Merge pull request #989 from oscd-initiative/master

[OSCD Initiative][ATT&CK tags update]

rules/application/app_python_sql_exceptions.yml

@@ -3,6 +3,10 @@ id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
 date: 2017/08/12
+modified: 2020/09/01
+tags:
+    - attack.initial_access
+    - attack.t1190
 references:
     - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:

rules/application/app_sqlinjection_errors.yml

@@ -4,6 +4,10 @@ status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
 date: 2017/11/27
+modified: 2020/09/01
+tags:
+    - attack.initial_access
+    - attack.t1190
 references:
     - http://www.sqlinjection.net/errors
 logsource:

rules/application/appframework_django_exceptions.yml

@@ -3,6 +3,10 @@ id: fd435618-981e-4a7c-81f8-f78ce480d616
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/05
+modified: 2020/09/01
+tags:
+    - attack.initial_access
+    - attack.t1190
 references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security

rules/application/appframework_ruby_on_rails_exceptions.yml

@@ -3,6 +3,10 @@ id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
+modified: 2020/09/01
+tags:
+    - attack.initial_access
+    - attack.t1190
 references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html

rules/application/appframework_spring_exceptions.yml

@@ -3,6 +3,10 @@ id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
+modified: 2020/09/01
+tags:
+    - attack.initial_access
+    - attack.t1190
 references:
     - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:

rules/apt/apt_silence_downloader_v3.yml

@@ -4,9 +4,16 @@ status: experimental
 description: Detects Silence downloader. These commands are hardcoded into the binary.
 author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
 date: 2019/11/01
-modified: 2019/11/22
+modified: 2020/09/01
 tags:
     - attack.persistence
+    - attack.t1547.001
+    - attack.t1060  # an old one
+    - attack.discovery
+    - attack.t1057
+    - attack.t1082
+    - attack.t1016
+    - attack.t1033
     - attack.g0091
 logsource:
     category: process_creation

rules/apt/apt_silence_eda.yml

@@ -4,8 +4,17 @@ status: experimental
 description: Detects Silence empireDNSagent
 author: Alina Stepchenkova, Group-IB, oscd.community
 date: 2019/11/01
-modified: 2019/11/20
+modified: 2020/09/01
 tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+    - attack.command_and_control
+    - attack.t1071.004
+    - attack.t1071  # an old one
+    - attack.t1572
+    - attack.impact
+    - attack.t1529
     - attack.g0091
     - attack.s0363
 logsource:

rules/cloud/aws_cloudtrail_disable_logging.yml

@@ -22,5 +22,5 @@ falsepositives:
     - Valid change in a Trail
 tags:
     - attack.defense_evasion
-    - attack.t1089
     - attack.t1562.001
+    - attack.t1089  # an old one

rules/cloud/aws_config_disable_recording.yml

@@ -19,5 +19,5 @@ falsepositives:
     - Valid change in AWS Config Service
 tags:
     - attack.defense_evasion
-    - attack.t1089
     - attack.t1562.001
+    - attack.t1089  # an old one

rules/cloud/aws_ec2_download_userdata.yml

@@ -3,6 +3,7 @@ id: 26ff4080-194e-47e7-9889-ef7602efed0c
 status: experimental
 author: faloker
 date: 2020/02/11
+modified: 2020/09/01
 description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
@@ -21,4 +22,5 @@ level: medium
 falsepositives:
     - Assets management software like device42
 tags:
+    - attack.exfiltration 
     - attack.t1020

rules/cloud/aws_ec2_startup_script_change.yml

@@ -3,6 +3,7 @@ id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
 status: experimental
 author: faloker
 date: 2020/02/12
+modified: 2020/09/01
 description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
@@ -20,5 +21,10 @@ level: high
 falsepositives:
     - Valid changes to the startup script
 tags:
-    - attack.t1064
-    - attack.t1059
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+    - attack.t1059.003
+    - attack.t1059.004
+    - attack.t1059  # an old one
+    - attack.t1064  # an old one

rules/cloud/aws_guardduty_disruption.yml

@@ -19,5 +19,5 @@ falsepositives:
     - Valid change in the GuardDuty (e.g. to ignore internal scanners)
 tags:
     - attack.defense_evasion
-    - attack.t1089
     - attack.t1562.001
+    - attack.t1089  # an old one

rules/cloud/aws_iam_backdoor_users_keys.yml

@@ -3,6 +3,7 @@ id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
 status: experimental
 author: faloker
 date: 2020/02/12
+modified: 2020/09/01
 description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
@@ -26,4 +27,5 @@ falsepositives:
     - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
     - AWS API keys legitimate exchange workflows
 tags:
+    - attack.persistence
     - attack.t1098

rules/cloud/aws_rds_change_master_password.yml

@@ -3,6 +3,7 @@ id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
 status: experimental
 author: faloker
 date: 2020/02/12
+modified: 2020/09/01
 description: Detects the change of database master password. It may be a part of data exfiltration.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
@@ -20,4 +21,5 @@ level: medium
 falsepositives:
     - Benign changes to a db instance
 tags:
+    - attack.exfiltration
     - attack.t1020

