mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 17:45:23 +00:00
More fixes
This commit is contained in:
parent
b36ab8a526
commit
179961a9cd
@ -1,7 +1,7 @@
|
||||
| Title | DN_0005_7045_windows_service_insatalled |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | A service was installed in the system |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[None](None)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Windows Log |
|
||||
|
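Review bot: the new Logging Policy cell `<ul><li>[None](</li></ul>` is an unterminated Markdown link and will render as the literal text `[None](`; it also does not match the `{% else %} Not existing {% endif %}` branch added to the template in this same commit, so these generated files look stale and should be regenerated after the template change. Separately, the Title `DN_0005_7045_windows_service_insatalled` carries a typo (`insatalled`); since the title doubles as the file name, fixing it means a rename plus updating every `Data Needed` link that references it.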
@ -1,7 +1,7 @@
|
||||
| Title | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | Explicit modification of file creation timestamp by a process |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0008_4_windows_sysmon_sysmon_service_state_changed |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | Sysmon service changed status |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0009_5_windows_sysmon_process_terminated |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | Process has been terminated |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0010_6_windows_sysmon_driver_loaded |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0012_8_windows_sysmon_CreateRemoteThread |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | The CreateRemoteThread event detects when a process creates a thread in another process |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0013_9_windows_sysmon_RawAccessRead |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0016_12_windows_sysmon_RegistryEvent |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0016_13_windows_sysmon_RegistryEvent |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0018_14_windows_sysmon_RegistryEvent |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0019_15_windows_sysmon_FileCreateStreamHash |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0031_7036_service_started_stopped |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | Service entered the running/stopped state |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm](http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Windows Log |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0034_104_log_file_was_cleared |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | Windows log file was cleared |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[http://kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp](http://kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Windows Log |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0035_106_task_scheduler_task_registered |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | General Windows Task Registration |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774938(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774938(v=ws.10))</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0036_150_dns_server_could_not_load_dll |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | Windows DNS server could not load or initialize the plug-in DLL |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735829(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735829(v=ws.10))</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0080_5859_wmi_activity |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | WMI Event which provide ability to catch Timer-based WMI Events and provide usefult information for identification of suspicious WMI activity |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity](https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity)</li><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
@ -1,7 +1,7 @@
|
||||
| Title | DN_0081_5861_wmi_activity |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | WMI Event which provide ability to catch Timer-based WMI Events and provide usefult information for identification of suspicious WMI activity |
|
||||
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
|
||||
| Logging Policy | <ul><li>[None](</li></ul> |
|
||||
| References | <ul><li>[https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity](https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity)</li><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Applications and Services Logs |
|
||||
|
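Review bot: the Description for `DN_0081_5861_wmi_activity` is word-for-word identical to the one for `DN_0080_5859_wmi_activity` in the hunk above, so a reader cannot tell what distinguishes event 5861 from 5859; each entry should describe its own event. The sentence also needs grammar fixes (`which provide ability` → `which provides the ability`, `usefult` → `useful`). These are context lines, so a follow-up commit is fine.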
@ -3,7 +3,7 @@
|
||||
| Description | Detects WMI script event consumers |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1047](https://attack.mitre.org/tactics/T1047)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1047](../Triggering/T1047.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Legitimate event consumers</li></ul> |
|
||||
|
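Review bot: the only change in this hunk is the order of the three `Data Needed` entries, which suggests the generator emits them in a non-deterministic (set or dict) order; sorting the list before rendering would keep regenerated files stable and stop this kind of noise diff. While here, the ATT&CK Technique row links `T1047` to `https://attack.mitre.org/tactics/T1047`, but T1047 is a technique, so the URL should use the `techniques/` path.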
@ -102,6 +102,9 @@ class DataNeeded:
|
||||
|
||||
logging_policies = self.dn_fields.get("loggingpolicy")
|
||||
|
||||
if not logging_policies:
|
||||
logging_policies = ["None", ]
|
||||
|
||||
logging_policies_with_id = []
|
||||
|
||||
for lp in logging_policies:
|
||||
|
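Review bot: defaulting `logging_policies` to the sentinel string `"None"` pushes a magic value into the template, which then has to special-case `policy != "None"`, and it would silently misrender a real policy that happened to be named `None`. Prefer leaving the list empty (`logging_policies = []`) and letting the template handle the empty case, or at least hoist the sentinel into a named constant. Minor style point: `["None", ]` reads better as `["None"]`.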
@ -1,10 +1,10 @@
|
||||
| Title | {{ title }} |
|
||||
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
|
||||
| Description | {{ description }} |
|
||||
| Logging Policy | <ul>{% for policy in loggingpolicy %}<li>[{{ policy }}](../Logging_Policies/{{policy}}.md)</li>{% endfor %}</ul> |
|
||||
| Logging Policy | <ul>{% for policy in loggingpolicy %}<li>{% if policy != "None" %}[{{ policy }}](../Logging_Policies/{{policy}}.md){% else %} Not existing {% endif %}</li>{% endfor %}</ul> |
|
||||
| References | <ul>{% for ref in references %}<li>[{{ ref }}]({{ ref }})</li>{% endfor %}</ul> |
|
||||
| Platform | {{ platform }} |
|
||||
| Type | {{ type }} |
|
||||
| Type | {{ type }} |
|
||||
| Channel | {{ channel }} |
|
||||
| Provider | {{ provider }} |
|
||||
| Fields | <ul>{% for field in fields %}<li>{{ field }}</li>{% endfor %}</ul> |
|
||||
|
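Review bot: the `{% else %} Not existing {% endif %}` branch leaves a leading and trailing space inside the `<li>`, and the wording is awkward; `{% else %}None{% endif %}` (or `No logging policy`) would be cleaner. Note that none of the generated Data Needed files in this commit contain `Not existing`; they contain `[None](`, so they were not produced by this version of the template and need regenerating. The `| Type | {{ type }} |` row appears as both removed and added with no visible difference, which usually means a trailing-whitespace change; stripping trailing whitespace from the template would avoid that.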