From b343df222577e3780048d42003f245a8cdf46948 Mon Sep 17 00:00:00 2001
From: Ivan Kirillov
Date: Wed, 17 Jun 2020 11:31:40 -0600
Subject: [PATCH] Further subtechnique updates

---
 rules/windows/malware/win_mal_octopus_scanner.yml | 1 +
 .../process_creation/win_apt_lazarus_session_highjack.yml | 1 +
 .../windows/process_creation/win_commandline_path_traversal.yml | 1 +
 rules/windows/process_creation/win_hktl_createminidump.yml | 1 +
 rules/windows/process_creation/win_mal_adwind.yml | 1 +
 rules/windows/process_creation/win_susp_covenant.yml | 1 +
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 1 +
 rules/windows/sysmon/sysmon_hack_dumpert.yml | 1 +
 rules/windows/sysmon/sysmon_hack_wce.yml | 1 +
 .../sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml | 1 +
 rules/windows/sysmon/sysmon_susp_fax_dll.yml | 2 ++
 11 files changed, 12 insertions(+)

diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml
index 4e7a5888..0c710eae 100644
--- a/rules/windows/malware/win_mal_octopus_scanner.yml
+++ b/rules/windows/malware/win_mal_octopus_scanner.yml
@@ -6,6 +6,7 @@ references:
 - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
 tags:
 - attack.t1195
+ - attack.t1195.001
 author: NVISO
 date: 2020/06/09
 logsource:
diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
index 7f074637..299c767e 100644
--- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1036
+ - attack.t1036.005
 author: Trent Liffick (@tliffick)
 date: 2020/06/03
 logsource:
diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml
index 772a615c..c1594ad9 100644
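Review bot: The tags list in the win_mal_octopus_scanner.yml hunk still has no tactic tag after the sub-technique is added — it holds only `attack.t1195` and the new `attack.t1195.001`, while the other rules touched by this patch pair their technique ids with a tactic (`attack.execution`, `attack.credential_access`, `attack.defense_evasion`). Tooling that builds ATT&CK coverage from Sigma tags generally keys on the tactic tag, so this rule would not appear under Initial Access. Suggest adding `- attack.initial_access` as the first entry under `tags:`. The sub-technique itself (compromised NetBeans project/build artefacts → Compromise Software Dependencies and Development Tools) looks right for the referenced report.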
--- a/rules/windows/process_creation/win_commandline_path_traversal.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal.yml
@@ -9,6 +9,7 @@ references:
 - https://twitter.com/Oddvarmoe/status/1270633613449723905
 tags:
 - attack.t1059
+ - attack.t1059.003
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
index 6129c97a..aaecdcbd 100644
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -9,6 +9,7 @@ date: 2019/12/22
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.001
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index 68cea191..d7f30acc 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -12,6 +12,7 @@ modified: 2018/12/11
 tags:
 - attack.execution
 - attack.t1064
+ - attack.t1059.005
 detection:
 condition: selection
 level: high
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
index 8f0f92a6..b73909f7 100644
--- a/rules/windows/process_creation/win_susp_covenant.yml
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@@ -9,6 +9,7 @@ date: 2020/06/04
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 3bb4c1aa..f5b6e57d 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
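Review bot: In the win_commandline_path_traversal.yml hunk the new `attack.t1059.003` is inserted between the technique and `attack.execution`, leaving the tactic tag last, whereas most other rules in this patch list the tactic first and then the technique ids (`attack.execution` / `attack.credential_access` above `attack.t1003`). Since the list is being edited anyway, moving `- attack.execution` above `- attack.t1059` keeps tag ordering uniform and makes the tactic easy to spot when scanning rules.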
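Review bot: In the win_mal_adwind.yml hunk the new `attack.t1059.005` is added beneath `attack.t1064`, but T1064 (Scripting) is the id that the sub-technique release retired in favour of the T1059.00x family, so the rule now carries both the deprecated id and its replacement. A retired id distorts coverage mapping and may trip a tag validator that checks ids against the current ATT&CK list; suggest replacing that line with `- attack.t1059` so the list reads parent + sub-technique, as the other hunks in this patch do. The hunk context also shows `modified: 2018/12/11` left untouched — if the repo convention is to bump `modified` on any rule change, it should be updated here as well.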
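Review bot: The win_susp_covenant.yml hunk adds `attack.t1059.001` but keeps `attack.t1086` (PowerShell), the pre-sub-technique id that T1059.001 replaces, so the rule ends up with two ids for the same behaviour. The pairing used elsewhere in this patch (`attack.t1003` followed by `attack.t1003.001`) would here be `- attack.t1059` followed by `- attack.t1059.001`; suggest swapping `attack.t1086` for `attack.t1059` rather than stacking the retired id beside the new one.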
@@ -10,6 +10,7 @@ references:
 tags:
 - attack.command_and_control
 - attack.t1071
+ - attack.t1071.004
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/sysmon/sysmon_hack_dumpert.yml b/rules/windows/sysmon/sysmon_hack_dumpert.yml
index 329cc720..443c8bf3 100644
--- a/rules/windows/sysmon/sysmon_hack_dumpert.yml
+++ b/rules/windows/sysmon/sysmon_hack_dumpert.yml
@@ -10,6 +10,7 @@ date: 2020/02/04
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_hack_wce.yml b/rules/windows/sysmon/sysmon_hack_wce.yml
index 6432ea86..43fb3a47 100644
--- a/rules/windows/sysmon/sysmon_hack_wce.yml
+++ b/rules/windows/sysmon/sysmon_hack_wce.yml
@@ -9,6 +9,7 @@ date: 2019/12/31
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1558
 - attack.s0005
 falsepositives:
 - 'Another service that uses a single -s command line switch'
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
index 4efaaca3..1480db08 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@@ -7,6 +7,7 @@ references:
 - https://attack.mitre.org/techniques/T1037/
 tags:
 - attack.t1037
+ - attack.t1037.001
 - attack.persistence
 - attack.lateral_movement
 author: Tom Ueltschi (@c_APT_ure)
diff --git a/rules/windows/sysmon/sysmon_susp_fax_dll.yml b/rules/windows/sysmon/sysmon_susp_fax_dll.yml
index 58fe49ee..14b91c1a 100644
--- a/rules/windows/sysmon/sysmon_susp_fax_dll.yml
+++ b/rules/windows/sysmon/sysmon_susp_fax_dll.yml
@@ -12,6 +12,8 @@ tags:
 - attack.t1073
 - attack.t1038
 - attack.t1112
+ - attack.t1574.001
+ - attack.t1574.002
 logsource:
 product: windows
 service: sysmon
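Review bot: The sysmon_hack_wce.yml hunk adds `attack.t1558` (Steal or Forge Kerberos Tickets) but, unlike the dumpert and createminidump hunks in this same patch, does not refine `attack.t1003` to `attack.t1003.001`, so the three LSASS-credential rules end up tagged inconsistently. The visible falsepositives entry refers to a single `-s` switch; in WCE that option overwrites the NTLM credentials of the current logon session (pass-the-hash), so if that switch is what the detection keys on (the detection block is outside this hunk), `attack.t1550.002` describes the behaviour more precisely than T1558, which would cover WCE's Kerberos-ticket options instead. Suggest adding `- attack.t1003.001` under the existing `attack.t1003`, and either `- attack.t1550.002` with `- attack.lateral_movement` or T1558 only if the detection really matches the Kerberos switches.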
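Review bot: In the sysmon_logon_scripts_userinitmprlogonscript.yml hunk the sub-technique `attack.t1037.001` is added while the tactic tags `attack.persistence` and `attack.lateral_movement` beneath it are left unchanged. In the ATT&CK release that introduced sub-techniques, T1037 (Boot or Logon Initialization Scripts) is, as far as I recall, mapped to Persistence and Privilege Escalation and no longer to Lateral Movement, so the tactic list should be re-checked together with the technique — likely `- attack.privilege_escalation` replacing `- attack.lateral_movement`. The reference line still points at the parent T1037 page; pointing it at the T1037/001 page is optional but keeps reference and tag aligned.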
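Review bot: The sysmon_susp_fax_dll.yml hunk adds `attack.t1574.001` and `attack.t1574.002` under `attack.t1073` and `attack.t1038`, which are exactly the two retired ids those sub-techniques replace (DLL Side-Loading and DLL Search Order Hijacking), so the rule now carries four ids for two behaviours; note the retired and new ids are also listed in opposite order (t1073 corresponds to .002, t1038 to .001). Suggest replacing the two legacy lines with the parent `- attack.t1574` so the list reads parent + sub-techniques like the other hunks in this patch. The hunk header shows `tags:` as the nearest enclosing key, so whether a tactic tag for T1574 (`attack.persistence` / `attack.privilege_escalation` / `attack.defense_evasion`) exists above line 12 is not visible here and is worth confirming.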