update global id

This commit is contained in:
frack113 2021-09-02 21:03:25 +02:00
parent ac90ee0002
commit f90c7558a7
8 changed files with 22 additions and 9 deletions


@ -1,6 +1,5 @@
action: global
title: PowerShell Scripts Installed as Services
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
description: Detects powershell script installed as a Service
status: experimental
author: oscd.community, Natalia Shornikova
@ -21,6 +20,7 @@ falsepositives:
- Unknown
level: high
---
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
service_creation:
EventID: 7045
---
id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
logsource:
product: windows
service: sysmon
@ -35,6 +36,7 @@ detection:
service_creation:
EventID: 6
---
id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
logsource:
product: windows
service: security
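Review bot: The new per-document ids after the second and third `---` (`46deb5e1-28c9-4905-b2df-51cdcc9e6073` and `2a926e6a-4b81-4011-8a96-e36cc8c04302`) are introduced without any link back to the id they were split from, so consumers that keyed the Sysmon and Security variants on `a2e5019d-a658-4c6a-92bf-7197b54e2cae` lose that mapping. Where the project's schema supports it, each new document could carry `related:` / `- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae` / `  type: derived` immediately after its `id:` line, which is the Sigma convention for a rule derived from an existing one. The same remark applies to the other seven files in this commit, which follow the identical pattern (first document keeps the original id, later documents get fresh ids). The +/- markers are lost in this rendering, so whether the global section's `id:` line is removed or only moved cannot be confirmed from the page; the hunk counts (6 old / 5 new) are consistent with its removal.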


@ -1,6 +1,5 @@
action: global
title: Detected Windows Software Discovery
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
status: experimental
author: Nikita Nazarov, oscd.community
@ -17,6 +16,7 @@ falsepositives:
detection:
condition: 1 of them
---
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
logsource:
product: windows
service: powershell
@ -30,6 +30,7 @@ detection:
- 'select-object'
- 'format-table'
---
id: e13f668e-7f95-443d-98d2-1816a7648a7b
logsource:
category: process_creation
product: windows


@ -1,6 +1,5 @@
action: global
title: Regsvr32 Network Activity
id: c7e91a02-d771-4a6d-a700-42587e0b1095
description: Detects network connections and DNS queries initiated by Regsvr32.exe
references:
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
@ -31,10 +30,12 @@ falsepositives:
- unknown
level: high
---
id: c7e91a02-d771-4a6d-a700-42587e0b1095
logsource:
category: network_connection
product: windows
---
id: 36e037c4-c228-4866-b6a3-48eb292b9955
logsource:
category: dns_query
product: windows


@ -1,6 +1,5 @@
action: global
title: Windows Defender Threat Detection Disabled
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
description: Detects disabling Windows Defender threat protection
date: 2020/07/28
modified: 2021/07/05
@ -16,7 +15,8 @@ tags:
falsepositives:
- Administrator actions
level: high
---
---
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
logsource:
product: windows
service: windefend
@ -35,6 +35,7 @@ detection:
Details: 'DWORD (0x00000001)'
condition: 1 of them
---
id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
logsource:
product: windows
category: registry_event
@ -45,6 +46,7 @@ detection:
Details: 'DWORD (0x00000001)'
condition: tamper_registry
---
id: 6c0a7755-6d31-44fa-80e1-133e57752680
logsource:
product: windows
category: system
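Review bot: Two consecutive `---` lines appear between `level: high` and the `id: fe34868f-6e0e-4882-81f6-c43aa8f15b62` document; if both survive on the new side they delimit an empty YAML document, which `yaml.safe_load_all` yields as `None` and which a rule loader would then see as a rule with no fields. The hunk header reports 7 old / 8 new lines across 9 printed lines, so exactly one printed line is removed and two are added, but the rendering does not show which, so this may be the removed line or a pre-existing duplicate. The new side should contain a single `---` followed by the `id:` line; the other files in this commit show only one separator at that position.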


@ -1,6 +1,5 @@
action: global
title: PsExec Tool Execution
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
status: experimental
description: Detects PsExec service installation and execution events (service and Sysmon)
author: Thomas Patzke
@ -28,6 +27,7 @@ falsepositives:
- unknown
level: low
---
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
logsource:
product: windows
service: system
@ -40,6 +40,7 @@ detection:
EventID: 7036
ServiceName: 'PSEXESVC'
---
id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
logsource:
category: process_creation
product: windows
@ -50,6 +51,7 @@ detection:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
---
id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
logsource:
category: pipe_created
product: windows
@ -57,6 +59,7 @@ detection:
sysmon_pipecreated:
PipeName: '\PSEXESVC'
---
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
logsource:
category: file_event
product: windows


@ -1,6 +1,5 @@
action: global
title: WMI Persistence
id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
status: experimental
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
@ -18,6 +17,7 @@ falsepositives:
- Unknown (data set is too small; further testing needed)
level: medium
---
id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
logsource:
product: windows
service: wmi #native windows detection
@ -34,6 +34,7 @@ detection:
EventID: 5859
condition: (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration)
---
id: f033f3f3-fd24-4995-97d8-a3bb17550a88
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Abusing Windows Telemetry For Persistence
id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
status: experimental
description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
references:
@ -22,6 +21,7 @@ falsepositives:
- none
level: high
---
id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
logsource:
product: windows
category: registry_event
@ -32,6 +32,7 @@ detection:
Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$'
condition: selection
---
id: f548a603-c9f2-4c89-b511-b089f7e94549
logsource:
product: windows
category: process_creation


@ -1,6 +1,5 @@
action: global
title: Pingback Backdoor
id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
status: experimental
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
author: Bhabesh Raj
@ -15,6 +14,7 @@ tags:
- attack.persistence
- attack.t1574.001
---
id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
logsource:
product: windows
category: file_event
@ -24,6 +24,7 @@ detection:
TargetFilename: 'C:\Windows\oci.dll'
condition: selection
---
id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
logsource:
product: windows
category: image_load
@ -33,6 +34,7 @@ detection:
ImageLoaded: 'C:\Windows\oci.dll'
condition: selection
---
id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
logsource:
product: windows
category: process_creation