valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 09:35:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

general update:

Browse Source 
- DN calc function updated, fixed incorrect calc for multiple DRs
- updated all LPs with a preparation for a new feature (sucess/fail LP config calculcation per DR/EID)
- all the stuff (md/confluence) has been updated according to changes

updated with a log source sample:

- DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.yml
- DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.yml
- DN_0049_1034_dhcp_service_failed_to_load_callout_dlls.yml

created:

- DN_0086_4720_user_account_was_created.yml
- DN_0087_5156_windows_filtering_platform_has_permitted_connection.yml
- DN_0088_4616_system_time_was_changed.yml
- DN_0089_56_terminal_server_security_layer_detected_an_error.yml
- DN_0090_50_terminal_server_security_layer_detected_an_error.yml
- LP_0045_windows_audit_filtering_platform_connection.yml
- LP_0046_windows_audit_security_state_change.yml
This commit is contained in:
yugoslavskiy 2019-07-12 06:38:49 +03:00
parent 0228f6db6b
commit 68d4929a53
156 changed files with 742 additions and 347 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1203: Exploitation for Client Execution](../Triggers/T1203.md)</li><li>[T1219: Remote Access Tools](../Triggers/T1219.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul> |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul> |
| Author | Florian Roth |

8
Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md
View File

@ -1,14 +1,14 @@
| Title | Antivirus Relevant File Paths Alerts |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects an Antivirus alert in a highly relevant file path or with a relevant file name |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0084_av_alert](../Data_Needed/DN_0084_av_alert.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul> |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/av_webshell.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/](https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/)</li></ul> |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md
View File

@ -3,7 +3,7 @@
| Description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md
View File

@ -3,7 +3,7 @@
| Description | Detects keywords from well-known PowerShell exploitation frameworks |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md
View File

@ -3,7 +3,7 @@
| Description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1096: NTFS File Attributes](https://attack.mitre.org/techniques/T1096)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1096: NTFS File Attributes](../Triggers/T1096.md)</li></ul> |
| Severity Level | high |

4
Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
View File

@ -3,13 +3,13 @@
| Description | Detects suspicious PowerShell download command |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>PowerShell scripts that download content from the Internet</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

4
Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md
View File

@ -3,13 +3,13 @@
| Description | Detects suspicious PowerShell invocation command parameters |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li><li>Very special / sneaky PowerShell scripts</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth (rule) |

4
Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md
View File

@ -3,13 +3,13 @@
| Description | Detects suspicious PowerShell invocation command parameters |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth (rule) |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md
View File

@ -3,7 +3,7 @@
| Description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_xor_commandline.md
View File

@ -9,7 +9,7 @@
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Sami Ruohonen |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md
View File

@ -3,7 +3,7 @@
| Description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1191: CMSTP](https://attack.mitre.org/techniques/T1191)</li></ul> |
| Data Needed | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1191: CMSTP](../Triggers/T1191.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_dns_serverlevelplugindll.md
View File

@ -3,7 +3,7 @@
| Description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript.md
View File

@ -3,7 +3,7 @@
| Description | Detects creation or execution of UserInitMprLogonScript persistence method |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1037: Logon Scripts](https://attack.mitre.org/techniques/T1037)</li></ul> |
| Data Needed | <ul><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1037: Logon Scripts](../Triggers/T1037.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md
View File

@ -3,7 +3,7 @@
| Description | Detects the creation of a named pipe used by known APT malware |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
| Data Needed | <ul><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li></ul> |
| Data Needed | <ul><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
| Severity Level | critical |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_detection_lsass.md
View File

@ -10,7 +10,7 @@
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow](https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow)</li><li>[https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html](https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html)</li></ul> |
| Author | Author of this Detection Rule haven't introduced himself. |
| Author | Author of this Detection Rule haven't introduced himself |
| Other Tags | <ul><li>attack.s0002</li><li>attack.s0002</li><li>car.2019-04-004</li><li>car.2019-04-004</li></ul> |
## Detection Rules

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_inmemory_detection.md
View File

@ -10,7 +10,7 @@
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/](https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/)</li></ul> |
| Author | Author of this Detection Rule haven't introduced himself. |
| Author | Author of this Detection Rule haven't introduced himself |
| Other Tags | <ul><li>attack.s0002</li><li>attack.s0002</li><li>car.2019-04-004</li><li>car.2019-04-004</li></ul> |
## Detection Rules