rules/cloud/aws_rds_public_db_restore.yml

@@ -3,6 +3,7 @@ id: c3f265c7-ff03-4056-8ab2-d486227b4599
 status: experimental
 author: faloker
 date: 2020/02/12
+modified: 2020/09/01
 description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
@@ -20,4 +21,5 @@ level: high
 falsepositives:
     - unknown
 tags:
+    - attack.exfiltration
     - attack.t1020

rules/cloud/aws_root_account_usage.yml

@@ -3,6 +3,7 @@ id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
 status: experimental
 author: vitaliy0x1
 date: 2020/01/21
+modified: 2020/09/01
 description: Detects AWS root account usage
 references:
   - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
@@ -18,4 +19,6 @@ level: medium
 falsepositives:
   - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
 tags:
-  - attack.t1078
+  - attack.privilege_escalation
+  - attack.t1078.004
+  - attack.t1078  # an old one

rules/generic/generic_brute_force.yml

@@ -2,9 +2,11 @@ title: Brute Force
 id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
 description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
 tags:
+    - attack.credential_access
     - attack.t1110
 author: Aleksandr Akhremchik, oscd.community
 date: 2019/10/25
+modified: 2020/09/01
 status: experimental
 logsource:
     category: authentication

rules/linux/auditd/lnx_auditd_alter_bash_profile.yml

@@ -7,7 +7,7 @@ references:
 date: 2019/05/12
 tags:
     - attack.s0003
-    - attack.t1156
+    - attack.t1156    # an old one
     - attack.persistence
     - attack.t1546.004
 author: Peter Matkovski

rules/linux/auditd/lnx_auditd_auditing_config_change.yml

@@ -10,7 +10,7 @@ references:
     - self experience
 tags:
     - attack.defense_evasion
-    - attack.t1054
+    - attack.t1054    # an old one
     - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental

rules/linux/auditd/lnx_auditd_create_account.yml

@@ -6,7 +6,8 @@ references:
     - 'MITRE Attack technique T1136; Create Account '
 date: 2020/05/18
 tags:
-    - attack.t1136
+    - attack.t1136    # an old one
+    - attack.t1136.001
     - attack.persistence
 author: Marie Euler
 logsource:

rules/linux/auditd/lnx_auditd_logging_config_change.yml

@@ -9,7 +9,7 @@ references:
     - self experience
 tags:
     - attack.defense_evasion
-    - attack.t1054
+    - attack.t1054    # an old one
     - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental

rules/linux/lnx_susp_named.yml

@@ -4,6 +4,9 @@ status: experimental
 description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
     - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+tags:
+    - attack.initial_access
+    - attack.t1190
 author: Florian Roth
 date: 2018/02/20
 logsource:
@@ -18,4 +21,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-

rules/linux/lnx_susp_ssh.yml

@@ -4,6 +4,9 @@ description: Detects suspicious SSH / SSHD error messages that indicate a fatal
 references:
     - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
     - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
+tags:
+    - attack.initial_access
+    - attack.t1190
 author: Florian Roth
 date: 2017/06/30
 modified: 2020/05/15
@@ -27,4 +30,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-

rules/linux/lnx_susp_vsftp.yml

@@ -3,6 +3,9 @@ id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
     - https://github.com/dagwieers/vsftpd/
+tags:
+    - attack.initial_access
+    - attack.t1190
 author: Florian Roth
 date: 2017/07/05
 logsource:

rules/network/cisco/aaa/cisco_cli_clear_logs.yml

@@ -1,16 +1,13 @@
 title: Cisco Clear Logs
 id: ceb407f6-8277-439b-951f-e4210e3ed956
 status: experimental
-description: Clear command history in network OS which is used for defense evasion.
-references:
-    - https://attack.mitre.org/techniques/T1146/
-    - https://attack.mitre.org/techniques/T1070/
+description: Clear command history in network OS which is used for defense evasion
 author: Austin Clark
 date: 2019/08/12
+modified: 2020/09/02
 tags:
     - attack.defense_evasion
-    - attack.t1146
-    - attack.t1070
+    - attack.t1146          # an old one
     - attack.t1070.003
 logsource:
     product: cisco
@@ -28,5 +25,5 @@ detection:
         - 'clear archive'
     condition: keywords
 falsepositives:
-    - Legitimate administrators may run these commands.
+    - Legitimate administrators may run these commands
 level: high

rules/network/cisco/aaa/cisco_cli_collect_data.yml

@@ -2,22 +2,19 @@ title: Cisco Collect Data
 id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
 status: experimental
 description: Collect pertinent data from the configuration files
-references:
-    - https://attack.mitre.org/techniques/T1087/
-    - https://attack.mitre.org/techniques/T1003/
-    - https://attack.mitre.org/techniques/T1081/
-    - https://attack.mitre.org/techniques/T1005/
 author: Austin Clark
 date: 2019/08/11
+modified: 2020/09/02
 tags:
     - attack.discovery
     - attack.credential_access
     - attack.collection
-    - attack.t1087
-    - attack.t1003
-    - attack.t1081
-    - attack.t1005
+    - attack.t1087           # an old one
+    - attack.t1087.001
+    - attack.t1003           # an old one
+    - attack.t1081           # an old one
     - attack.t1552.001
+    - attack.t1005
 logsource:
     product: cisco
     service: aaa
@@ -36,5 +33,5 @@ detection:
         - 'more'
     condition: keywords
 falsepositives:
-    - Commonly run by administrators.
+    - Commonly run by administrators
 level: low

