Merge pull request #989 from oscd-initiative/master

[OSCD Initiative][ATT&CK tags update]
Florian Roth 2020-09-08 13:27:58 +02:00 committed by GitHub
commit de5444a81e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
513 changed files with 1672 additions and 799 deletions

View File

@ -3,6 +3,10 @@ id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
description: Generic rule for SQL exceptions in Python according to PEP 249
author: Thomas Patzke
date: 2017/08/12
modified: 2020/09/01
tags:
- attack.initial_access
- attack.t1190
references:
- https://www.python.org/dev/peps/pep-0249/#exceptions
logsource:

View File

@ -4,6 +4,10 @@ status: experimental
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
date: 2017/11/27
modified: 2020/09/01
tags:
- attack.initial_access
- attack.t1190
references:
- http://www.sqlinjection.net/errors
logsource:

View File

@ -3,6 +3,10 @@ id: fd435618-981e-4a7c-81f8-f78ce480d616
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/05
modified: 2020/09/01
tags:
- attack.initial_access
- attack.t1190
references:
- https://docs.djangoproject.com/en/1.11/ref/exceptions/
- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security

View File

@ -3,6 +3,10 @@ id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/06
modified: 2020/09/01
tags:
- attack.initial_access
- attack.t1190
references:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html

View File

@ -3,6 +3,10 @@ id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
date: 2017/08/06
modified: 2020/09/01
tags:
- attack.initial_access
- attack.t1190
references:
- https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
logsource:

View File

@ -4,9 +4,16 @@ status: experimental
description: Detects Silence downloader. These commands are hardcoded into the binary.
author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
date: 2019/11/01
modified: 2019/11/22
modified: 2020/09/01
tags:
- attack.persistence
- attack.t1547.001
- attack.t1060 # an old one
- attack.discovery
- attack.t1057
- attack.t1082
- attack.t1016
- attack.t1033
- attack.g0091
logsource:
category: process_creation
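Review bot: the `# an old one` comment is the only thing that distinguishes the retired `attack.t1060` (replaced by T1547.001) from the live tags around it; anything that consumes these tags will treat it as a normal technique tag. Consider documenting the convention in the repository (or using a distinct marker) so the retired IDs can be pruned later in a single pass.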

View File

@ -4,8 +4,17 @@ status: experimental
description: Detects Silence empireDNSagent
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019/11/01
modified: 2019/11/20
modified: 2020/09/01
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 # an old one
- attack.command_and_control
- attack.t1071.004
- attack.t1071 # an old one
- attack.t1572
- attack.impact
- attack.t1529
- attack.g0091
- attack.s0363
logsource:
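Review bot: `attack.t1071 # an old one` mislabels a live technique: T1071 is the parent of T1071.004 and is not deprecated, unlike `attack.t1086`, which really was replaced by T1059.001. Keeping the parent tag next to the sub-technique is fine, but drop the `# an old one` comment from it (or use a different marker for parent techniques) so nobody removes it as retired.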

View File

@ -22,5 +22,5 @@ falsepositives:
- Valid change in a Trail
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
- attack.t1089 # an old one

View File

@ -19,5 +19,5 @@ falsepositives:
- Valid change in AWS Config Service
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
- attack.t1089 # an old one

View File

@ -3,6 +3,7 @@ id: 26ff4080-194e-47e7-9889-ef7602efed0c
status: experimental
author: faloker
date: 2020/02/11
modified: 2020/09/01
description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
@ -21,4 +22,5 @@ level: medium
falsepositives:
- Assets management software like device42
tags:
- attack.exfiltration
- attack.t1020
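Review bot: `attack.exfiltration` / `attack.t1020` (Automated Exfiltration) is a loose fit for what the description says the rule catches: bulk reads of instance user data that "may include ... hard-coded secrets". Consider `attack.credential_access` with `attack.t1552` (Unsecured Credentials) instead of, or in addition to, T1020.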

View File

@ -3,6 +3,7 @@ id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: experimental
author: faloker
date: 2020/02/12
modified: 2020/09/01
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
@ -20,5 +21,10 @@ level: high
falsepositives:
- Valid changes to the startup script
tags:
- attack.t1064
- attack.t1059
- attack.execution
- attack.t1059.001
- attack.t1086 # an old one
- attack.t1059.003
- attack.t1059.004
- attack.t1059 # an old one
- attack.t1064 # an old one
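Review bot: `attack.t1059 # an old one` is inaccurate: T1059 is the live parent of the three sub-techniques added above it; only `attack.t1064` and `attack.t1086` are genuinely retired IDs. Remove the comment from the `attack.t1059` entry so it is not mistaken for a deprecated tag.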

View File

@ -19,5 +19,5 @@ falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
- attack.t1089 # an old one

View File

@ -3,6 +3,7 @@ id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
status: experimental
author: faloker
date: 2020/02/12
modified: 2020/09/01
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
@ -26,4 +27,5 @@ falsepositives:
- Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
- AWS API keys legitimate exchange workflows
tags:
- attack.persistence
- attack.t1098
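Review bot: given that this PR is about sub-technique tagging, `attack.t1098` alone looks incomplete for "AWS API key creation for a user by another user"; T1098.001 (Additional Cloud Credentials) describes exactly that and could be added next to the parent tag.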

View File

@ -3,6 +3,7 @@ id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: experimental
author: faloker
date: 2020/02/12
modified: 2020/09/01
description: Detects the change of database master password. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
@ -20,4 +21,5 @@ level: medium
falsepositives:
- Benign changes to a db instance
tags:
- attack.exfiltration
- attack.t1020
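Review bot: `attack.t1020` (Automated Exfiltration) does not describe a master-password change; the observed action is closer to account manipulation (T1098), with exfiltration only as the possible follow-on the description mentions. Consider tagging the action the rule actually detects rather than the suspected goal.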

View File

@ -3,6 +3,7 @@ id: c3f265c7-ff03-4056-8ab2-d486227b4599
status: experimental
author: faloker
date: 2020/02/12
modified: 2020/09/01
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
@ -20,4 +21,5 @@ level: high
falsepositives:
- unknown
tags:
- attack.exfiltration
- attack.t1020

View File

@ -3,6 +3,7 @@ id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
status: experimental
author: vitaliy0x1
date: 2020/01/21
modified: 2020/09/01
description: Detects AWS root account usage
references:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
@ -16,6 +17,8 @@ detection:
condition: selection_usertype AND NOT selection_eventtype
level: medium
falsepositives:
- AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
- AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
tags:
- attack.t1078
- attack.privilege_escalation
- attack.t1078.004
- attack.t1078 # an old one
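Review bot: the falsepositives entry is removed and re-added with identical visible text (`- AWS Tasks That Require AWS Account Root User Credentials ...`), which points to a whitespace-only change; worth confirming nothing else changed on that line. Separately, `attack.t1078 # an old one` mislabels a live parent technique: T1078 still exists alongside T1078.004, so the comment should be dropped from that entry.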

View File

@ -2,9 +2,11 @@ title: Brute Force
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
tags:
- attack.credential_access
- attack.t1110
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
modified: 2020/09/01
status: experimental
logsource:
category: authentication

View File

@ -7,7 +7,7 @@ references:
date: 2019/05/12
tags:
- attack.s0003
- attack.t1156
- attack.t1156 # an old one
- attack.persistence
- attack.t1546.004
author: Peter Matkovski

View File

@ -10,7 +10,7 @@ references:
- self experience
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1054 # an old one
- attack.t1562.006
author: Mikhail Larin, oscd.community
status: experimental

View File

@ -1,12 +1,13 @@
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: experimental
description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
references:
- 'MITRE Attack technique T1136; Create Account '
date: 2020/05/18
tags:
- attack.t1136
- attack.t1136 # an old one
- attack.t1136.001
- attack.persistence
author: Marie Euler
logsource:
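Review bot: the `description` line is removed and re-added with identical visible text, so this is presumably a whitespace-only change; please confirm. On the tags, `attack.t1136 # an old one` is wrong: T1136 is the live parent of T1136.001, not a retired ID. The reference `'MITRE Attack technique T1136; Create Account '` (note the trailing space) would also be more useful as the technique URL, e.g. https://attack.mitre.org/techniques/T1136/001/.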

View File

@ -9,7 +9,7 @@ references:
- self experience
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1054 # an old one
- attack.t1562.006
author: Mikhail Larin, oscd.community
status: experimental

View File

@ -4,6 +4,9 @@ status: experimental
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
tags:
- attack.initial_access
- attack.t1190
author: Florian Roth
date: 2018/02/20
logsource:
@ -18,4 +21,3 @@ detection:
falsepositives:
- Unknown
level: high

View File

@ -4,6 +4,9 @@ description: Detects suspicious SSH / SSHD error messages that indicate a fatal
references:
- https://github.com/openssh/openssh-portable/blob/master/ssherr.c
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
tags:
- attack.initial_access
- attack.t1190
author: Florian Roth
date: 2017/06/30
modified: 2020/05/15
@ -27,4 +30,3 @@ detection:
falsepositives:
- Unknown
level: medium

View File

@ -3,6 +3,9 @@ id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/dagwieers/vsftpd/
tags:
- attack.initial_access
- attack.t1190
author: Florian Roth
date: 2017/07/05
logsource:

View File

@ -1,16 +1,13 @@
title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: experimental
description: Clear command history in network OS which is used for defense evasion.
references:
- https://attack.mitre.org/techniques/T1146/
- https://attack.mitre.org/techniques/T1070/
description: Clear command history in network OS which is used for defense evasion
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
tags:
- attack.defense_evasion
- attack.t1146
- attack.t1070
- attack.t1146 # an old one
- attack.t1070.003
logsource:
product: cisco
@ -28,5 +25,5 @@ detection:
- 'clear archive'
condition: keywords
falsepositives:
- Legitimate administrators may run these commands.
- Legitimate administrators may run these commands
level: high
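Review bot: the two `references:` entries are deleted outright rather than updated, leaving the rule with no `references` field; T1070 is still a valid technique page, and https://attack.mitre.org/techniques/T1070/003/ would document the new `attack.t1070.003` tag. Keep a references block instead of removing it.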

View File

@ -2,22 +2,19 @@ title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: experimental
description: Collect pertinent data from the configuration files
references:
- https://attack.mitre.org/techniques/T1087/
- https://attack.mitre.org/techniques/T1003/
- https://attack.mitre.org/techniques/T1081/
- https://attack.mitre.org/techniques/T1005/
author: Austin Clark
date: 2019/08/11
modified: 2020/09/02
tags:
- attack.discovery
- attack.credential_access
- attack.collection
- attack.t1087
- attack.t1003
- attack.t1081
- attack.t1005
- attack.t1087 # an old one
- attack.t1087.001
- attack.t1003 # an old one
- attack.t1081 # an old one
- attack.t1552.001
- attack.t1005
logsource:
product: cisco
service: aaa
@ -36,5 +33,5 @@ detection:
- 'more'
condition: keywords
falsepositives:
- Commonly run by administrators.
- Commonly run by administrators
level: low
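Review bot: `attack.t1003 # an old one` is inaccurate here: T1003 (OS Credential Dumping) is a live parent technique, and the rule already carries `attack.t1552.001` for credentials read from configuration files, so either keep T1003 without the retirement comment or drop it. The four `references:` URLs are also removed instead of being replaced with the pages for T1087.001, T1552.001 and T1005, which leaves the rule without any reference.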

View File

@ -1,18 +1,15 @@
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: experimental
description: Show when private keys are being exported from the device, or when new certificates are installed.
references:
- https://attack.mitre.org/techniques/T1145/
- https://attack.mitre.org/techniques/T1130/
description: Show when private keys are being exported from the device, or when new certificates are installed
author: Austin Clark
date: 2019/08/12
tags:
- attack.credential_access
- attack.defense_evasion
- attack.t1130
- attack.t1145
- attack.t1130 # an old one
- attack.t1553.004
- attack.t1145 # an old one
- attack.t1552.004
logsource:
product: cisco
@ -31,5 +28,5 @@ detection:
- 'crypto pki trustpoint'
condition: keywords
falsepositives:
- Not commonly run by administrators. Also whitelist your known good certificates.
- Not commonly run by administrators. Also whitelist your known good certificates
level: high
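Review bot: the `references:` block is deleted rather than updated; https://attack.mitre.org/techniques/T1553/004/ and https://attack.mitre.org/techniques/T1552/004/ would document the two new tags. Both retirements (T1130 to T1553.004, T1145 to T1552.004) are correct.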

View File

@ -2,13 +2,11 @@ title: Cisco Disabling Logging
id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
status: experimental
description: Turn off logging locally or remote
references:
- https://attack.mitre.org/techniques/T1089
author: Austin Clark
date: 2019/08/11
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1089 # an old one
- attack.t1562.001
logsource:
product: cisco
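Review bot: the only reference is removed and not replaced; https://attack.mitre.org/techniques/T1562/001/ documents the new `attack.t1562.001` tag and should go in its place rather than dropping the `references` field.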

View File

@ -1,9 +1,7 @@
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: experimental
description: Find information about network devices that are not stored in config files.
references:
- https://attack.mitre.org/tactics/TA0007/
description: Find information about network devices that is not stored in config files
author: Austin Clark
date: 2019/08/12
tags:
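Review bot: the tactic reference (TA0007, Discovery) is removed without a replacement, leaving no `references` field; since the tags block is not touched here, the reference should stay. The wording fix in `description` ("information ... that is not stored") is fine.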

View File

@ -2,15 +2,15 @@ title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: experimental
description: Detect a system being shutdown or put into different boot mode
references:
- https://attack.mitre.org/techniques/T1499/
- https://attack.mitre.org/techniques/T1495/
author: Austin Clark
date: 2019/08/15
modified: 2020/09/02
tags:
- attack.impact
- attack.t1499
- attack.t1495
- attack.t1529
- attack.t1492 # an old one
- attack.t1565.001
logsource:
product: cisco
service: aaa
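Review bot: `attack.t1492 # an old one` is added although T1492 was never in this rule's tags (the removed references were T1499 and T1495), so the retired ID adds nothing and `attack.t1565.001` on its own is enough. The `references:` block is again removed rather than updated with the pages for T1499, T1495 and T1529.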

View File

@ -1,22 +1,18 @@
title: Cisco Show Commands Input
title: Cisco File Deletion
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: experimental
description: See what files are being deleted from flash file systems
references:
- https://attack.mitre.org/techniques/T1107/
- https://attack.mitre.org/techniques/T1488/
- https://attack.mitre.org/techniques/T1487/
author: Austin Clark
date: 2019/08/12
tags:
- attack.defense_evasion
- attack.impact
- attack.t1107
- attack.t1488
- attack.t1487
- attack.t1561.002
- attack.t1107 # an old one
- attack.t1070.004
- attack.t1488 # an old one
- attack.t1561.001
- attack.t1487 # an old one
- attack.t1561.002
logsource:
product: cisco
service: aaa
@ -30,5 +26,5 @@ detection:
- 'format'
condition: keywords
falsepositives:
- Will be used sometimes by admins to clean up local flash space.
- Will be used sometimes by admins to clean up local flash space
level: medium
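Review bot: `attack.t1561.002` is listed twice in the resulting tag list (once directly after the removed T1107/T1488/T1487 entries and again at the end); drop one. The title fix from `Cisco Show Commands Input` to `Cisco File Deletion` is welcome, since the next rule in this PR carries that same title. References are removed without replacement, as in the other Cisco rules.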

View File

@ -2,16 +2,12 @@ title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: experimental
description: See what commands are being input into the device by other people, full credentials can be in the history
references:
- https://attack.mitre.org/techniques/T1056/
- https://attack.mitre.org/techniques/T1139/
author: Austin Clark
date: 2019/08/11
modified: 2020/09/02
tags:
- attack.collection
- attack.credential_access
- attack.t1139
- attack.t1056
- attack.t1139 # an old one
- attack.t1552.003
logsource:
product: cisco
@ -26,5 +22,5 @@ detection:
- 'show logging'
condition: keywords
falsepositives:
- Not commonly run by administrators, especially if remote logging is configured.
- Not commonly run by administrators, especially if remote logging is configured
level: medium
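Review bot: with `attack.t1056` removed and only `attack.t1552.003` (a credential_access technique) added, the `attack.collection` tactic tag no longer has a technique behind it; either drop `attack.collection` or keep a collection technique. The two references are removed rather than updated.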

View File

@ -2,14 +2,13 @@ title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: experimental
description: Find local accounts being created or modified as well as remote authentication configurations
references:
- https://attack.mitre.org/techniques/T1098/
- https://attack.mitre.org/techniques/T1136/
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
tags:
- attack.persistence
- attack.t1136
- attack.t1136 # an old one
- attack.t1136.001
- attack.t1098
logsource:
product: cisco
@ -23,5 +22,5 @@ detection:
- 'aaa'
condition: keywords
falsepositives:
- When remote authentication is in place, this should not change often.
- When remote authentication is in place, this should not change often
level: high
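Review bot: `attack.t1136 # an old one` mislabels a live parent technique (T1136 remains alongside T1136.001); drop the comment. The two reference URLs are removed without replacement.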

View File

@ -2,22 +2,17 @@ title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: experimental
description: Modifications to a config that will serve an adversary's impacts or persistence
references:
- https://attack.mitre.org/techniques/T1100/
- https://attack.mitre.org/techniques/T1168/
- https://attack.mitre.org/techniques/T1493/
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
tags:
- attack.persistence
- attack.privilege_escalation
- attack.impact
- attack.t1493
- attack.t1100
- attack.t1168
- attack.t1490
- attack.t1565.002
- attack.t1505
- attack.t1493 # an old one
- attack.t1565.002
- attack.t1168 # an old one
- attack.t1053
logsource:
product: cisco
@ -37,5 +32,5 @@ detection:
- 'archive maximum'
condition: keywords
falsepositives:
- Legitimate administrators may run these commands.
- Legitimate administrators may run these commands
level: medium
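Review bot: `attack.t1565.002` appears twice in the resulting tag list (once after `attack.t1490` and again after `attack.t1493 # an old one`); remove one. For the retired T1100 (Web Shell), the specific replacement is T1505.003 rather than the parent `attack.t1505`, which would match the sub-technique granularity used elsewhere in this PR. References are removed rather than updated.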

View File

@ -2,25 +2,18 @@ title: Cisco Stage Data
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
status: experimental
description: Various protocols maybe used to put data on the device for exfil or infil
references:
- https://attack.mitre.org/techniques/T1074/
- https://attack.mitre.org/techniques/T1105/
- https://attack.mitre.org/techniques/T1498/
- https://attack.mitre.org/techniques/T1002/
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
tags:
- attack.collection
- attack.lateral_movement
- attack.command_and_control
- attack.exfiltration
- attack.impact
- attack.t1074
- attack.t1105
- attack.t1492
- attack.t1002
- attack.t1560
- attack.t1565.001
- attack.t1002 # an old one
- attack.t1560.001
logsource:
product: cisco
service: aaa
@ -37,5 +30,5 @@ detection:
- 'archive tar'
condition: keywords
falsepositives:
- Generally used to copy configs or IOS images.
- Generally used to copy configs or IOS images
level: low
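Review bot: `attack.t1560` and `attack.t1560.001` are both added for the retired T1002; the sub-technique alone carries the meaning, so the parent is redundant. `attack.t1492` is dropped here without an `# an old one` marker while `attack.t1565.001` replaces it, which is the opposite of what the Denial of Service rule does; pick one convention. References are removed rather than updated.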

View File

@ -2,8 +2,6 @@ title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: experimental
description: Show when a monitor or a span/rspan is setup or modified
references:
- https://attack.mitre.org/techniques/T1040
author: Austin Clark
date: 2019/08/11
tags:
@ -23,5 +21,5 @@ detection:
- 'set rspan'
condition: keywords
falsepositives:
- Admins may setup new or modify old spans, or use a monitor for troubleshooting.
- Admins may setup new or modify old spans, or use a monitor for troubleshooting
level: medium
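Review bot: the only reference (T1040) is removed and nothing replaces it, even though T1040 (Network Sniffing) is still a valid technique page; keep the reference rather than dropping the field.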

View File

@ -8,6 +8,14 @@ references:
- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
author: Patrick Bareiss
date: 2019/04/07
modified: 2020/08/27
tags:
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
logsource:
category: dns
detection:
@ -17,6 +25,3 @@ detection:
falsepositives:
- Valid software, which uses dns for transferring data
level: high
tags:
- attack.t1048
- attack.exfiltration
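Review bot: merging the second `tags:` block at the bottom into the one near `author`/`date` is the right fix (the file had a duplicate `tags` key). However, `attack.t1071 # an old one` and `attack.t1048 # an old one` both mark live parent techniques, not retired IDs, so those comments should be removed.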

View File

@ -5,9 +5,11 @@ description: High DNS queries bytes amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048
- attack.t1048 # an old one
- attack.t1048.003
falsepositives:
- Legitimate high DNS bytes out rate to domain name which should be added to whitelist
level: medium
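Review bot: `attack.t1048 # an old one`: T1048 is the live parent of T1048.003, not a deprecated ID; drop the comment.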

View File

@ -5,9 +5,14 @@ description: High DNS requests amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
falsepositives:
- Legitimate high DNS requests rate to domain name which should be added to whitelist
level: medium
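Review bot: `attack.t1048 # an old one` and `attack.t1071 # an old one` both mark live parent techniques as retired; neither ID is deprecated. Drop the comments or use a separate marker for parent tags.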

View File

@ -4,9 +4,14 @@ description: Extremely high rate of NULL record type DNS requests from host per
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
logsource:
category: dns
detection:
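Review bot: same issue as the other DNS rules in this PR: `attack.t1048` and `attack.t1071` are live parents of the sub-techniques added below them, so `# an old one` is misleading on both.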

View File

@ -4,9 +4,14 @@ description: Extremely high rate of TXT record type DNS requests from host per s
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
logsource:
category: dns
detection:
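Review bot: `attack.t1048 # an old one` and `attack.t1071 # an old one` mark live parent techniques; the comment should only be used for IDs that ATT&CK actually retired.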

View File

@ -6,6 +6,11 @@ references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
author: Florian Roth
date: 2018/05/10
modified: 2020/08/27
tags:
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
logsource:
category: dns
detection:
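Review bot: `attack.t1071 # an old one` is misleading; T1071 is not deprecated, it is the parent of the `attack.t1071.004` tag added right after it.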

View File

@ -6,6 +6,14 @@ references:
- https://github.com/krmaxwell/dns-exfiltration
author: Florian Roth
date: 2018/05/10
modified: 2020/08/27
tags:
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
logsource:
category: dns
detection:
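Review bot: `attack.t1048 # an old one` and `attack.t1071 # an old one` both refer to live parent techniques; remove the retirement comments.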

View File

@ -6,10 +6,12 @@ references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
tags:
- attack.t1071
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
author: Markus Neis
date: 2018/08/08
modified: 2020/08/27
logsource:
category: dns
detection:
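Review bot: `attack.t1071 # an old one` marks a live parent technique as retired; the tag itself is fine, the comment is not.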

View File

@ -3,6 +3,10 @@ id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
modified: 2020/08/27
tags:
- attack.discovery
- attack.t1046
logsource:
category: firewall
detection:

View File

@ -9,6 +9,11 @@ references:
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth
date: 2018/06/05
modified: 2020/08/27
tags:
- attack.command_and_control
- attack.t1102 # an old one
- attack.t1102.002
logsource:
category: dns
detection:
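Review bot: `attack.t1102 # an old one` marks a live parent (T1102 Web Service) as retired; drop the comment and keep the tag if the parent is wanted alongside `attack.t1102.002`.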

View File

@ -6,10 +6,11 @@ references:
- "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
date: 2020/05/03
modified: 2020/05/03
modified: 2020/09/02
tags:
- attack.discovery
- attack.t1087
- attack.t1087 # an old one
- attack.t1087.002
- attack.t1082
logsource:
product: zeek
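Review bot: `attack.t1087 # an old one` is inaccurate; T1087 is the live parent of T1087.002. Remove the comment.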

View File

@ -7,9 +7,9 @@ references:
- https://github.com/mitre-attack/bzar#indicators-for-attck-execution
tags:
- attack.execution
- attack.t1035
- attack.t1035 # an old one
- attack.t1047
- attack.t1053
- attack.t1053 # an old one
- attack.t1053.002
- attack.t1569.002
logsource:
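Review bot: `attack.t1053 # an old one` is inaccurate; T1053 is the live parent of T1053.002. The `attack.t1035` retirement (replaced by T1569.002) is correct.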

View File

@ -7,7 +7,7 @@ references:
- https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
tags:
- attack.persistence
- attack.t1004
- attack.t1004 # an old one
- attack.t1547.004
logsource:
product: zeek

View File

@ -7,12 +7,12 @@ references:
- https://github.com/OTRF/detection-hackathon-apt29
tags:
- attack.command_and_control
- attack.t1043
- attack.t1571
- attack.t1105
logsource:
product: zeek
service: http
date: 2020/05/01
modified: 2020/09/02
detection:
selection_webdav:
- c-useragent: '*WebDAV*'
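Review bot: replacing the retired `attack.t1043` with `attack.t1571` (Non-Standard Port) does not match a WebDAV rule, since WebDAV rides on standard HTTP; `attack.t1071.001` (Web Protocols) is the better successor here, and it is also the replacement the proxy rules in this PR use for T1043.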

View File

@ -5,7 +5,7 @@ description: Detects connections from routable IPs to an RDP listener - which is
references:
- https://attack.mitre.org/techniques/T1021/001/
tags:
- attack.t1021
- attack.t1021 # an old one
- attack.t1021.001
author: 'Josh Brower @DefensiveDepth'
date: 2020/08/22
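Review bot: `attack.t1021 # an old one` mislabels a live parent technique; T1021 remains alongside T1021.001, which the rule's own reference URL points at. Drop the comment.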

View File

@ -8,7 +8,7 @@ references:
tags:
- attack.lateral_movement
- attack.persistence
- attack.t1053
- attack.t1053 # an old one
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002
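Review bot: `attack.t1053 # an old one` marks a live parent technique as retired; the comment should be removed.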

View File

@ -7,7 +7,7 @@ references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
- attack.credential_access
- attack.t1003
- attack.t1003 # an old one
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
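Review bot: `attack.t1003 # an old one` is inaccurate; T1003 is the live parent of the three sub-technique tags listed after it.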

View File

@ -7,7 +7,7 @@ references:
- https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1077 # an old one
- attack.t1021.002
logsource:
product: zeek

View File

@ -7,7 +7,7 @@ references:
- https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1077 # an old one
- attack.t1021.002
logsource:
product: zeek

View File

@ -7,7 +7,7 @@ references:
- https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
tags:
- attack.credential_access
- attack.t1003
- attack.t1003 # an old one
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
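Review bot: `attack.t1003 # an old one` is inaccurate; T1003 is the live parent of the sub-techniques listed after it. Remove the comment.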

View File

@ -7,7 +7,7 @@ references:
- https://adsecurity.org/?p=3458
tags:
- attack.credential_access
- attack.t1208
- attack.t1208 # an old one
- attack.t1558.003
logsource:
product: zeek

View File

@ -6,6 +6,14 @@ references:
- Internal research from Florian Roth
author: Thomas Patzke
date: 2019/11/12
modified: 2020/09/02
tags:
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
- attack.exfiltration
- attack.t1567.002
- attack.t1048 # an old one
logsource:
category: proxy
detection:
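Review bot: `attack.t1048 # an old one` marks a live parent technique as retired; `attack.t1043 # an old one` is correct. Also, `attack.t1567.002` (Exfiltration to Cloud Storage) is a specific claim that the cited "Internal research" reference does not let a reader verify; a pointer to the technique page would help.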

View File

@ -6,6 +6,10 @@ references:
- https://securelist.com/chafer-used-remexi-malware/89538/
author: Florian Roth
date: 2019/01/31
tags:
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
logsource:
category: proxy
detection:
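Review bot: unlike the sibling proxy rules in this PR, no `modified:` field is added here although the tags change; add `modified: 2020/09/02` (or whichever date applies) for consistency.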

View File

@ -7,8 +7,12 @@ references:
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
date: 2019/11/12
modified: 2020/09/02
tags:
- attack.t1102
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
logsource:
category: proxy
detection:

View File

@ -6,8 +6,12 @@ references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
author: Markus Neis
date: 2019/11/12
modified: 2020/09/02
tags:
- attack.t1102
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
logsource:
category: proxy
detection:

View File

@ -6,8 +6,12 @@ references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
author: Markus Neis
date: 2019/11/12
modified: 2020/09/02
tags:
- attack.t1102
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
logsource:
category: proxy
detection:

View File

@ -6,6 +6,12 @@ references:
- https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
author: Florian Roth
date: 2017/11/08
modified: 2020/09/03
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1105
- attack.t1568
logsource:
category: proxy
detection:

View File

@ -9,7 +9,14 @@ references:
- https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth
date: 2017/11/07
modified: 2018/06/13
modified: 2020/09/03
tags:
- attack.initial_access
- attack.t1566
- attack.execution
- attack.t1203
- attack.t1204.002
- attack.t1204 # an old one
logsource:
category: proxy
detection:
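Review bot: `attack.t1204 # an old one` mislabels a live parent technique; T1204 still exists alongside T1204.002. Remove the comment.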

View File

@ -4,6 +4,14 @@ status: experimental
description: Detects executable downloads from suspicious remote systems
author: Florian Roth
date: 2017/03/13
modified: 2020/09/03
tags:
- attack.initial_access
- attack.t1566
- attack.execution
- attack.t1203
- attack.t1204.002
- attack.t1204 # an old one
logsource:
category: proxy
detection:
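Review bot: `attack.t1204 # an old one` mislabels a live parent technique; the comment should be dropped.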

View File

@ -6,6 +6,11 @@ references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth
date: 2018/04/06
modified: 2020/09/03
tags:
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
logsource:
category: proxy
detection:

View File

@ -6,6 +6,12 @@ references:
- https://github.com/BC-SECURITY/Empire
author: Florian Roth
date: 2020/07/13
modified: 2020/09/03
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
logsource:
category: proxy
detection:

View File

@ -6,6 +6,11 @@ references:
- https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:

View File

@ -7,6 +7,17 @@ references:
- https://twitter.com/craiu/status/1167358457344925696
author: Florian Roth
date: 2019/08/30
modified: 2020/09/03
tags:
- attack.execution
- attack.t1203
- attack.collection
- attack.t1005
- attack.t1119
- attack.credential_access
- attack.t1528
- attack.t1552.001
- attack.t1081 # an old one
logsource:
category: proxy
detection:

View File

@ -6,6 +6,11 @@ references:
- https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
author: Florian Roth
date: 2017/03/13
modified: 2020/09/03
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:

View File

@ -6,6 +6,14 @@ references:
- https://breakdev.org/pwndrop/
author: Florian Roth
date: 2020/04/15
modified: 2020/09/03
tags:
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
- attack.t1102.001
- attack.t1102.003
- attack.t1102 # an old one
logsource:
category: proxy
detection:
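Review bot: `attack.t1102 # an old one` marks a live parent technique as retired; T1102 is the parent of the `.001` and `.003` tags above it. Drop the comment.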

View File

@ -6,9 +6,15 @@ references:
- https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth
date: 2019/12/05
modified: 2020/09/03
tags:
- attack.t1102
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
- attack.t1102.001
- attack.t1102.003
- attack.defense_evasion
- attack.t1102 # an old one
logsource:
category: proxy
detection:
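Review bot: `attack.defense_evasion` ends up listed twice (the existing entry is kept and a second one is added below `attack.t1102.003`); remove the added duplicate. `attack.t1102 # an old one` also mislabels a live parent technique.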

View File

@ -6,6 +6,15 @@ references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth
date: 2017/10/25
tags:
- attack.initial_access
- attack.t1189
- attack.execution
- attack.t1204.002
- attack.t1204 # an old one
- attack.defense_evasion
- attack.t1036.005
- attack.t1036 # an old one
logsource:
category: proxy
detection:
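Review bot: `attack.t1204 # an old one` and `attack.t1036 # an old one` both mark live parent techniques as retired; neither ID is deprecated. No `modified:` field is added here either, unlike the neighbouring proxy rules.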

View File

@ -8,6 +8,14 @@ references:
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth
date: 2018/06/05
modified: 2020/09/03
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
- attack.t1102.002
- attack.t1102 # an old one
logsource:
category: proxy
detection:
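Review bot: `attack.t1102 # an old one` marks a live parent technique as retired; `attack.t1043 # an old one` is correct. Remove the comment from the T1102 entry.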

View File

@ -6,7 +6,12 @@ references:
- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth
date: 2020/05/26
modified: 2020/09/03
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
- attack.g0010
logsource:
category: proxy

View File

@ -6,6 +6,10 @@ references:
- Internal Research
author: Florian Roth, Markus Neis
date: 2019/11/12
modified: 2020/09/03
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:

View File

@ -4,6 +4,14 @@ status: experimental
description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth
date: 2019/03/07
modified: 2020/09/03
tags:
- attack.command_and_control
- attack.t1071.001
- attack.defense_evasion
- attack.persistence
- attack.t1197
- attack.s0190
logsource:
category: proxy
detection:
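Review bot: the description line in this hunk carries two source URLs inline (`description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/... - https://isc.sans.edu/...`). Since this change already touches the metadata block, move them into a `references:` list, where the rest of the repository keeps source links, and leave the description as plain text.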

View File

@ -7,6 +7,10 @@ references:
- https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth
date: 2019/10/21
modified: 2020/09/03
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:

View File

@ -6,6 +6,10 @@ references:
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:

View File

@ -7,6 +7,12 @@ references:
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
tags:
- attack.initial_access
- attack.t1190
- attack.credential_access
- attack.t1110
logsource:
category: proxy
detection:

View File

@ -10,6 +10,10 @@ references:
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:

View File

@ -6,6 +6,10 @@ references:
- https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:
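Review bot: the tags added here map this rule to attack.command_and_control / attack.t1071.001, yet the only visible reference is a WAF list of scanner user agents (fastly waf_testbed `scanners-user-agents.data.erb`). Traffic matched on scanner user agents is closer to scanning of the web tier than to C2 over web protocols, so confirm the mapping was intended before the tactic tag goes in.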

View File

@ -4,6 +4,16 @@ status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
modified: 2020/09/03
tags:
- attack.initial_access
- attack.t1566.001
- attack.t1193 # an old one
- attack.execution
- attack.t1204.002
- attack.t1204 # an old one
- attack.command_and_control
- attack.t1071.001
logsource:
category: proxy
detection:
@ -27,6 +37,12 @@ description: Detects Ursnif C2 traffic.
references:
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
tags:
- attack.command_and_control
- attack.t1071.001
- attack.t1132
- attack.defense_evasion
- attack.t1027
logsource:
category: proxy
detection:
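Review bot: the second rule document in the Ursnif file (`description: Detects Ursnif C2 traffic.`) receives a new tags block but, unlike the first document in the same file, no `modified: 2020/09/03` line is added for it. Add the modified date to the second document as well so both rules in the file record the retag.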

View File

@ -1,8 +1,13 @@
title: Apache Segmentation Fault
id: 1da8ce0b-855d-4004-8860-7d64d42063b1
description: Detects a segmentation fault error message caused by a creashing apacke worker process
description: Detects a segmentation fault error message caused by a creashing apache worker process
author: Florian Roth
date: 2017/02/28
modified: 2020/09/03
tags:
- attack.impact
- attack.t1499 # an old one
- attack.t1499.004
references:
- http://www.securityfocus.com/infocus/1633
logsource:
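Review bot: the description fix in the Apache Segmentation Fault hunk corrects `apacke` to `apache` but leaves `creashing` in the same line (`description: Detects a segmentation fault error message caused by a creashing apache worker process`); change it to `crashing` in the same edit rather than leaving a second typo pass for later.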

View File

@ -10,7 +10,10 @@ references:
author: Arnim Rupp, Florian Roth
status: experimental
date: 2020/01/02
modified: 2020/03/14
modified: 2020/09/03
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'

View File

@ -3,7 +3,7 @@ id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
author: Florian Roth
date: 2018/07/22
modified: 2020/03/14
modified: 2020/09/03
status: experimental
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
@ -22,12 +22,11 @@ fields:
falsepositives:
- Unknown
tags:
- attack.t1100
- attack.t1100 # an old one
- attack.t1190
- attack.initial_access
- attack.persistence
- attack.privilege_escalation
- cve.2018-2894
- attack.t1505
- attack.t1505.003
level: critical
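Review bot: after the plain attack.t1505 entry is dropped and attack.t1100 becomes `# an old one`, the WebLogic webshell rule still carries attack.privilege_escalation, but neither attack.t1190 (initial access) nor attack.t1505.003 (persistence) is a privilege-escalation technique. That tactic was inherited from the retired Web Shell ID and should be removed together with it.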

View File

@ -6,8 +6,10 @@ references:
- https://github.com/Ridter/cve-2020-0688
author: NVISO
date: 2020/02/27
modified: 2020/09/03
tags:
- attack.t1210
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:

View File

@ -3,7 +3,10 @@ id: 6fdfc796-06b3-46e8-af08-58f3505318af
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
date: 2017/02/19
modified: 2020/03/14
modified: 2020/09/03
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:

View File

@ -5,7 +5,10 @@ references:
- https://www.exploit-db.com/exploits/47297
author: Florian Roth
date: 2019/11/18
modified: 2020/03/14
modified: 2020/09/03
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:

View File

@ -3,6 +3,10 @@ id: 953d460b-f810-420a-97a2-cfca4c98e602
description: Detects source code enumeration that use GET requests by keyword searches in URL strings
author: James Ahearn
date: 2019/06/08
modified: 2020/09/03
tags:
- attack.discovery
- attack.t1083
references:
- https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
- https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1

View File

@ -3,6 +3,11 @@ id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
description: Detects webshells that use GET requests by keyword searches in URL strings
author: Florian Roth
date: 2017/02/19
modified: 2020/09/03
tags:
- attack.persistence
- attack.t1100 # an old one
- attack.t1505.003
logsource:
category: webserver
detection:

View File

@ -7,8 +7,8 @@ reference:
- https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
- https://github.com/sensepost/reGeorg
date: 2020/08/04
modified: 2020/09/03
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1100
- attack.t1505.003
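Review bot: the context in this hunk header reads `reference:` where Sigma's schema key is `references:`, so the two URLs listed under it are not recognised as references; fix the key while this file is being touched. The tag list also keeps attack.privilege_escalation next to attack.t1505.003, a persistence-only technique, so that tactic tag is stale once the rule moves away from attack.t1100.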

View File

@ -9,7 +9,7 @@ references:
tags:
- attack.persistence
- attack.lateral_movement
- attack.t1053
- attack.t1053 # an old one
- attack.t1053.005
logsource:
product: windows

View File

@ -4,13 +4,14 @@ description: backdooring domain object to grant the rights associated with DCSyn
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
status: experimental
date: 2019/04/03
modified: 2020/08/23
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
tags:
- attack.credential_access
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security

View File

@ -5,10 +5,12 @@ references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
tags:
- attack.discovery
- attack.t1087
- attack.t1087 # an old one
- attack.t1087.002
status: experimental
author: Samir Bousseaden
date: 2019/04/03
modified: 2020/08/23
logsource:
product: windows
service: security

View File

@ -8,7 +8,8 @@ references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222 # an old one
- attack.t1222.001
logsource:
product: windows
service: security

View File

@ -3,13 +3,14 @@ id: 17d619c1-e020-4347-957e-1d1207455c93
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
status: experimental
date: 2019/07/26
modified: 2020/03/02
modified: 2020/08/23
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
tags:
- attack.credential_access
- attack.t1003
- attack.t1003 # an old one
- attack.t1003.006
logsource:
product: windows
service: security

View File

@ -3,6 +3,7 @@ id: ab6bffca-beff-4baa-af11-6733f296d57a
description: Detects access to a domain user from a non-machine account
status: experimental
date: 2020/03/30
modified: 2020/08/23
author: Maxime Thiebaut (@0xThiebaut)
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
@ -10,7 +11,8 @@ references:
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
tags:
- attack.discovery
- attack.t1087
- attack.t1087 # an old one
- attack.t1087.002
logsource:
product: windows
service: security

View File

@ -5,11 +5,15 @@ references:
- https://car.mitre.org/wiki/CAR-2016-04-005
tags:
- attack.lateral_movement
- attack.t1078
- attack.t1078 # an old one
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
- car.2016-04-005
status: experimental
author: juju4
date: 2017/10/29
modified: 2020/08/23
logsource:
product: windows
service: security
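Review bot: listing attack.t1078.001, .002 and .003 together with the parent `attack.t1078 # an old one` tells a consumer nothing more than the parent alone did; if the rule cannot distinguish default, domain and local accounts in the Windows security log, keep a single entry rather than restating the parent as every sub-technique. Separately, attack.lateral_movement is not a tactic ATT&CK lists for Valid Accounts (it is mapped to defense evasion, persistence, privilege escalation and initial access), so that tag should be checked as well.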

View File

@ -3,11 +3,12 @@ id: 098d7118-55bc-4912-a836-dc6483a8d150
description: Detects access to $ADMIN share
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1077 # an old one
- attack.t1021.002
status: experimental
author: Florian Roth
date: 2017/03/04
modified: 2020/08/23
logsource:
product: windows
service: security
