mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
Merge pull request #1633 from leegengyu/art_convert_yaml_to_md
Convert ART reference links from .yaml to .md
commit ff0f1a0222
@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
logsource:
product: linux
@ -21,4 +21,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- attack.t1574.006
- attack.t1574.006
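Review bot: the two `- attack.t1574.006` lines shown in this hunk are identical, so whatever changed here is whitespace only (most likely a missing newline at end of file). That is fine, but the commit message only mentions converting .yaml links to .md, so a whitespace or newline cleanup deserves a mention there too.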
@ -6,7 +6,7 @@ description: Masquerading occurs when the name or location of an executable, leg
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
logsource:
product: linux
service: auditd
@ -6,7 +6,7 @@ description: Adversaries may use the information from System Owner/User Discover
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
logsource:
product: linux
service: auditd
@ -1,12 +1,12 @@
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
logsource:
product: linux
service: auditd
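Review bot: the description is reworded here (trailing period added) but `modified: 2019/11/04` is left untouched. Sigma rules carry a `modified` date so that consumers can tell the rule file changed, so bump it to the commit date. The same applies to every other rule in this patch whose description or falsepositives text changes while its `modified` line stays as it was.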
@ -24,8 +24,8 @@ detection:
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user
- Legitimate use of archiving tools by legitimate user.
level: low
tags:
- attack.exfiltration
- attack.t1560.001
- attack.t1560.001
@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
product: linux
service: auditd
@ -24,7 +24,7 @@ detection:
a3: '-i'
condition: selection1 or selection2
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reason
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
tags:
- attack.credential_access
@ -1,11 +1,11 @@
title: Remove Immutable File Attribute
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: experimental
description: Detects removing immutable file attribute
description: Detects removing immutable file attribute.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
logsource:
product: linux
service: auditd
@ -16,8 +16,8 @@ detection:
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (for instance backups)
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
tags:
- attack.defense_evasion
- attack.t1222.002
- attack.t1222.002
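Review bot: the new falsepositives entry reads `(e.g. for instance backups)`, which says the same thing twice, since "e.g." already means "for instance". Keep one of the two, for example `- Administrator interacting with immutable files (e.g. backups).`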
@ -1,11 +1,11 @@
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
status: stable
description: Detects overwriting (effectively wiping/deleting) the file
description: Detects overwriting (effectively wiping/deleting) of a file.
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
logsource:
product: linux
service: auditd
@ -18,10 +18,10 @@ detection:
- 'if=/dev/zero'
condition: selection
falsepositives:
- Appending null bytes to files
- Legitimate overwrite of files
- Appending null bytes to files.
- Legitimate overwrite of files.
level: low

tags:
- attack.impact
- attack.t1485
- attack.t1485
@ -1,11 +1,11 @@
title: File or Folder Permissions Change
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: experimental
description: Detects file and folder permission changes
description: Detects file and folder permission changes.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
logsource:
product: linux
service: auditd
@ -17,8 +17,8 @@ detection:
- 'chown'
condition: selection
falsepositives:
- User interacting with files permissions (normal/daily behaviour)
- User interacting with files permissions (normal/daily behaviour).
level: low
tags:
- attack.defense_evasion
- attack.t1222.002
- attack.t1222.002
@ -1,12 +1,12 @@
title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
status: experimental
description: Detects a reload or a start of a service
description: Detects a reload or a start of a service.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://attack.mitre.org/techniques/T1543/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
logsource:
product: linux
service: auditd
@ -19,9 +19,9 @@ detection:
- 'start'
condition: selection
falsepositives:
- Installation of legitimate service
- Legitimate reconfiguration of service
- Installation of legitimate service.
- Legitimate reconfiguration of service.
level: low
tags:
- attack.persistence
- attack.t1543.002
- attack.t1543.002
@ -13,7 +13,7 @@ author: Patrick Bareiss
date: 2019/03/24
modified: 2020/07/13
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md
- https://attack.mitre.org/techniques/T1070/003/
- https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
logsource:
@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2020/12/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
logsource:
product: windows
service: powershell
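Review bot: this hunk changes the technique, not just the file extension: `T1004/T1004.yaml` becomes `T1547.004/T1547.004.md`. The mapping is correct (T1004, Winlogon Helper DLL, was revoked into T1547.004), but it goes beyond what the commit message describes, so list the ID migrations in the message and confirm that the rule's `tags` block (outside this hunk) carries `attack.t1547.004` to match the new reference.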
@ -7,7 +7,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.comm
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
tags:
- attack.impact
@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md
logsource:
category: process_creation
product: windows
@ -1,12 +1,12 @@
title: Data Compressed - rar.exe
id: 6f3e2987-db24-4c78-a860-b4f4095a7095
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019/10/21
modified: 2020/08/29
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
logsource:
category: process_creation
@ -25,7 +25,7 @@ fields:
- ParentProcessGuid
- ParentCommandLine
falsepositives:
- highly likely if rar is default archiver in the monitored environment
- Highly likely if rar is a default archiver in the monitored environment.
level: low
tags:
- attack.exfiltration # an old one
@ -1,9 +1,9 @@
title: Domain Trust Discovery
id: 77815820-246c-47b8-9741-e0def3f57308
status: experimental
description: Detects a discovery of domain trusts
description: Detects a discovery of domain trusts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
@ -23,5 +23,5 @@ detection:
CommandLine|contains: 'domain_trusts'
condition: selection
falsepositives:
- Administration of systems
- Administration of systems.
level: medium
@ -1,15 +1,16 @@
title: File or Folder Permissions Modifications
id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
status: experimental
description: Detects a file or folder permissions modifications
description: Detects a file or folder's permissions being modified.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222.001
- attack.t1222 # an old one
logsource:
category: process_creation
product: windows
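Review bot: `- attack.t1222 # an old one` is misleading. Elsewhere in this patch that comment marks revoked IDs (`attack.t1050`, `attack.t1170`), but T1222 is the still-current parent technique of T1222.001, and before this change the rule's reference pointed at T1222 itself. Either keep `attack.t1222` without the comment (parent plus sub-technique tags is the usual Sigma pattern) or drop the tag, and reserve the "old one" comment for IDs that really are deprecated.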
@ -28,5 +29,5 @@ fields:
- User
- CommandLine
falsepositives:
- Users interacting with the files on their own (unlikely unless power users)
- Users interacting with the files on their own (unlikely unless privileged users).
level: medium
@ -4,7 +4,7 @@ description: Identifies usage of hh.exe executing recently modified .chm files.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
date: 2019/10/24
modified: 2019/11/11
@ -1,10 +1,10 @@
title: Indirect Command Execution
id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md
- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
date: 2019/10/24
modified: 2019/11/11
@ -26,6 +26,6 @@ fields:
- ParentCommandLine
- CommandLine
falsepositives:
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
- Legit usage of scripts
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.
- Legitimate usage of scripts.
level: low
@ -1,10 +1,10 @@
title: Interactive AT Job
id: 60fc936d-2eb0-4543-8a13-911c750a1dfc
description: Detect an interactive AT job, which may be used as a form of privilege escalation
description: Detect an interactive AT job, which may be used as a form of privilege escalation.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md
- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
date: 2019/10/24
modified: 2019/11/11
@ -6,7 +6,7 @@ author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2020/09/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
logsource:
category: process_creation
product: windows
@ -46,7 +46,7 @@ detection:
- '/scriptpath' # discovery only
- '/times' # discovery only
- '/workstations' # discovery only
condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)
condition: (selection_1 and not filter_1) or (selection_2 and not filter_2)
fields:
- Image
- CommandLine
@ -8,7 +8,7 @@ modified: 2019/11/11
references:
- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
tags:
- attack.credential_access
- attack.t1003.001
@ -1,13 +1,13 @@
title: Mshta JavaScript Execution
id: 67f113fa-e23d-4271-befa-30113b3e08b1
description: Identifies suspicious mshta.exe commands
description: Identifies suspicious mshta.exe commands.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2020/09/01
references:
- https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md
tags:
- attack.defense_evasion
- attack.t1170 # an old one
@ -4,7 +4,7 @@ status: stable
description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018/10/30
modified: 2019/11/11
@ -1,11 +1,11 @@
title: Net.exe User Account Creation
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
status: experimental
description: Identifies creation of local users via the net.exe command
description: Identifies creation of local users via the net.exe command.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018/10/30
modified: 2020/09/01
tags:
@ -29,6 +29,6 @@ fields:
- User
- CommandLine
falsepositives:
- Legit user creation
- Better use event ids for user creation rather than command line rules
- Legitimate user creation.
- Better use event IDs for user creation rather than command line rules.
level: medium
@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
category: process_creation
product: windows
@ -1,7 +1,7 @@
title: New Service Creation
id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
status: experimental
description: Detects creation of a new service
description: Detects creation of a new service.
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
@ -11,7 +11,7 @@ tags:
- attack.t1050 # an old one
- attack.t1543.003
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
logsource:
category: process_creation
product: windows
@ -25,5 +25,5 @@ detection:
CommandLine|contains: 'new-service'
condition: selection
falsepositives:
- Legitimate administrator or user creates a service for legitimate reason
- Legitimate administrator or user creates a service for legitimate reasons.
level: low
@ -1,12 +1,12 @@
title: Audio Capture via PowerShell
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
description: Detects audio capture via PowerShell Cmdlet
description: Detects audio capture via PowerShell Cmdlet.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
tags:
- attack.collection
@ -16,7 +16,7 @@ detection:
CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
- Legitimate audio capture by legitimate user.
level: medium
logsource:
category: process_creation
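Review bot: not introduced by this change, but since the file is being touched anyway: in this rule `falsepositives` and `level` come before `logsource`, whereas the other rules in this patch that show both keys place `logsource` ahead of `detection`. Moving the `logsource` block up would make the file consistent with the rest of the repository.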
@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md
logsource:
category: process_creation
product: windows
@ -1,12 +1,12 @@
title: Service Execution
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
status: experimental
description: Detects manual service execution (start) via system utilities
description: Detects manual service execution (start) via system utilities.
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md
logsource:
category: process_creation
product: windows
@ -18,7 +18,7 @@ detection:
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
condition: selection
falsepositives:
- Legitimate administrator or user executes a service for legitimate reason
- Legitimate administrator or user executes a service for legitimate reasons.
level: low
tags:
- attack.execution
@ -1,12 +1,12 @@
title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
description: Detect attacker collecting audio via SoundRecorder application
description: Detect attacker collecting audio via SoundRecorder application.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
tags:
- attack.collection
@ -20,5 +20,5 @@ detection:
CommandLine|contains: '/FILE'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
- Legitimate audio capture by legitimate user.
level: medium
@ -3,7 +3,7 @@ id: 24357373-078f-44ed-9ac4-6d334a668a11
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
tags:
- attack.persistence
- attack.t1547.001
@ -35,6 +35,6 @@ fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
level: medium
@ -1,9 +1,9 @@
title: Suspicious Eventlog Clear or Configuration Using Wevtutil
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)
description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, Daniil Yugoslavskiy, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
date: 2019/09/26
modified: 2019/11/11
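Review bot: good catch on `uwing` → `using`. While the description is being reworded anyway, `ransomwares during the attack (seen by NotPetya ...)` is also off, since ransomware is a mass noun: `Might be used by ransomware during an attack (seen with NotPetya and others).` reads better. The reference move from T1070 to T1070.001 (Clear Windows Event Logs) fits this rule.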
@ -1,13 +1,13 @@
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, E.M. Anhaus, oscd.community
date: 2019/09/26
modified: 2019/11/11
level: high
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
tags:
- attack.defense_evasion
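Review bot: in the new description `etc)` should be `etc.)`, and the same `ransomwares during the attack` wording noted on the wevtutil rule applies here too.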
@ -1,9 +1,9 @@
title: Suspicious Service Path Modification
id: 138d3531-8793-4f50-a2cd-f291b2863d78
description: Detects service path modification to powershell/cmd
description: Detects service path modification to PowerShell or cmd.
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
tags:
- attack.persistence
- attack.privilege_escalation
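Review bot: another technique migration rather than an extension swap: `T1031/T1031.yaml` becomes `T1543.003/T1543.003.md`. T1031 (Modify Existing Service) was folded into T1543.003, so the link is right; the `tags` block is cut off in this hunk, so check that it lists `attack.t1543.003` and not only a legacy `attack.t1031`.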
@ -1,13 +1,13 @@
title: XSL Script Processing
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
status: experimental
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
logsource:
category: process_creation
product: windows
@ -18,8 +18,8 @@ detection:
- Image|endswith: '\msxsl.exe'
condition: selection
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
- msxsl.exe is not installed by default so unlikely.
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- msxsl.exe is not installed by default, so unlikely.
level: medium
tags:
- attack.defense_evasion
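Review bot: the first falsepositives entry still reads `WMIC.exe FP depend on ...`, which is ungrammatical even with the added period. Suggest `- False positives for WMIC.exe depend on the scripts and administrative methods used in the monitored environment.`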