rules/network/cisco/aaa/cisco_cli_crypto_actions.yml

@@ -1,18 +1,15 @@
 title: Cisco Crypto Commands
 id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
 status: experimental
-description: Show when private keys are being exported from the device, or when new certificates are installed.
-references:
-    - https://attack.mitre.org/techniques/T1145/
-    - https://attack.mitre.org/techniques/T1130/
+description: Show when private keys are being exported from the device, or when new certificates are installed
 author: Austin Clark
 date: 2019/08/12
 tags:
     - attack.credential_access
     - attack.defense_evasion
-    - attack.t1130
-    - attack.t1145
+    - attack.t1130          # an old one
     - attack.t1553.004
+    - attack.t1145          # an old one
     - attack.t1552.004
 logsource:
     product: cisco
@@ -31,5 +28,5 @@ detection:
         - 'crypto pki trustpoint'
     condition: keywords
 falsepositives:
-    - Not commonly run by administrators.  Also whitelist your known good certificates.
+    - Not commonly run by administrators. Also whitelist your known good certificates
 level: high

rules/network/cisco/aaa/cisco_cli_disable_logging.yml

@@ -2,13 +2,11 @@ title: Cisco Disabling Logging
 id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
 status: experimental
 description: Turn off logging locally or remote
-references:
-    - https://attack.mitre.org/techniques/T1089
 author: Austin Clark
 date: 2019/08/11
 tags:
     - attack.defense_evasion
-    - attack.t1089
+    - attack.t1089          # an old one
     - attack.t1562.001
 logsource:
     product: cisco

rules/network/cisco/aaa/cisco_cli_discovery.yml

@@ -1,9 +1,7 @@
 title: Cisco Discovery
 id: 9705a6a1-6db6-4a16-a987-15b7151e299b
 status: experimental
-description: Find information about network devices that are not stored in config files.
-references:
-    - https://attack.mitre.org/tactics/TA0007/
+description: Find information about network devices that is not stored in config files
 author: Austin Clark
 date: 2019/08/12
 tags:

rules/network/cisco/aaa/cisco_cli_dos.yml

@@ -2,15 +2,15 @@ title: Cisco Denial of Service
 id: d94a35f0-7a29-45f6-90a0-80df6159967c
 status: experimental
 description: Detect a system being shutdown or put into different boot mode
-references:
-    - https://attack.mitre.org/techniques/T1499/
-    - https://attack.mitre.org/techniques/T1495/
 author: Austin Clark
 date: 2019/08/15
+modified: 2020/09/02
 tags:
     - attack.impact
-    - attack.t1499
     - attack.t1495
+    - attack.t1529
+    - attack.t1492          # an old one
+    - attack.t1565.001
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_file_deletion.yml

@@ -1,22 +1,18 @@
-title: Cisco Show Commands Input
+title: Cisco File Deletion
 id: 71d65515-c436-43c0-841b-236b1f32c21e
 status: experimental
 description: See what files are being deleted from flash file systems
-references:
-    - https://attack.mitre.org/techniques/T1107/
-    - https://attack.mitre.org/techniques/T1488/
-    - https://attack.mitre.org/techniques/T1487/
 author: Austin Clark
 date: 2019/08/12
 tags:
     - attack.defense_evasion
     - attack.impact
-    - attack.t1107
-    - attack.t1488
-    - attack.t1487
-    - attack.t1561.002
+    - attack.t1107          # an old one
     - attack.t1070.004
+    - attack.t1488          # an old one
     - attack.t1561.001
+    - attack.t1487          # an old one
+    - attack.t1561.002
 logsource:
     product: cisco
     service: aaa
@@ -30,5 +26,5 @@ detection:
         - 'format'
     condition: keywords
 falsepositives:
-    - Will be used sometimes by admins to clean up local flash space.
+    - Will be used sometimes by admins to clean up local flash space
 level: medium

rules/network/cisco/aaa/cisco_cli_input_capture.yml

@@ -2,16 +2,12 @@ title: Cisco Show Commands Input
 id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
 status: experimental
 description: See what commands are being input into the device by other people, full credentials can be in the history
-references:
-    - https://attack.mitre.org/techniques/T1056/
-    - https://attack.mitre.org/techniques/T1139/
 author: Austin Clark
 date: 2019/08/11
+modified: 2020/09/02
 tags:
-    - attack.collection
     - attack.credential_access
-    - attack.t1139
-    - attack.t1056
+    - attack.t1139          # an old one
     - attack.t1552.003
 logsource:
     product: cisco
@@ -26,5 +22,5 @@ detection:
         - 'show logging'
     condition: keywords
 falsepositives:
-    - Not commonly run by administrators, especially if remote logging is configured.
+    - Not commonly run by administrators, especially if remote logging is configured
 level: medium