6
Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_settings_hijack.md
View File

@ -2,13 +2,13 @@
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects changes to RDP terminal service sensitive settings |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html](https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html)</li></ul> |
| Author | Samir Bousseaden |

6
Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_psexec.md
View File

@ -1,11 +1,11 @@
| Title | Renamed PsExec |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the execution of a renamed PsExec often used by attackers or malware |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
| False Positives | <ul><li>Software that illegaly integrates PsExec in a renamed form</li><li>Administrators that have renamed PsExec and no one knows why</li></ul> |
| Development Status | experimental |

4
Atomic_Threat_Coverage/Detection_Rules/sysmon_stickykey_like_backdoor.md
View File

@ -3,12 +3,12 @@
| Description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
| ATT&amp;CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1015: Accessibility Features](https://attack.mitre.org/techniques/T1015)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1015: Accessibility Features](../Triggers/T1015.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/](https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)</li></ul> |
| Author | Florian Roth, @twjackomo |
| Other Tags | <ul><li>car.2014-11-003</li><li>car.2014-11-003</li><li>car.2014-11-008</li><li>car.2014-11-008</li></ul> |

4
Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_driver_load.md
View File

@ -8,8 +8,8 @@
| Trigger | <ul><li>[T1050: New Service](../Triggers/T1050.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>there is a relevant set of false positives depending on applications in the environment</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

6
Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_prog_location_network_connection.md
View File

@ -1,11 +1,11 @@
| Title | Suspicious Program Location with Network Connections |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects programs with network connections running in suspicious files system locations |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |

8
Atomic_Threat_Coverage/Detection_Rules/sysmon_sysinternals_eula_accepted.md
View File

@ -1,11 +1,11 @@
| Title | Usage of Sysinternals Tools |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the usage of Sysinternals Tools due to accepteula key being added to Registry |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | low |
| False Positives | <ul><li>Legitimate use of SysInternals tools</li><li>Programs that use the same Registry Key</li></ul> |
| Development Status | experimental |

8
Atomic_Threat_Coverage/Detection_Rules/sysmon_tsclient_filewrite_startup.md
View File

@ -1,15 +1,15 @@
| Title | Hijack legit RDP session to move laterally |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Samir Bousseaden |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_eventvwr.md
View File

@ -3,7 +3,7 @@
| Description | Detects UAC bypass method using Windows event viewer |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1088: Bypass User Account Control](../Triggers/T1088.md)</li></ul> |
| Severity Level | critical |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_win_reg_persistence.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1183: Image File Execution Options Injection](../Triggers/T1183.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/](https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/)</li></ul> |
| Author | Karneades |
| Other Tags | <ul><li>car.2013-01-002</li><li>car.2013-01-002</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1053: Scheduled Task](../Triggers/T1053.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://twitter.com/menasec1/status/1106899890377052160](https://twitter.com/menasec1/status/1106899890377052160)</li></ul> |
| Author | Samir Bousseaden |

4
Atomic_Threat_Coverage/Detection_Rules/win_account_backdoor_dcsync_rights.md
View File

@ -2,10 +2,10 @@
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0026_5136_windows_directory_service_object_was_modified](../Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | critical |
| False Positives | <ul><li>New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.</li></ul> |
| Development Status | experimental |

2
Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md
View File

@ -9,7 +9,7 @@
| Severity Level | low |
| False Positives | <ul><li>Legitimate administrative activity</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_alert_active_directory_user_control.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1078: Valid Accounts](../Triggers/T1078.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/](https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/)</li></ul> |
| Author | @neu5ron |

4
Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md
View File

@ -3,12 +3,12 @@
| Description | Detects scenarios where one can control another users or computers account without having to use their credentials. |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098)</li></ul> |
| Data Needed | <ul><li>[DN_0026_5136_windows_directory_service_object_was_modified](../Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md)</li><li>[DN_0027_4738_user_account_was_changed](../Data_Needed/DN_0027_4738_user_account_was_changed.md)</li></ul> |
| Data Needed | <ul><li>[DN_0027_4738_user_account_was_changed](../Data_Needed/DN_0027_4738_user_account_was_changed.md)</li><li>[DN_0026_5136_windows_directory_service_object_was_modified](../Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1098: Account Manipulation](../Triggers/T1098.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://msdn.microsoft.com/en-us/library/cc220234.aspx](https://msdn.microsoft.com/en-us/library/cc220234.aspx)</li><li>[https://adsecurity.org/?p=3466](https://adsecurity.org/?p=3466)</li><li>[https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/](https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/)</li></ul> |
| Author | @neu5ron |

