Merge pull request #133 from james0d0a/attack_tags

added a few mitre attack tags to windows sysmon rules
2024-11-08 02:08:54 +00:00 · 2018-07-27 07:55:56 +02:00 · 2018-07-27 07:55:56 +02:00 · db07648f33
commit db07648f33
parent cad6e8d314 5fc118dcac
8 changed files with 30 additions and 0 deletions
--- a/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
@ -3,6 +3,10 @@ status: experimental
 description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)
 references:
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+tags:
+    - attack.s0002
+    - attack.lateral_movement
+    - attack.credential_access
 logsource:
    product: windows
    service: sysmon
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
@ -3,6 +3,10 @@ status: experimental
 description: Detects certain DLL loads when Mimikatz gets executed
 references:
    - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
+tags:
+    - attack.s0002
+    - attack.lateral_movement
+    - attack.credential_access
 logsource:
    product: windows
    service: sysmon
--- a/rules/windows/sysmon/sysmon_powershell_download.yml
+++ b/rules/windows/sysmon/sysmon_powershell_download.yml
@ -2,6 +2,9 @@ title: PowerShell Download from URL
 status: experimental
 description: Detects a Powershell process that contains download commands in its command line string
 author: Florian Roth
+tags:
+    - attack.t1086
+    - attack.execution
 logsource:
    product: windows
    service: sysmon
--- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
@ -5,6 +5,10 @@ references:
    - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 author: Florian Roth
 date: 2017/11/04
+tags:
+    - attack.t1085
+    - attack.defense_evasion
+    - attack.execution
 logsource:
    product: windows
    service: sysmon
--- a/rules/windows/sysmon/sysmon_susp_net_execution.yml
+++ b/rules/windows/sysmon/sysmon_susp_net_execution.yml
@ -4,6 +4,11 @@ description: Detects execution of Net.exe, whether suspicious or benign.
 references:
    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
 author: Michael Haag, Mark Woan (improvements)
+tags:
+    - attack.s0039
+    - attack.lateral_movement
+    - attack.discovery
+
 logsource:
    product: windows
    service: sysmon
--- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
+++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
@ -4,6 +4,10 @@ description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth
 references:
    - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
+tags:
+    - attack.t1117
+    - attack.defense_evasion
+    - attack.execution
 logsource:
    product: windows
    service: sysmon
--- a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
@ -5,6 +5,9 @@ references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Thomas Patzke
 date: 2018/03/07
+tags:
+    - attack.t1084
+    - attack.persistence
 logsource:
    product: windows
    service: sysmon
--- a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
@ -5,6 +5,9 @@ references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Thomas Patzke
 date: 2018/03/07
+tags:
+    - attack.t1084
+    - attack.persistence
 logsource:
    product: windows
    service: sysmon