rules/network/cisco/aaa/cisco_cli_local_accounts.yml

@@ -2,14 +2,13 @@ title: Cisco Local Accounts
 id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
 status: experimental
 description: Find local accounts being created or modified as well as remote authentication configurations
-references:
-    - https://attack.mitre.org/techniques/T1098/
-    - https://attack.mitre.org/techniques/T1136/
 author: Austin Clark
 date: 2019/08/12
+modified: 2020/09/02
 tags:
     - attack.persistence
-    - attack.t1136
+    - attack.t1136          # an old one
+    - attack.t1136.001
     - attack.t1098
 logsource:
     product: cisco
@@ -23,5 +22,5 @@ detection:
         - 'aaa'
     condition: keywords
 falsepositives:
-    - When remote authentication is in place, this should not change often.
+    - When remote authentication is in place, this should not change often
 level: high

rules/network/cisco/aaa/cisco_cli_modify_config.yml

@@ -2,22 +2,17 @@ title: Cisco Modify Configuration
 id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
 status: experimental
 description: Modifications to a config that will serve an adversary's impacts or persistence
-references:
-    - https://attack.mitre.org/techniques/T1100/
-    - https://attack.mitre.org/techniques/T1168/
-    - https://attack.mitre.org/techniques/T1493/
 author: Austin Clark
 date: 2019/08/12
+modified: 2020/09/02
 tags:
     - attack.persistence
-    - attack.privilege_escalation
     - attack.impact
-    - attack.t1493
-    - attack.t1100
-    - attack.t1168
     - attack.t1490
-    - attack.t1565.002
     - attack.t1505
+    - attack.t1493          # an old one
+    - attack.t1565.002
+    - attack.t1168          # an old one
     - attack.t1053
 logsource:
     product: cisco
@@ -37,5 +32,5 @@ detection:
         - 'archive maximum'
     condition: keywords
 falsepositives:
-    - Legitimate administrators may run these commands.
+    - Legitimate administrators may run these commands
 level: medium

rules/network/cisco/aaa/cisco_cli_moving_data.yml

@@ -2,25 +2,18 @@ title: Cisco Stage Data
 id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
 status: experimental
 description: Various protocols maybe used to put data on the device for exfil or infil
-references:
-    - https://attack.mitre.org/techniques/T1074/
-    - https://attack.mitre.org/techniques/T1105/
-    - https://attack.mitre.org/techniques/T1498/
-    - https://attack.mitre.org/techniques/T1002/
 author: Austin Clark
 date: 2019/08/12
+modified: 2020/09/02
 tags:
     - attack.collection
     - attack.lateral_movement
     - attack.command_and_control
     - attack.exfiltration
-    - attack.impact
     - attack.t1074
     - attack.t1105
-    - attack.t1492
-    - attack.t1002
-    - attack.t1560
-    - attack.t1565.001
+    - attack.t1002          # an old one
+    - attack.t1560.001
 logsource:
     product: cisco
     service: aaa
@@ -37,5 +30,5 @@ detection:
         - 'archive tar'
     condition: keywords
 falsepositives:
-    - Generally used to copy configs or IOS images.
+    - Generally used to copy configs or IOS images
 level: low

rules/network/cisco/aaa/cisco_cli_net_sniff.yml

@@ -2,8 +2,6 @@ title: Cisco Sniffing
 id: b9e1f193-d236-4451-aaae-2f3d2102120d
 status: experimental
 description: Show when a monitor or a span/rspan is setup or modified
-references:
-    - https://attack.mitre.org/techniques/T1040
 author: Austin Clark
 date: 2019/08/11
 tags:
@@ -23,5 +21,5 @@ detection:
         - 'set rspan'
     condition: keywords
 falsepositives:
-    - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
+    - Admins may setup new or modify old spans, or use a monitor for troubleshooting
 level: medium

rules/network/net_dns_c2_detection.yml

@@ -8,6 +8,14 @@ references:
     - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
 author: Patrick Bareiss
 date: 2019/04/07
+modified: 2020/08/27
+tags:
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
+    - attack.exfiltration
+    - attack.t1048 # an old one
+    - attack.t1048.003
 logsource:
     category: dns
 detection:
@@ -17,6 +25,3 @@ detection:
 falsepositives:
     - Valid software, which uses dns for transferring data
 level: high
-tags:
-    - attack.t1048
-    - attack.exfiltration

rules/network/net_high_dns_bytes_out.yml

@@ -5,9 +5,11 @@ description: High DNS queries bytes amount from host per short period of time
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/27
 tags:
     - attack.exfiltration
-    - attack.t1048
+    - attack.t1048 # an old one
+    - attack.t1048.003
 falsepositives:
     - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
 level: medium