2
Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1089: Disabling Security Tools](../Triggers/T1089.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://adsecurity.org/?p=2053](https://adsecurity.org/?p=2053)</li><li>[https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)</li></ul> |
| Author | @neu5ron |

6
Atomic_Threat_Coverage/Detection_Rules/win_alert_hacktool_use.md
View File

@ -3,13 +3,13 @@
| Description | This method detects well-known keywords, certain field combination that appear in Windows Eventlog when certain hack tools are used |
| ATT&amp;CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li><li>[T1114: Email Collection](https://attack.mitre.org/techniques/T1114)</li><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li></ul> |
| Data Needed | <ul><li>[DN_0057_4625_account_failed_to_logon](../Data_Needed/DN_0057_4625_account_failed_to_logon.md)</li><li>[DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account](../Data_Needed/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md)</li><li>[DN_0004_4624_windows_account_logon](../Data_Needed/DN_0004_4624_windows_account_logon.md)</li></ul> |
| Data Needed | <ul><li>[DN_0057_4625_account_failed_to_logon](../Data_Needed/DN_0057_4625_account_failed_to_logon.md)</li><li>[DN_0004_4624_windows_account_logon](../Data_Needed/DN_0004_4624_windows_account_logon.md)</li><li>[DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account](../Data_Needed/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1087: Account Discovery](../Triggers/T1087.md)</li><li>[T1075: Pass the Hash](../Triggers/T1075.md)</li><li>[T1114: Email Collection](../Triggers/T1114.md)</li><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md
View File

@ -3,7 +3,7 @@
| Description | Detects Access to LSASS Process |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| Data Needed | There is no documented Data Needed for this Detection Rule yet |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | high |

6
Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md
View File

File diff suppressed because one or more lines are too long

2
Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1053: Scheduled Task](../Triggers/T1053.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>pentesting</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html](https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html)</li></ul> |
| Author | Samir Bousseaden |
| Other Tags | <ul><li>car.2013-05-004</li><li>car.2013-05-004</li><li>car.2015-04-001</li><li>car.2015-04-001</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md
View File

@ -9,7 +9,7 @@
| Severity Level | low |
| False Positives | <ul><li>igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)</li><li>msiexec.exe hiding desktop.ini</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Sami Ruohonen |

12
Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md
View File

@ -1,15 +1,15 @@
| Title | Relevant Anti-Virus Event |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | This detection method points out highly relevant Antivirus events |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | There is no documented Data Needed for this Detection Rule yet |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
| False Positives | <ul><li>Some software piracy tools (key generators, cracks) are classified as hack tools</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1054: Indicator Blocking](../Triggers/T1054.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://bit.ly/WinLogsZero2Hero](https://bit.ly/WinLogsZero2Hero)</li></ul> |
| Author | @neu5ron |

4
Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md
View File

@ -7,8 +7,8 @@
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li></ul> |
| Severity Level | high |
| False Positives | There are no documented False Positives for this Detection Rule yet. |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| False Positives | There are no documented False Positives for this Detection Rule yet |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil)</li><li>[https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml)</li><li>[https://abuse.io/lockergoga.txt](https://abuse.io/lockergoga.txt)</li></ul> |
| Author | @neu5ron, Florian Roth |
| Other Tags | <ul><li>car.2016-04-002</li><li>car.2016-04-002</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1203: Exploitation for Client Execution](../Triggers/T1203.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100](https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100)</li><li>[https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100](https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100)</li></ul> |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>unlikely</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/](https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/)</li></ul> |
| Author | Florian Roth |
| Other Tags | <ul><li>attack.s0005</li><li>attack.s0005</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1077: Windows Admin Shares](../Triggers/T1077.md)</li><li>[T1035: Service Execution](../Triggers/T1035.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Penetration Test</li><li>Unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)</li></ul> |
| Author | Omer Faruk Celik |

2
Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>pentesting</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html](https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html)</li></ul> |
| Author | Samir Bousseaden |

2
Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1077: Windows Admin Shares](../Triggers/T1077.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>update the excluded named pipe to filter out any newly observed legit named pipe</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://twitter.com/menasec1/status/1104489274387451904](https://twitter.com/menasec1/status/1104489274387451904)</li></ul> |
| Author | Samir Bousseaden |

