From b2d66c41f321a7115450c02b07cc22a5fa0856e7 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 29 Oct 2021 06:53:24 +0200
Subject: [PATCH] change to unsupported status

---
 .../driver_load_invoke_obfuscation_clip+_services.yml | 2 +-
 .../driver_load_invoke_obfuscation_obfuscated_iex_services.yml | 2 +-
 .../driver_load_invoke_obfuscation_stdin+_services.yml | 2 +-
 .../driver_load_invoke_obfuscation_var+_services.yml | 2 +-
 .../driver_load_invoke_obfuscation_via_compress_services.yml | 2 +-
 .../driver_load_invoke_obfuscation_via_rundll_services.yml | 2 +-
 .../driver_load_invoke_obfuscation_via_stdin_services.yml | 2 +-
 .../driver_load_invoke_obfuscation_via_use_clip_services.yml | 2 +-
 .../driver_load_invoke_obfuscation_via_use_mshta_services.yml | 2 +-
 ...river_load_invoke_obfuscation_via_use_rundll32_services.yml | 2 +-
 .../driver_load_invoke_obfuscation_via_var++_services.yml | 2 +-
 rules-unsupported/driver_load_tap_driver_installation.yml | 2 +-
 rules-unsupported/net_dns_high_subdomain_rate.yml | 2 +-
 rules-unsupported/net_dns_large_domain_name.yml | 2 +-
 rules-unsupported/net_possible_dns_rebinding.yml | 2 +-
 ...evated_msi_spawned_cmd_and_powershell_spawned_processes.yml | 2 +-
 .../sysmon_always_install_elevated_parent_child_correlated.yml | 2 +-
 rules-unsupported/sysmon_process_reimaging.yml | 2 +-
 .../win_access_fake_files_with_stored_credentials.yml | 2 +-
 rules-unsupported/win_apt_apt29_tor.yml | 3 ++-
 rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml | 2 +-
 rules-unsupported/win_dumping_ntdsdit_via_netsync.yml | 2 +-
 ...in_kernel_and_3rd_party_drivers_exploits_token_stealing.yml | 2 +-
 rules-unsupported/win_mal_service_installs.yml | 3 ++-
 .../win_metasploit_or_impacket_smb_psexec_service_install.yml | 3 ++-
 .../win_possible_privilege_escalation_using_rotten_potato.yml | 2 +-
 rules-unsupported/win_remote_schtask.yml | 2 +-
 rules-unsupported/win_remote_service.yml | 2 +-
 28 files changed, 31 insertions(+), 28 deletions(-)
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml
index 8d2dea05..aafd2587 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml
@@ -4,7 +4,7 @@ related:
 - id: f7385ee2-0e0c-11eb-adc1-0242ac120002
 type: derived
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
-status: experimental
+status: unsupported
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2021/09/16
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
index 98fcddc6..797b7d89 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
@@ -4,7 +4,7 @@ related:
 - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
 type: derived
 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-status: experimental
+status: unsupported
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
 modified: 2021/09/16
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml
index 1d7b40b0..e4e33145 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml
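Review bot: The `-status: experimental` / `+status: unsupported` flip leaves the context line `modified: 2021/09/16` untouched even though the rule's metadata changed; Sigma's convention is to bump `modified` on every edit, and consumers that sync or re-evaluate rules by modification date will otherwise keep treating this rule as an active experimental detection. Suggested change next to the new status line: `modified: 2021/10/29` (the commit date). The same applies to the other `driver_load_*` hunks in this commit, the `driver_load_tap_driver_installation` hunk, the `win_apt_apt29_tor` hunk and the `win_possible_privilege_escalation_using_rotten_potato` hunk, each of which shows an unbumped `modified:` line in its context.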
@@ -4,7 +4,7 @@ related:
 - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
 type: derived
 description: Detects Obfuscated use of stdin to execute PowerShell
-status: experimental
+status: unsupported
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/09/17
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
index 2619bc83..1c2bdb56 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
@@ -4,7 +4,7 @@ related:
 - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
 type: derived
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
-status: experimental
+status: unsupported
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/09/17
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
index 5b5b569c..8860d993 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
@@ -4,7 +4,7 @@ related:
 - id: 175997c5-803c-4b08-8bb0-70b099f47595
 type: derived
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-status: experimental
+status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2021/09/18
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml
index 3ab2295d..99de9dcc 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml
@@ -4,7 +4,7 @@ related:
 - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
 type: derived
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
-status: experimental
+status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2021/09/18
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml
index cb3a4f6c..fa683462 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml
@@ -4,7 +4,7 @@ related:
 - id: 487c7524-f892-4054-b263-8a0ace63fc25
 type: derived
 description: Detects Obfuscated Powershell via Stdin in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2021/09/18
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml
index a305c28b..1d3a652f 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml
@@ -4,7 +4,7 @@ related:
 - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
 type: derived
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/09/18
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml
index 85dcade5..3f8b975f 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml
@@ -4,7 +4,7 @@ related:
 - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
 type: derived
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/09/18
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
index 16bd38f5..9212ee14 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
@@ -4,7 +4,7 @@ related:
 - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
 type: derived
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/09/18
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml
index 749214cf..96f08ddf 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml
@@ -4,7 +4,7 @@ related:
 - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 type: derived
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-status: experimental
+status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2021/09/18
diff --git a/rules-unsupported/driver_load_tap_driver_installation.yml b/rules-unsupported/driver_load_tap_driver_installation.yml
index 8e9b1be1..aaf4ad74 100644
--- a/rules-unsupported/driver_load_tap_driver_installation.yml
+++ b/rules-unsupported/driver_load_tap_driver_installation.yml
@@ -4,7 +4,7 @@ related:
 - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
 type: derived
 description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
-status: experimental
+status: unsupported
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
 date: 2019/10/24
 modified: 2021/09/21
diff --git a/rules-unsupported/net_dns_high_subdomain_rate.yml b/rules-unsupported/net_dns_high_subdomain_rate.yml
index 9fe286d5..a7b0deaf 100644
--- a/rules-unsupported/net_dns_high_subdomain_rate.yml
+++ b/rules-unsupported/net_dns_high_subdomain_rate.yml
@@ -39,4 +39,4 @@ detection:
 falsepositives:
 - Legitimate domain name requested, which should be added to whitelist
 level: high
-status: experimental
+status: unsupported
diff --git a/rules-unsupported/net_dns_large_domain_name.yml b/rules-unsupported/net_dns_large_domain_name.yml
index afaf481d..308ad0e3 100644
--- a/rules-unsupported/net_dns_large_domain_name.yml
+++ b/rules-unsupported/net_dns_large_domain_name.yml
@@ -34,4 +34,4 @@ detection:
 falsepositives:
 - Legitimate domain name requested, which should be added to whitelist
 level: high
-status: experimental
\ No newline at end of file
+status: unsupported
\ No newline at end of file
diff --git a/rules-unsupported/net_possible_dns_rebinding.yml b/rules-unsupported/net_possible_dns_rebinding.yml
index 2da861a2..e52da4c6 100644
--- a/rules-unsupported/net_possible_dns_rebinding.yml
+++ b/rules-unsupported/net_possible_dns_rebinding.yml
@@ -1,6 +1,6 @@
 title: Possible DNS Rebinding
 id: ec5b8711-b550-4879-9660-568aaae2c3ea
-status: experimental
+status: unsupported
 description: 'Detects DNS-answer with TTL <10.'
 date: 2019/10/25
 author: Ilyas Ochkov, oscd.community
diff --git a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
index 931cae2c..0fe996cd 100644
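Review bot: In the `net_dns_large_domain_name.yml` hunk the new `+status: unsupported` line is still written without a terminating newline (`\ No newline at end of file` appears on both the old and the new side), so the next edit to this file will again show a spurious change to its last line; since the commit already rewrites that line, ending it with a newline would cost nothing. The same applies to the `win_mal_service_installs` and `win_metasploit_or_impacket_smb_psexec_service_install` hunks, where the appended `status: unsupported` line is likewise left without a trailing newline.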
--- a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
+++ b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
@@ -1,7 +1,7 @@
 title: MSI Spawned Cmd and Powershell Spawned Processes
 id: 38cf8340-461b-4857-bf99-23a41f772b18
 description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
 references:
diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
index 07ca9c1a..955ce84c 100644
--- a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
+++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
@@ -3,7 +3,7 @@ id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
 description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
 #look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
 #look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
 references:
diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/sysmon_process_reimaging.yml
index 3da02214..3caa875e 100644
--- a/rules-unsupported/sysmon_process_reimaging.yml
+++ b/rules-unsupported/sysmon_process_reimaging.yml
@@ -11,7 +11,7 @@ description: Detects process reimaging defense evasion technique
 # Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
 # Rule logic is currently not supported by SIGMA.
 # Sysmon v.10.0 or newer is required for proper detection.
-status: experimental
+status: unsupported
 author: Alexey Balandin, oscd.community
 references:
 - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
diff --git a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
index c8f95ed7..40485658 100644
--- a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
+++ b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
@@ -1,7 +1,7 @@
 title: Stored Credentials in Fake Files
 id: 692b979c-f747-41dc-ad72-1f11c01b110e
 description: Search for accessing of fake files with stored credentials
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 date: 2020/10/05
 references:
diff --git a/rules-unsupported/win_apt_apt29_tor.yml b/rules-unsupported/win_apt_apt29_tor.yml
index 60622027..83e2fa41 100644
--- a/rules-unsupported/win_apt_apt29_tor.yml
+++ b/rules-unsupported/win_apt_apt29_tor.yml
@@ -11,7 +11,8 @@ tags:
 - attack.t1543.003
 date: 2017/11/01
 modified: 2020/08/23
-author: Thomas Patzke
+author: Thomas Patzke
+status: unsupported
 logsource:
 product: windows
 service: system
diff --git a/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml b/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
index 89358fe1..6e8edac1 100644
--- a/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
+++ b/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
@@ -31,4 +31,4 @@ detection:
 falsepositives:
 - Legitimate administrator adding new domain controller to already existing domain
 level: medium
-status: experimental
+status: unsupported
diff --git a/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml b/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
index 8ace6381..88459889 100644
--- a/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
+++ b/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
@@ -27,4 +27,4 @@ detection:
 falsepositives:
 - Legitimate administrator adding new domain controller to already existing domain
 level: medium
-status: experimental
+status: unsupported
diff --git a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
index cd2ce7d8..d31c5a55 100644
--- a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
@@ -6,7 +6,7 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.t1068
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
 date: 2019/06/03
 logsource:
diff --git a/rules-unsupported/win_mal_service_installs.yml b/rules-unsupported/win_mal_service_installs.yml
index 5afed9f9..7e53f75b 100644
--- a/rules-unsupported/win_mal_service_installs.yml
+++ b/rules-unsupported/win_mal_service_installs.yml
@@ -34,4 +34,5 @@ detection:
 condition: selection and 1 of malsvc_*
 falsepositives:
 - Penetration testing
-level: critical
\ No newline at end of file
+level: critical
+status: unsupported
\ No newline at end of file
diff --git a/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
index 2c386e11..3461d755 100644
--- a/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -34,4 +34,5 @@ fields:
 - ServiceFileName
 falsepositives:
 - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
-level: high
\ No newline at end of file
+level: high
+status: unsupported
\ No newline at end of file
diff --git a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml b/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
index 94c1560f..e23e9749 100644
--- a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
+++ b/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
@@ -8,7 +8,7 @@ tags:
 - attack.privilege_escalation
 - attack.t1134 # an old one
 - attack.t1134.002
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov
 date: 2019/10/26
 modified: 2020/09/01
diff --git a/rules-unsupported/win_remote_schtask.yml b/rules-unsupported/win_remote_schtask.yml
index 5730b930..8a75470a 100644
--- a/rules-unsupported/win_remote_schtask.yml
+++ b/rules-unsupported/win_remote_schtask.yml
@@ -1,6 +1,6 @@
 title: Remote Schtasks Creation
 id: cf349c4b-99af-40fa-a051-823aa2307a84
-status: experimental
+status: unsupported
 description: Detects remote execution via scheduled task creation or update on the destination host
 author: Jai Minton, oscd.community
 date: 2020/10/05
diff --git a/rules-unsupported/win_remote_service.yml b/rules-unsupported/win_remote_service.yml
index 75654260..3a8f351e 100644
--- a/rules-unsupported/win_remote_service.yml
+++ b/rules-unsupported/win_remote_service.yml
@@ -1,7 +1,7 @@
 action: global
 title: Remote Service Creation
 id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
-status: experimental
+status: unsupported
 description: Detects remote execution via service creation on the destination host
 author: Jai Minton, oscd.community
 date: 2020/10/05