rules/network/net_high_dns_requests_rate.yml

@@ -5,9 +5,14 @@ description: High DNS requests amount from host per short period of time
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/27
 tags:
     - attack.exfiltration
-    - attack.t1048
+    - attack.t1048 # an old one
+    - attack.t1048.003
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
 falsepositives:
     - Legitimate high DNS requests rate to domain name which should be added to whitelist
 level: medium

rules/network/net_high_null_records_requests_rate.yml

@@ -4,9 +4,14 @@ description: Extremely high rate of NULL record type DNS requests from host per
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/27
 tags:
     - attack.exfiltration
-    - attack.t1048
+    - attack.t1048 # an old one
+    - attack.t1048.003
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
 logsource:
     category: dns
 detection:

rules/network/net_high_txt_records_requests_rate.yml

@@ -4,9 +4,14 @@ description: Extremely high rate of TXT record type DNS requests from host per s
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
+modified: 2020/08/27
 tags:
     - attack.exfiltration
-    - attack.t1048
+    - attack.t1048 # an old one
+    - attack.t1048.003
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
 logsource:
     category: dns
 detection:

rules/network/net_mal_dns_cobaltstrike.yml

@@ -6,6 +6,11 @@ references:
     - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 author: Florian Roth
 date: 2018/05/10
+modified: 2020/08/27
+tags:
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
 logsource:
     category: dns
 detection:

rules/network/net_susp_dns_b64_queries.yml

@@ -6,6 +6,14 @@ references:
     - https://github.com/krmaxwell/dns-exfiltration
 author: Florian Roth
 date: 2018/05/10
+modified: 2020/08/27
+tags:
+    - attack.exfiltration
+    - attack.t1048 # an old one
+    - attack.t1048.003
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
 logsource:
     category: dns
 detection:

rules/network/net_susp_dns_txt_exec_strings.yml

@@ -6,10 +6,12 @@ references:
     - https://twitter.com/stvemillertime/status/1024707932447854592
     - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
 tags:
-    - attack.t1071
+    - attack.command_and_control
+    - attack.t1071 # an old one
     - attack.t1071.004
 author: Markus Neis
 date: 2018/08/08
+modified: 2020/08/27
 logsource:
     category: dns
 detection:

rules/network/net_susp_network_scan.yml

@@ -3,6 +3,10 @@ id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
 date: 2017/02/19
+modified: 2020/08/27
+tags:
+    - attack.discovery
+    - attack.t1046
 logsource:
     category: firewall
 detection:

rules/network/net_susp_telegram_api.yml

@@ -9,6 +9,11 @@ references:
     - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
 author: Florian Roth
 date: 2018/06/05
+modified: 2020/08/27
+tags:
+    - attack.command_and_control
+    - attack.t1102 # an old one
+    - attack.t1102.002
 logsource:
     category: dns
 detection:

rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml

@@ -6,10 +6,11 @@ references:
     - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
 author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
 date: 2020/05/03
-modified: 2020/05/03
+modified: 2020/09/02
 tags:
     - attack.discovery
-    - attack.t1087
+    - attack.t1087 # an old one
+    - attack.t1087.002
     - attack.t1082
 logsource:
     product: zeek

rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml

@@ -7,9 +7,9 @@ references:
     - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
 tags:
     - attack.execution
-    - attack.t1035
+    - attack.t1035 # an old one
     - attack.t1047
-    - attack.t1053
+    - attack.t1053 # an old one
     - attack.t1053.002
     - attack.t1569.002
 logsource:

rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml

@@ -7,7 +7,7 @@ references:
     - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
 tags:
     - attack.persistence
-    - attack.t1004
+    - attack.t1004 # an old one
     - attack.t1547.004
 logsource:
     product: zeek

rules/network/zeek/zeek_http_executable_download_from_webdav.yml

@@ -7,12 +7,12 @@ references:
     - https://github.com/OTRF/detection-hackathon-apt29
 tags:
     - attack.command_and_control
-    - attack.t1043
-    - attack.t1571
+    - attack.t1105
 logsource:
     product: zeek
     service: http
 date: 2020/05/01
+modified: 2020/09/02
 detection:
     selection_webdav:
         - c-useragent: '*WebDAV*'

rules/network/zeek/zeek_rdp_public_listener.yml

@@ -5,7 +5,7 @@ description: Detects connections from routable IPs to an RDP listener - which is
 references:
     - https://attack.mitre.org/techniques/T1021/001/
 tags:
-    - attack.t1021
+    - attack.t1021 # an old one
     - attack.t1021.001
 author: 'Josh Brower @DefensiveDepth'
 date: 2020/08/22 

rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml

@@ -8,7 +8,7 @@ references:
 tags:
     - attack.lateral_movement
     - attack.persistence
-    - attack.t1053
+    - attack.t1053 # an old one
     - car.2013-05-004
     - car.2015-04-001
     - attack.t1053.002

rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml

@@ -7,7 +7,7 @@ references:
     - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
 tags:
     - attack.credential_access
-    - attack.t1003
+    - attack.t1003 # an old one
     - attack.t1003.002
     - attack.t1003.004
     - attack.t1003.003

rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml

@@ -7,7 +7,7 @@ references:
     - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml
 tags:
     - attack.lateral_movement
-    - attack.t1077
+    - attack.t1077 # an old one
     - attack.t1021.002
 logsource:
     product: zeek

rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml

@@ -7,7 +7,7 @@ references:
     - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml
 tags:
     - attack.lateral_movement
-    - attack.t1077
+    - attack.t1077 # an old one
     - attack.t1021.002
 logsource:
     product: zeek

rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml

@@ -7,7 +7,7 @@ references:
     - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
 tags:
     - attack.credential_access
-    - attack.t1003
+    - attack.t1003 # an old one
     - attack.t1003.002
     - attack.t1003.001
     - attack.t1003.003

rules/network/zeek/zeek_susp_kerberos_rc4.yml

@@ -7,7 +7,7 @@ references:
     - https://adsecurity.org/?p=3458
 tags:
     - attack.credential_access
-    - attack.t1208
+    - attack.t1208 # an old one
     - attack.t1558.003
 logsource:
     product: zeek

rules/proxy/proxy_apt40.yml

@@ -6,6 +6,14 @@ references:
     - Internal research from Florian Roth
 author: Thomas Patzke
 date: 2019/11/12
+modified: 2020/09/02
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
+    - attack.exfiltration
+    - attack.t1567.002
+    - attack.t1048  # an old one 
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_chafer_malware.yml

@@ -6,6 +6,10 @@ references:
     - https://securelist.com/chafer-used-remexi-malware/89538/
 author: Florian Roth
 date: 2019/01/31
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_cobalt_amazon.yml

@@ -7,8 +7,12 @@ references:
   - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
 author: Markus Neis
 date: 2019/11/12
+modified: 2020/09/02
 tags:
-  - attack.t1102
+  - attack.defense_evasion
+  - attack.command_and_control
+  - attack.t1071.001
+  - attack.t1043  # an old one
 logsource:
   category: proxy
 detection:

rules/proxy/proxy_cobalt_ocsp.yml

@@ -6,8 +6,12 @@ references:
     - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
 author: Markus Neis
 date: 2019/11/12
+modified: 2020/09/02
 tags:
-    - attack.t1102
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_cobalt_onedrive.yml

@@ -6,8 +6,12 @@ references:
     - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
 author: Markus Neis
 date: 2019/11/12
+modified: 2020/09/02
 tags:
-    - attack.t1102
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_download_susp_dyndns.yml

@@ -6,6 +6,12 @@ references:
     - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
+modified: 2020/09/03
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1105
+    - attack.t1568
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -9,7 +9,14 @@ references:
     - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth
 date: 2017/11/07
-modified: 2018/06/13
+modified: 2020/09/03
+tags:
+    - attack.initial_access
+    - attack.t1566
+    - attack.execution
+    - attack.t1203
+    - attack.t1204.002
+    - attack.t1204  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_download_susp_tlds_whitelist.yml

@@ -4,6 +4,14 @@ status: experimental
 description: Detects executable downloads from suspicious remote systems
 author: Florian Roth
 date: 2017/03/13
+modified: 2020/09/03
+tags:
+    - attack.initial_access
+    - attack.t1566
+    - attack.execution
+    - attack.t1203
+    - attack.t1204.002
+    - attack.t1204  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_downloadcradle_webdav.yml

@@ -6,6 +6,11 @@ references:
     - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth
 date: 2018/04/06
+modified: 2020/09/03
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_empire_ua_uri_combos.yml

@@ -6,6 +6,12 @@ references:
     - https://github.com/BC-SECURITY/Empire
 author: Florian Roth
 date: 2020/07/13
+modified: 2020/09/03
+tags:
+  - attack.defense_evasion
+  - attack.command_and_control
+  - attack.t1071.001
+  - attack.t1043  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_empty_ua.yml

@@ -6,6 +6,11 @@ references:
     - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+  - attack.defense_evasion
+  - attack.command_and_control
+  - attack.t1071.001
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_ios_implant.yml

@@ -7,6 +7,17 @@ references:
     - https://twitter.com/craiu/status/1167358457344925696
 author: Florian Roth
 date: 2019/08/30
+modified: 2020/09/03
+tags:
+    - attack.execution
+    - attack.t1203
+    - attack.collection
+    - attack.t1005
+    - attack.t1119
+    - attack.credential_access
+    - attack.t1528
+    - attack.t1552.001
+    - attack.t1081  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_powershell_ua.yml

@@ -6,6 +6,11 @@ references:
     - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 date: 2017/03/13
+modified: 2020/09/03
+tags:
+  - attack.defense_evasion
+  - attack.command_and_control
+  - attack.t1071.001
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_pwndrop.yml

@@ -6,6 +6,14 @@ references:
     - https://breakdev.org/pwndrop/
 author: Florian Roth
 date: 2020/04/15
+modified: 2020/09/03
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
+    - attack.t1102.001
+    - attack.t1102.003
+    - attack.t1102  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_raw_paste_service_access.yml