4
Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md
View File

@ -3,11 +3,11 @@
| Description | Detects javaw.exe in AppData folder as used by Adwind / JRAT |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | high |
| False Positives | There are no documented False Positives for this Detection Rule yet. |
| False Positives | There are no documented False Positives for this Detection Rule yet |
| Development Status | experimental |
| References | <ul><li>[https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100](https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100)</li><li>[https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf](https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf)</li></ul> |
| Author | Florian Roth, Tom Ueltschi |

6
Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md
View File

@ -3,13 +3,13 @@
| Description | This method detects well-known keywords of malicious services in the Windows System Eventlog |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0063_4697_service_was_installed_in_the_system](../Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md)</li><li>[DN_0083_16_access_history_in_hive_was_cleared](../Data_Needed/DN_0083_16_access_history_in_hive_was_cleared.md)</li><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li></ul> |
| Data Needed | <ul><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li><li>[DN_0063_4697_service_was_installed_in_the_system](../Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md)</li><li>[DN_0083_16_access_history_in_hive_was_cleared](../Data_Needed/DN_0083_16_access_history_in_hive_was_cleared.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |
| Other Tags | <ul><li>attack.s0005</li><li>attack.s0005</li></ul> |

4
Atomic_Threat_Coverage/Detection_Rules/win_mal_lockergoga.md
View File

@ -7,8 +7,8 @@
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | high |
| False Positives | There are no documented False Positives for this Detection Rule yet. |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| False Positives | There are no documented False Positives for this Detection Rule yet |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://abuse.io/lockergoga.txt](https://abuse.io/lockergoga.txt)</li></ul> |
| Author | Florian Roth |

4
Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md
View File

@ -8,8 +8,8 @@
| Trigger | <ul><li>[T1050: New Service](../Triggers/T1050.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Penetration testing</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |
| Other Tags | <ul><li>car.2013-09-005</li><li>car.2013-09-005</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md
View File

@ -3,7 +3,7 @@
| Description | Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0061_4660_object_was_deleted](../Data_Needed/DN_0061_4660_object_was_deleted.md)</li><li>[DN_0058_4656_handle_to_an_object_was_requested](../Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md)</li><li>[DN_0060_4658_handle_to_an_object_was_closed](../Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md)</li><li>[DN_0062_4663_attempt_was_made_to_access_an_object](../Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md)</li></ul> |
| Data Needed | <ul><li>[DN_0060_4658_handle_to_an_object_was_closed](../Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md)</li><li>[DN_0058_4656_handle_to_an_object_was_requested](../Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md)</li><li>[DN_0061_4660_object_was_deleted](../Data_Needed/DN_0061_4660_object_was_deleted.md)</li><li>[DN_0062_4663_attempt_was_made_to_access_an_object](../Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | critical |

2
Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md
View File

@ -9,7 +9,7 @@
| Severity Level | high |
| False Positives | <ul><li>Winzip</li><li>Other self-extractors</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Margaritis Dimitrios (idea), Florian Roth (rule) |

6
Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md
View File

@ -1,11 +1,11 @@
| Title | WannaCry Ransomware |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects WannaCry ransomware activity |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | critical |
| False Positives | <ul><li>Diskpart.exe usage to manage partitions on the local hard drive</li></ul> |
| Development Status | experimental |

2
Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md
View File

@ -1,7 +1,7 @@
| Title | MavInject Process Injection |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects process injection using the signed Windows tool Mavinject32.exe |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |

6
Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
View File

@ -1,11 +1,11 @@
| Title | Quick Execution of a Series of Suspicious Commands |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects multiple suspicious process in a limited timeframe |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | low |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
| Development Status | experimental |

4
Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md
View File

@ -3,12 +3,12 @@
| Description | Detects post exploitation using NetNTLM downgrade attacks |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1212: Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0059_4657_registry_value_was_modified](../Data_Needed/DN_0059_4657_registry_value_was_modified.md)</li></ul> |
| Data Needed | <ul><li>[DN_0059_4657_registry_value_was_modified](../Data_Needed/DN_0059_4657_registry_value_was_modified.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1212: Exploitation for Credential Access](../Triggers/T1212.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks](https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks)</li></ul> |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md
View File

