https://attack.mitre.org/techniques/T1552",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1552.001",
+ "technique": "Unsecured Credentials : Credentials In Files",
+ "url": "https://attack.mitre.org/techniques/T1552/001"
+ },
+ {
+ "technique_id": "T1552.002",
+ "technique": "Unsecured Credentials : Credentials in Registry",
+ "url": "https://attack.mitre.org/techniques/T1552/002"
+ },
+ {
+ "technique_id": "T1552.003",
+ "technique": "Unsecured Credentials : Bash History",
+ "url": "https://attack.mitre.org/techniques/T1552/003"
+ },
+ {
+ "technique_id": "T1552.004",
+ "technique": "Unsecured Credentials : Private Keys",
+ "url": "https://attack.mitre.org/techniques/T1552/004"
+ },
+ {
+ "technique_id": "T1552.005",
+ "technique": "Unsecured Credentials : Cloud Instance Metadata API",
+ "url": "https://attack.mitre.org/techniques/T1552/005"
+ },
+ {
+ "technique_id": "T1552.006",
+ "technique": "Unsecured Credentials : Group Policy Preferences",
+ "url": "https://attack.mitre.org/techniques/T1552/006"
+ },
+ {
+ "technique_id": "T1553",
+ "technique": "Subvert Trust Controls",
+ "url": "https://attack.mitre.org/techniques/T1553",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1553.001",
+ "technique": "Subvert Trust Controls : Gatekeeper Bypass",
+ "url": "https://attack.mitre.org/techniques/T1553/001"
+ },
+ {
+ "technique_id": "T1553.002",
+ "technique": "Subvert Trust Controls : Code Signing",
+ "url": "https://attack.mitre.org/techniques/T1553/002"
+ },
+ {
+ "technique_id": "T1553.003",
+ "technique": "Subvert Trust Controls : SIP and Trust Provider Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1553/003"
+ },
+ {
+ "technique_id": "T1553.004",
+ "technique": "Subvert Trust Controls : Install Root Certificate",
+ "url": "https://attack.mitre.org/techniques/T1553/004"
+ },
+ {
+ "technique_id": "T1554",
+ "technique": "Compromise Client Software Binary",
+ "url": "https://attack.mitre.org/techniques/T1554",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1555",
+ "technique": "Credentials from Password Stores",
+ "url": "https://attack.mitre.org/techniques/T1555",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1555.001",
+ "technique": "Credentials from Password Stores : Keychain",
+ "url": "https://attack.mitre.org/techniques/T1555/001"
+ },
+ {
+ "technique_id": "T1555.002",
+ "technique": "Credentials from Password Stores : Securityd Memory",
+ "url": "https://attack.mitre.org/techniques/T1555/002"
+ },
+ {
+ "technique_id": "T1555.003",
+ "technique": "Credentials from Password Stores : Credentials from Web Browsers",
+ "url": "https://attack.mitre.org/techniques/T1555/003"
+ },
+ {
+ "technique_id": "T1556",
+ "technique": "Modify Authentication Process",
+ "url": "https://attack.mitre.org/techniques/T1556",
+ "tactic": [
+ "Credential Access",
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1556.001",
+ "technique": "Modify Authentication Process : Domain Controller Authentication",
+ "url": "https://attack.mitre.org/techniques/T1556/001"
+ },
+ {
+ "technique_id": "T1556.002",
+ "technique": "Modify Authentication Process : Password Filter DLL",
+ "url": "https://attack.mitre.org/techniques/T1556/002"
+ },
+ {
+ "technique_id": "T1556.003",
+ "technique": "Modify Authentication Process : Pluggable Authentication Modules",
+ "url": "https://attack.mitre.org/techniques/T1556/003"
+ },
+ {
+ "technique_id": "T1557",
+ "technique": "Man-in-the-Middle",
+ "url": "https://attack.mitre.org/techniques/T1557",
+ "tactic": [
+ "Credential Access",
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1557.001",
+ "technique": "Man-in-the-Middle : LLMNR/NBT-NS Poisoning and SMB Relay",
+ "url": "https://attack.mitre.org/techniques/T1557/001"
+ },
+ {
+ "technique_id": "T1558",
+ "technique": "Steal or Forge Kerberos Tickets",
+ "url": "https://attack.mitre.org/techniques/T1558",
+ "tactic": [
+ "Credential Access"
+ ]
+ },
+ {
+ "technique_id": "T1558.001",
+ "technique": "Steal or Forge Kerberos Tickets : Golden Ticket",
+ "url": "https://attack.mitre.org/techniques/T1558/001"
+ },
+ {
+ "technique_id": "T1558.002",
+ "technique": "Steal or Forge Kerberos Tickets : Silver Ticket",
+ "url": "https://attack.mitre.org/techniques/T1558/002"
+ },
+ {
+ "technique_id": "T1558.003",
+ "technique": "Steal or Forge Kerberos Tickets : Kerberoasting",
+ "url": "https://attack.mitre.org/techniques/T1558/003"
+ },
+ {
+ "technique_id": "T1559",
+ "technique": "Inter-Process Communication",
+ "url": "https://attack.mitre.org/techniques/T1559",
+ "tactic": [
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1559.001",
+ "technique": "Inter-Process Communication : Component Object Model",
+ "url": "https://attack.mitre.org/techniques/T1559/001"
+ },
+ {
+ "technique_id": "T1559.002",
+ "technique": "Inter-Process Communication : Dynamic Data Exchange",
+ "url": "https://attack.mitre.org/techniques/T1559/002"
+ },
+ {
+ "technique_id": "T1560",
+ "technique": "Archive Collected Data",
+ "url": "https://attack.mitre.org/techniques/T1560",
+ "tactic": [
+ "Collection"
+ ]
+ },
+ {
+ "technique_id": "T1560.001",
+ "technique": "Archive Collected Data : Archive via Utility",
+ "url": "https://attack.mitre.org/techniques/T1560/001"
+ },
+ {
+ "technique_id": "T1560.002",
+ "technique": "Archive Collected Data : Archive via Library",
+ "url": "https://attack.mitre.org/techniques/T1560/002"
+ },
+ {
+ "technique_id": "T1560.003",
+ "technique": "Archive Collected Data : Archive via Custom Method",
+ "url": "https://attack.mitre.org/techniques/T1560/003"
+ },
+ {
+ "technique_id": "T1561",
+ "technique": "Disk Wipe",
+ "url": "https://attack.mitre.org/techniques/T1561",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1561.001",
+ "technique": "Disk Wipe : Disk Content Wipe",
+ "url": "https://attack.mitre.org/techniques/T1561/001"
+ },
+ {
+ "technique_id": "T1561.002",
+ "technique": "Disk Wipe : Disk Structure Wipe",
+ "url": "https://attack.mitre.org/techniques/T1561/002"
+ },
+ {
+ "technique_id": "T1562",
+ "technique": "Impair Defenses",
+ "url": "https://attack.mitre.org/techniques/T1562",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1562.001",
+ "technique": "Impair Defenses : Disable or Modify Tools",
+ "url": "https://attack.mitre.org/techniques/T1562/001"
+ },
+ {
+ "technique_id": "T1562.002",
+ "technique": "Impair Defenses : Disable Windows Event Logging",
+ "url": "https://attack.mitre.org/techniques/T1562/002"
+ },
+ {
+ "technique_id": "T1562.003",
+ "technique": "Impair Defenses : HISTCONTROL",
+ "url": "https://attack.mitre.org/techniques/T1562/003"
+ },
+ {
+ "technique_id": "T1562.004",
+ "technique": "Impair Defenses : Disable or Modify System Firewall",
+ "url": "https://attack.mitre.org/techniques/T1562/004"
+ },
+ {
+ "technique_id": "T1562.006",
+ "technique": "Impair Defenses : Indicator Blocking",
+ "url": "https://attack.mitre.org/techniques/T1562/006"
+ },
+ {
+ "technique_id": "T1562.007",
+ "technique": "Impair Defenses : Disable or Modify Cloud Firewall",
+ "url": "https://attack.mitre.org/techniques/T1562/007"
+ },
+ {
+ "technique_id": "T1563",
+ "technique": "Remote Service Session Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1563",
+ "tactic": [
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1563.001",
+ "technique": "Remote Service Session Hijacking : SSH Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1563/001"
+ },
+ {
+ "technique_id": "T1563.002",
+ "technique": "Remote Service Session Hijacking : RDP Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1563/002"
+ },
+ {
+ "technique_id": "T1564",
+ "technique": "Hide Artifacts",
+ "url": "https://attack.mitre.org/techniques/T1564",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1564.001",
+ "technique": "Hide Artifacts : Hidden Files and Directories",
+ "url": "https://attack.mitre.org/techniques/T1564/001"
+ },
+ {
+ "technique_id": "T1564.002",
+ "technique": "Hide Artifacts : Hidden Users",
+ "url": "https://attack.mitre.org/techniques/T1564/002"
+ },
+ {
+ "technique_id": "T1564.003",
+ "technique": "Hide Artifacts : Hidden Window",
+ "url": "https://attack.mitre.org/techniques/T1564/003"
+ },
+ {
+ "technique_id": "T1564.004",
+ "technique": "Hide Artifacts : NTFS File Attributes",
+ "url": "https://attack.mitre.org/techniques/T1564/004"
+ },
+ {
+ "technique_id": "T1564.005",
+ "technique": "Hide Artifacts : Hidden File System",
+ "url": "https://attack.mitre.org/techniques/T1564/005"
+ },
+ {
+ "technique_id": "T1564.006",
+ "technique": "Hide Artifacts : Run Virtual Instance",
+ "url": "https://attack.mitre.org/techniques/T1564/006"
+ },
+ {
+ "technique_id": "T1565",
+ "technique": "Data Manipulation",
+ "url": "https://attack.mitre.org/techniques/T1565",
+ "tactic": [
+ "Impact"
+ ]
+ },
+ {
+ "technique_id": "T1565.001",
+ "technique": "Data Manipulation : Stored Data Manipulation",
+ "url": "https://attack.mitre.org/techniques/T1565/001"
+ },
+ {
+ "technique_id": "T1565.002",
+ "technique": "Data Manipulation : Transmitted Data Manipulation",
+ "url": "https://attack.mitre.org/techniques/T1565/002"
+ },
+ {
+ "technique_id": "T1565.003",
+ "technique": "Data Manipulation : Runtime Data Manipulation",
+ "url": "https://attack.mitre.org/techniques/T1565/003"
+ },
+ {
+ "technique_id": "T1566",
+ "technique": "Phishing",
+ "url": "https://attack.mitre.org/techniques/T1566",
+ "tactic": [
+ "Initial Access"
+ ]
+ },
+ {
+ "technique_id": "T1566.001",
+ "technique": "Phishing : Spearphishing Attachment",
+ "url": "https://attack.mitre.org/techniques/T1566/001"
+ },
+ {
+ "technique_id": "T1566.002",
+ "technique": "Phishing : Spearphishing Link",
+ "url": "https://attack.mitre.org/techniques/T1566/002"
+ },
+ {
+ "technique_id": "T1566.003",
+ "technique": "Phishing : Spearphishing via Service",
+ "url": "https://attack.mitre.org/techniques/T1566/003"
+ },
+ {
+ "technique_id": "T1567",
+ "technique": "Exfiltration Over Web Service",
+ "url": "https://attack.mitre.org/techniques/T1567",
+ "tactic": [
+ "Exfiltration"
+ ]
+ },
+ {
+ "technique_id": "T1567.001",
+ "technique": "Exfiltration Over Web Service : Exfiltration to Code Repository",
+ "url": "https://attack.mitre.org/techniques/T1567/001"
+ },
+ {
+ "technique_id": "T1567.002",
+ "technique": "Exfiltration Over Web Service : Exfiltration to Cloud Storage",
+ "url": "https://attack.mitre.org/techniques/T1567/002"
+ },
+ {
+ "technique_id": "T1568",
+ "technique": "Dynamic Resolution",
+ "url": "https://attack.mitre.org/techniques/T1568",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1568.001",
+ "technique": "Dynamic Resolution : Fast Flux DNS",
+ "url": "https://attack.mitre.org/techniques/T1568/001"
+ },
+ {
+ "technique_id": "T1568.002",
+ "technique": "Dynamic Resolution : Domain Generation Algorithms",
+ "url": "https://attack.mitre.org/techniques/T1568/002"
+ },
+ {
+ "technique_id": "T1568.003",
+ "technique": "Dynamic Resolution : DNS Calculation",
+ "url": "https://attack.mitre.org/techniques/T1568/003"
+ },
+ {
+ "technique_id": "T1569",
+ "technique": "System Services",
+ "url": "https://attack.mitre.org/techniques/T1569",
+ "tactic": [
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1569.001",
+ "technique": "System Services : Launchctl",
+ "url": "https://attack.mitre.org/techniques/T1569/001"
+ },
+ {
+ "technique_id": "T1569.002",
+ "technique": "System Services : Service Execution",
+ "url": "https://attack.mitre.org/techniques/T1569/002"
+ },
+ {
+ "technique_id": "T1570",
+ "technique": "Lateral Tool Transfer",
+ "url": "https://attack.mitre.org/techniques/T1570",
+ "tactic": [
+ "Lateral Movement"
+ ]
+ },
+ {
+ "technique_id": "T1571",
+ "technique": "Non-Standard Port",
+ "url": "https://attack.mitre.org/techniques/T1571",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1572",
+ "technique": "Protocol Tunneling",
+ "url": "https://attack.mitre.org/techniques/T1572",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1573",
+ "technique": "Encrypted Channel",
+ "url": "https://attack.mitre.org/techniques/T1573",
+ "tactic": [
+ "Command and Control"
+ ]
+ },
+ {
+ "technique_id": "T1573.001",
+ "technique": "Encrypted Channel : Symmetric Cryptography",
+ "url": "https://attack.mitre.org/techniques/T1573/001"
+ },
+ {
+ "technique_id": "T1573.002",
+ "technique": "Encrypted Channel : Asymmetric Cryptography",
+ "url": "https://attack.mitre.org/techniques/T1573/002"
+ },
+ {
+ "technique_id": "T1574",
+ "technique": "Hijack Execution Flow",
+ "url": "https://attack.mitre.org/techniques/T1574",
+ "tactic": [
+ "Persistence",
+ "Privilege Escalation",
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1574.001",
+ "technique": "Hijack Execution Flow : DLL Search Order Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1574/001"
+ },
+ {
+ "technique_id": "T1574.002",
+ "technique": "Hijack Execution Flow : DLL Side-Loading",
+ "url": "https://attack.mitre.org/techniques/T1574/002"
+ },
+ {
+ "technique_id": "T1574.004",
+ "technique": "Hijack Execution Flow : Dylib Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1574/004"
+ },
+ {
+ "technique_id": "T1574.005",
+ "technique": "Hijack Execution Flow : Executable Installer File Permissions Weakness",
+ "url": "https://attack.mitre.org/techniques/T1574/005"
+ },
+ {
+ "technique_id": "T1574.006",
+ "technique": "Hijack Execution Flow : LD_PRELOAD",
+ "url": "https://attack.mitre.org/techniques/T1574/006"
+ },
+ {
+ "technique_id": "T1574.007",
+ "technique": "Hijack Execution Flow : Path Interception by PATH Environment Variable",
+ "url": "https://attack.mitre.org/techniques/T1574/007"
+ },
+ {
+ "technique_id": "T1574.008",
+ "technique": "Hijack Execution Flow : Path Interception by Search Order Hijacking",
+ "url": "https://attack.mitre.org/techniques/T1574/008"
+ },
+ {
+ "technique_id": "T1574.009",
+ "technique": "Hijack Execution Flow : Path Interception by Unquoted Path",
+ "url": "https://attack.mitre.org/techniques/T1574/009"
+ },
+ {
+ "technique_id": "T1574.010",
+ "technique": "Hijack Execution Flow : Services File Permissions Weakness",
+ "url": "https://attack.mitre.org/techniques/T1574/010"
+ },
+ {
+ "technique_id": "T1574.011",
+ "technique": "Hijack Execution Flow : Services Registry Permissions Weakness",
+ "url": "https://attack.mitre.org/techniques/T1574/011"
+ },
+ {
+ "technique_id": "T1574.012",
+ "technique": "Hijack Execution Flow : COR_PROFILER",
+ "url": "https://attack.mitre.org/techniques/T1574/012"
+ },
+ {
+ "technique_id": "T1575",
+ "technique": "Native Code",
+ "url": "https://attack.mitre.org/techniques/T1575",
+ "tactic": [
+ "Defense Evasion",
+ "Execution"
+ ]
+ },
+ {
+ "technique_id": "T1576",
+ "technique": "Uninstall Malicious Application",
+ "url": "https://attack.mitre.org/techniques/T1576",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1577",
+ "technique": "Compromise Application Executable",
+ "url": "https://attack.mitre.org/techniques/T1577",
+ "tactic": [
+ "Persistence"
+ ]
+ },
+ {
+ "technique_id": "T1578",
+ "technique": "Modify Cloud Compute Infrastructure",
+ "url": "https://attack.mitre.org/techniques/T1578",
+ "tactic": [
+ "Defense Evasion"
+ ]
+ },
+ {
+ "technique_id": "T1578.001",
+ "technique": "Modify Cloud Compute Infrastructure : Create Snapshot",
+ "url": "https://attack.mitre.org/techniques/T1578/001"
+ },
+ {
+ "technique_id": "T1578.002",
+ "technique": "Modify Cloud Compute Infrastructure : Create Cloud Instance",
+ "url": "https://attack.mitre.org/techniques/T1578/002"
+ },
+ {
+ "technique_id": "T1578.003",
+ "technique": "Modify Cloud Compute Infrastructure : Delete Cloud Instance",
+ "url": "https://attack.mitre.org/techniques/T1578/003"
+ },
+ {
+ "technique_id": "T1578.004",
+ "technique": "Modify Cloud Compute Infrastructure : Revert Cloud Instance",
+ "url": "https://attack.mitre.org/techniques/T1578/004"
+ },
+ {
+ "technique_id": "T1579",
+ "technique": "Keychain",
+ "url": "https://attack.mitre.org/techniques/T1579",
+ "tactic": [
+ "Credential Access"
+ ]
+ }
]
\ No newline at end of file
diff --git a/tools/config/mitre/update_mitre.py b/tools/config/mitre/update_mitre.py
new file mode 100644
index 00000000..176a9239
--- /dev/null
+++ b/tools/config/mitre/update_mitre.py
@@ -0,0 +1,127 @@
+# Updates the Mitre Tactics & Techniques from Mitre CTI Pre, Enterprise & Mobile Attack
+# Copyright 2020 Scott Dermott
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import os
+import json
+import urllib.request
+
+mitre_update_urls = [
+ 'https://raw.githubusercontent.com/mitre/cti/master/pre-attack/pre-attack.json',
+ 'https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json',
+ 'https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json'
+]
+mitre_source_types = list([
+ 'mitre-pre-attack',
+ 'mitre-attack',
+ 'mitre-mobile-attack'
+])
+tactics_list = []
+techniques_list = []
+
+def get_external_id(obj):
+ return obj.get('external_id')
+
+def get_technique_id(obj):
+ return obj.get('technique_id')
+
+def revoked_or_deprecated(entry):
+ if "revoked" in entry.keys() and entry['revoked'] or "x_mitre_deprecated" in entry.keys() and entry['x_mitre_deprecated']:
+ return True
+ return False
+
+for url in mitre_update_urls:
+ with urllib.request.urlopen(url) as cti_json:
+ mitre_json = json.loads(cti_json.read().decode())
+ url_type = url.rsplit('/',1)[1].split('.')[0].title()
+ techniques = []
+ tactics = []
+ tactic_map = {}
+ technique_map = {}
+
+ # Map the tatics
+ for entry in mitre_json['objects']:
+ if not entry['type'] == "x-mitre-tactic" or revoked_or_deprecated(entry):
+ continue
+ for ref in entry['external_references']:
+ if ref['source_name'] in mitre_source_types:
+ tactic_map[entry['x_mitre_shortname']] = entry['name']
+ tactics.append({
+ "external_id": ref['external_id'],
+ "url": ref['url'],
+ "tactic": entry['name']
+ })
+ break
+
+ # Map the techniques
+ for entry in mitre_json['objects']:
+ if not entry['type'] == "attack-pattern" or revoked_or_deprecated(entry):
+ continue
+ if "x_mitre_is_subtechnique" in entry.keys() and entry['x_mitre_is_subtechnique']:
+ continue
+ for ref in entry['external_references']:
+ if ref['source_name'] in mitre_source_types:
+ technique_map[ref['external_id']] = entry['name']
+ sub_tactics = []
+ # Get Mitre Tactics (Kill-Chains)
+ for tactic in entry['kill_chain_phases']:
+ if tactic['kill_chain_name'] in mitre_source_types:
+ # Map the short phase_name to tactic name
+ sub_tactics.append(tactic_map[tactic['phase_name']])
+ techniques.append({
+ "technique_id": ref['external_id'],
+ "technique": entry['name'],
+ "url": ref['url'],
+ "tactic" : sub_tactics
+ })
+ break
+
+ ## Map the sub-techniques
+ for entry in mitre_json['objects']:
+ if not entry['type'] == "attack-pattern" or revoked_or_deprecated(entry):
+ continue
+ if "x_mitre_is_subtechnique" in entry.keys() and entry['x_mitre_is_subtechnique']:
+ for ref in entry['external_references']:
+ if ref['source_name'] in mitre_source_types:
+ sub_technique_id = ref['external_id']
+ sub_technique_name = entry['name']
+ parent_technique_name = technique_map[sub_technique_id.split('.')[0]]
+ sub_technique_name = '{} : {}'.format(parent_technique_name, sub_technique_name)
+ techniques.append({
+ "technique_id": ref['external_id'],
+ "technique": sub_technique_name,
+ "url": ref['url'],
+ })
+ break
+
+ print("Updating from : {}".format(url))
+ print("{} Mitre Bundle ID : {} ".format(url_type, mitre_json['id']))
+ print("{} Tactics : {} ".format(url_type, len(tactic_map)))
+ print("{} Techniques : {} ".format(url_type, len(technique_map)))
+ print("{} Sub-Techniques : {} ".format(url_type, len(techniques) - len(technique_map)))
+ print("-------------------------------------------------")
+ tactics_list.extend(tactics)
+ techniques_list.extend(techniques)
+
+print("Total Mitre Tactics : {} ".format(len(tactics_list)))
+print("Total Mitre Techniques : {} ".format(len(techniques_list)))
+## Create the output files
+with open('tactics.json', 'w') as json_file:
+ tactics_list.sort(key=get_external_id)
+ json.dump(tactics_list, json_file, sort_keys=False, indent=2)
+
+with open('techniques.json', 'w') as json_file:
+ techniques_list.sort(key=get_technique_id)
+ json.dump(techniques_list, json_file, sort_keys=False, indent=2)
\ No newline at end of file
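Review bot: The three CTI bundles are fetched from the mutable `master` ref of mitre/cti with no pinning, integrity check or timeout, so every run regenerates tactics.json/techniques.json from whatever upstream serves at that moment and a stalled connection blocks the update forever; pinning the URLs to a tagged release or commit and bounding the fetch with `with urllib.request.urlopen(url, timeout=60) as cti_json:` would make the output reproducible and the script robust. The sub-technique pass raises KeyError at `technique_map[sub_technique_id.split('.')[0]]` whenever a parent technique is revoked or deprecated while one of its sub-techniques is not, because the parent pass skipped it; a `technique_map.get(...)` with an explicit skip-and-warn avoids aborting the whole run. The same failure mode exists at `tactic_map[tactic['phase_name']]` when a kill-chain phase names a tactic the first pass filtered out.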
diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml
index 8464ade0..e7bf8ae9 100644
--- a/tools/config/powershell-windows-all.yml
+++ b/tools/config/powershell-windows-all.yml
@@ -60,3 +60,12 @@ logsources:
service: ntlm
conditions:
LogName: 'Microsoft-Windows-NTLM/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ LogName:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 5cb0ea75..e116f0cd 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -69,3 +69,17 @@ logsources:
service: dhcp
conditions:
LogName: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ LogName: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ LogName:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index f1373489..3c298599 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -70,5 +70,14 @@ logsources:
service: dhcp
conditions:
source: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ source:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
fieldmappings:
EventID: EventCode
diff --git a/tools/config/splunk-zeek.yml b/tools/config/splunk-zeek.yml
index fbb6e679..1cefcca7 100644
--- a/tools/config/splunk-zeek.yml
+++ b/tools/config/splunk-zeek.yml
@@ -466,4 +466,4 @@ fieldmappings:
- query
- server_name
source.ip: id.orig_h
- source.port: id.orig_p
\ No newline at end of file
+ source.port: id.orig_p
diff --git a/tools/config/stix-linux.yml b/tools/config/stix-linux.yml
new file mode 100644
index 00000000..3bab2072
--- /dev/null
+++ b/tools/config/stix-linux.yml
@@ -0,0 +1,36 @@
+title: STIX for Linux Logs
+backends:
+ - stix
+order: 40
+logsources:
+ linux:
+ product: linux
+fieldmappings:
+ type:
+ - x-event:action
+ keywords:
+ - artifact:payload_bin
+ a0:
+ - process:command_line
+ a1:
+ - process:command_line
+ name:
+ - file:name
+ a3:
+ - process:command_line
+ key:
+ - x-sigma:keywords
+ exe:
+ - file:name
+ a2:
+ - process:command_line
+ SYSCALL:
+ - x-event:action
+ pam_message:
+ - x-event:action
+ pam_user:
+ - user-account:user_id
+ pam_rhost:
+ - x-host:name
+ USER:
+ - user-account:user_id
\ No newline at end of file
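Review bot: The new file ends without a trailing newline, the very thing this commit fixes for splunk-zeek.yml; the same applies to the new stix-windows.yml. The auditd argument keys `a0`, `a1`, `a3` and `a2` are interleaved with `name`, `key` and `exe`, so grouping them in order (`a0` through `a3`, then the file fields, then the `pam_*` fields) would make the mapping easier to scan and diff.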
diff --git a/tools/config/stix-qradar.yml b/tools/config/stix-qradar.yml
new file mode 100644
index 00000000..cd78c190
--- /dev/null
+++ b/tools/config/stix-qradar.yml
@@ -0,0 +1,51 @@
+title: STIX for QRadar
+backends:
+ - stix
+order: 30
+fieldmappings:
+ categoryid:
+ - x-ibm-ariel:category_id
+ categoryname:
+ - x-ibm-ariel:category_name
+ credescription:
+ - x-ibm-finding:description
+ Description:
+ - x-ibm-finding:description
+ credibility:
+ - x-ibm-ariel:credibility
+ crename:
+ - x-ibm-finding:name
+ devicetype:
+ - x-ibm-ariel:device_type
+ Device:
+ - x-ibm-ariel:device_type
+ direction:
+ - x-ibm-ariel:direction
+ domainid:
+ - x-ibm-ariel:domain_id
+ geographic:
+ - x-ibm-ariel:geographic
+ high_level_category_id:
+ - x-ibm-ariel:high_level_category_id
+ high_level_category_name:
+ - x-ibm-ariel:high_level_category_name
+ identityhostname:
+ - x-ibm-ariel:identity_host_name
+ logsourceid:
+ - x-ibm-ariel:log_source_id
+ logsourcename:
+ - x-ibm-ariel:log_source_name
+ logsourcetypename:
+ - x-ibm-ariel:log_source_type_name
+ magnitude:
+ - x-ibm-ariel:magnitude
+ qid:
+ - x-ibm-ariel:qid
+ qidname:
+ - x-ibm-ariel:event_name
+ relevance:
+ - x-ibm-ariel:relevance
+ rulenames:
+ - x-ibm-ariel:rule_names[*]
+ severity:
+ - x-ibm-ariel:severity
diff --git a/tools/config/stix-windows.yml b/tools/config/stix-windows.yml
new file mode 100644
index 00000000..6a9de243
--- /dev/null
+++ b/tools/config/stix-windows.yml
@@ -0,0 +1,269 @@
+title: STIX for Windows Logs
+backends:
+ - stix
+order: 40
+logsources:
+ windows:
+ product: windows
+fieldmappings:
+ AccessMask:
+ - x-windows:accessmask
+ Accesses:
+ - x-windows:accesses
+ AccountDomain:
+ - user-account:x_domain
+ AccountID:
+ - user-account:user_id
+ AccountName:
+ - user-account:account_login
+ - user-account:display_name
+ AccountSecurityID:
+ - user-account:x_security_id
+ CallTrace:
+ - x-windows:calltrace
+ ClientIP:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ ComputerName:
+ - x-host:name
+ Description:
+ - x-event:action
+ DestinationIsIpv6:
+ - x-windows:destisipv6
+ DestinationHostname:
+ - network-traffic:dst_ref.value
+ Device:
+ - file:name
+ ErrorCode:
+ - x-error:code
+ Event-ID:
+ - x-event:id
+ - x-event:code
+ EventID:
+ - x-event:id
+ - x-event:code
+ Event_ID:
+ - x-event:id
+ - x-event:code
+ EventType:
+ - x-event:action
+ ExtendedErrorCode:
+ - x-error:code
+ - x-error:id
+ FileDirectory:
+ - directory:path
+ FileExtension:
+ - file:x_extension
+ FileHash:
+ - file:hashes.SHA-256
+ - file:hashes.MD5
+ - file:hashes.SHA-1
+ FilePath:
+ - file:name
+ Filename:
+ - file:name
+ GrantedAccess:
+ - x-windows:grantedaccess
+ GroupDomain:
+ - x-group:domain
+ GroupID:
+ - x-group:id
+ GroupName:
+ - x-group:name
+ GroupSecurityID:
+ - x-group:security_id
+ HomeDirectory:
+ - directory:path
+ IMPHash:
+ - x-windows:imphash
+ Imphash:
+ - x-windows:imphash
+ Image:
+ - process:image_ref.name
+ ImageLoadedTempPath:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path
+ ImageName:
+ - process:image_ref.name
+ ImagePath:
+ - process:image_ref.name
+ ImageTempPath:
+ - process:image_ref.x_temp_path
+ InitiatedConnection:
+ - x-windows:initiatedconnection
+ Initiated:
+ - x-windows:initiatedconnection
+ InitiatorUserName:
+ - user-account:user_id
+ - user-account:account_login
+ IntegrityLevel:
+ - x-windows:integritylevel
+ LoadedImage:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ LoadedImageName:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ LogonType:
+ - x-windows:logontype
+ MD5Hash:
+ - file:hashes.MD5
+ Message:
+ - x-event:original
+ NewName:
+ - windows-registry-key:key
+ ObjectName:
+ - x-windows:objectname
+ ObjectType:
+ - x-windows:objecttype
+ ParentCommandLine:
+ - process:parent_ref.command_line
+ ParentImage:
+ - process:parent_ref.image_ref.name
+ ParentImageName:
+ - process:parent_ref.image_ref.name
+ ParentProcessGuid:
+ - process:parent_ref.x_guid
+ ParentProcessName:
+ - process:parent_ref.image_ref.name
+ ParentProcessPath:
+ - process:parent_ref.image_ref.name
+ PipeName:
+ - x-windows:pipename
+ ProcessCommandLine:
+ - process:command_line
+ Command:
+ - process:command_line
+ CommandLine:
+ - process:command_line
+ ProcessGuid:
+ - process:x_guid
+ ProcessId:
+ - process:pid
+ ProcessName:
+ - process:image_ref.name
+ ProcessPath:
+ - process:image_ref.name
+ QueryName:
+ - x-windows:queryname
+ QueryResults:
+ - x-windows:queryresults
+ QueryStatus:
+ - x-windows:querystatus
+ RegistryKey:
+ - windows-registry-key:key
+ RegistryValueData:
+ - windows-registry-key:values[*].data
+ RegistryValueName:
+ - windows-registry-key:values[*].name
+ SAMAccountName:
+ - user-account:account_login
+ - user-account:display_name
+ SHA1Hash:
+ - file:hashes.SHA-1
+ SHA256Hash:
+ - file:hashes.SHA-256
+ ServiceFileName:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ ServiceName:
+ - process:extensions.'windows-service-ext'.service_name
+ ShareName:
+ - x-windows:sharename
+ SharePath:
+ - x-windows:sharepath
+ Signature:
+ - x-windows:signature
+ SignatureStatus:
+ - x-windows:signaturestatus
+ Signed:
+ - x-windows:signed
+ SourceImage:
+ - x-windows:sourceimage
+ SourceImageTempPath:
+ - x-windows:sourceimagetemppath
+ SourceWorkstation:
+ - x-windows:sourceworkstation
+ StartAddress:
+ - x-windows:startaddress
+ StartFunction:
+ - x-windows:startfunction
+ StartModule:
+ - x-windows:startmodule
+ TargetAccountSecurityID:
+ - x-windows:targetaccountsecurityid
+ TargetComputerDomain:
+ - x-windows:targetcomputerdomain
+ TargetComputerName:
+ - x-windows:targetcomputername
+ TargetDetails:
+ - x-windows:targetdetails
+ Details:
+ - windows-registry-key:values[*].data
+ - x-event:original
+ TargetFilename:
+ - file:name
+ TargetImage:
+ - x-windows:targetimage
+ TargetImageName:
+ - x-windows:targetimagename
+ TargetObject:
+ - windows-registry-key:key
+ TargetProcessGuid:
+ - x-windows:targetprocessguid
+ TargetProcessAddress:
+ - x-windows:startaddress
+ TargetUserDomain:
+ - x-windows:targetuserdomain
+ TargetUserName:
+ - x-windows:targetusername
+ TaskName:
+ - x-windows:taskname
+ TicketEncryptionType:
+ - x-windows:ticketencryptiontype
+ User:
+ - user-account:user_id
+ UserDomain:
+ - user-account:x_domain
+ event-id:
+ - x-event:id
+ eventId:
+ - x-event:id
+ event_data.FileName:
+ - file:name
+ event_data.Image:
+ - process:image_ref.name
+ event_data.ImageLoaded:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ ImageLoaded:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ event_data.ImagePath:
+ - process:image_ref.name
+ event_data.ParentCommandLine:
+ - process:parent_ref.command_line
+ event_data.ParentImage:
+ - process:parent_ref.image_ref.name
+ event_data.ParentProcessName:
+ - process:parent_ref.image_ref.name
+ event_data.PipeName:
+ - x-windows:pipename
+ event_data.ServiceFileName:
+ - process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ event_data.ShareName:
+ - x-windows:sharename
+ event_data.Signature:
+ - x-windows:signature
+ event_data.SourceImage:
+ - x-windows:sourceimage
+ event_data.StartModule:
+ - x-windows:startmodule
+ event_data.SubjectUserName:
+ - user-account:user_id
+ - user-account:account_login
+ event_data.TargetFilename:
+ - file:name
+ event_data.TargetImage:
+ - x-windows:targetimage
+ event_data.User:
+ - user-account:user_id
+ event_id:
+ - x-event:id
+ eventid:
+ - x-event:id
\ No newline at end of file
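Review bot: The seven spellings of the event id field are mapped inconsistently: `Event-ID`, `EventID` and `Event_ID` map to both `x-event:id` and `x-event:code`, while `event-id`, `eventId`, `event_id` and `eventid` map only to `x-event:id`, so a rule translated through one of the lowercase spellings produces a narrower STIX pattern than the same rule written with the uppercase form. Either add `- x-event:code` under the four lowercase keys or drop it from the three uppercase ones so every spelling behaves the same. `TargetProcessAddress` is mapped to `x-windows:startaddress`, the same path as `StartAddress`; if that reuse is intentional, a comment such as `# TargetProcessAddress deliberately shares the StartAddress path` would keep a later reader from "fixing" it. The file also ends without a trailing newline, which this commit fixes elsewhere for splunk-zeek.yml.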
diff --git a/tools/config/stix.yml b/tools/config/stix.yml
new file mode 100644
index 00000000..88b37fba
--- /dev/null
+++ b/tools/config/stix.yml
@@ -0,0 +1,175 @@
+title: Basic STIX
+backends:
+ - stix
+order: 20
+fieldmappings:
+ action:
+ - x-event:action
+ User:
+ - user-account:user_id
+ c-ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ cs-ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ destinationip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ destinationmac:
+ - mac-addr:value
+ - network-traffic:dst_ref.value
+ destinationport:
+ - network-traffic:dst_port
+ dst_port:
+ - network-traffic:dst_port
+ domainname:
+ - domain-name:value
+ dst:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ dst_ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ endtime:
+ - network-traffic:end
+ event_data.DestinationIp:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ DestinationIp:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:dst_ref.value
+ event_data.DestinationPort:
+ - network-traffic:dst_port
+ DestinationPort:
+ - network-traffic:dst_port
+ destination.port:
+ - network-traffic:dst_port
+ event_data.SubjectUserName:
+ - user-account:user_id
+ event_data.User:
+ - user-account:user_id
+ filehash:
+ - file:hashes.SHA-256
+ - file:hashes.MD5
+ - file:hashes.SHA-1
+ filename:
+ - file:name
+ filepath:
+ - file:parent_directory_ref
+ - directory:path
+ identityip:
+ - ipv4-addr:value
+ protocolid:
+ - network-traffic:protocols[*]
+ sourceip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ sourcemac:
+ - mac-addr:value
+ - network-traffic:src_ref.value
+ sourceport:
+ - network-traffic:src_port
+ SourcePort:
+ - network-traffic:src_port
+ src:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ src_ip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ starttime:
+ - network-traffic:start
+ url:
+ - url:value
+ user:
+ - user-account:user_id
+ username:
+ - user-account:user_id
+ utf8_payload:
+ - artifact:payload_bin
+
+ # Web + Proxy mapping
+ c-uri:
+ - network-traffic:extensions.'http-request-ext'.request_value
+ - url:value
+ c-uri-query:
+ - network-traffic:extensions.'http-request-ext'.request_value
+ - url:value
+ c-uri-stem:
+ - network-traffic:extensions.'http-request-ext'.request_value
+ - url:value
+ keywords:
+ - artifact:payload_bin
+ cs-method:
+ - network-traffic:extensions.'http-request-ext'.request_method
+ sc-status:
+ - x-web:status_code
+ clientip:
+ - ipv4-addr:value
+ - ipv6-addr:value
+ - network-traffic:src_ref.value
+ c-useragent:
+ - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent'
+ r-dns:
+ - domain-name:value
+ - url:value
+ - x-dns:query
+ cs-host:
+ - x-host:name
+ - domain-name:value
+ cs-cookie:
+ - network-traffic:extensions.'http-request-ext'.request_header.Cookie
+ query:
+ - domain-name:value
+ - url:value
+ - x-dns:query
+ record_type:
+ - x-dns:record_type
+ operation:
+ - x-event:action
+
+ # Compliance mapping
+ event.category:
+ - x-event:action
+ host.scan.vuln_name:
+ - vulnerability:name
+ host.scan.vuln:
+ - vulnerability:external_references[*].external_id
+
+ # Cloud mapping
+ eventSource:
+ - x-host:name
+ eventName:
+ - x-event:action
+ requestParameters.attribute:
+ - x-cloud:request_parameters
+ responseElements.publiclyAccessible:
+ - x-cloud:publicly_accessible
+ errorMessage:
+ - x-error:message
+ errorCode:
+ - x-error:code
+ responseElements:
+ - x-cloud:response_elements
+ requestParameters.userData:
+ - x-cloud:request_parameters
+ userIdentity.type:
+ - user-account:account_login
+ eventType:
+ - x-event:action
+ userIdentity.arn:
+ - user-account:account_login
+ - user-account:display_name
+ responseElements.pendingModifiedValues.masterUserPassword:
+ - user-account:credential
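Review bot: `filepath` maps to `file:parent_directory_ref`, which in a STIX pattern names an object reference rather than a string property, so a comparison against a path value is unlikely to match as intended; the path is a property of the referenced directory object, i.e. `- file:parent_directory_ref.path`, and the sibling `directory:path` entry already covers the direct form. Several keys in this file also map onto custom `x-` objects (`x-event`, `x-cloud`, `x-error`, `x-web`, `x-dns`, `x-host`), which only resolve against a consumer that defines those extensions, so a short header comment above `fieldmappings:` saying where those custom objects are specified would save the next maintainer a search. Both points are about the new file's content; nothing here is inferred beyond the visible mappings.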
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index 09e83fbb..27355be0 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -57,6 +57,11 @@ logsources:
conditions:
EventChannel: Microsoft-Windows-DHCP-Server
index: WINDOWS
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ EventChannel: 'Microsoft-Windows-NTLM/Operational'
apache:
product: apache
service: apache
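Review bot: The new `windows-ntlm` logsource sets only `EventChannel`, while the neighbouring Windows entry (visible context just above it) also carries `index: WINDOWS`; if the other Windows logsources in this file all pin the index, this one presumably should too, otherwise NTLM rules will be generated without the index restriction. Suggested addition beneath the `EventChannel` line, at the same level the DHCP entry uses: `index: WINDOWS`. The enclosing `logsources:` mapping starts outside the hunk.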
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 7cfe5299..37163f42 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -41,6 +41,11 @@ logsources:
service: system
sources:
- 'WinEventLog:System'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ sources:
+ - 'WinEventLog:Microsoft-Windows-NTLM/Operational'
windows-sysmon:
product: windows
service: sysmon
@@ -66,6 +71,15 @@ logsources:
service: dhcp
sources:
- 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ sources:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
apache:
category: webserver
sources:
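Review bot: The new `windows-applocker` entry has a bare `conditions:` key with no value directly above `sources:`; none of the sibling entries in this file (`windows-ntlm` in the first hunk, the DHCP entry in this one) use `conditions:`, they put `sources:` straight under the logsource. Depending on indentation this either yields a null `conditions` key or nests `sources` under `conditions`, and in the latter case the backend would not find the channel list where the other entries place it. The fix is to delete the `conditions:` line so the block reads `service: applocker` followed by `sources:`.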
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 01a63a59..4009a9bd 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -3,11 +3,13 @@ order: 20
backends:
- es-qs
- es-dsl
+ - es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
- elasticsearch-rule
+ - ee-outliers
logsources:
windows:
product: windows
@@ -42,6 +44,25 @@ logsources:
service: dhcp
conditions:
winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ winlog.provider_name: 'Microsoft-Windows-NTLM/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ winlog.channel:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
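Review bot: The new `windows-ntlm` entry keys on `winlog.provider_name` with the value `'Microsoft-Windows-NTLM/Operational'`, while the `windows-defender` and `windows-applocker` entries added in the same hunk key on `winlog.channel`, and the `winlogbeat.yml` hunk later in this diff uses `winlog.channel` for the identical NTLM value. A `…/Operational` suffix is the form of an event log channel name rather than a provider name, so the NTLM condition here is unlikely to match; `winlog.channel: 'Microsoft-Windows-NTLM/Operational'` would bring it in line with the other two entries. The same question applies to the retained DHCP context line above it, which this commit leaves on `winlog.provider_name` in this file but switches to `winlog.channel` in `winlogbeat.yml`.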
@@ -106,6 +127,7 @@ fieldmappings:
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: process.executable
Properties: winlog.event_data.Properties
+ RuleName: winlog.event_data.RuleName
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
@@ -146,4 +168,4 @@ fieldmappings:
OnexEnabled: winlog.event_data.OnexEnabled
PHYType: winlog.event_data.PHYType
ProfileName: winlog.event_data.ProfileName
- SSID: winlog.event_data.SSID
\ No newline at end of file
+ SSID: winlog.event_data.SSID
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 3cfe76bb..f60c49b8 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -3,10 +3,12 @@ order: 20
backends:
- es-qs
- es-dsl
+ - es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
+ - ee-outliers
logsources:
windows:
product: windows
@@ -35,12 +37,31 @@ logsources:
product: windows
service: driver-framework
conditions:
- source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
- source: 'Microsoft-Windows-DHCP-Server/Operational'
+ log_name: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ log_name: 'Microsoft-Windows-NTLM/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ log_name: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ log_name:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
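Review bot: The condition key is renamed from `source` to `log_name` for `driver-framework` and `dhcp`, and the three new entries use `log_name` as well, but the Windows logsources that precede this hunk in the file are not visible here, so it is worth confirming they were migrated too — a file that mixes `source` and `log_name` would only filter some services correctly. A one-line comment above the first `log_name` use saying which winlogbeat field layout this "old" config targets would also make the rename self-explaining. The enclosing `logsources:` mapping starts before the hunk.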
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index ff5a0d6d..3bc1824e 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -3,10 +3,12 @@ order: 20
backends:
- es-qs
- es-dsl
+ - es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
+ - ee-outliers
logsources:
windows:
product: windows
@@ -35,12 +37,31 @@ logsources:
product: windows
service: driver-framework
conditions:
- winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
- winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
+ winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-ntlm:
+ product: windows
+ service: ntlm
+ conditions:
+ winlog.channel: 'Microsoft-Windows-NTLM/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
+ windows-applocker:
+ product: windows
+ service: applocker
+ conditions:
+ winlog.channel:
+ - 'Microsoft-Windows-AppLocker/MSI and Script'
+ - 'Microsoft-Windows-AppLocker/EXE and DLL'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+ - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
@@ -98,6 +119,7 @@ fieldmappings:
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
Properties: winlog.event_data.Properties
+ RuleName: winlog.event_data.RuleName
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
@@ -107,6 +129,8 @@ fieldmappings:
SourceImage: winlog.event_data.SourceImage
SourceIp: winlog.event_data.SourceIp
src_ip: winlog.event_data.SourceIp
+ SourcePort: winlog.event_data.SourcePort
+ src_port: winlog.event_data.SourcePort
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
diff --git a/tools/merge_sigma b/tools/merge_sigma
index e043a35c..4bbf3cb3 100755
--- a/tools/merge_sigma
+++ b/tools/merge_sigma
@@ -1,38 +1,5 @@
#!/usr/bin/env python3
-# Merge a Sigma rule collection into full Sigma rules
-# Copyright 2017 Thomas Patzke
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
+from sigma.merge_sigma import main
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Lesser General Public License for more details.
-
-# You should have received a copy of the GNU Lesser General Public License
-# along with this program. If not, see .
-
-import sys
-import argparse
-import yaml
-
-from sigma.parser.collection import SigmaCollectionParser
-
-argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")
-argparser.add_argument("input", help="Sigma input file")
-cmdargs = argparser.parse_args()
-
-try:
- f = open(cmdargs.input, "r")
-except IOError as e:
- print("Error while opening input file: %s" % str(e), file=sys.stderr)
- sys.exit(1)
-
-content = "".join(f.readlines())
-f.close()
-sc = SigmaCollectionParser(content)
-
-print(yaml.dump_all(sc, default_flow_style=False))
+main()
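Review bot: `main()` is now invoked unconditionally at module import, which is fine for a launcher script but means importing this file for any other reason runs the CLI; the conventional form is `if __name__ == "__main__":` followed by `    main()`. The commit also drops the licence header while keeping the shebang, so the file no longer states its terms on its own; a one-line `# See sigma.merge_sigma for the implementation and licence.` comment would cover that.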
diff --git a/tools/requirements-devel.txt b/tools/requirements-devel.txt
index a946d533..3665b6ee 100644
--- a/tools/requirements-devel.txt
+++ b/tools/requirements-devel.txt
@@ -1,9 +1,10 @@
-coverage>=4.4.1
-PyYAML>=3.11
-yamllint>=1.10.0
-elasticsearch
-elasticsearch-async
+coverage~=5.0
+yamllint~=1.21
+elasticsearch~=7.6
+elasticsearch-async~=6.2
setuptools
wheel
-pymisp
-pytest
+pytest~=5.4
+colorama
+stix2
+attackcti
\ No newline at end of file
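Review bot: The three newly added dependencies `colorama`, `stix2` and `attackcti` carry no version constraint, whereas every other changed line in this hunk was deliberately moved to a compatible-release pin (`~=`); unpinned entries are the ones most likely to drift and break the test job without a code change. Suggest pinning them in the same style, e.g. `stix2~=<version used in CI>`, once the versions the tests were run against are known. The file also still ends without a trailing newline.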
diff --git a/tools/requirements-misp.txt b/tools/requirements-misp.txt
deleted file mode 100644
index 3529f881..00000000
--- a/tools/requirements-misp.txt
+++ /dev/null
@@ -1 +0,0 @@
-pymisp
diff --git a/tools/requirements.txt b/tools/requirements.txt
index c3c4fc71..3debba0b 100644
--- a/tools/requirements.txt
+++ b/tools/requirements.txt
@@ -1 +1,5 @@
-PyYAML>=3.11
+pyyaml>=4.2b1
+requests~=2.23
+urllib3~=1.25
+progressbar2~=3.47
+pymisp~=2.4.123
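Review bot: `pyyaml>=4.2b1` uses a pre-release as its floor; because the specifier itself names a pre-release, pip will consider PyYAML pre-releases acceptable for this requirement, and as far as I know no final 4.2 was ever published, so the effective floor is the first later stable release anyway. Stating that stable floor directly, e.g. `pyyaml>=5.1`, avoids resolving to a beta and matches the `~=`-style pinning used on the other four lines. The reason for raising the floor (a loader-safety change in PyYAML) is worth a short comment in the file so nobody lowers it again.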
diff --git a/tools/setup.py b/tools/setup.py
index b9d37db1..2fe63655 100644
--- a/tools/setup.py
+++ b/tools/setup.py
@@ -4,6 +4,7 @@ from setuptools import setup, find_packages
# To use a consistent encoding
from codecs import open
from os import path
+from pathlib import Path
here = path.abspath(path.dirname(__file__))
@@ -13,7 +14,7 @@ with open(path.join(here, 'README.md'), encoding='utf-8') as f:
setup(
name='sigmatools',
- version='0.15.0',
+ version='0.17.0',
description='Tools for the Generic Signature Format for SIEM Systems',
long_description=long_description,
long_description_content_type="text/markdown",
@@ -22,7 +23,7 @@ setup(
author_email='thomas@patzke.org',
license='LGPLv3',
classifiers=[
- 'Development Status :: 4 - Beta',
+ 'Development Status :: 5 - Production/Stable',
'Intended Audience :: Developers',
'Intended Audience :: Information Technology',
'Intended Audience :: System Administrators',
@@ -31,6 +32,7 @@ setup(
'License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)',
'Programming Language :: Python :: 3.6',
'Programming Language :: Python :: 3.7',
+ 'Programming Language :: Python :: 3.8',
'Environment :: Console',
],
keywords='security monitoring siem logging signatures elasticsearch splunk ids sysmon',
@@ -47,37 +49,16 @@ setup(
'test': ['coverage', 'yamllint'],
},
data_files=[
- ('etc/sigma', [
- 'config/sumologic.yml',
- 'config/logstash-defaultindex.yml',
- 'config/powershell.yml',
- 'config/logstash-windows.yml',
- 'config/splunk-windows.yml',
- 'config/splunk-windows-index.yml',
- 'config/netwitness.yml',
- 'config/arcsight.yml',
- 'config/qualys.yml',
- 'config/logstash-linux.yml',
- 'config/thor.yml',
- 'config/filebeat-defaultindex.yml',
- 'config/logpoint-windows.yml',
- 'config/helk.yml',
- 'config/qradar.yml',
- 'config/winlogbeat-modules-enabled.yml',
- 'config/winlogbeat.yml',
- 'config/winlogbeat-old.yml',
- 'config/ecs-proxy.yml',
- 'config/limacharlie.yml',
- ]),
- ('etc/sigma/generic', [
- 'config/generic/sysmon.yml',
- 'config/generic/windows-audit.yml',
- ])],
- scripts=[
- 'sigmac',
- 'merge_sigma',
- 'sigma2misp',
- 'sigma-similarity',
- 'sigma-uuid',
- ]
+ ('etc/sigma', [ str(p) for p in Path('config/').glob('*.yml') ]),
+ ('etc/sigma/generic', [ str(p) for p in Path('config/generic/').glob('*.yml') ])],
+ entry_points={
+ 'console_scripts': [
+ 'sigmac = sigma.sigmac:main',
+ 'merge_sigma = sigma.merge_sigma:main',
+ 'sigma2misp = sigma.sigma2misp:main',
+ 'sigma2attack = sigma.sigma2attack:main',
+ 'sigma_similarity = sigma.sigma_similarity:main',
+ 'sigma_uuid = sigma.sigma_uuid:main',
+ ],
+ },
)
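Review bot: `Path('config/').glob('*.yml')` is resolved against the current working directory rather than the `here` directory computed at the top of the file, and `glob` returns entries in filesystem order, so `data_files` differs between invocations and is empty when setup.py is run from another directory. Anchoring on `here` and sorting fixes both: `('etc/sigma', sorted(path.relpath(p, here) for p in Path(here, 'config').glob('*.yml'))),` and `('etc/sigma/generic', sorted(path.relpath(p, here) for p in Path(here, 'config', 'generic').glob('*.yml')))],`. Note also that the glob ships every `.yml` in those directories, which the previous explicit list did not necessarily do, so any working or example configs in `config/` will now be installed.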
diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py
index e3f1fd9f..3bbbec54 100644
--- a/tools/sigma/backends/ala.py
+++ b/tools/sigma/backends/ala.py
@@ -33,29 +33,7 @@ from sigma.parser.modifiers.transform import SigmaContainsModifier, SigmaStartsw
from .data import sysmon_schema
from .exceptions import NotSupportedError
-class DeepFieldMappingMixin(object):
-
- def fieldNameMapping(self, fieldname, value):
- if isinstance(fieldname, str):
- get_config = self.sigmaconfig.fieldmappings.get(fieldname)
- if not get_config and '|' in fieldname:
- fieldname = fieldname.split('|', 1)[0]
- get_config = self.sigmaconfig.fieldmappings.get(fieldname)
- if isinstance(get_config, ConditionalFieldMapping):
- condition = self.sigmaconfig.fieldmappings.get(fieldname).conditions
- for key, item in self.logsource.items():
- if condition.get(key) and condition.get(key, {}).get(item):
- new_fieldname = condition.get(key, {}).get(item)
- if any(new_fieldname):
- return super().fieldNameMapping(new_fieldname[0], value)
- return super().fieldNameMapping(fieldname, value)
-
-
- def generate(self, sigmaparser):
- self.logsource = sigmaparser.parsedyaml.get("logsource", {})
- return super().generate(sigmaparser)
-
-class AzureLogAnalyticsBackend(DeepFieldMappingMixin, SingleTextQueryBackend):
+class AzureLogAnalyticsBackend(SingleTextQueryBackend):
"""Converts Sigma rule into Azure Log Analytics Queries."""
identifier = "ala"
active = True
@@ -111,10 +89,6 @@ class AzureLogAnalyticsBackend(DeepFieldMappingMixin, SingleTextQueryBackend):
else:
self._field_map = {}
- def id_mapping(self, src):
- """Identity mapping, source == target field name"""
- return src
-
def map_sysmon_schema(self, eventid):
schema_keys = []
try:
@@ -154,14 +128,9 @@ class AzureLogAnalyticsBackend(DeepFieldMappingMixin, SingleTextQueryBackend):
def generate(self, sigmaparser):
self.table = None
- try:
- self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
- self.product = sigmaparser.parsedyaml['logsource'].setdefault('product', None)
- self.service = sigmaparser.parsedyaml['logsource'].setdefault('service', None)
- except KeyError:
- self.category = None
- self.product = None
- self.service = None
+ self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
+ self.product = sigmaparser.parsedyaml['logsource'].setdefault('product', None)
+ self.service = sigmaparser.parsedyaml['logsource'].setdefault('service', None)
detection = sigmaparser.parsedyaml.get("detection", {})
if "keywords" in detection.keys():
@@ -324,36 +293,6 @@ class AzureLogAnalyticsBackend(DeepFieldMappingMixin, SingleTextQueryBackend):
)
)
- def generateAfter(self, parsed):
- del parsed
- if self._fields:
- all_fields = list(self._fields)
- if self._agg_var:
- all_fields = set(all_fields + [self._agg_var])
- project_fields = self._map_fields(all_fields)
- project_list = ", ".join(str(fld) for fld in set(project_fields))
- return " | project " + project_list
- return ""
-
- def _map_fields(self, fields):
- for field in fields:
- mapped_field = self._map_field(field)
- if isinstance(mapped_field, str):
- yield mapped_field
- elif isinstance(mapped_field, list):
- for subfield in mapped_field:
- yield subfield
-
- def _map_field(self, fieldname):
- mapping = self.sigmaconfig.fieldmappings.get(fieldname)
- if isinstance(mapping, ConditionalFieldMapping):
- fieldname = self._map_conditional_field(fieldname)
- elif isinstance(mapping, MultiFieldMapping):
- fieldname = mapping.resolve_fieldname(fieldname, self._parser)
- elif isinstance(mapping, SimpleFieldMapping):
- fieldname = mapping.resolve_fieldname(fieldname, self._parser)
- return fieldname
-
def _map_conditional_field(self, fieldname):
mapping = self.sigmaconfig.fieldmappings.get(fieldname)
# if there is a conditional mapping for this fieldname
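Review bot: `_map_conditional_field` is retained while `_map_field`, its only caller visible in this hunk, is removed along with `generateAfter` and `_map_fields`; unless it is called from elsewhere in the class, it is now dead code and should go with the rest. If it is still referenced, a one-line comment above it naming the caller would make that clear. The method body continues past the end of the hunk.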
diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py
index 40a5ef36..1ef7e175 100644
--- a/tools/sigma/backends/base.py
+++ b/tools/sigma/backends/base.py
@@ -18,6 +18,7 @@ import sys
import sigma
import yaml
+import re
from sigma.backends.exceptions import NotSupportedError
from .mixins import RulenameCommentMixin, QuoteCharMixin
@@ -91,6 +92,7 @@ class BaseBackend:
options = tuple() # a list of tuples with following elements: option name, default value, help text, target attribute name (option name if None)
config_required = True
default_config = None
+ mapExpression = ""
def __init__(self, sigmaconfig, backend_options=dict()):
"""
@@ -131,29 +133,48 @@ class BaseBackend:
result = self.generateNode(parsed.parsedSearch)
if parsed.parsedAgg:
result += self.generateAggregation(parsed.parsedAgg)
+ #result = self.applyOverrides(result)
return result
+ def applyOverrides(self, query):
+ try:
+ if 'overrides' in self.sigmaconfig.config and isinstance(query, str):
+ for expression in self.sigmaconfig.config['overrides']:
+ if 'regexes' in expression:
+ for x in expression['regexes']:
+ sub = expression['field']
+ value = expression['value']
+ query = re.sub(x, self.mapExpression % (sub, value), query)
+ if 'literals' in expression:
+ for x in expression['literals']:
+ sub = expression['field']
+ value = expression['value']
+ query = query.replace(x, self.mapExpression % (sub, value))
+ except Exception:
+ pass
+ return query
+
def generateNode(self, node):
if type(node) == sigma.parser.condition.ConditionAND:
- return self.generateANDNode(node)
+ return self.applyOverrides(self.generateANDNode(node))
elif type(node) == sigma.parser.condition.ConditionOR:
- return self.generateORNode(node)
+ return self.applyOverrides(self.generateORNode(node))
elif type(node) == sigma.parser.condition.ConditionNOT:
- return self.generateNOTNode(node)
+ return self.applyOverrides(self.generateNOTNode(node))
elif type(node) == sigma.parser.condition.ConditionNULLValue:
- return self.generateNULLValueNode(node)
+ return self.applyOverrides(self.generateNULLValueNode(node))
elif type(node) == sigma.parser.condition.ConditionNotNULLValue:
- return self.generateNotNULLValueNode(node)
+ return self.applyOverrides(self.generateNotNULLValueNode(node))
elif type(node) == sigma.parser.condition.NodeSubexpression:
- return self.generateSubexpressionNode(node)
+ return self.applyOverrides(self.generateSubexpressionNode(node))
elif type(node) == tuple:
- return self.generateMapItemNode(node)
+ return self.applyOverrides(self.generateMapItemNode(node))
elif type(node) in (str, int):
- return self.generateValueNode(node)
+ return self.applyOverrides(self.generateValueNode(node))
elif type(node) == list:
- return self.generateListNode(node)
+ return self.applyOverrides(self.generateListNode(node))
elif isinstance(node, SigmaTypeModifier):
- return self.generateTypedValueNode(node)
+ return self.applyOverrides(self.generateTypedValueNode(node))
else:
raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))
@@ -307,34 +328,3 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
transformed from the original name given in the Sigma rule.
"""
return fieldname
-
-class CorelightQueryBackend:
-
- def generate(self, sigmaparser):
- lgs = sigmaparser.parsedyaml.get("logsource")
- allow_types = {
- 'category':
- [
- 'proxy', 'firewall', 'webserver', 'accounting', 'dns'
- ],
- 'product':
- [
- 'zeek', 'apache', 'netflow', 'firewall'
- ],
- 'service': [
- 'radius', 'kerberos', 'pe', 'ntlm', 'sip', 'syslog', 'ntp',
- 'mqtt_subscribe', 'smb_files', 'irc', 'http2', 'rfb',
- 'tunnel', 'socks', 'mqtt_publish', 'network', 'weird',
- 'known_certs', 'traceroute', 'modbus', 'smtp_links',
- 'ssl', 'known_hosts', 'software', 'smtp', 'tls', 'intel',
- 'ssh', 'dce_rpc', 'x509', 'known_services', 'http', 'files',
- 'gquic', 'ftp', 'dns', 'conn', 'dnp3', 'rdp', 'dpd',
- 'known_modbus', 'conn_long', 'modbus_register_change',
- 'mqtt_connect', 'pop3', 'mysql', 'notice', 'snmp', 'smb_mapping'
- ]
- }
- for logsource_type, value in lgs.items():
- if allow_types.get(logsource_type) and value.lower() in allow_types.get(logsource_type):
- return super().generate(sigmaparser)
- lgs_text = ", ".join(["%s: %s" % (key, lgs.get(key)) for key in lgs.keys()])
- raise NotSupportedError("Corelight backend not supported logsources: %s." % lgs_text)
\ No newline at end of file
diff --git a/tools/sigma/backends/carbonblack.py b/tools/sigma/backends/carbonblack.py
index a06af826..8d987fc1 100644
--- a/tools/sigma/backends/carbonblack.py
+++ b/tools/sigma/backends/carbonblack.py
@@ -54,7 +54,7 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB
orToken = " OR "
notToken = " -"
subExpression = "(%s)"
- listExpression = "%s"
+ listExpression = "(%s)"
listSeparator = " OR "
valueExpression = '%s'
typedValueExpression = {
diff --git a/tools/sigma/backends/csharp.py b/tools/sigma/backends/csharp.py
new file mode 100644
index 00000000..388b72ca
--- /dev/null
+++ b/tools/sigma/backends/csharp.py
@@ -0,0 +1,165 @@
+# Output backends for sigmac
+# Copyright 2020 Danijel Grah (dgrah@nil.com)
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+# How to use it in your CSharp program:
+# public Dictionary sigmas = new Dictionary();
+# Dictionary evnt = new Dictionary();
+# this.evnt.Add(Key, Value);
+# sigmas["rules/windows/process_creation/win_cmdkey_recon.yml"] = THE OUTPUT OF csharp BACKEND
+
+import re
+import sigma
+from .base import SingleTextQueryBackend
+from .mixins import MultiRuleOutputMixin
+
+class CSharpBackend(SingleTextQueryBackend):
+ """Converts Sigma rule into CSharp Regex in LINQ query."""
+ identifier = "csharp"
+ active = True
+ config_required = False
+ default_config = ["sysmon"]
+
+
+ reEscape = re.compile('((?.
+
+from .elasticsearch import ElasticsearchDSLBackend
+import json
+import logging
+import configparser
+from .mixins import MultiRuleOutputMixin
+from io import StringIO
+
+
+class OutliersBackend(ElasticsearchDSLBackend, MultiRuleOutputMixin):
+ """ee-outliers backend"""
+ identifier = 'ee-outliers'
+ active = True
+
+ def generate(self, sigmaparser):
+ super().generate(sigmaparser)
+
+ self.tags = sigmaparser.parsedyaml.setdefault("tags", "")
+
+ if len(self.queries) == 1:
+ dsl = json.dumps(self.queries[0])
+ else:
+ dsl = json.dumps(self.queries)
+
+ self.queries = []
+
+ use_case_name = self.getRuleName(sigmaparser)
+
+ index = ''
+ if self.indices is not None and len(self.indices) == 1:
+ index = self.indices[0]
+
+ types = ["Sigma hit"]
+ types.extend(self.tags)
+
+ config_data = {
+ "es_dsl_filter": dsl,
+ "es_index": index,
+ "outlier_type": ", ".join(types),
+ "outlier_reason": "Sigma hit - " + self.title,
+ "outlier_summary": "Sigma hit - " + self.title,
+ "run_model": 1,
+ "test_model": 0
+ }
+
+ config = configparser.ConfigParser(interpolation=None)
+ config["simplequery_sigma_" + use_case_name] = config_data
+
+ output = StringIO()
+ config.write(output)
+ result = output.getvalue()
+ output.close()
+
+ return result
+
+ def finalize(self):
+ """
+ Is called after the last file was processed with generate(). The right place if this backend is not intended to
+ look isolated at each rule, but generates an output which incorporates multiple rules, e.g. dashboards.
+ """
+ pass
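Review bot: `self.tags = sigmaparser.parsedyaml.setdefault("tags", "")` defaults to a string, and `types.extend(self.tags)` then splices in individual characters if a rule's `tags` is ever a scalar string rather than a list; defaulting to `[]` and guarding with `if isinstance(self.tags, list)` keeps `outlier_type` well-formed. `self.title` and `self.indices` are read without being set in this class, so they are presumably populated by `super().generate()` — a comment noting that dependency would help. This hunk also looks garbled in the listing: the csharp backend's body is cut off at `reEscape` and the lines that follow appear to belong to a different backend file, so the file boundary should be checked in the actual patch.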
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index f94c9cf1..997b196f 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -23,17 +23,15 @@ from random import randrange
import sigma
import yaml
-from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
+from sigma.parser.modifiers.type import SigmaRegularExpressionModifier, SigmaTypeModifier
from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression
from sigma.config.mapping import ConditionalFieldMapping
-from .base import BaseBackend, SingleTextQueryBackend, CorelightQueryBackend
+from .base import BaseBackend, SingleTextQueryBackend
from .mixins import RulenameCommentMixin, MultiRuleOutputMixin
from .exceptions import NotSupportedError
-
class DeepFieldMappingMixin(object):
-
def fieldNameMapping(self, fieldname, value):
if isinstance(fieldname, str):
get_config = self.sigmaconfig.fieldmappings.get(fieldname)
@@ -49,13 +47,10 @@ class DeepFieldMappingMixin(object):
return super().fieldNameMapping(new_fieldname[0], value)
return super().fieldNameMapping(fieldname, value)
-
def generate(self, sigmaparser):
self.logsource = sigmaparser.parsedyaml.get("logsource", {})
return super().generate(sigmaparser)
-
-
class ElasticsearchWildcardHandlingMixin(object):
"""
Determine field mapping to keyword subfields depending on existence of wildcards in search values. Further,
@@ -119,7 +114,10 @@ class ElasticsearchWildcardHandlingMixin(object):
if isinstance(value, list):
res = []
for item in value:
- res.extend([item.lower(), item.upper()])
+ try:
+ res.extend([item.lower(), item.upper()])
+ except AttributeError: # not a string (something that doesn't support upper/lower casing)
+ res.append(item)
value = res
elif isinstance(value, str):
value = [value.upper(), value.lower()]
@@ -230,14 +228,12 @@ class ElasticsearchWildcardHandlingMixin(object):
else:
return { 'is_regex': False, 'value': value }
-
class ElasticsearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend):
"""Converts Sigma rule into Elasticsearch query string. Only searches, no aggregations."""
identifier = "es-qs"
active = True
reEscape = re.compile("([\s+\\-=!(){}\\[\\]^\"~:/]|(?]")
andToken = " AND "
orToken = " OR "
notToken = "NOT "
@@ -296,11 +292,6 @@ class ElasticsearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildca
else:
return super().generateSubexpressionNode(node)
-
-class ElasticsearchCorelightBackend(CorelightQueryBackend, ElasticsearchQuerystringBackend):
- identifier = "corelight_es-qs"
-
-
class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend):
"""ElasticSearch DSL backend"""
identifier = 'es-dsl'
@@ -311,6 +302,7 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast
)
interval = None
title = None
+ reEscape = re.compile( "([\s+\\-=!(){}\\[\\]^\"~:/]|(?", str(v)))
+ value_cleaned = make_ci.get('value')
+ if not make_ci.get( 'is_regex' ): # Determine if still should be a regex
+ queryType = 'wildcard'
+ value_cleaned = self.escapeSlashes( self.cleanValue( str( v ) ) )
+ else:
+ queryType = 'wildcard'
+ value_cleaned = self.escapeSlashes(self.cleanValue(str(v)))
else:
queryType = 'match_phrase'
value_cleaned = self.cleanValue(str(v))
-
res['bool']['should'].append({queryType: {key_mapped: value_cleaned}})
return res
elif value is None:
@@ -395,9 +394,17 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast
return { "bool": { "must_not": { "exists": { "field": key_mapped } } } }
elif type(value) in (str, int):
key_mapped = self.fieldNameMapping(key, value)
- if self.matchKeyword: # searches against keyowrd fields are wildcard searches, phrases otherwise
- queryType = 'wildcard'
- value_cleaned = self.escapeSlashes(self.cleanValue(str(value)))
+ if self.matchKeyword: # searches against keyword fields are wildcard searches, phrases otherwise
+ if self.CaseInSensitiveField:
+ queryType = 'regexp'
+ make_ci = self.makeCaseInSensitiveValue( self.reEscape.sub( "\\\\\g<1>", str( value ) ) )
+ value_cleaned = make_ci.get( 'value' )
+ if not make_ci.get( 'is_regex' ): # Determine if still should be a regex
+ queryType = 'wildcard'
+ value_cleaned = self.escapeSlashes( self.cleanValue( str( value ) ) )
+ else:
+ queryType = 'wildcard'
+ value_cleaned = self.escapeSlashes(self.cleanValue(str(value)))
else:
queryType = 'match_phrase'
value_cleaned = self.cleanValue(str(value))
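Review bot: The `if self.CaseInSensitiveField:` block that chooses between `regexp` and `wildcard` is duplicated verbatim between this hunk and the preceding (list-valued) hunk, with the `queryType = 'wildcard'` assignment repeated inside both branches; a small helper returning `(queryType, value_cleaned)` removes the duplication and the inconsistent `self.makeCaseInSensitiveValue( self.reEscape.sub( ... ) )` spacing at the same time. Behaviour is unchanged: regexp only when the case-insensitive transform reports `is_regex`, wildcard otherwise. The enclosing method starts before the hunk.
```python
    def _keywordQuery(self, value):
        """Return (queryType, value_cleaned) for a search value against a keyword field."""
        if self.CaseInSensitiveField:
            make_ci = self.makeCaseInSensitiveValue(self.reEscape.sub("\\\\\g<1>", str(value)))
            if make_ci.get('is_regex'):
                return 'regexp', make_ci.get('value')
        return 'wildcard', self.escapeSlashes(self.cleanValue(str(value)))

    # … unchanged: generateMapItemNode up to the keyword branch …
                if self.matchKeyword:  # searches against keyword fields are wildcard searches, phrases otherwise
                    queryType, value_cleaned = self._keywordQuery(value)
```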
@@ -644,11 +651,6 @@ class KibanaBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
def index_variable_name(self, index):
return "index_" + index.replace("-", "__").replace("*", "X")
-
-class KibanaCorelightBackend(CorelightQueryBackend, KibanaBackend):
- identifier = "corelight_kibana"
-
-
class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin):
"""Converts Sigma Rule into X-Pack Watcher JSON for alerting"""
identifier = "xpack-watcher"
@@ -659,10 +661,13 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
("es", "localhost:9200", "Host and port of Elasticsearch instance", None),
("watcher_url", "watcher", "Watcher URL: watcher (default)=_watcher/..., xpack=_xpack/wacher/... (deprecated)", None),
("filter_range","30m","Watcher time filter",None),
+ ("action_throttle_period","15m","Throttle time of the action",None),
("alert_methods", "email", "Alert method(s) to use when the rule triggers, comma separated. Supported: " + ', '.join(supported_alert_methods), None),
# Options for Email Action
("mail", "root@localhost", "Mail address for Watcher notification (only logging if not set)", None),
+ ("mail_from", "root@localhost", "Mail address for Watcher notification (only logging if not set)", None),
+ ("mail_profile", "standard", "Watcher provides three email profiles that control how MIME messages are structured: standard (default), gmail, and outlook.", None),
# Options for WebHook Action
("http_host", "localhost", "Webhook host used for alert notification", None),
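Review bot: The description of the new `mail_from` option is copied from `mail` and reads "Mail address for Watcher notification (only logging if not set)", which describes the recipient, not the sender, and the "only logging" clause does not apply to it; change it to something like `"Sender address placed in the From header of Watcher email notifications"`. The `mail_profile` description could also state that the value is passed to Watcher verbatim, so a misspelling only surfaces when the watch is uploaded. The options list continues outside this hunk.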
@@ -808,14 +813,20 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
if 'email' in alert_methods:
# mail notification if mail address is given
email = self.mail
+ mail_profile = self.mail_profile
+ mail_from = self.mail_from
+ action_throttle_period = self.action_throttle_period
eaction = {
"send_email": {
+ "throttle_period": action_throttle_period,
"email": {
- "to": email,
- "subject": action_subject,
+ "profile": mail_profile,
+ "from": mail_from,
+ "to": email,
+ "subject": action_subject,
"body": action_body,
- "attachments": {
- "data.json": {
+ "attachments": {
+ "data.json": {
"data": {
"format": "json"
}
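Review bot: `mail_profile` is emitted straight into the watch at `"profile": mail_profile` without checking it against the three values the option text itself lists, so a misspelt option only fails when the watch is PUT to Elasticsearch, with an error pointing at the generated JSON rather than the sigmac option. A one-line guard before building `eaction`, e.g. `if mail_profile not in ("standard", "gmail", "outlook"): raise ValueError("mail_profile must be standard, gmail or outlook")`, gives the user a direct message. Most other lines in this hunk are re-indentation of unchanged keys, which inflates the diff for no functional gain. The enclosing generate method starts and ends outside this hunk.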
@@ -955,10 +966,6 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
raise NotImplementedError("Output type '%s' not supported" % self.output_type)
return result
-class XPackWatcherCorelightBackend(CorelightQueryBackend, XPackWatcherBackend):
- identifier = "corelight_xpack-watcher"
-
-
class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
"""Elastalert backend"""
active = True
@@ -990,6 +997,7 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
self.fields = []
def generate(self, sigmaparser):
+ self.logsource = sigmaparser.parsedyaml.get("logsource", {})
rulename = self.getRuleName(sigmaparser)
title = sigmaparser.parsedyaml.setdefault("title", "")
description = sigmaparser.parsedyaml.setdefault("description", "")
@@ -1170,10 +1178,9 @@ class ElastalertBackendQs(ElastalertBackend, ElasticsearchQuerystringBackend):
#Generate ES QS Query
return [{ 'query' : { 'query_string' : { 'query' : super().generateQuery(parsed) } } }]
-
-
class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
- identifier = "elasticsearch-rule"
+ """Elasticsearch detection rule backend"""
+ identifier = "es-rule"
active = True
def __init__(self, *args, **kwargs):
@@ -1181,7 +1188,6 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
self.tactics = self._load_mitre_file("tactics")
self.techniques = self._load_mitre_file("techniques")
-
def _load_mitre_file(self, mitre_type):
try:
backend_dir = os.path.normpath(os.path.join(os.path.dirname(os.path.abspath(__file__)), "..", "..", "config", "mitre"))
@@ -1207,7 +1213,6 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
rule = self.create_rule(configs, index)
return rule
-
def create_threat_description(self, tactics_list, techniques_list):
threat_list = list()
for tactic in tactics_list:
@@ -1320,6 +1325,3 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
if references:
rule.update({"references": references})
return json.dumps(rule)
-
-class ElasticSearchRuleCorelightBackend(CorelightQueryBackend, ElasticSearchRuleBackend):
- identifier = "corelight_elasticsearch-rule"
diff --git a/tools/sigma/backends/logiq.py b/tools/sigma/backends/logiq.py
new file mode 100644
index 00000000..f359fcc9
--- /dev/null
+++ b/tools/sigma/backends/logiq.py
@@ -0,0 +1,61 @@
+import re
+from .base import SingleTextQueryBackend
+import json
+
+class LogiqBackend(SingleTextQueryBackend):
+ """Converts Sigma rule into LOGIQ event rule api payload """
+ identifier = "logiq"
+ config_required = False
+ active = True
+ reEscape = re.compile('(")')
+ reClear = None
+ andToken = " && "
+ orToken = " || "
+ notToken = " !~ "
+ subExpression = "%s"
+ listExpression = "%s"
+ listSeparator = ", "
+ valueExpression = "message =~ \'%s\'"
+ keyExpression = "%s"
+ nullExpression = "!~ %s"
+ notNullExpression = "!%s"
+ mapExpression = "(%s=%s)"
+ mapListsSpecialHandling = True
+
+ reEscape = re.compile("([\\|()\[\]{}.^$+])")
+
+ def generate(self, sigmaparser):
+ """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
+
+ eventRule = dict()
+ eventRule["name"] = sigmaparser.parsedyaml["title"]
+ eventRule["groupName"] = sigmaparser.parsedyaml["logsource"].get("product", "")
+ eventRule["description"] = sigmaparser.parsedyaml["description"]
+ eventRule["condition"] = sigmaparser.parsedyaml["detection"]
+ eventRule["level"] = sigmaparser.parsedyaml["level"]
+
+ for parsed in sigmaparser.condparsed:
+ query = self.generateQuery(parsed)
+ before = self.generateBefore(parsed)
+ after = self.generateAfter(parsed)
+
+ eventRule["condition"] = ""
+ if before is not None:
+ eventRule["condition"] = before
+ if query is not None:
+ eventRule["condition"] += query
+ if after is not None:
+ eventRule["condition"] += after
+
+ return json.dumps(eventRule)
+
+ def cleanValue(self, val):
+ if val.startswith('*'):
+ val = val.replace("*","/*")
+
+ return val
+
+ def generateListNode(self, node):
+ if not set([type(value) for value in node]).issubset({str, int}):
+ raise TypeError("List values must be strings or numbers")
+ return self.generateORNode(node)
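Review bot: `reEscape` is assigned twice in the class body (`re.compile('(")')` near the top and `re.compile("([\\|()\[\]{}.^$+])")` further down); only the second survives, so the double-quote escaping the first one suggests never happens and a value containing `"` goes into the `message =~ '...'` expression as is. Keep a single definition that covers both character sets, e.g. `reEscape = re.compile(r'([\\|()\[\]{}.^$+"])')`, and drop the dead one. In `generate`, `eventRule["condition"]` is reset to `""` on every iteration over `sigmaparser.condparsed`, so a rule with several conditions silently keeps only the last; if multiple conditions are unsupported here, raising is clearer than dropping them. `parsedyaml["description"]` and `parsedyaml["level"]` are optional in Sigma rules and will raise KeyError when absent, whereas `product` already uses `.get(..., "")`.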
diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py
index f31c5c01..ad5d0960 100644
--- a/tools/sigma/backends/mdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -19,7 +19,6 @@ from functools import wraps
from .base import SingleTextQueryBackend
from .exceptions import NotSupportedError
-
def wrapper(method):
@wraps(method)
def _impl(self, method_args):
@@ -33,7 +32,6 @@ def wrapper(method):
return
return _impl
-
class WindowsDefenderATPBackend(SingleTextQueryBackend):
"""Converts Sigma rule into Microsoft Defender ATP Hunting Queries."""
identifier = "mdatp"
@@ -72,32 +70,67 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"""Initialize field mappings"""
super().__init__(*args, **kwargs)
self.fieldMappings = { # mapping between Sigma and ATP field names
- # Supported values:
- # (field name mapping, value mapping): distinct mappings for field name and value, may be a string (direct mapping) or function maps name/value to ATP target value
- # (mapping function,): receives field name and value as parameter, return list of 2 element tuples (destination field name and value)
- # (replacement, ): Replaces field occurrence with static string
- "AccountName" : (self.id_mapping, self.default_value_mapping),
- "CommandLine" : ("ProcessCommandLine", self.default_value_mapping),
- "DeviceName" : (self.id_mapping, self.default_value_mapping),
- "DestinationHostname" : ("RemoteUrl", self.default_value_mapping),
- "DestinationIp" : ("RemoteIP", self.default_value_mapping),
- "DestinationIsIpv6" : ("RemoteIP has \":\"", ),
- "DestinationPort" : ("RemotePort", self.default_value_mapping),
- "Protocol" : ("RemoteProtocol", self.default_value_mapping),
- "Details" : ("RegistryValueData", self.default_value_mapping),
- "EventType" : ("ActionType", self.default_value_mapping),
- "Image" : ("FolderPath", self.default_value_mapping),
- "ImageLoaded" : ("FolderPath", self.default_value_mapping),
- "LogonType" : (self.id_mapping, self.logontype_mapping),
- "NewProcessName" : ("FolderPath", self.default_value_mapping),
- "ObjectValueName" : ("RegistryValueName", self.default_value_mapping),
- "ParentImage" : ("InitiatingProcessFolderPath", self.default_value_mapping),
- "SourceImage" : ("InitiatingProcessFolderPath", self.default_value_mapping),
- "TargetFilename" : ("FolderPath", self.default_value_mapping),
- "TargetImage" : ("FolderPath", self.default_value_mapping),
- "TargetObject" : ("RegistryKey", self.default_value_mapping),
- "User" : (self.decompose_user, ),
- }
+ # Supported values:
+ # (field name mapping, value mapping): distinct mappings for field name and value, may be a string (direct mapping) or function maps name/value to ATP target value
+ # (mapping function,): receives field name and value as parameter, return list of 2 element tuples (destination field name and value)
+ # (replacement, ): Replaces field occurrence with static string
+ "DeviceProcessEvents": {
+ "AccountName": (self.id_mapping, self.default_value_mapping),
+ "CommandLine": ("ProcessCommandLine", self.default_value_mapping),
+ "Command": ("ProcessCommandLine", self.default_value_mapping),
+ "DeviceName": (self.id_mapping, self.default_value_mapping),
+ "EventType": ("ActionType", self.default_value_mapping),
+ "Image": ("FolderPath", self.default_value_mapping),
+ "ImageLoaded": ("FolderPath", self.default_value_mapping),
+ "LogonType": (self.id_mapping, self.logontype_mapping),
+ "NewProcessName": ("FolderPath", self.default_value_mapping),
+ "ParentImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
+ "SourceImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
+ "TargetImage": ("FolderPath", self.default_value_mapping),
+ "User": (self.decompose_user, ),
+ },
+ "DeviceEvents": {
+ "TargetFilename": ("FolderPath", self.default_value_mapping),
+ "TargetImage": ("FolderPath", self.default_value_mapping),
+
+ "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
+ "User": (self.decompose_user, ),
+ },
+ "DeviceRegistryEvents": {
+ "TargetObject": ("RegistryKey", self.default_value_mapping),
+ "ObjectValueName": ("RegistryValueName", self.default_value_mapping),
+ "Details": ("RegistryValueData", self.default_value_mapping),
+ "EventType": ("ActionType", self.default_value_mapping),
+ "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
+ "User": (self.decompose_user, ),
+ },
+ "DeviceFileEvents": {
+ "TargetFilename": ("FolderPath", self.default_value_mapping),
+ "TargetFileName": ("FolderPath", self.default_value_mapping),
+
+ "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
+ "User": (self.decompose_user, ),
+ },
+ "DeviceNetworkEvents": {
+ "Initiated": ("RemotePort", self.default_value_mapping),
+ "Protocol": ("RemoteProtocol", self.default_value_mapping),
+ "DestinationPort": ("RemotePort", self.default_value_mapping),
+ "DestinationIp": ("RemoteIP", self.default_value_mapping),
+ "DestinationIsIpv6": ("RemoteIP has \":\"", ),
+ "SourcePort": ("LocalPort", self.default_value_mapping),
+ "SourceIp": ("LocalIP", self.default_value_mapping),
+ "DestinationHostname": ("RemoteUrl", self.default_value_mapping),
+ "EventType": ("ActionType", self.default_value_mapping),
+ "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
+ "User": (self.decompose_user, ),
+ },
+ "DeviceImageLoadEvents": {
+ "ImageLoaded": ("FolderPath", self.default_value_mapping),
+ "EventType": ("ActionType", self.default_value_mapping),
+ "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
+ "User": (self.decompose_user, ),
+ }
+ }
def id_mapping(self, src):
"""Identity mapping, source == target field name"""
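Review bot: In the `DeviceNetworkEvents` table, `"Initiated": ("RemotePort", self.default_value_mapping)` maps the Sysmon `Initiated` boolean onto the remote port column, which looks like a copy-paste slip: a rule with `Initiated: true` would be translated into a port comparison. `DestinationPort` in the same table also targets `RemotePort`, which supports that reading; if Defender has no equivalent column, leaving the key out so the lookup raises `NotSupportedError` is better than a wrong translation. This is inferred from the field names only, so please confirm against the Defender schema. `__init__` starts outside this hunk.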
@@ -127,16 +160,16 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
def logontype_mapping(self, src):
"""Value mapping for logon events to reduced ATP LogonType set"""
logontype_mapping = {
- 2: "Interactive",
- 3: "Network",
- 4: "Batch",
- 5: "Service",
- 7: "Interactive", # unsure
- 8: "Network",
- 9: "Interactive", # unsure
- 10: "Remote interactive (RDP) logons", # really the value?
- 11: "Interactive"
- }
+ 2: "Interactive",
+ 3: "Network",
+ 4: "Batch",
+ 5: "Service",
+ 7: "Interactive", # unsure
+ 8: "Network",
+ 9: "Interactive", # unsure
+ 10: "Remote interactive (RDP) logons", # really the value?
+ 11: "Interactive"
+ }
try:
return logontype_mapping[int(src)]
except KeyError:
@@ -148,20 +181,15 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
m = reUser.match(src_value)
if m:
domain, user = m.groups()
- return (("InitiatingProcessAccountDomain", domain), ("InititatingProcessAccountName", user))
+ return (("InitiatingProcessAccountDomain", self.default_value_mapping(domain)), ("InititatingProcessAccountName", self.default_value_mapping(user)))
else: # assume only user name is given if backslash is missing
- return (("InititatingProcessAccountName", src_value),)
+ return (("InititatingProcessAccountName", self.default_value_mapping(src_value)))
def generate(self, sigmaparser):
self.table = None
- try:
- self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
- self.product = sigmaparser.parsedyaml['logsource'].setdefault('product', None)
- self.service = sigmaparser.parsedyaml['logsource'].setdefault('service', None)
- except KeyError:
- self.category = None
- self.product = None
- self.service = None
+ self.category = sigmaparser.parsedyaml['logsource'].get('category')
+ self.product = sigmaparser.parsedyaml['logsource'].get('product')
+ self.service = sigmaparser.parsedyaml['logsource'].get('service')
if (self.category, self.product, self.service) == ("process_creation", "windows", None):
self.table = "DeviceProcessEvents"
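Review bot: The no-backslash branch of `decompose_user` now returns `(("InititatingProcessAccountName", self.default_value_mapping(src_value)))`, which is a plain 2-tuple of strings because the outer trailing comma was dropped, whereas the domain\user branch returns a tuple of 2-tuples; a caller that iterates the result and unpacks each element with `"{} {}".format(*cond)` will unpack the field-name string into characters. Restore the comma: `return (("InititatingProcessAccountName", self.default_value_mapping(src_value)),)`. The column name is also misspelt (`Inititating`) in both branches, which this commit touches anyway. The `.get()` rewrite in `generate` is fine, but a rule without a `logsource` key now raises KeyError where the old code set the three attributes to None; if that is intended, a comment saying so would help.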
@@ -185,54 +213,61 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
and creates an appropriate table reference.
"""
key, value = node
- if type(value) == list: # handle map items with values list like multiple OR-chained conditions
- return self.generateORNode(
- [(key, v) for v in value]
- )
+ # handle map items with values list like multiple OR-chained conditions
+ if type(value) == list:
+ return self.generateORNode([(key, v) for v in value])
elif key == "EventID": # EventIDs are not reflected in condition but in table selection
if self.product == "windows":
if self.service == "sysmon" and value == 1 \
- or self.service == "security" and value == 4688: # Process Execution
+ or self.service == "security" and value == 4688: # Process Execution
self.table = "DeviceProcessEvents"
return None
- elif self.service == "sysmon" and value == 3: # Network Connection
+ elif self.service == "sysmon" and value == 3: # Network Connection
self.table = "DeviceNetworkEvents"
return None
- elif self.service == "sysmon" and value == 7: # Image Load
+ elif self.service == "sysmon" and value == 7: # Image Load
self.table = "DeviceImageLoadEvents"
return None
- elif self.service == "sysmon" and value == 8: # Create Remote Thread
+ elif self.service == "sysmon" and value == 8: # Create Remote Thread
self.table = "DeviceEvents"
return "ActionType == \"CreateRemoteThreadApiCall\""
- elif self.service == "sysmon" and value == 11: # File Creation
+ elif self.service == "sysmon" and value == 11: # File Creation
self.table = "DeviceFileEvents"
+ return "ActionType == \"FileCreated\""
+ elif self.service == "sysmon" and value == 23: # File Deletion
+ self.table = "DeviceFileEvents"
+ return "ActionType == \"FileDeleted\""
+ elif self.service == "sysmon" and value == 12: # Create/Delete Registry Value
+ self.table = "DeviceRegistryEvents"
return None
elif self.service == "sysmon" and value == 13 \
- or self.service == "security" and value == 4657: # Set Registry Value
+ or self.service == "security" and value == 4657: # Set Registry Value
self.table = "DeviceRegistryEvents"
return "ActionType == \"RegistryValueSet\""
elif self.service == "security" and value == 4624:
self.table = "DeviceLogonEvents"
return None
+ else:
+ if not self.table:
+ raise NotSupportedError("No sysmon Event ID provided")
+ else:
+ raise NotSupportedError("No mapping for Event ID %s" % value)
elif type(value) in (str, int): # default value processing
try:
- mapping = self.fieldMappings[key]
+ mapping = self.fieldMappings[self.table][key]
except KeyError:
- raise NotSupportedError("No mapping defined for field '%s'" % key)
+ raise NotSupportedError("No mapping defined for field '%s' in '%s'" % (key, self.table))
if len(mapping) == 1:
mapping = mapping[0]
if type(mapping) == str:
return mapping
elif callable(mapping):
conds = mapping(key, value)
- return self.generateSubexpressionNode(
- self.generateANDNode(
- [cond for cond in mapping(key, value)]
- )
- )
+ return self.andToken.join(["{} {}".format(*cond) for cond in conds])
elif len(mapping) == 2:
result = list()
- for mapitem, val in zip(mapping, node): # iterate mapping and mapping source value synchronously over key and value
+ # iterate mapping and mapping source value synchronously over key and value
+ for mapitem, val in zip(mapping, node):
if type(mapitem) == str:
result.append(mapitem)
elif callable(mapitem):
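Review bot: Replacing `generateSubexpressionNode(generateANDNode(...))` with `self.andToken.join(["{} {}".format(*cond) for cond in conds])` drops the parentheses around the AND-joined conditions that a callable mapping such as `decompose_user` yields, so when the map item sits inside an OR node the domain/user pair is no longer grouped and the generated KQL can change meaning; wrapping the result, e.g. `return "(" + self.andToken.join(["{} {}".format(*cond) for cond in conds]) + ")"`, keeps the grouping independent of the host expression. The new `else` that raises `NotSupportedError` is a welcome hard failure, but the message `"No sysmon Event ID provided"` is reached precisely when an unrecognised ID was provided and no table could be chosen; `"Cannot select a table for Event ID %s"` describes the situation better. generateMapItemNode ends outside this hunk.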
diff --git a/tools/sigma/backends/powershell.py b/tools/sigma/backends/powershell.py
index a4de4f9d..192e5369 100644
--- a/tools/sigma/backends/powershell.py
+++ b/tools/sigma/backends/powershell.py
@@ -118,7 +118,10 @@ class PowerShellBackend(SingleTextQueryBackend):
return self.mapExpression % (key, self.generateValueNode(value, True))
elif type(value) == str and "*" in value:
value = value.replace("*", ".*")
- return "$_.message -match %s" % (self.generateValueNode(key + ".*" + value, True))
+ if key == "Message":
+ return "$_.message -match %s" % (self.generateValueNode(value, True))
+ else:
+ return "$_.message -match %s" % (self.generateValueNode(key + ".*" + value, True))
elif type(value) in (str, int):
return '$_.message -match %s' % (self.generateValueNode(key + ".*" +str(value), True))
else:
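Review bot: The `Message` special case is applied only in the wildcard branch; the following `elif type(value) in (str, int)` branch still builds `key + ".*" + str(value)`, so `Message: foo` becomes `Message.*foo` while `Message: foo*` becomes `foo.*`. Apply the same test there, e.g. `pattern = str(value) if key == "Message" else key + ".*" + str(value)` before calling `generateValueNode`. Whether `generateValueNode` escapes regex metacharacters such as `(`, `+` or `\` before the value reaches `-match` cannot be seen here; if it does not, a value like `cmd.exe /c` matches more than intended. generateMapItemNode starts and ends outside this hunk.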
@@ -139,7 +142,10 @@ class PowerShellBackend(SingleTextQueryBackend):
itemslist.append(self.mapExpression % (key, self.generateValueNode(item, True)))
elif type(item) == str and "*" in item:
item = item.replace("*", ".*")
- itemslist.append('$_.message -match %s' % (self.generateValueNode(key + ".*" +item, True)))
+ if key == "Message":
+ itemslist.append('$_.message -match %s' % (self.generateValueNode(item, True)))
+ else:
+ itemslist.append('$_.message -match %s' % (self.generateValueNode(key + ".*" +item, True)))
else:
itemslist.append('$_.message -match %s' % (self.generateValueNode(item, True)))
return '('+" -or ".join(itemslist)+')'
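Review bot: This list branch repeats the `key == "Message"` test and the `key + ".*" + item` construction from the scalar branch above, so the two can drift apart — they already differ, since here a non-wildcard item is emitted without the key while the scalar branch keeps it. A small helper, e.g. `def _message_pattern(self, key, value): return str(value) if key == "Message" else key + ".*" + str(value)`, called from both places would make the behaviour uniform and easy to unit-test. generateMapItemListNode starts outside this hunk.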
diff --git a/tools/sigma/backends/qradar.py b/tools/sigma/backends/qradar.py
index 455a368f..f29024af 100644
--- a/tools/sigma/backends/qradar.py
+++ b/tools/sigma/backends/qradar.py
@@ -120,7 +120,7 @@ class QRadarBackend(SingleTextQueryBackend):
regex = regex + '.*'
return "%s imatches %s" % (self.cleanKey(fieldname), self.generateValueNode(regex, True))
else:
- raise NotImplementedError("Type modifier '{}' is not supported by backend".format(node.identifier))
+ raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier))
def generateValueNode(self, node, keypresent):
if keypresent == False:
diff --git a/tools/sigma/backends/splunk.py b/tools/sigma/backends/splunk.py
index 614173f1..75658343 100644
--- a/tools/sigma/backends/splunk.py
+++ b/tools/sigma/backends/splunk.py
@@ -16,7 +16,7 @@
import re
import sigma
-from .base import SingleTextQueryBackend, CorelightQueryBackend
+from .base import SingleTextQueryBackend
from .mixins import MultiRuleOutputMixin
class SplunkBackend(SingleTextQueryBackend):
@@ -172,12 +172,6 @@ class SplunkXMLBackend(SingleTextQueryBackend, MultiRuleOutputMixin):
self.queries += self.dash_suf
return self.queries
-
-class SplunkCorelightBackend(CorelightQueryBackend, SplunkBackend):
- identifier = "corelight_splunk"
-
-
-
class CrowdStrikeBackend(SplunkBackend):
"""Converts Sigma rule into CrowdStrike Search Processing Language (SPL)."""
identifier = "crowdstrike"
@@ -189,18 +183,21 @@ class CrowdStrikeBackend(SplunkBackend):
detections = sigmaparser.definitions
all_fields = dict()
for det in detections.values():
- for field, value in det.items():
- if "|" in field:
- field = field.split("|")[0]
- if any([item for item in fieldmappings.keys() if field == item]):
- if field == "EventID" and str(value) == str(1) and lgs.get("service") == "sysmon":
- all_fields.update(det)
- elif field != "EventID":
- all_fields.update(det)
+ try:
+ for field, value in det.items():
+ if "|" in field:
+ field = field.split("|")[0]
+ if any([item for item in fieldmappings.keys() if field == item]):
+ if field == "EventID" and str(value) == str(1) and lgs.get("service") == "sysmon":
+ all_fields.update(det)
+ elif field != "EventID":
+ all_fields.update(det)
+ else:
+ raise NotImplementedError("Not supported fields!")
else:
raise NotImplementedError("Not supported fields!")
- else:
- raise NotImplementedError("Not supported fields!")
+ except AttributeError: # ignore if detection is not a dict
+ pass
table_fields = sigmaparser.parsedyaml.get("fields", [])
res_table_fields = []
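Review bot: Wrapping the whole per-detection loop in `except AttributeError: pass` to skip non-dict detections also swallows any AttributeError raised from inside the loop body, for instance from `lgs.get(...)` if `lgs` is None, so a genuine bug here would silently yield a query with missing fields. Test the type up front instead: `if not isinstance(det, dict): continue` as the first line of the `for det in detections.values():` loop, and leave the body unguarded. The enclosing `generate` method starts and ends outside this hunk.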
@@ -210,4 +207,4 @@ class CrowdStrikeBackend(SplunkBackend):
sigmaparser.parsedyaml["fields"] = res_table_fields
return super().generate(sigmaparser)
else:
- raise NotImplementedError("Not supported logsources!")
\ No newline at end of file
+ raise NotImplementedError("Not supported logsources!")
diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py
index b3149c01..5b446a6f 100644
--- a/tools/sigma/backends/sql.py
+++ b/tools/sigma/backends/sql.py
@@ -1,5 +1,6 @@
# Output backends for sigmac
# Copyright 2019 Jayden Zheng
+# Copyright 2020 Jonas Hagg
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
@@ -16,7 +17,9 @@
import re
import sigma
-from .base import SingleTextQueryBackend
+from sigma.backends.base import SingleTextQueryBackend
+from sigma.parser.condition import SigmaAggregationParser, NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT
+from sigma.parser.exceptions import SigmaParseError
class SQLBackend(SingleTextQueryBackend):
"""Converts Sigma rule into SQL query"""
@@ -34,12 +37,16 @@ class SQLBackend(SingleTextQueryBackend):
notNullExpression = "%s=*" # Expression of queries for not null values. %s is field name
mapExpression = "%s = %s" # Syntax for field/value conditions. First %s is fieldname, second is value
mapMulti = "%s IN %s" # Syntax for field/value conditions. First %s is fieldname, second is value
- mapWildcard = "%s LIKE %s" # Syntax for swapping wildcard conditions.
+ mapWildcard = "%s LIKE %s ESCAPE \'\\\'"# Syntax for swapping wildcard conditions: Adding \ as escape character
mapSource = "%s=%s" # Syntax for sourcetype
mapListsSpecialHandling = False # Same handling for map items with list values as for normal values (strings, integers) if True, generateMapItemListNode method is called with node
mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list
mapLength = "(%s %s)"
+ def __init__(self, sigmaconfig, table):
+ super().__init__(sigmaconfig)
+ self.table = table
+
def generateANDNode(self, node):
generated = [ self.generateNode(val) for val in node ]
filtered = [ g for g in generated if g is not None ]
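Review bot: The new `__init__(self, sigmaconfig, table)` makes `table` a required second positional argument, which departs from the constructor contract the other backends share; if sigmac instantiates backends as `cls(sigmaconfig, backend_options)` (not visible here), the options dict would be bound to `table` and interpolated into `SELECT * FROM {}`. Either keep the base signature and give the table a default (even `None`, raising a clear error when no table is configured) or read it from `backend_options` like other backend settings. `mapWildcard` now emits `ESCAPE '\'`, which only works if `cleanValue` doubles backslashes and escapes `%`/`_` in every value; a comment on the attribute stating that dependency would stop someone changing one without the other.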
@@ -78,29 +85,32 @@ class SQLBackend(SingleTextQueryBackend):
def generateMapItemNode(self, node):
fieldname, value = node
transformed_fieldname = self.fieldNameMapping(fieldname, value)
- if "," in self.generateNode(value) and "%" not in self.generateNode(value):
+
+ has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value))
+
+ if "," in self.generateNode(value) and not has_wildcard:
return self.mapMulti % (transformed_fieldname, self.generateNode(value))
elif "LENGTH" in transformed_fieldname:
return self.mapLength % (transformed_fieldname, value)
elif type(value) == list:
return self.generateMapItemListNode(transformed_fieldname, value)
elif self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
- if "%" in self.generateNode(value):
+ if has_wildcard:
return self.mapWildcard % (transformed_fieldname, self.generateNode(value))
else:
return self.mapExpression % (transformed_fieldname, self.generateNode(value))
elif "sourcetype" in transformed_fieldname:
return self.mapSource % (transformed_fieldname, self.generateNode(value))
- elif "*" in str(value):
+ elif has_wildcard:
return self.mapWildcard % (transformed_fieldname, self.generateNode(value))
else:
raise TypeError("Backend does not support map values of type " + str(type(value)))
def generateMapItemListNode(self, key, value):
- return "(" + (" OR ".join(['%s LIKE %s' % (key, self.generateValueNode(item)) for item in value])) + ")"
-
+ return "(" + (" OR ".join([self.mapWildcard % (key, self.generateValueNode(item)) for item in value])) + ")"
+
def generateValueNode(self, node):
- return self.valueExpression % (self.cleanValue(str(node)))
+ return self.valueExpression % (self.cleanValue(str(node)))
def generateNULLValueNode(self, node):
return self.nullExpression % (node.item)
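Review bot: `self.generateNode(value)` is now evaluated up to four times per call of `generateMapItemNode` (for `has_wildcard`, for the `","` test, and again in whichever branch is taken); bind it once, e.g. `generated = self.generateNode(value)` right after `transformed_fieldname`, and use that name throughout. The wildcard regex `((\\(\*|\?|\\))|\*|\?|_|%)` also classifies an escaped `\*` as a wildcard, which is correct only because `mapWildcard` carries the `ESCAPE '\'` clause; a one-line comment saying so would prevent a later "fix". The `has_wildcard` branch ordering means `elif "sourcetype" in transformed_fieldname` is unreachable for str/int values, as before.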
@@ -117,10 +127,97 @@ class SQLBackend(SingleTextQueryBackend):
return fieldname
def cleanValue(self, val):
- if "*" == val:
- pass
- elif "*.*.*" in val:
- val = val.replace("*.*.*", "%")
- elif re.search(r'\*', val):
- val = re.sub(r'\*', '%', val)
+ if not isinstance(val, str):
+ return str(val)
+
+ #Single backlashes which are not in front of * or ? are doulbed
+ val = re.sub(r"(? full text search
+ #False: no subexpression found, where a full text search is needed
+
+ def _evaluateCondition(condition):
+ #Helper function to evaulate condtions
+ if type(condition) not in [ConditionAND, ConditionOR, ConditionNOT]:
+ raise NotImplementedError("Error in recursive Search logic")
+
+ results = []
+ for elem in condition.items:
+ if isinstance(elem, NodeSubexpression):
+ results.append(self._recursiveFtsSearch(elem))
+ if isinstance(elem, ConditionNOT):
+ results.append(_evaluateCondition(elem))
+ if isinstance(elem, tuple):
+ results.append(False)
+ if type(elem) in (str, int, list):
+ return True
+ return any(results)
+
+ if type(subexpression) in [str, int, list]:
+ return True
+ elif type(subexpression) in [tuple]:
+ return False
+
+ if not isinstance(subexpression, NodeSubexpression):
+ raise NotImplementedError("Error in recursive Search logic")
+
+ if isinstance(subexpression.items, NodeSubexpression):
+ return self._recursiveFtsSearch(subexpression.items)
+ elif type(subexpression.items) in [ConditionAND, ConditionOR, ConditionNOT]:
+ return _evaluateCondition(subexpression.items)
\ No newline at end of file
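Review bot: `_recursiveFtsSearch` falls off the end and returns `None` when `subexpression.items` is neither a `NodeSubexpression` nor one of the three condition classes, and `_evaluateCondition` returns `any([])`, i.e. `False`, for an empty `items`; callers treat the result as a boolean, so make the final branch explicit with `else: return False` or raise `NotImplementedError` like the other unexpected-type paths. The hunk as shown here is truncated around `cleanValue` and the function's docstring, so the escaping logic itself could not be reviewed. The file also ends without a trailing newline.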
diff --git a/tools/sigma/backends/sqlite.py b/tools/sigma/backends/sqlite.py
new file mode 100644
index 00000000..8eec13ea
--- /dev/null
+++ b/tools/sigma/backends/sqlite.py
@@ -0,0 +1,123 @@
+# Output backends for sigmac
+# Copyright 2020 Jonas Hagg
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+from sigma.backends.sql import SQLBackend
+from sigma.parser.condition import NodeSubexpression, ConditionAND, ConditionOR, ConditionNOT
+import re
+
+
+class SQLiteBackend(SQLBackend):
+ """Converts Sigma rule into SQL query for SQLite"""
+ identifier = "sqlite"
+ active = True
+
+ mapFullTextSearch = "%s MATCH ('\"%s\"')"
+
+ def __init__(self, sigmaconfig, table):
+ super().__init__(sigmaconfig, table)
+ self.mappingItem = False
+
+ def requireFTS(self, node):
+ return (not self.mappingItem and
+ (type(node) in (int, str) or all(isinstance(val, str) for val in node) or all(isinstance(val, int) for val in node)))
+
+ def generateFTS(self, value):
+ if re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", value):
+ raise NotImplementedError(
+ "Wildcards in SQlite Full Text Search not implemented")
+ self.countFTS += 1
+ return self.mapFullTextSearch % (self.table, value)
+
+ def generateANDNode(self, node):
+
+ if self.requireFTS(node):
+ fts = str('"' + self.andToken + '"').join(self.cleanValue(val)
+ for val in node)
+ return self.generateFTS(fts)
+
+ generated = [self.generateNode(val) for val in node]
+ filtered = [g for g in generated if g is not None]
+ if filtered:
+ return self.andToken.join(filtered)
+ else:
+ return None
+
+ def generateORNode(self, node):
+
+ if self.requireFTS(node):
+ fts = str('"' + self.orToken + '"').join(self.cleanValue(val)
+ for val in node)
+ return self.generateFTS(fts)
+
+ generated = [self.generateNode(val) for val in node]
+ filtered = [g for g in generated if g is not None]
+ if filtered:
+ return self.orToken.join(filtered)
+ else:
+ return None
+
+ def generateMapItemNode(self, node):
+ try:
+ self.mappingItem = True
+ fieldname, value = node
+ transformed_fieldname = self.fieldNameMapping(fieldname, value)
+
+ has_wildcard = re.search(
+ r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value))
+
+ if "," in self.generateNode(value) and not has_wildcard:
+ return self.mapMulti % (transformed_fieldname, self.generateNode(value))
+ elif "LENGTH" in transformed_fieldname:
+ return self.mapLength % (transformed_fieldname, value)
+ elif type(value) == list:
+ return self.generateMapItemListNode(transformed_fieldname, value)
+ elif self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
+
+ if has_wildcard:
+ return self.mapWildcard % (transformed_fieldname, self.generateNode(value))
+ else:
+ return self.mapExpression % (transformed_fieldname, self.generateNode(value))
+
+ elif "sourcetype" in transformed_fieldname:
+ return self.mapSource % (transformed_fieldname, self.generateNode(value))
+ elif has_wildcard:
+ return self.mapWildcard % (transformed_fieldname, self.generateNode(value))
+ else:
+ raise TypeError(
+ "Backend does not support map values of type " + str(type(value)))
+ finally:
+ self.mappingItem = False
+
+ def generateValueNode(self, node):
+ if self.mappingItem:
+ return self.valueExpression % (self.cleanValue(str(node)))
+ else:
+ return self.generateFTS(self.cleanValue(str(node)))
+
+ def generateQuery(self, parsed):
+ self.countFTS = 0
+ result = self.generateNode(parsed.parsedSearch)
+ if self.countFTS > 1:
+ raise NotImplementedError(
+ "Match operator ({}) is allowed only once in SQLite, parse rule in a different way:\n{}".format(self.countFTS, result))
+ self.countFTS = 0
+
+ if parsed.parsedAgg:
+ # Handle aggregation
+ fro, whe = self.generateAggregation(parsed.parsedAgg, result)
+ return "SELECT * FROM {} WHERE {}".format(fro, whe)
+
+ return "SELECT * FROM {} WHERE {}".format(self.table, result)
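Review bot: `generateFTS` interpolates the value into `MATCH ('"%s"')` after `cleanValue`, which as far as the truncated base-class view shows handles backslashes and LIKE wildcards but not quotes, so a Sigma value containing `"` ends the FTS phrase early and the remainder is parsed as FTS syntax, and a `'` would end the SQL string literal. Double the quotes before formatting, e.g. `value = value.replace('"', '""')` (and `'` to `''` unless `cleanValue` already does it) at the top of `generateFTS`, and add a test with a value such as `say "hi"`. `self.countFTS` is first assigned in `generateQuery`, so calling `generateNode`/`generateValueNode` directly raises AttributeError; initialise it to 0 in `__init__` next to `self.mappingItem`. `generateQuery` also resets the counter only on the success path, so a `try/finally` would keep it consistent after the `NotImplementedError`.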
diff --git a/tools/sigma/backends/stix.py b/tools/sigma/backends/stix.py
new file mode 100644
index 00000000..03191d8b
--- /dev/null
+++ b/tools/sigma/backends/stix.py
@@ -0,0 +1,169 @@
+import sigma
+from sigma.parser.modifiers.base import SigmaTypeModifier
+from sigma.parser.modifiers.type import SigmaRegularExpressionModifier
+from .base import SingleTextQueryBackend
+
+
+class STIXBackend(SingleTextQueryBackend):
+ """Converts Sigma rule into STIX pattern."""
+ identifier = "stix"
+ active = True
+ andToken = " AND "
+ orToken = " OR "
+ notToken = "NOT "
+ subExpression = "(%s)"
+ valueExpression = "\'%s\'"
+ mapExpression = "%s = %s"
+ notMapExpression = "%s != %s"
+ mapListsSpecialHandling = True
+ sigmaSTIXObjectName = "x-sigma"
+
+ def cleanKey(self, key):
+ if key is None:
+ raise TypeError("Backend does not support empty key " + str(key))
+ else:
+ return key
+
+ def cleanValue(self, value):
+ return value
+
+ def generateANDNode(self, node, currently_within_NOT_node=False):
+ generated = [self.generateNode(val, currently_within_NOT_node) for val in node]
+ filtered = [g for g in generated if g is not None]
+ if filtered:
+ if self.sort_condition_lists:
+ filtered = sorted(filtered)
+ return self.andToken.join(filtered)
+ else:
+ return None
+
+ def generateORNode(self, node, currently_within_NOT_node=False):
+ generated = [self.generateNode(val, currently_within_NOT_node) for val in node]
+ filtered = [g for g in generated if g is not None]
+ if filtered:
+ if self.sort_condition_lists:
+ filtered = sorted(filtered)
+ return self.orToken.join(filtered)
+ else:
+ return None
+
+ def generateNOTNode(self, node, currently_within_NOT_node=False):
+ currently_within_NOT_node = not(currently_within_NOT_node)
+ generated = self.generateNode(node.item, currently_within_NOT_node)
+ if generated is not None:
+ return generated
+ else:
+ return None
+
+ def generateSubexpressionNode(self, node, currently_within_NOT_node=False):
+ generated = self.generateNode(node.items, currently_within_NOT_node)
+ if generated:
+ return self.subExpression % generated
+ else:
+ return None
+
+ def generateMapItemNode(self, node, currently_within_NOT_node=False):
+ fieldname, value = node
+
+ transformed_fieldname = self.fieldNameMapping(fieldname, value)
+ if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
+ if currently_within_NOT_node:
+ return self.notMapExpression % (transformed_fieldname, self.generateNode(value))
+ return self.mapExpression % (transformed_fieldname, self.generateNode(value))
+ elif type(value) == list:
+ return self.generateMapItemListNode(transformed_fieldname, value, currently_within_NOT_node)
+ elif isinstance(value, SigmaTypeModifier):
+ return self.generateMapItemTypedNode(transformed_fieldname, value)
+ elif value is None:
+ return self.nullExpression % (transformed_fieldname, )
+ else:
+ raise TypeError("Backend does not support map values of type " + str(type(value)))
+
+ def generateMapItemListNode(self, key, value, currently_within_NOT_node=False):
+ items_list = list()
+ for item in value:
+ if type(item) == str and "*" in item:
+ item = item.replace("*", "%")
+ if currently_within_NOT_node:
+ items_list.append('%s NOT LIKE %s' % (self.cleanKey(key), self.generateValueNode(item)))
+ else:
+ items_list.append('%s LIKE %s' % (self.cleanKey(key), self.generateValueNode(item)))
+ else:
+ if currently_within_NOT_node:
+ items_list.append('%s != %s' % (self.cleanKey(key), self.generateValueNode(item)))
+ else:
+ items_list.append('%s = %s' % (self.cleanKey(key), self.generateValueNode(item)))
+ if currently_within_NOT_node:
+ return '(' + " AND ".join(items_list) + ')'
+ else:
+ return '('+" OR ".join(items_list)+')'
+
+ def generateMapItemTypedNode(self, key, value):
+ if type(value) == SigmaRegularExpressionModifier:
+ regex = str(value)
+ # Regular Expressions have to match the full value in QRadar
+ if not (regex.startswith('^') or regex.startswith('.*')):
+ regex = '.*' + regex
+ if not (regex.endswith('$') or regex.endswith('.*')):
+ regex = regex + '.*'
+ return "%s MATCHES %s" % (self.cleanKey(key), self.generateValueNode(regex))
+ else:
+ raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier))
+
+ def generateMapItemNode(self, node, currently_within_NOT_node=False):
+ key, value = node
+ if ":" not in key:
+ key = "%s:%s" % (self.sigmaSTIXObjectName, str(key).lower())
+ if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
+ if type(value) == str and "*" in value:
+ value = value.replace("*", "%")
+ if currently_within_NOT_node:
+ return "%s NOT LIKE %s" % (self.cleanKey(key), self.generateValueNode(value))
+ return "%s LIKE %s" % (self.cleanKey(key), self.generateValueNode(value))
+ elif type(value) in (str, int):
+ if currently_within_NOT_node:
+ return self.notMapExpression % (self.cleanKey(key), self.generateValueNode(value))
+ return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value))
+ elif type(value) == list:
+ return self.generateMapItemListNode(key, value, currently_within_NOT_node)
+ elif isinstance(value, SigmaTypeModifier):
+ return self.generateMapItemTypedNode(key, value)
+ else:
+ raise TypeError("Backend does not support map values of type " + str(type(value)))
+
+ def generateValueNode(self, node, keypresent=True):
+ if keypresent == False:
+ if type(node) == str and "*" in node:
+ node = node.replace("*", "%")
+ return "artifact:payload_bin LIKE \'{0}\'".format(self.cleanValue(str(node)))
+ else:
+ return self.valueExpression % (self.cleanValue(str(node)))
+
+ def generateNode(self, node, currently_within_NOT_node=False):
+ if type(node) == sigma.parser.condition.ConditionAND:
+ if currently_within_NOT_node:
+ return self.generateORNode(node, currently_within_NOT_node)
+ return self.generateANDNode(node, currently_within_NOT_node)
+ elif type(node) == sigma.parser.condition.ConditionOR:
+ if currently_within_NOT_node:
+ return self.generateANDNode(node, currently_within_NOT_node)
+ return self.generateORNode(node, currently_within_NOT_node)
+ elif type(node) == sigma.parser.condition.ConditionNOT:
+ return self.generateNOTNode(node, currently_within_NOT_node)
+ elif type(node) == sigma.parser.condition.NodeSubexpression:
+ return self.generateSubexpressionNode(node, currently_within_NOT_node)
+ elif type(node) == tuple:
+ return self.generateMapItemNode(node, currently_within_NOT_node)
+ elif type(node) in (str, int):
+ return self.generateValueNode(node, keypresent=False)
+ else:
+ raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))
+
+ def generate(self, sigmaparser):
+ for parsed in sigmaparser.condparsed:
+ query = self.generateQuery(parsed, sigmaparser)
+ return "[" + query + "]"
+
+ def generateQuery(self, parsed, sigmaparser):
+ result = self.generateNode(parsed.parsedSearch)
+ return result
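Review bot: `cleanValue` returns rule values verbatim, so a `'` or `\` inside a Sigma value is pasted unescaped into the `'%s'` string literal of the generated STIX pattern, and any `%` or `_` already in a value becomes a LIKE wildcard once `*` is rewritten to `%`; the value should be escaped for the pattern grammar before formatting, e.g. `return str(value).replace("\\", "\\\\").replace("'", "\\'")`, after decoding Sigma's own `\*` / `\\` escapes, which this backend does not handle. `generateMapItemNode` is defined twice in the class; Python keeps only the second `def`, and inside it the `elif type(value) in (str, int)` branch is unreachable because the first condition already accepts every str and int when `mapListsSpecialHandling` is True. `generate` returns from inside the `for parsed in sigmaparser.condparsed` loop, so only the first condition of a multi-condition rule is converted. The "full value in QRadar" comment in `generateMapItemTypedNode` appears copied from another backend and should say what STIX `MATCHES` requires.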
diff --git a/tools/sigma/config/eventdict.py b/tools/sigma/config/eventdict.py
new file mode 100644
index 00000000..c6f52286
--- /dev/null
+++ b/tools/sigma/config/eventdict.py
@@ -0,0 +1,24 @@
+event = {
+ 1: ('childproc_count','[1 to *]'),
+ # 2: Change time,
+ 3: ('netconn_count','[1 to *]'),
+ # 4: sysmon state change
+ # 5: Process termincated
+ 6: ('modload_count','[1 to *]'),
+ 7: ('modload_count','[1 to *]'),
+ 8: ('crossproc_count', '[1 to *]'),
+ # 9: Raw Access Read
+ 10: ('crossproc_count', '[1 to *]'),
+ 11: ('filemod_count','[1 to *]'),
+ 12: ('regmod_count','[1 to *]'),
+ 13: ('regmod_count','[1 to *]'),
+ 14: ('',''),
+ 15: ('',''),
+ 16: ('',''),
+ 17: ('',''),
+ 18: ('',''),
+ 19: ('',''),
+ 20: ('',''),
+ 21: ('',''),
+ # 15 File create stream hash
+}
\ No newline at end of file
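Review bot: Event IDs 14 through 21 map to `('', '')`, so a consumer doing `event[eid]` gets an empty field name and an empty value rather than a miss, which is not what the commented-out entries (2, 4, 5, 9) do for other unmapped events. If these are placeholders, either omit them like the others or map them to `None` and check for it at the call site; the consumer is not in this diff, so which is intended cannot be confirmed here. The trailing `# 15 File create stream hash` comment also sits after the entries it describes, and the file lacks a final newline.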
diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py
index 7d337416..a0397683 100644
--- a/tools/sigma/config/mapping.py
+++ b/tools/sigma/config/mapping.py
@@ -125,9 +125,9 @@ class ConditionalFieldMapping(SimpleFieldMapping):
if len(targets) == 1: # result set contains only one target, return mapped item (like SimpleFieldMapping)
if value is None:
- return ConditionNULLValue(val=targets.pop())
+ return ConditionNULLValue(val=list(targets)[0])
else:
- return (targets.pop(), value)
+ return (list(targets)[0], value)
elif len(targets) > 1: # result set contains multiple targets, return all linked as OR condition (like MultiFieldMapping)
cond = ConditionOR()
for target in targets:
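Review bot: `list(targets)[0]` copies the whole collection to read one element; assuming `targets` is a set, as the comment and the former `.pop()` suggest, `next(iter(targets))` gives the same non-mutating peek without the allocation and makes the intent clearer. That applies to both the `ConditionNULLValue(val=...)` and the `(…, value)` return. The enclosing `ConditionalFieldMapping` method begins before this hunk.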
diff --git a/tools/sigma/merge_sigma.py b/tools/sigma/merge_sigma.py
new file mode 100755
index 00000000..1a266913
--- /dev/null
+++ b/tools/sigma/merge_sigma.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+# Merge a Sigma rule collection into full Sigma rules
+# Copyright 2017 Thomas Patzke
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import sys
+import argparse
+import yaml
+
+from sigma.parser.collection import SigmaCollectionParser
+
+def main():
+ argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")
+ argparser.add_argument("input", help="Sigma input file")
+ cmdargs = argparser.parse_args()
+
+ try:
+ f = open(cmdargs.input, "r")
+ except IOError as e:
+ print("Error while opening input file: %s" % str(e), file=sys.stderr)
+ sys.exit(1)
+
+ content = "".join(f.readlines())
+ f.close()
+ sc = SigmaCollectionParser(content)
+
+ print(yaml.dump_all(sc, default_flow_style=False))
+
+if __name__ == "__main__":
+ main()
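Review bot: The ArgumentParser description says "Convert Sigma rules into SIEM signatures.", which is sigmac's text, not what this tool does; per the header comment it should be `description="Merge a Sigma rule collection into full Sigma rules."`. The manual open/readlines/close sequence could also be a context manager, `with open(cmdargs.input, "r") as f: content = f.read()`, which closes the file even if reading raises. What `yaml.dump_all(sc, …)` emits depends on how `SigmaCollectionParser` iterates, which is outside this diff.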
diff --git a/tools/sigma/parser/collection.py b/tools/sigma/parser/collection.py
index 93aa1e54..7de47cce 100644
--- a/tools/sigma/parser/collection.py
+++ b/tools/sigma/parser/collection.py
@@ -15,6 +15,7 @@
# along with this program. If not, see .
import yaml
+from .exceptions import SigmaCollectionParseError
from .rule import SigmaParser
class SigmaCollectionParser:
diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py
index c30f92da..8af35417 100644
--- a/tools/sigma/parser/modifiers/transform.py
+++ b/tools/sigma/parser/modifiers/transform.py
@@ -28,7 +28,10 @@ class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier):
if not val.startswith("*"):
val = "*" + val
if not val.endswith("*"):
- val += "*"
+ if val.endswith("\\"):
+ val += "\\*"
+ else:
+ val += "*"
return val
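Review bot: The `val.endswith("\\")` test cannot tell a trailing escaped backslash (`\\`, a literal backslash) from an unescaped one, so a value ending in `\\` gets `\\*` appended and gains a spurious extra literal backslash instead of just the wildcard. If Sigma's escaping rules apply here (a backslash escapes the following `*`, `?` or `\`), what matters is the parity of the trailing backslash run: `if (len(val) - len(val.rstrip("\\"))) % 2 == 1: val += "\\*"` and `else: val += "*"`. The same logic is duplicated in `SigmaStartswithModifier` below, so a small shared helper would keep the two in step. The enclosing `apply_str` starts before this hunk.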
class SigmaStartswithModifier(ListOrStringModifierMixin, SigmaTransformModifier):
@@ -38,7 +41,10 @@ class SigmaStartswithModifier(ListOrStringModifierMixin, SigmaTransformModifier)
def apply_str(self, val : str):
if not val.endswith("*"):
- val += "*"
+ if val.endswith("\\"):
+ val += "\\*"
+ else:
+ val += "*"
return val
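Review bot: Same parity problem as in `SigmaContainsModifier`: `val.endswith("\\")` is also true when the trailing backslash is itself escaped (`\\`), in which case appending `\\*` adds a literal backslash rather than just the wildcard. Counting the trailing backslash run and appending `\\*` only when its length is odd, `*` otherwise, handles both cases, and the check belongs in one shared helper rather than two copies.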
class SigmaEndswithModifier(ListOrStringModifierMixin, SigmaTransformModifier):
@@ -48,7 +54,7 @@ class SigmaEndswithModifier(ListOrStringModifierMixin, SigmaTransformModifier):
def apply_str(self, val : str):
if not val.startswith("*"):
- val = "*" + val
+ val = '*' + val
return val
class SigmaAllValuesModifier(SigmaTransformModifier):
diff --git a/tools/sigma-similarity b/tools/sigma/sigma-similarity.py
similarity index 100%
rename from tools/sigma-similarity
rename to tools/sigma/sigma-similarity.py
diff --git a/tools/sigma-uuid b/tools/sigma/sigma-uuid.py
similarity index 100%
rename from tools/sigma-uuid
rename to tools/sigma/sigma-uuid.py
diff --git a/tools/sigma/sigma2attack.py b/tools/sigma/sigma2attack.py
new file mode 100755
index 00000000..5543d6ee
--- /dev/null
+++ b/tools/sigma/sigma2attack.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+
+import argparse
+import glob
+import json
+import os
+import sys
+
+import yaml
+
+def main():
+ parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+ parser.add_argument("--rules-directory", "-d", dest="rules_dir", default="rules", help="Directory to read rules from")
+ parser.add_argument("--out-file", "-o", dest="out_file", default="heatmap.json", help="File to write the JSON layer to")
+ parser.add_argument("--no-comment", dest="no_comment", action="store_true", help="Don't store rule names in comments")
+ args = parser.parse_args()
+
+ rule_files = glob.glob(os.path.join(args.rules_dir, "**/*.yml"), recursive=True)
+ techniques_to_rules = {}
+ curr_max_technique_count = 0
+ num_rules_used = 0
+ for rule_file in rule_files:
+ try:
+ rule = yaml.safe_load(open(rule_file).read())
+ except yaml.YAMLError:
+ sys.stderr.write("Ignoring rule " + rule_file + " (parsing failed)\n")
+ continue
+ if "tags" not in rule:
+ sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n")
+ continue
+ tags = rule["tags"]
+ for tag in tags:
+ if tag.lower().startswith("attack.t"):
+ technique_id = tag[len("attack."):].upper()
+ num_rules_used += 1
+ if technique_id not in techniques_to_rules:
+ techniques_to_rules[technique_id] = []
+ techniques_to_rules[technique_id].append(os.path.basename(rule_file))
+ curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id]))
+
+
+ scores = []
+ for technique in techniques_to_rules:
+ entry = {
+ "techniqueID": technique,
+ "score": len(techniques_to_rules[technique]),
+ }
+ if not args.no_comment:
+ entry["comment"] = "\n".join(techniques_to_rules[technique])
+
+ scores.append(entry)
+
+ output = {
+ "domain": "mitre-enterprise",
+ "name": "Sigma rules heatmap",
+ "gradient": {
+ "colors": [
+ "#ffffff",
+ "#ff6666"
+ ],
+ "maxValue": curr_max_technique_count,
+ "minValue": 0
+ },
+ "version": "2.2",
+ "techniques": scores,
+ }
+
+ with open(args.out_file, "w") as f:
+ f.write(json.dumps(output))
+ print("[*] Layer file written in " + args.out_file + " (" + str(num_rules_used) + " rules)")
+
+if __name__ == "__main__":
+ main()
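Review bot: `yaml.safe_load(open(rule_file).read())` never closes the file and, for an empty or comment-only file, returns `None`, so the following `"tags" not in rule` raises TypeError and aborts the whole run instead of skipping the rule like the YAML-error path does. `with open(rule_file) as f: rule = yaml.safe_load(f)` followed by `if not isinstance(rule, dict) or "tags" not in rule:` covers both. `num_rules_used` is also incremented once per matching tag rather than once per rule, so the count printed at the end overstates the number of rules.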
diff --git a/tools/sigma2genericsigma b/tools/sigma/sigma2genericsigma.py
similarity index 100%
rename from tools/sigma2genericsigma
rename to tools/sigma/sigma2genericsigma.py
diff --git a/tools/sigma/sigma2misp.py b/tools/sigma/sigma2misp.py
new file mode 100755
index 00000000..fc102931
--- /dev/null
+++ b/tools/sigma/sigma2misp.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# Import given Sigma rules to MISP
+
+import argparse
+import pathlib
+import urllib3
+urllib3.disable_warnings()
+from pymisp import PyMISP
+
+def create_new_event(args, misp):
+ if hasattr(misp, "new_event"):
+ return misp.new_event(info=args.info)["Event"]["id"]
+
+ event = misp.MISPEvent()
+ event.info = args.info
+ return misp.add_event(event)["Event"]["id"]
+
+
+class MISPImportArgumentParser(argparse.ArgumentParser):
+ def __init__(self, *args, **kwargs):
+ super().__init__(
+ description="Import Sigma rules into MISP events",
+ epilog="Parameters can be read from a file by a @filename parameter. The file should contain one parameter per line. Dashes may be omitted.",
+ fromfile_prefix_chars="@",
+ )
+
+ def convert_arg_line_to_args(self, line : str):
+ return ("--" + line.lstrip("--")).split()
+
+def main():
+ argparser = MISPImportArgumentParser()
+ argparser.add_argument("--url", "-u", default="https://localhost", help="URL of MISP instance")
+ argparser.add_argument("--key", "-k", required=True, help="API key")
+ argparser.add_argument("--insecure", "-I", action="store_false", help="Disable TLS certifcate validation.")
+ argparser.add_argument("--event", "-e", type=int, help="Add Sigma rule to event with this ID. If not set, create new event.")
+ argparser.add_argument("--same-event", "-s", action="store_true", help="Import all Sigma rules to the same event, if no event is set.")
+ argparser.add_argument("--info", "-i", default="Sigma import", help="Event Information field for newly created MISP event.")
+ argparser.add_argument("--recursive", "-r", action="store_true", help="Recursive traversal of directory")
+ argparser.add_argument("sigma", nargs="+", help="Sigma rule file that should be imported")
+ args = argparser.parse_args()
+
+ if args.recursive:
+ paths = [ p for pathname in args.sigma for p in pathlib.Path(pathname).glob("**/*") if p.is_file() ]
+ else:
+ paths = [ pathlib.Path(sigma) for sigma in args.sigma ]
+
+ misp = PyMISP(args.url, args.key, args.insecure)
+ if args.event:
+ if hasattr(misp, "get"):
+ eventid = misp.get(args.event)["Event"]["id"]
+ else:
+ eventid = misp.get_event(args.event)["Event"]["id"]
+
+ first = True
+
+ for sigma in paths:
+ if not args.event and (first or not args.same_event):
+ eventid = create_new_event(args, misp)
+ print("Importing Sigma rule {} into MISP event {}...".format(sigma, eventid, end=""))
+ f = sigma.open("rt")
+
+ if hasattr(misp, "add_named_attribute"):
+ misp.add_named_attribute(eventid, "sigma", f.read())
+ else:
+ event = misp.get_event(eventid, pythonify=True)
+ event.add_attribute("sigma", f.read())
+ misp.update_event(event)
+
+ f.close()
+ first = False
+
+if __name__ == "__main__":
+ main()
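Review bot: The required `--key` argument puts the MISP API key in argv, where it is visible in the process list and shell history; since the parser already accepts `@file`, the help text should point users there, and an environment fallback such as `default=os.environ.get("MISP_KEY")` with `required=False` would avoid it entirely. `urllib3.disable_warnings()` at import time silences InsecureRequestWarning globally, even when certificate validation is left on; it should run only when `-I` was given (note `store_false` makes `args.insecure` True by default, which is confusing to read). The `end=""` in the "Importing Sigma rule" line is passed to `str.format`, where it is ignored, rather than to `print`.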
diff --git a/tools/sigma/sigma_similarity.py b/tools/sigma/sigma_similarity.py
new file mode 100755
index 00000000..38a74d8a
--- /dev/null
+++ b/tools/sigma/sigma_similarity.py
@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+# Calculates similarity of Sigma rules by transformation into a normalized
+# string form and calculation of a string distance.
+
+import argparse
+import pathlib
+import itertools
+import difflib
+
+import progressbar
+
+from sigma.parser.collection import SigmaCollectionParser
+from sigma.backends.base import SingleTextQueryBackend
+from sigma.configuration import SigmaConfiguration
+
+argparser = argparse.ArgumentParser(description="Calculate a similarity score between Sigma rules.")
+argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse into directories")
+argparser.add_argument("--verbose", "-v", action="count", help="Be verbose. Use once more for debug output.")
+argparser.add_argument("--top", "-t", type=int, help="Only output the n most similar rule pairs.")
+argparser.add_argument("--min-similarity", "-m", type=int, help="Only output pairs with a similarity above this threshold (percent)")
+argparser.add_argument("--primary", "-p", help="File with list of paths to primary rules. If given, only rule combinations with at leat one primary rule are compared. Primary rules must also be contained in input rule set.")
+argparser.add_argument("inputs", nargs="+", help="Sigma input files")
+args = argparser.parse_args()
+
+def print_verbose(level, *args, **kwargs):
+ if args.verbose >= level:
+ print(*args, **kwargs)
+
+class SigmaNormalizationBackend(SingleTextQueryBackend):
+ """Normalization of a Sigma rule into a non-existing query language that supports all Sigma features"""
+ andToken = " AND "
+ orToken = " OR "
+ notToken = " NOT "
+ subExpression = "(%s)"
+ listExpression = "[%s]"
+ listSeparator = ","
+ valueExpression = "%s"
+ typedValueExpression = dict()
+ nullExpression = "NULL(%s)"
+ notNullExpression = "NOTNULL(%s)"
+ mapExpression = "{'%s':'%s'}"
+
+ sort_condition_lists = True
+
+ def generateListNode(self, node):
+ """Return sorted list"""
+ return super().generateListNode(list(sorted([ str(item) for item in node ])))
+
+ def generateTypedValueNode(self, node):
+ """Return normalized form of typed values"""
+ return "type_{}({})".format(node.identifier, str(node))
+
+ def generateAggregation(self, agg):
+ if agg.aggfunc_notrans == "near":
+ return " near in={} ex={}".format(str(agg.include), str(agg.exclude))
+ else:
+ return " | {}({}) by {} {} {}".format(agg.aggfunc_notrans, agg.aggfield, agg.groupfield, agg.cond_op, agg.condition)
+
+def main():
+ backend = SigmaNormalizationBackend(SigmaConfiguration())
+
+ if args.recursive:
+ paths = [ p for pathname in args.inputs for p in pathlib.Path(pathname).glob("**/*") if p.is_file() ]
+ else:
+ paths = [ pathlib.Path(pathname) for pathname in args.inputs ]
+
+ primary_paths = None
+ if args.primary:
+ with open(args.primary, "r") as f:
+ primary_paths = { pathname.strip() for pathname in f.readlines() }
+
+ parsed = {
+ str(path): SigmaCollectionParser(path.open().read())
+ for path in paths
+ }
+ converted = {
+ str(path): list(sigma_collection.generate(backend))
+ for path, sigma_collection in parsed.items()
+ }
+ converted_flat = (
+ (path, i, normalized)
+ for path, nlist in converted.items()
+ for i, normalized in zip(range(len(nlist)), nlist)
+ )
+ converted_pairs_iter = itertools.combinations(converted_flat, 2)
+ if primary_paths:
+ converted_pairs = [ pair for pair in converted_pairs_iter if pair[0][0] in primary_paths or pair[1][0] in paths ]
+ else:
+ converted_pairs = list(converted_pairs_iter)
+ similarities = [
+ (item1[:2], item2[:2], difflib.SequenceMatcher(None, item1[2], item2[2]).ratio())
+ for item1, item2 in progressbar.progressbar(converted_pairs)
+ ]
+
+ i = 0
+ for similarity in sorted(similarities, key=lambda s: s[2], reverse=True):
+ if args.min_similarity and similarity[2] * 100 < args.min_similarity: # finish after similarity drops below minimum
+ break
+ print("{:70} | {:2} | {:70} | {:2} | {:>3.2%}".format(*similarity[0], *similarity[1], similarity[2]))
+ i += 1
+ if args.top and i >= args.top: # end after $top pairs
+ break
+
+if __name__ == "__main__":
+ main()
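Review bot: The primary-rule filter under `if primary_paths:` compares `pair[1][0]` against `paths`, a list of `pathlib.Path` objects, while `pair[1][0]` is the `str(path)` key from `converted`, so that half of the condition is always false and pairs whose primary rule is the second element are silently dropped; it should read `or pair[1][0] in primary_paths`. `print_verbose` does `args.verbose >= level`, but `args.verbose` is `None` when `-v` is not given, so the first call would raise TypeError; `action="count", default=0` fixes it. `path.open().read()` in the `parsed` comprehension also leaves the file objects for the garbage collector to close.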
diff --git a/tools/sigma/sigma_uuid.py b/tools/sigma/sigma_uuid.py
new file mode 100755
index 00000000..2a8b003c
--- /dev/null
+++ b/tools/sigma/sigma_uuid.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+# Assign UUIDs to Sigma rules and verify UUID assignment for a Sigma rule repository
+
+from argparse import ArgumentParser
+from pathlib import Path
+from uuid import uuid4, UUID
+import yaml
+from sigma.output import SigmaYAMLDumper
+
+def print_verbose(*arg, **kwarg):
+ print(*arg, **kwarg)
+
+# Define order-preserving representer from dicts/maps
+def yaml_preserve_order(self, dict_data):
+ return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items())
+
+def main():
+ argparser = ArgumentParser(description="Assign and verfify UUIDs of Sigma rules")
+ argparser.add_argument("--verify", "-V", action="store_true", help="Verify existence and uniqueness of UUID assignments. Exits with error code if verification fails.")
+ argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose.")
+ argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse into directories.")
+ argparser.add_argument("--error", "-e", action="store_true", help="Exit with error code 10 on verification failures.")
+ argparser.add_argument("inputs", nargs="+", help="Sigma rule files or repository directories")
+ args = argparser.parse_args()
+
+ if args.verbose:
+ print_verbose()
+
+ if args.recursive:
+ paths = [ p for pathname in args.inputs for p in Path(pathname).glob("**/*") if p.is_file() ]
+ else:
+ paths = [ Path(pathname) for pathname in args.inputs ]
+
+ yaml.add_representer(dict, yaml_preserve_order)
+
+ uuids = set()
+ passed = True
+ for path in paths:
+ print_verbose("Rule {}".format(str(path)))
+ with path.open("r") as f:
+ rules = list(yaml.safe_load_all(f))
+
+ if args.verify:
+ i = 1
+ for rule in rules:
+ if "title" in rule: # Rule with a title should also have a UUID
+ try:
+ UUID(rule["id"])
+ except ValueError: # id is not a valid UUID
+ print("Rule {} in file {} has a malformed UUID '{}'.".format(i, str(path), rule["id"]))
+ passed = False
+ except KeyError: # rule has no id
+ print("Rule {} in file {} has no UUID.".format(i, str(path)))
+ passed = False
+ i += 1
+ else:
+ newrules = list()
+ changed = False
+ i = 1
+ for rule in rules:
+ if "title" in rule and "id" not in rule: # only assign id to rules that have a title and no id
+ newrule = dict()
+ changed = True
+ for k, v in rule.items():
+ newrule[k] = v
+ if k == "title": # insert id after title
+ uuid = uuid4()
+ newrule["id"] = str(uuid)
+ print("Assigned UUID '{}' to rule {} in file {}.".format(uuid, i, str(path)))
+ newrules.append(newrule)
+ else:
+ newrules.append(rule)
+ i += 1
+
+ if changed:
+ with path.open("w") as f:
+ yaml.dump_all(newrules, f, Dumper=SigmaYAMLDumper, indent=4, width=160, default_flow_style=False)
+
+ if not passed:
+ print("The Sigma rules listed above don't have an ID. The ID must be:")
+ print("* Contained in the 'id' attribute")
+ print("* a valid UUIDv4 (randomly generated)")
+ print("* Unique in this repository")
+ print("Please generate one with the sigma_uuid tool or here: https://www.uuidgenerator.net/version4")
+ if args.error:
+ exit(10)
+
+if __name__ == "__main__":
+ main()
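Review bot: `--verify` never checks uniqueness: `uuids = set()` is created but nothing is ever added to it, so duplicate IDs pass although the help text and the final message promise the ID is "Unique in this repository". Recording each parsed UUID and reporting a repeat closes the gap; as written, a non-string `id` (YAML parses an all-digit id as an int) also raises AttributeError from `UUID()` rather than ValueError and aborts the run, so that case should be caught as malformed too. `print_verbose` ignores `args.verbose` and always prints, which makes `--verbose` a no-op.
```python
                if "title" in rule:  # Rule with a title should also have a UUID
                    try:
                        rule_id = UUID(rule["id"])
                    except (ValueError, AttributeError, TypeError):  # id is not a valid UUID
                        # … unchanged: malformed-UUID message …
                        passed = False
                    except KeyError:  # rule has no id
                        # … unchanged: missing-UUID message …
                        passed = False
                    else:
                        if rule_id in uuids:
                            print("Rule {} in file {} has a duplicate UUID '{}'.".format(i, str(path), rule["id"]))
                            passed = False
                        uuids.add(rule_id)
```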
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
new file mode 100755
index 00000000..81832262
--- /dev/null
+++ b/tools/sigma/sigmac.py
@@ -0,0 +1,297 @@
+#!/usr/bin/env python3
+# A Sigma to SIEM converter
+# Copyright 2016-2017 Thomas Patzke, Florian Roth
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import sys
+import argparse
+import yaml
+import json
+import pathlib
+import itertools
+import logging
+from sigma.parser.collection import SigmaCollectionParser
+from sigma.parser.exceptions import SigmaCollectionParseError, SigmaParseError
+from sigma.configuration import SigmaConfiguration, SigmaConfigurationChain
+from sigma.config.collection import SigmaConfigurationManager
+from sigma.config.exceptions import SigmaConfigParseError, SigmaRuleFilterParseException
+from sigma.filter import SigmaRuleFilter
+import sigma.backends.discovery as backends
+from sigma.backends.base import BackendOptions
+from sigma.backends.exceptions import BackendError, NotSupportedError, PartialMatchError, FullMatchError
+from sigma.parser.modifiers import modifiers
+import codecs
+
+sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())
+
+# Error codes
+
+ERR_OUTPUT = 1
+ERR_INVALID_YAML = 3
+ERR_SIGMA_PARSING = 4
+ERR_OPEN_SIGMA_RULE = 5
+ERR_OPEN_CONFIG_FILE = 5
+ERR_CONFIG_INVALID_YAML = 6
+ERR_CONFIG_PARSING = 6
+ERR_BACKEND = 8
+ERR_NOT_SUPPORTED = 9
+ERR_NO_TARGET = 10
+ERR_RULE_FILTER_PARSING = 11
+ERR_CONFIG_REQUIRED = 20
+ERR_CONFIG_ORDER = 21
+ERR_CONFIG_BACKEND = 22
+ERR_NOT_IMPLEMENTED = 42
+ERR_PARTIAL_FIELD_MATCH = 80
+ERR_FULL_FIELD_MATCH = 90
+
+def alliter(path):
+ for sub in path.iterdir():
+ if sub.name.startswith("."):
+ continue
+ if sub.is_dir():
+ yield from alliter(sub)
+ else:
+ yield sub
+
+def get_inputs(paths, recursive):
+ if paths == ['-']:
+ return [sys.stdin]
+
+ if recursive:
+ return list(itertools.chain.from_iterable([list(alliter(pathlib.Path(p))) for p in paths]))
+ else:
+ return [pathlib.Path(p) for p in paths]
+
+class ActionBackendHelp(argparse.Action):
+ def __call__(self, parser, ns, vals, opt):
+ backend = backends.getBackend(vals)
+ if len(backend.options) > 0:
+ helptext = "Backend options for " + backend.identifier + "\n"
+ for option, default, help, _ in backend.options:
+ helptext += " {:10}: {} (default: {})".format(option, help, default) + "\n"
+
+ print(helptext)
+ exit(0)
+
+def set_argparser():
+ """Sets up and parses the command line arguments for Sigmac.
+ Returns the argparser"""
+ argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")
+ argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)")
+ argparser.add_argument("--filter", "-f", help="""
+ Define comma-separated filters that must match (AND-linked) to rule to be processed.
+ Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t.
+ x is one of: low, medium, high, critical.
+ y is one of: experimental, testing, stable.
+ z is a word appearing in an arbitrary log source attribute.
+ t is a tag that must appear in the rules tag list, case-insensitive matching.
+ Multiple log source specifications are AND linked.
+ """)
+ argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format")
+ argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations")
+ argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authorative in case of conflicts.")
+ argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated")
+ argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
+ argparser.add_argument("--backend-config", "-C", help="Configuration file (YAML format) containing options to pass to the backend")
+ argparser.add_argument("--backend-help", action=ActionBackendHelp, help="Print backend options")
+ argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")
+ argparser.add_argument("--ignore-backend-errors", "-I", action="store_true", help="Only return error codes for parse errors and ignore errors for rules that cause backend errors. Useful, when you want to get as much queries as possible.")
+ argparser.add_argument("--shoot-yourself-in-the-foot", action="store_true", help=argparse.SUPPRESS)
+ argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
+ argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
+ argparser.add_argument("inputs", nargs="*", help="Sigma input files ('-' for stdin)")
+
+ return argparser
+
+def list_backends(debug):
+ for backend in sorted(backends.getBackendList(), key=lambda backend: backend.identifier):
+ if debug:
+ print("{:>15} : {} ({})".format(backend.identifier, backend.__doc__, backend.__name__))
+ else:
+ print("{:>15} : {}".format(backend.identifier, backend.__doc__))
+
+def list_configurations(backend=None, scm=None):
+ for conf_id, title, backends in sorted(scm.list(), key=lambda config: config[0]):
+ if backend is not None and backend in backends or backend is None or len(backends) == 0:
+ print("{:>30} : {}".format(conf_id, title))
+
+def list_modifiers(modifiers):
+ for modifier_id, modifier in modifiers.items():
+ print("{:>10} : {}".format(modifier_id, modifier.__doc__))
+
+def main():
+ argparser = set_argparser()
+ cmdargs = argparser.parse_args()
+
+ scm = SigmaConfigurationManager()
+
+ logger = logging.getLogger(__name__)
+ if cmdargs.debug: # pragma: no cover
+ logger.setLevel(logging.DEBUG)
+
+ if cmdargs.lists:
+ print("Backends (Targets):")
+ list_backends(cmdargs.debug)
+
+ print()
+ print("Configurations (Sources):")
+ list_configurations(backend=cmdargs.target, scm=scm)
+
+ print()
+ print("Modifiers:")
+ list_modifiers(modifiers=modifiers)
+ sys.exit(0)
+ elif len(cmdargs.inputs) == 0:
+ print("Nothing to do!")
+ argparser.print_usage()
+ sys.exit(0)
+
+ if cmdargs.target is None:
+ print("No target selected, select one with -t/--target")
+ argparser.print_usage()
+ sys.exit(ERR_NO_TARGET)
+
+ rulefilter = None
+ if cmdargs.filter:
+ try:
+ rulefilter = SigmaRuleFilter(cmdargs.filter)
+ except SigmaRuleFilterParseException as e:
+ print("Parse error in Sigma rule filter expression: %s" % str(e), file=sys.stderr)
+ sys.exit(ERR_RULE_FILTER_PARSING)
+
+ sigmaconfigs = SigmaConfigurationChain()
+ backend_class = backends.getBackend(cmdargs.target)
+ if cmdargs.config is None:
+ if backend_class.config_required and not cmdargs.shoot_yourself_in_the_foot:
+ print("The backend you want to use usually requires a configuration to generate valid results. Please provide one with --config/-c.", file=sys.stderr)
+ print("Available choices for this backend (get complete list with --lists/-l):")
+ list_configurations(backend=cmdargs.target, scm=scm)
+ sys.exit(ERR_CONFIG_REQUIRED)
+ if backend_class.default_config is not None:
+ cmdargs.config = backend_class.default_config
+
+ if cmdargs.config:
+ order = 0
+ for conf_name in cmdargs.config:
+ try:
+ sigmaconfig = scm.get(conf_name)
+ if sigmaconfig.order is not None:
+ if sigmaconfig.order <= order and not cmdargs.shoot_yourself_in_the_foot:
+ print("The configurations were provided in the wrong order (order key check in config file)", file=sys.stderr)
+ sys.exit(ERR_CONFIG_ORDER)
+ order = sigmaconfig.order
+
+ try:
+ if cmdargs.target not in sigmaconfig.config["backends"]:
+ print("The configuration '{}' is not valid for backend '{}'. Valid choices are: {}".format(conf_name, cmdargs.target, ", ".join(sigmaconfig.config["backends"])), file=sys.stderr)
+ sys.exit(ERR_CONFIG_ORDER)
+ except KeyError:
+ pass
+
+ sigmaconfigs.append(sigmaconfig)
+ except OSError as e:
+ print("Failed to open Sigma configuration file %s: %s" % (conf_name, str(e)), file=sys.stderr)
+ exit(ERR_OPEN_CONFIG_FILE)
+ except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
+ print("Sigma configuration file %s is no valid YAML: %s" % (conf_name, str(e)), file=sys.stderr)
+ exit(ERR_CONFIG_INVALID_YAML)
+ except SigmaConfigParseError as e:
+ print("Sigma configuration parse error in %s: %s" % (conf_name, str(e)), file=sys.stderr)
+ exit(ERR_CONFIG_PARSING)
+
+ backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config)
+ backend = backend_class(sigmaconfigs, backend_options)
+
+ filename = cmdargs.output
+ if filename:
+ try:
+ out = open(filename, "w", encoding='utf-8')
+ except (IOError, OSError) as e:
+ print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
+ exit(ERR_OUTPUT)
+ else:
+ out = sys.stdout
+
+ error = 0
+ for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
+ logger.debug("* Processing Sigma input %s" % (sigmafile))
+ try:
+ if cmdargs.inputs == ['-']:
+ f = sigmafile
+ else:
+ f = sigmafile.open(encoding='utf-8')
+ parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter)
+ results = parser.generate(backend)
+ for result in results:
+ print(result, file=out)
+ except OSError as e:
+ print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
+ error = ERR_OPEN_SIGMA_RULE
+ except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
+ print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)
+ error = ERR_INVALID_YAML
+ if not cmdargs.defer_abort:
+ sys.exit(error)
+ except (SigmaParseError, SigmaCollectionParseError) as e:
+ print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
+ error = ERR_SIGMA_PARSING
+ if not cmdargs.defer_abort:
+ sys.exit(error)
+ except NotSupportedError as e:
+ print("The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr)
+ if not cmdargs.ignore_backend_errors:
+ error = ERR_NOT_SUPPORTED
+ if not cmdargs.defer_abort:
+ sys.exit(error)
+ except BackendError as e:
+ print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
+ if not cmdargs.ignore_backend_errors:
+ error = ERR_BACKEND
+ if not cmdargs.defer_abort:
+ sys.exit(error)
+ except (NotImplementedError, TypeError) as e:
+ print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr)
+ print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)
+ if not cmdargs.ignore_backend_errors:
+ error = ERR_NOT_IMPLEMENTED
+ if not cmdargs.defer_abort:
+ sys.exit(error)
+ except PartialMatchError as e:
+ print("Partial field match error: %s" % str(e), file=sys.stderr)
+ if not cmdargs.ignore_backend_errors:
+ error = ERR_PARTIAL_FIELD_MATCH
+ if not cmdargs.defer_abort:
+ sys.exit(error)
+ except FullMatchError as e:
+ print("Full field match error", file=sys.stderr)
+ if not cmdargs.ignore_backend_errors:
+ error = ERR_FULL_FIELD_MATCH
+ if not cmdargs.defer_abort:
+ sys.exit(error)
+ finally:
+ try:
+ f.close()
+ except:
+ pass
+
+ result = backend.finalize()
+ if result:
+ print(result, file=out)
+ out.close()
+
+ sys.exit(error)
+
+if __name__ == "__main__":
+ main()
diff --git a/tools/sigma/tools.py b/tools/sigma/tools.py
index c60c8dcd..1bdce530 100644
--- a/tools/sigma/tools.py
+++ b/tools/sigma/tools.py
@@ -19,12 +19,12 @@ import importlib
def getAllSubclasses(path, import_base, base_class):
"""Return list of all classes derived from a superclass contained in a module."""
- classes = list()
+ classes = set()
for finder, name, ispkg in pkgutil.iter_modules([ path ]):
module = importlib.import_module(".{}.{}".format(import_base, name), __package__)
for name, cls in vars(module).items():
if type(cls) == type and issubclass(cls, base_class) and cls.active:
- classes.append(cls)
+ classes.add(cls)
return classes
def getClassDict(clss):
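Review bot: The docstring of getAllSubclasses still says "Return list" while the function now builds and returns a set, so the documented contract and the actual return type disagree, and any caller that indexes the result or relies on a stable iteration order now gets unordered output. Suggest `"""Return the set of active classes derived from base_class found in the modules under path (unordered; sort by identifier where stable output matters)."""`. The inner `for name, cls in vars(module).items()` also rebinds the `name` loop variable of the enclosing iter_modules loop; harmless here, but renaming it to `attr_name` would make the two loops easier to read. getClassDict starts at the last line of the hunk and continues outside it.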
diff --git a/tools/sigma2attack b/tools/sigma2attack
index 5a5ea20a..622243e1 100755
--- a/tools/sigma2attack
+++ b/tools/sigma2attack
@@ -1,69 +1,5 @@
#!/usr/bin/env python3
-import argparse
-import glob
-import json
-import os
-import sys
+from sigma.sigma2attack import main
-import yaml
-
-parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter)
-parser.add_argument("--rules-directory", "-d", dest="rules_dir", default="rules", help="Directory to read rules from")
-parser.add_argument("--out-file", "-o", dest="out_file", default="heatmap.json", help="File to write the JSON layer to")
-parser.add_argument("--no-comment", dest="no_comment", action="store_true", help="Don't store rule names in comments")
-args = parser.parse_args()
-
-rule_files = glob.glob(os.path.join(args.rules_dir, "**/*.yml"), recursive=True)
-techniques_to_rules = {}
-curr_max_technique_count = 0
-num_rules_used = 0
-for rule_file in rule_files:
- try:
- rule = yaml.safe_load(open(rule_file).read())
- except yaml.YAMLError:
- sys.stderr.write("Ignoring rule " + rule_file + " (parsing failed)\n")
- continue
- if "tags" not in rule:
- sys.stderr.write("Ignoring rule " + rule_file + " (no tags)\n")
- continue
- tags = rule["tags"]
- for tag in tags:
- if tag.lower().startswith("attack.t"):
- technique_id = tag[len("attack."):].upper()
- num_rules_used += 1
- if technique_id not in techniques_to_rules:
- techniques_to_rules[technique_id] = []
- techniques_to_rules[technique_id].append(os.path.basename(rule_file))
- curr_max_technique_count = max(curr_max_technique_count, len(techniques_to_rules[technique_id]))
-
-
-scores = []
-for technique in techniques_to_rules:
- entry = {
- "techniqueID": technique,
- "score": len(techniques_to_rules[technique]),
- }
- if not args.no_comment:
- entry["comment"] = "\n".join(techniques_to_rules[technique])
-
- scores.append(entry)
-
-output = {
- "domain": "mitre-enterprise",
- "name": "Sigma rules heatmap",
- "gradient": {
- "colors": [
- "#ffffff",
- "#ff6666"
- ],
- "maxValue": curr_max_technique_count,
- "minValue": 0
- },
- "version": "2.2",
- "techniques": scores,
-}
-
-with open(args.out_file, "w") as f:
- f.write(json.dumps(output))
- print("[*] Layer file written in " + args.out_file + " (" + str(num_rules_used) + " rules)")
\ No newline at end of file
+main()
diff --git a/tools/sigma2misp b/tools/sigma2misp
index 5229c338..b8510166 100755
--- a/tools/sigma2misp
+++ b/tools/sigma2misp
@@ -1,69 +1,5 @@
#!/usr/bin/env python3
-# Import given Sigma rules to MISP
-import argparse
-import pathlib
-import urllib3
-urllib3.disable_warnings()
-from pymisp import PyMISP
+from sigma.sigma2misp import main
-def create_new_event():
- if hasattr(misp, "new_event"):
- return misp.new_event(info=args.info)["Event"]["id"]
-
- event = misp.MISPEvent()
- event.info = args.info
- return misp.add_event(event)["Event"]["id"]
-
-
-class MISPImportArgumentParser(argparse.ArgumentParser):
- def __init__(self, *args, **kwargs):
- super().__init__(
- description="Import Sigma rules into MISP events",
- epilog="Parameters can be read from a file by a @filename parameter. The file should contain one parameter per line. Dashes may be omitted.",
- fromfile_prefix_chars="@",
- )
-
- def convert_arg_line_to_args(self, line : str):
- return ("--" + line.lstrip("--")).split()
-
-argparser = MISPImportArgumentParser()
-argparser.add_argument("--url", "-u", default="https://localhost", help="URL of MISP instance")
-argparser.add_argument("--key", "-k", required=True, help="API key")
-argparser.add_argument("--insecure", "-I", action="store_false", help="Disable TLS certifcate validation.")
-argparser.add_argument("--event", "-e", type=int, help="Add Sigma rule to event with this ID. If not set, create new event.")
-argparser.add_argument("--same-event", "-s", action="store_true", help="Import all Sigma rules to the same event, if no event is set.")
-argparser.add_argument("--info", "-i", default="Sigma import", help="Event Information field for newly created MISP event.")
-argparser.add_argument("--recursive", "-r", action="store_true", help="Recursive traversal of directory")
-argparser.add_argument("sigma", nargs="+", help="Sigma rule file that should be imported")
-args = argparser.parse_args()
-
-if args.recursive:
- paths = [ p for pathname in args.sigma for p in pathlib.Path(pathname).glob("**/*") if p.is_file() ]
-else:
- paths = [ pathlib.Path(sigma) for sigma in args.sigma ]
-
-misp = PyMISP(args.url, args.key, args.insecure)
-if args.event:
- if hasattr(misp, "get"):
- eventid = misp.get(args.event)["Event"]["id"]
- else:
- eventid = misp.get_event(args.event)["Event"]["id"]
-
-first = True
-
-for sigma in paths:
- if not args.event and (first or not args.same_event):
- eventid = create_new_event()
- print("Importing Sigma rule {} into MISP event {}...".format(sigma, eventid, end=""))
- f = sigma.open("rt")
-
- if hasattr(misp, "add_named_attribute"):
- misp.add_named_attribute(eventid, "sigma", f.read())
- else:
- event = misp.get_event(eventid, pythonify=True)
- event.add_attribute("sigma", f.read())
- misp.update_event(event)
-
- f.close()
- first = False
+main()
diff --git a/tools/sigma_similarity b/tools/sigma_similarity
new file mode 100755
index 00000000..782531b5
--- /dev/null
+++ b/tools/sigma_similarity
@@ -0,0 +1,5 @@
+#!/usr/bin/env python3
+
+from sigma.sigmac import main
+
+main()
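Review bot: tools/sigma_similarity imports `from sigma.sigmac import main`, so this new wrapper launches the sigmac converter rather than a similarity tool; its blob id 782531b5 is identical to the new tools/sigmac in this same commit, which looks like the sigmac wrapper was copied without changing the import. Unless sigma.sigmac is meant to expose the similarity entry point, the import should name whichever module actually carries it (not visible in this diff). A CI smoke test that runs each wrapper with `--help` would catch a mis-wired entry point like this before release.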
diff --git a/tools/sigma_uuid b/tools/sigma_uuid
new file mode 100755
index 00000000..9a28a5ed
--- /dev/null
+++ b/tools/sigma_uuid
@@ -0,0 +1,5 @@
+#!/usr/bin/env python3
+
+from sigma.sigma_uuid import main
+
+main()
diff --git a/tools/sigmac b/tools/sigmac
index a8e54dbd..782531b5 100755
--- a/tools/sigmac
+++ b/tools/sigmac
@@ -1,293 +1,5 @@
#!/usr/bin/env python3
-# A Sigma to SIEM converter
-# Copyright 2016-2017 Thomas Patzke, Florian Roth
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
+from sigma.sigmac import main
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Lesser General Public License for more details.
-
-# You should have received a copy of the GNU Lesser General Public License
-# along with this program. If not, see .
-
-import sys
-import argparse
-import yaml
-import json
-import pathlib
-import itertools
-import logging
-from sigma.parser.collection import SigmaCollectionParser
-from sigma.parser.exceptions import SigmaCollectionParseError, SigmaParseError
-from sigma.configuration import SigmaConfiguration, SigmaConfigurationChain
-from sigma.config.collection import SigmaConfigurationManager
-from sigma.config.exceptions import SigmaConfigParseError, SigmaRuleFilterParseException
-from sigma.filter import SigmaRuleFilter
-import sigma.backends.discovery as backends
-from sigma.backends.base import BackendOptions
-from sigma.backends.exceptions import BackendError, NotSupportedError, PartialMatchError, FullMatchError
-from sigma.parser.modifiers import modifiers
-import codecs
-
-sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())
-
-# Error codes
-
-ERR_OUTPUT = 1
-ERR_INVALID_YAML = 3
-ERR_SIGMA_PARSING = 4
-ERR_OPEN_SIGMA_RULE = 5
-ERR_OPEN_CONFIG_FILE = 5
-ERR_CONFIG_INVALID_YAML = 6
-ERR_CONFIG_PARSING = 6
-ERR_BACKEND = 8
-ERR_NOT_SUPPORTED = 9
-ERR_NO_TARGET = 10
-ERR_RULE_FILTER_PARSING = 11
-ERR_CONFIG_REQUIRED = 20
-ERR_CONFIG_ORDER = 21
-ERR_CONFIG_BACKEND = 22
-ERR_NOT_IMPLEMENTED = 42
-ERR_PARTIAL_FIELD_MATCH = 80
-ERR_FULL_FIELD_MATCH = 90
-
-def alliter(path):
- for sub in path.iterdir():
- if sub.name.startswith("."):
- continue
- if sub.is_dir():
- yield from alliter(sub)
- else:
- yield sub
-
-def get_inputs(paths, recursive):
- if paths == ['-']:
- return [sys.stdin]
-
- if recursive:
- return list(itertools.chain.from_iterable([list(alliter(pathlib.Path(p))) for p in paths]))
- else:
- return [pathlib.Path(p) for p in paths]
-
-class SigmacArgumentParser(argparse.ArgumentParser):
- def format_help(self):
- helptext = super().format_help() + "\nBackend options:\n"
-
- for backend in backends.getBackendList():
- if len(backend.options) > 0:
- helptext += " " + backend.identifier + "\n"
- for option, default, help, _ in backend.options:
- helptext += " {:10}: {} (default: {})".format(option, help, default) + "\n"
-
- return helptext
-
-def set_argparser():
- """Sets up and parses the command line arguments for Sigmac.
- Returns the argparser"""
- argparser = SigmacArgumentParser(description="Convert Sigma rules into SIEM signatures.")
- argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)")
- argparser.add_argument("--filter", "-f", help="""
- Define comma-separated filters that must match (AND-linked) to rule to be processed.
- Valid filters: level<=x, level>=x, level=x, status=y, logsource=z, tag=t.
- x is one of: low, medium, high, critical.
- y is one of: experimental, testing, stable.
- z is a word appearing in an arbitrary log source attribute.
- t is a tag that must appear in the rules tag list, case-insensitive matching.
- Multiple log source specifications are AND linked.
- """)
- argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format")
- argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations")
- argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authorative in case of conflicts.")
- argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated")
- argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
- argparser.add_argument("--backend-config", "-C", help="Configuration file (YAML format) containing options to pass to the backend")
- argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")
- argparser.add_argument("--ignore-backend-errors", "-I", action="store_true", help="Only return error codes for parse errors and ignore errors for rules that cause backend errors. Useful, when you want to get as much queries as possible.")
- argparser.add_argument("--shoot-yourself-in-the-foot", action="store_true", help=argparse.SUPPRESS)
- argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
- argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
- argparser.add_argument("inputs", nargs="*", help="Sigma input files ('-' for stdin)")
-
- return argparser
-
-argparser = set_argparser()
-cmdargs = argparser.parse_args()
-
-scm = SigmaConfigurationManager()
-
-logger = logging.getLogger(__name__)
-if cmdargs.debug: # pragma: no cover
- logger.setLevel(logging.DEBUG)
-
-def list_backends():
- for backend in backends.getBackendList():
- if cmdargs.debug:
- print("{:>15} : {} ({})".format(backend.identifier, backend.__doc__, backend.__name__))
- else:
- print("{:>15} : {}".format(backend.identifier, backend.__doc__))
-
-def list_configurations(backend=None):
- for conf_id, title, backends in scm.list():
- if backend is not None and backend in backends or backend is None or len(backends) == 0:
- print("{:>30} : {}".format(conf_id, title))
-
-def list_modifiers():
- for modifier_id, modifier in modifiers.items():
- print("{:>10} : {}".format(modifier_id, modifier.__doc__))
-
-if cmdargs.lists:
- print("Backends:")
- list_backends()
-
- print()
- print("Configurations:")
- list_configurations(cmdargs.target)
-
- print()
- print("Modifiers:")
- list_modifiers()
- sys.exit(0)
-elif len(cmdargs.inputs) == 0:
- print("Nothing to do!")
- argparser.print_usage()
- sys.exit(0)
-
-if cmdargs.target is None:
- print("No target selected, select one with -t/--target")
- argparser.print_usage()
- sys.exit(ERR_NO_TARGET)
-
-rulefilter = None
-if cmdargs.filter:
- try:
- rulefilter = SigmaRuleFilter(cmdargs.filter)
- except SigmaRuleFilterParseException as e:
- print("Parse error in Sigma rule filter expression: %s" % str(e), file=sys.stderr)
- sys.exit(ERR_RULE_FILTER_PARSING)
-
-sigmaconfigs = SigmaConfigurationChain()
-backend_class = backends.getBackend(cmdargs.target)
-if cmdargs.config is None:
- if backend_class.config_required and not cmdargs.shoot_yourself_in_the_foot:
- print("The backend you want to use usually requires a configuration to generate valid results. Please provide one with --config/-c.", file=sys.stderr)
- print("Available choices for this backend (get complete list with --lists/-l):")
- list_configurations(cmdargs.target)
- sys.exit(ERR_CONFIG_REQUIRED)
- if backend_class.default_config is not None:
- cmdargs.config = backend_class.default_config
-
-if cmdargs.config:
- order = 0
- for conf_name in cmdargs.config:
- try:
- sigmaconfig = scm.get(conf_name)
- if sigmaconfig.order is not None:
- if sigmaconfig.order <= order and not cmdargs.shoot_yourself_in_the_foot:
- print("The configurations were provided in the wrong order (order key check in config file)", file=sys.stderr)
- sys.exit(ERR_CONFIG_ORDER)
- order = sigmaconfig.order
-
- try:
- if cmdargs.target not in sigmaconfig.config["backends"]:
- print("The configuration '{}' is not valid for backend '{}'. Valid choices are: {}".format(conf_name, cmdargs.target, ", ".join(sigmaconfig.config["backends"])), file=sys.stderr)
- sys.exit(ERR_CONFIG_ORDER)
- except KeyError:
- pass
-
- sigmaconfigs.append(sigmaconfig)
- except OSError as e:
- print("Failed to open Sigma configuration file %s: %s" % (conf_name, str(e)), file=sys.stderr)
- exit(ERR_OPEN_CONFIG_FILE)
- except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
- print("Sigma configuration file %s is no valid YAML: %s" % (conf_name, str(e)), file=sys.stderr)
- exit(ERR_CONFIG_INVALID_YAML)
- except SigmaConfigParseError as e:
- print("Sigma configuration parse error in %s: %s" % (conf_name, str(e)), file=sys.stderr)
- exit(ERR_CONFIG_PARSING)
-
-backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config)
-backend = backend_class(sigmaconfigs, backend_options)
-
-filename = cmdargs.output
-if filename:
- try:
- out = open(filename, "w", encoding='utf-8')
- except (IOError, OSError) as e:
- print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
- exit(ERR_OUTPUT)
-else:
- out = sys.stdout
-
-error = 0
-for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
- logger.debug("* Processing Sigma input %s" % (sigmafile))
- try:
- if cmdargs.inputs == ['-']:
- f = sigmafile
- else:
- f = sigmafile.open(encoding='utf-8')
- parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter)
- results = parser.generate(backend)
- for result in results:
- print(result, file=out)
- except OSError as e:
- print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
- error = ERR_OPEN_SIGMA_RULE
- except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
- print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr)
- error = ERR_INVALID_YAML
- if not cmdargs.defer_abort:
- sys.exit(error)
- except (SigmaParseError, SigmaCollectionParseError) as e:
- print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
- error = ERR_SIGMA_PARSING
- if not cmdargs.defer_abort:
- sys.exit(error)
- except NotSupportedError as e:
- print("The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr)
- if not cmdargs.ignore_backend_errors:
- error = ERR_NOT_SUPPORTED
- if not cmdargs.defer_abort:
- sys.exit(error)
- except BackendError as e:
- print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr)
- if not cmdargs.ignore_backend_errors:
- error = ERR_BACKEND
- if not cmdargs.defer_abort:
- sys.exit(error)
- except (NotImplementedError, TypeError) as e:
- print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr)
- print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)
- if not cmdargs.ignore_backend_errors:
- error = ERR_NOT_IMPLEMENTED
- if not cmdargs.defer_abort:
- sys.exit(error)
- except PartialMatchError as e:
- print("Partial field match error: %s" % str(e), file=sys.stderr)
- if not cmdargs.ignore_backend_errors:
- error = ERR_PARTIAL_FIELD_MATCH
- if not cmdargs.defer_abort:
- sys.exit(error)
- except FullMatchError as e:
- print("Full field match error", file=sys.stderr)
- if not cmdargs.ignore_backend_errors:
- error = ERR_FULL_FIELD_MATCH
- if not cmdargs.defer_abort:
- sys.exit(error)
- finally:
- try:
- f.close()
- except:
- pass
-
-result = backend.finalize()
-if result:
- print(result, file=out)
-out.close()
-
-sys.exit(error)
+main()
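Review bot: The removed script reconfigured stdout with `sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())` before writing queries, and the two-line wrapper does not reproduce it; whether sigma.sigmac.main does is not visible in this hunk, so non-ASCII rule content printed to a non-UTF-8 console may now raise UnicodeEncodeError where it previously did not. If the module does not carry that setup, `sys.stdout.reconfigure(encoding='utf-8')` at the start of main() restores the behaviour on Python 3.7+. Worth confirming against the sigma.sigmac module before merging.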
diff --git a/tools/tests/test_backend_sql.py b/tools/tests/test_backend_sql.py
new file mode 100644
index 00000000..b4bd8202
--- /dev/null
+++ b/tools/tests/test_backend_sql.py
@@ -0,0 +1,334 @@
+# Test output backends for sigmac
+# Copyright 2020 Jonas Hagg
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import unittest
+from unittest.mock import patch
+
+from sigma.backends.sql import SQLBackend
+
+from sigma.parser.collection import SigmaCollectionParser
+from sigma.config.mapping import FieldMapping
+from sigma.configuration import SigmaConfiguration
+
+class TestGenerateQuery(unittest.TestCase):
+
+ def setUp(self):
+ self.basic_rule = {"title": "Test", "level": "testing"}
+ self.table = "eventlog"
+
+ def test_regular_queries(self):
+ # Test regular queries
+ detection = {"selection": {"fieldname": "test1"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname = "test1"'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": 4}, "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname = "4"'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": [
+ "test1", "test2"]}, "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname IN ("test1", "test2")'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {
+ "fieldname": [3, 4]}, "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname IN ("3", "4")'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname1": "test1", "fieldname2": [
+ "test2", "test3"]}, "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE (fieldname1 = "test1" AND fieldname2 IN ("test2", "test3"))'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": "test1"}, "filter": {
+ "fieldname2": "whatever"}, "condition": "selection and filter"}
+ expected_result = 'SELECT * FROM {} WHERE (fieldname = "test1" AND fieldname2 = "whatever")'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": "test1"}, "filter": {
+ "fieldname2": "whatever"}, "condition": "selection or filter"}
+ expected_result = 'SELECT * FROM {} WHERE (fieldname = "test1" OR fieldname2 = "whatever")'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": "test1"}, "filter": {
+ "fieldname2": "whatever"}, "condition": "selection and not filter"}
+ expected_result = 'SELECT * FROM {} WHERE (fieldname = "test1" AND NOT (fieldname2 = "whatever"))'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname1": "test1"}, "filter": {
+ "fieldname2": "test2"}, "condition": "1 of them"}
+ expected_result = 'SELECT * FROM {} WHERE (fieldname1 = "test1" OR fieldname2 = "test2")'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname1": "test1"}, "filter": {
+ "fieldname2": "test2"}, "condition": "all of them"}
+ expected_result = 'SELECT * FROM {} WHERE (fieldname1 = "test1" AND fieldname2 = "test2")'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ def test_modifiers(self):
+
+ # contains
+ detection = {"selection": {"fieldname|contains": "test"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE "%test%" ESCAPE \'\\\''.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ # all
+ detection = {"selection": {"fieldname|all": [
+ "test1", "test2"]}, "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE (fieldname = "test1" AND fieldname = "test2")'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ # endswith
+ detection = {"selection": {"fieldname|endswith": "test"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE "%test" ESCAPE \'\\\''.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ # startswith
+ detection = {"selection": {"fieldname|startswith": "test"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE "test%" ESCAPE \'\\\''.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ def test_aggregations(self):
+
+ # count
+ detection = {"selection": {"fieldname": "test"},
+ "condition": "selection | count() > 5"}
+ inner_query = 'SELECT count(*) AS agg FROM {} WHERE fieldname = "test"'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ # min
+ detection = {"selection": {"fieldname1": "test"},
+ "condition": "selection | min(fieldname2) > 5"}
+ inner_query = 'SELECT min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ # max
+ detection = {"selection": {"fieldname1": "test"},
+ "condition": "selection | max(fieldname2) > 5"}
+ inner_query = 'SELECT max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ # avg
+ detection = {"selection": {"fieldname1": "test"},
+ "condition": "selection | avg(fieldname2) > 5"}
+ inner_query = 'SELECT avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ # sum
+ detection = {"selection": {"fieldname1": "test"},
+ "condition": "selection | sum(fieldname2) > 5"}
+ inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ # <
+ detection = {"selection": {"fieldname1": "test"},
+ "condition": "selection | sum(fieldname2) < 5"}
+ inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg < 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ # ==
+ detection = {"selection": {"fieldname1": "test"},
+ "condition": "selection | sum(fieldname2) == 5"}
+ inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ # group by
+ detection = {"selection": {"fieldname1": "test"},
+ "condition": "selection | sum(fieldname2) by fieldname3 == 5"}
+ inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ # multiple conditions
+ detection = {"selection": {"fieldname1": "test"}, "filter": {
+ "fieldname2": "tessst"}, "condition": "selection OR filter | sum(fieldname2) == 5"}
+ inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ def test_wildcards(self):
+
+ # wildcard: *
+ detection = {"selection": {"fieldname": "test*"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE '.format(
+ self.table) + r'"test%"' + r" ESCAPE '\'"
+ self.validate(detection, expected_result)
+
+ # wildcard: ?
+ detection = {"selection": {"fieldname": "test?"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE '.format(
+ self.table) + r'"test_"' + r" ESCAPE '\'"
+ self.validate(detection, expected_result)
+
+ # escaping:
+ detection = {"selection": {"fieldname": r"test\?"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE '.format(
+ self.table) + r'"test\?"' + r" ESCAPE '\'"
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": r"test\\*"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE '.format(
+ self.table) + r'"test\\%"' + r" ESCAPE '\'"
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": r"test\*"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE '.format(
+ self.table) + r'"test\*"' + r" ESCAPE '\'"
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": r"test\\"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE '.format(
+ self.table) + r'"test\\"' + r" ESCAPE '\'"
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": r"test\abc"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE '.format(
+ self.table) + r'"test\\abc"' + r" ESCAPE '\'"
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": r"test%"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE '.format(
+ self.table) + r'"test\%"' + r" ESCAPE '\'"
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname": r"test_"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE fieldname LIKE '.format(
+ self.table) + r'"test\_"' + r" ESCAPE '\'"
+ self.validate(detection, expected_result)
+
+ # multiple options
+ detection = {"selection": {"fieldname": [
+ "test*", "*test"]}, "condition": "selection"}
+ opt1 = 'fieldname LIKE ' + r'"test%"' + r" ESCAPE '\'"
+ opt2 = 'fieldname LIKE ' + r'"%test"' + r" ESCAPE '\'"
+ expected_result = 'SELECT * FROM {} WHERE ({} OR {})'.format(
+ self.table, opt1, opt2)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": {"fieldname|all": [
+ "test*", "*test"]}, "condition": "selection"}
+ opt1 = 'fieldname LIKE ' + r'"test%"' + r" ESCAPE '\'"
+ opt2 = 'fieldname LIKE ' + r'"%test"' + r" ESCAPE '\'"
+ expected_result = 'SELECT * FROM {} WHERE ({} AND {})'.format(
+ self.table, opt1, opt2)
+ self.validate(detection, expected_result)
+
+ def test_fieldname_mapping(self):
+ detection = {"selection": {"fieldname": "test1"},
+ "condition": "selection"}
+ expected_result = 'SELECT * FROM {} WHERE mapped_fieldname = "test1"'.format(
+ self.table)
+
+ # configure mapping
+ config = SigmaConfiguration()
+ config.fieldmappings["fieldname"] = FieldMapping(
+ "fieldname", "mapped_fieldname")
+
+ self.basic_rule["detection"] = detection
+
+ with patch("yaml.safe_load_all", return_value=[self.basic_rule]):
+ parser = SigmaCollectionParser("any sigma io", config, None)
+ backend = SQLBackend(config, self.table)
+
+ assert len(parser.parsers) == 1
+
+ for p in parser.parsers:
+ self.assertEqual(expected_result, backend.generate(p))
+
+ def test_not_implemented(self):
+ # near aggregation not implemented
+ detection = {"selection": {"fieldname": "test"}, "filter": {
+ "fieldname": "test2"}, "condition": "selection | near selection and filter"}
+ expected_result = NotImplementedError()
+ self.validate(detection, expected_result)
+
+ # re modifier is not implemented
+ detection = {"selection": {"fieldname|re": "test"},
+ "condition": "selection"}
+ expected_result = NotImplementedError()
+ self.validate(detection, expected_result)
+
+ #Full Text Search is not implemented
+ detection = {"selection": ["test1"], "condition": "selection"}
+ expected_result = NotImplementedError()
+ self.validate(detection, expected_result)
+
+
+ def validate(self, detection, expectation):
+
+ config = SigmaConfiguration()
+
+ self.basic_rule["detection"] = detection
+
+ with patch("yaml.safe_load_all", return_value=[self.basic_rule]):
+ parser = SigmaCollectionParser("any sigma io", config, None)
+ backend = SQLBackend(config, self.table)
+
+ assert len(parser.parsers) == 1
+
+ for p in parser.parsers:
+ if isinstance(expectation, str):
+ self.assertEqual(expectation, backend.generate(p))
+ elif isinstance(expectation, Exception):
+ self.assertRaises(type(expectation), backend.generate, p)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tools/tests/test_backend_sqlite.py b/tools/tests/test_backend_sqlite.py
new file mode 100644
index 00000000..66fc6812
--- /dev/null
+++ b/tools/tests/test_backend_sqlite.py
@@ -0,0 +1,148 @@
+# Test output backends for sigmac
+# Copyright 2020 Jonas Hagg
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see .
+
+import unittest
+from unittest.mock import patch
+
+from sigma.backends.sqlite import SQLiteBackend
+
+from sigma.parser.collection import SigmaCollectionParser
+from sigma.config.mapping import FieldMapping
+from sigma.configuration import SigmaConfiguration
+
+class TestFullTextSearch(unittest.TestCase):
+
+ def setUp(self):
+ self.basic_rule = {"title": "Test", "level": "testing"}
+ self.table = "eventlog"
+
+ def test_full_text_search(self):
+ detection = {"selection": ["test1"], "condition": "selection"}
+ expected_result = 'SELECT * FROM {0} WHERE {0} MATCH (\'"test1"\')'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": [5], "condition": "selection"}
+ expected_result = 'SELECT * FROM {0} WHERE {0} MATCH (\'"5"\')'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": ["test1", "test2"], "condition": "selection"}
+ expected_result = 'SELECT * FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": ["test1"], "filter":["test2"], "condition": "selection and filter"}
+ expected_result = 'SELECT * FROM {0} WHERE ({0} MATCH (\'"test1" AND "test2"\'))'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": [5, 6], "condition": "selection"}
+ expected_result = 'SELECT * FROM {0} WHERE ({0} MATCH (\'"5" OR "6"\'))'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": ["test1"], "filter": [
+ "test2"], "condition": "selection or filter"}
+ expected_result = 'SELECT * FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": ["test1"], "filter": [
+ "test2"], "condition": "selection and filter"}
+ expected_result = 'SELECT * FROM {0} WHERE ({0} MATCH (\'"test1" AND "test2"\'))'.format(
+ self.table)
+ self.validate(detection, expected_result)
+
+ def test_full_text_search_aggregation(self):
+ # aggregation with fts
+ detection = {"selection": ["test"],
+ "condition": "selection | count() > 5"}
+ inner_query = 'SELECT count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ detection = {"selection": ["test1", "test2"],
+ "condition": "selection | count() > 5"}
+ inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ # aggregation + group by + fts
+ detection = {"selection": ["test1", "test2"],
+ "condition": "selection | count() by fieldname > 5"}
+ inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format(
+ self.table)
+ expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query)
+ self.validate(detection, expected_result)
+
+ def test_not_implemented(self):
+ # fts not implemented with wildcards
+ detection = {"selection": ["test*"], "condition": "selection"}
+ expected_result = NotImplementedError()
+ self.validate(detection, expected_result)
+
+ detection = {"selection": ["test?"], "condition": "selection"}
+ expected_result = NotImplementedError()
+ self.validate(detection, expected_result)
+
+ detection = {"selection": ["test\\"], "condition": "selection"}
+ expected_result = NotImplementedError()
+ self.validate(detection, expected_result)
+
+
+ # fts is not implemented for nested condtions
+ detection = {"selection": ["test"], "filter": [
+ "test2"], "condition": "selection and filter"} # this is ok
+ detection = {"selection": ["test"], "filter": [
+ "test2"], "condition": "selection or filter"} # this is ok
+ detection = {"selection": ["test"], "filter": [
+ "test2"], "condition": "selection and not filter"} # this is already nested
+ expected_result = NotImplementedError()
+ self.validate(detection, expected_result)
+
+ detection = {"selection": ["test"], "filter": [
+ "test2"], "condition": "selection and filter and filter"} # this is nested
+ expected_result = NotImplementedError()
+ self.validate(detection, expected_result)
+
+ detection = {"selection": ["test"], "filter": [
+ "test2"], "condition": "selection and filter or filter"} # this is nested
+ expected_result = NotImplementedError()
+ self.validate(detection, expected_result)
+
+ def validate(self, detection, expectation):
+
+ config = SigmaConfiguration()
+
+ self.basic_rule["detection"] = detection
+
+ with patch("yaml.safe_load_all", return_value=[self.basic_rule]):
+ parser = SigmaCollectionParser("any sigma io", config, None)
+ backend = SQLiteBackend(config, self.table)
+
+ assert len(parser.parsers) == 1
+
+ for p in parser.parsers:
+ if isinstance(expectation, str):
+ self.assertEqual(expectation, backend.generate(p))
+ elif isinstance(expectation, Exception):
+ self.assertRaises(type(expectation), backend.generate, p)
+
+if __name__ == '__main__':
+ unittest.main()
\ No newline at end of file
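Review bot: In test_not_implemented the two detections commented `# this is ok` are assigned and then immediately overwritten without ever being passed to self.validate, so the comments claim coverage the test does not provide; either validate each with its expected MATCH string or drop them. Separately, validate() performs no assertion when `expectation` is neither a str nor an Exception, so a wrongly typed expected value passes silently — add `else: self.fail("unsupported expectation type: {!r}".format(type(expectation)))` after the two isinstance branches. The MATCH expectations embed the rule value inside a single-quoted SQL literal, and none of the visible cases uses a value containing `'` or `"`, so the backend's escaping of those characters is left unpinned by this test. The file also ends without a trailing newline.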