@@ -6,9 +6,15 @@ references:
     - https://www.virustotal.com/gui/domain/paste.ee/relations
 author: Florian Roth
 date: 2019/12/05
+modified: 2020/09/03
 tags:
-  - attack.t1102
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
+    - attack.t1102.001
+    - attack.t1102.003
     - attack.defense_evasion
+    - attack.t1102  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -6,6 +6,15 @@ references:
     - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 date: 2017/10/25
+tags:
+    - attack.initial_access
+    - attack.t1189
+    - attack.execution
+    - attack.t1204.002
+    - attack.t1204  # an old one
+    - attack.defense_evasion
+    - attack.t1036.005
+    - attack.t1036  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_telegram_api.yml

@@ -8,6 +8,14 @@ references:
     - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
 author: Florian Roth
 date: 2018/06/05
+modified: 2020/09/03
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
+    - attack.t1102.002
+    - attack.t1102  # an old one
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_turla_comrat.yml

@@ -6,7 +6,12 @@ references:
     - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth
 date: 2020/05/26
+modified: 2020/09/03
 tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
     - attack.g0010
 logsource:
     category: proxy

rules/proxy/proxy_ua_apt.yml

@@ -6,6 +6,10 @@ references:
     - Internal Research
 author: Florian Roth, Markus Neis
 date: 2019/11/12
+modified: 2020/09/03
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_ua_bitsadmin_susp_tld.yml

@@ -4,6 +4,14 @@ status: experimental
 description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
 author: Florian Roth
 date: 2019/03/07
+modified: 2020/09/03
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.t1197
+    - attack.s0190
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_ua_cryptominer.yml

@@ -7,6 +7,10 @@ references:
     - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
 author: Florian Roth
 date: 2019/10/21
+modified: 2020/09/03
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_ua_frameworks.yml

@@ -6,6 +6,10 @@ references:
     - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_ua_hacktool.yml

@@ -7,6 +7,12 @@ references:
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+    - attack.initial_access
+    - attack.t1190
+    - attack.credential_access
+    - attack.t1110
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_ua_malware.yml

@@ -10,6 +10,10 @@ references:
     - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_ua_suspicious.yml

@@ -6,6 +6,10 @@ references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 date: 2017/07/08
+modified: 2020/09/03
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
 logsource:
     category: proxy
 detection:

rules/proxy/proxy_ursnif_malware.yml

@@ -4,6 +4,16 @@ status: stable
 description: Detects download of Ursnif malware done by dropper documents.
 author: Thomas Patzke
 date: 2019/12/19
+modified: 2020/09/03
+tags:
+    - attack.initial_access
+    - attack.t1566.001
+    - attack.t1193  # an old one
+    - attack.execution
+    - attack.t1204.002
+    - attack.t1204  # an old one
+    - attack.command_and_control
+    - attack.t1071.001
 logsource:
   category: proxy
 detection:
@@ -27,6 +37,12 @@ description: Detects Ursnif C2 traffic.
 references:
   - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
 author: Thomas Patzke
+tags:
+  - attack.command_and_control
+  - attack.t1071.001
+  - attack.t1132
+  - attack.defense_evasion
+  - attack.t1027
 logsource:
   category: proxy
 detection:

rules/web/web_apache_segfault.yml

@@ -1,8 +1,13 @@
 title: Apache Segmentation Fault
 id: 1da8ce0b-855d-4004-8860-7d64d42063b1
-description: Detects a segmentation fault error message caused by a creashing apacke worker process
+description: Detects a segmentation fault error message caused by a creashing apache worker process
 author: Florian Roth
 date: 2017/02/28
+modified: 2020/09/03
+tags:
+    - attack.impact
+    - attack.t1499 # an old one
+    - attack.t1499.004
 references:
     - http://www.securityfocus.com/infocus/1633
 logsource:

rules/web/web_citrix_cve_2019_19781_exploit.yml

@@ -10,7 +10,10 @@ references:
 author: Arnim Rupp, Florian Roth
 status: experimental
 date: 2020/01/02
-modified: 2020/03/14
+modified: 2020/09/03
+tags:
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: webserver
     definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'

rules/web/web_cve_2018_2894_weblogic_exploit.yml

@@ -3,7 +3,7 @@ id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
 description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
 author: Florian Roth
 date: 2018/07/22
-modified: 2020/03/14
+modified: 2020/09/03
 status: experimental
 references:
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
@@ -22,12 +22,11 @@ fields:
 falsepositives:
     - Unknown
 tags:
-    - attack.t1100
+    - attack.t1100 # an old one
     - attack.t1190
     - attack.initial_access
     - attack.persistence
-    - attack.privilege_escalation
     - cve.2018-2894
-    - attack.t1505
+    - attack.t1505.003
 level: critical
 

rules/web/web_exchange_cve_2020_0688_exploit.yml

@@ -6,8 +6,10 @@ references:
   - https://github.com/Ridter/cve-2020-0688
 author: NVISO
 date: 2020/02/27
+modified: 2020/09/03
 tags:
-  - attack.t1210
+    - attack.initial_access
+    - attack.t1190
 logsource:
   category: webserver
 detection:

rules/web/web_multiple_suspicious_resp_codes_single_source.yml

@@ -3,7 +3,10 @@ id: 6fdfc796-06b3-46e8-af08-58f3505318af
 description: Detects possible exploitation activity or bugs in a web application
 author: Thomas Patzke
 date: 2017/02/19
-modified: 2020/03/14
+modified: 2020/09/03
+tags:
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: webserver
 detection:

rules/web/web_pulsesecure_cve-2019-11510.yml

@@ -5,7 +5,10 @@ references:
     - https://www.exploit-db.com/exploits/47297
 author: Florian Roth
 date: 2019/11/18
-modified: 2020/03/14
+modified: 2020/09/03
+tags:
+    - attack.initial_access
+    - attack.t1190
 logsource:
     category: webserver
 detection:

rules/web/web_source_code_enumeration.yml

@@ -3,6 +3,10 @@ id: 953d460b-f810-420a-97a2-cfca4c98e602
 description: Detects source code enumeration that use GET requests by keyword searches in URL strings
 author: James Ahearn
 date: 2019/06/08
+modified: 2020/09/03
+tags:
+    - attack.discovery
+    - attack.t1083
 references:
     - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
     - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1

rules/web/web_webshell_keyword.yml

@@ -3,6 +3,11 @@ id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
 description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
 date: 2017/02/19
+modified: 2020/09/03
+tags:
+    - attack.persistence
+    - attack.t1100 # an old one
+    - attack.t1505.003
 logsource:
     category: webserver
 detection:

rules/web/win_webshell_regeorg.yml

@@ -7,8 +7,8 @@ reference:
     - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
     - https://github.com/sensepost/reGeorg
 date: 2020/08/04
+modified: 2020/09/03
 tags:
-    - attack.privilege_escalation
     - attack.persistence
     - attack.t1100
     - attack.t1505.003

rules/windows/builtin/win_GPO_scheduledtasks.yml

@@ -9,7 +9,7 @@ references:
 tags:
     - attack.persistence
     - attack.lateral_movement
-    - attack.t1053
+    - attack.t1053          # an old one
     - attack.t1053.005
 logsource:
     product: windows

rules/windows/builtin/win_account_backdoor_dcsync_rights.yml

@@ -4,13 +4,14 @@ description: backdooring domain object to grant the rights associated with DCSyn
     Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
+modified: 2020/08/23
 author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
 references:
     - https://twitter.com/menasec1/status/1111556090137903104
     - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
 tags:
-    - attack.credential_access
     - attack.persistence
+    - attack.t1098
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_account_discovery.yml

@@ -5,10 +5,12 @@ references:
     - https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
 tags:
     - attack.discovery
-    - attack.t1087
+    - attack.t1087          # an old one
+    - attack.t1087.002
 status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
+modified: 2020/08/23
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_ad_object_writedac_access.yml

@@ -8,7 +8,8 @@ references:
     - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
 tags:
     - attack.defense_evasion
-    - attack.t1222
+    - attack.t1222          # an old one
+    - attack.t1222.001
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_ad_replication_non_machine_account.yml

@@ -3,13 +3,14 @@ id: 17d619c1-e020-4347-957e-1d1207455c93
 description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
 status: experimental
 date: 2019/07/26
-modified: 2020/03/02
+modified: 2020/08/23
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
     - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
 tags:
     - attack.credential_access
-    - attack.t1003
+    - attack.t1003          # an old one
+    - attack.t1003.006
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_ad_user_enumeration.yml

@@ -3,6 +3,7 @@ id: ab6bffca-beff-4baa-af11-6733f296d57a
 description: Detects access to a domain user from a non-machine account
 status: experimental
 date: 2020/03/30
+modified: 2020/08/23
 author: Maxime Thiebaut (@0xThiebaut)
 references:
     - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
@@ -10,7 +11,8 @@ references:
     - https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
 tags:
     - attack.discovery
-    - attack.t1087
+    - attack.t1087          # an old one
+    - attack.t1087.002
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_admin_rdp_login.yml

@@ -5,11 +5,15 @@ references:
     - https://car.mitre.org/wiki/CAR-2016-04-005
 tags:
     - attack.lateral_movement
-    - attack.t1078
+    - attack.t1078          # an old one
+    - attack.t1078.001
+    - attack.t1078.002
+    - attack.t1078.003
     - car.2016-04-005
 status: experimental
 author: juju4
 date: 2017/10/29
+modified: 2020/08/23
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_admin_share_access.yml

@@ -3,11 +3,12 @@ id: 098d7118-55bc-4912-a836-dc6483a8d150
 description: Detects access to $ADMIN share
 tags:
     - attack.lateral_movement
-    - attack.t1077
+    - attack.t1077          # an old one
     - attack.t1021.002
 status: experimental
 author: Florian Roth
 date: 2017/03/04
+modified: 2020/08/23
 logsource:
     product: windows
     service: security