@ -3,7 +3,7 @@
| Description | Detects the attack technique pass the hash which is used to move laterally inside the network |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li></ul> |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| Data Needed | <ul><li>[DN_0057_4625_account_failed_to_logon](../Data_Needed/DN_0057_4625_account_failed_to_logon.md)</li><li>[DN_0004_4624_windows_account_logon](../Data_Needed/DN_0004_4624_windows_account_logon.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1075: Pass the Hash](../Triggers/T1075.md)</li></ul> |
| Severity Level | medium |

2
Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md
View File

@ -3,7 +3,7 @@
| Description | Detects the attack technique pass the hash which is used to move laterally inside the network |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li></ul> |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| Data Needed | <ul><li>[DN_0004_4624_windows_account_logon](../Data_Needed/DN_0004_4624_windows_account_logon.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1075: Pass the Hash](../Triggers/T1075.md)</li></ul> |
| Severity Level | medium |

2
Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md
View File

@ -3,7 +3,7 @@
| Description | Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md
View File

@ -7,7 +7,7 @@
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | There are no documented False Positives for this Detection Rule yet. |
| False Positives | There are no documented False Positives for this Detection Rule yet |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/mattifestation/status/735261176745988096](https://twitter.com/mattifestation/status/735261176745988096)</li><li>[https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120](https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120)</li></ul> |
| Author | Markus Neis |

2
Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md
View File

@ -9,7 +9,7 @@
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

4
Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md
View File

@ -8,8 +8,8 @@
| Trigger | <ul><li>[T1035: Service Execution](../Triggers/T1035.md)</li></ul> |
| Severity Level | low |
| False Positives | <ul><li>Administrative activity</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |
| Other Tags | <ul><li>attack.s0029</li><li>attack.s0029</li></ul> |

6
Atomic_Threat_Coverage/Detection_Rules/win_ransomware_shadowcopy.md
View File

@ -1,11 +1,11 @@
| Title | Ransomware Deleting Shadow Volume Copies |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a command that deletes all local shadow volume copies as often used by Ransomware |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | critical |
| False Positives | <ul><li>Adminsitrative scripts - e.g. to prepare image for golden image creation</li></ul> |
| Development Status | experimental |

2
Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
View File

@ -9,7 +9,7 @@
| Severity Level | low |
| False Positives | <ul><li>Software installation</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |
| Other Tags | <ul><li>attack.s0111</li><li>attack.s0111</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md
View File

@ -9,7 +9,7 @@
| Severity Level | low |
| False Positives | <ul><li>Software installation</li><li>Software updates</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |
| Other Tags | <ul><li>car.2013-08-001</li><li>car.2013-08-001</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md
View File

@ -9,7 +9,7 @@
| Severity Level | low |
| False Positives | <ul><li>Software installation</li><li>Software updates</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |
| Other Tags | <ul><li>car.2013-09-005</li><li>car.2013-09-005</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1210: Exploitation of Remote Services](../Triggers/T1210.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://twitter.com/AdamTheAnalyst/status/1134394070045003776](https://twitter.com/AdamTheAnalyst/status/1134394070045003776)</li><li>[https://github.com/zerosum0x0/CVE-2019-0708](https://github.com/zerosum0x0/CVE-2019-0708)</li></ul> |
| Author | Florian Roth (rule), Adam Bradbury (idea) |
| Other Tags | <ul><li>car.2013-07-002</li><li>car.2013-07-002</li></ul> |

6
Atomic_Threat_Coverage/Detection_Rules/win_rdp_potential_cve-2019-0708.md
View File

@ -2,10 +2,10 @@
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detect suspicious error on protocol RDP, potential CVE-2019-0708 |
| ATT&amp;CK Tactic | <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul> |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | There is no documented Data Needed for this Detection Rule yet |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
| False Positives | <ul><li>Bad connections or network interruptions</li></ul> |
| Development Status | experimental |

2
Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md
View File

@ -3,7 +3,7 @@
| Description | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li></ul> |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| Data Needed | There is no documented Data Needed for this Detection Rule yet |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1076: Remote Desktop Protocol](../Triggers/T1076.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md
View File

@ -3,7 +3,7 @@
| Description | An attacker can use the SID history attribute to gain additional privileges. |
| ATT&amp;CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1178: SID-History Injection](https://attack.mitre.org/techniques/T1178)</li></ul> |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| Data Needed | There is no documented Data Needed for this Detection Rule yet |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1178: SID-History Injection](../Triggers/T1178.md)</li></ul> |
| Severity Level | medium |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md
View File

@ -3,7 +3,7 @@
| Description | Detects backup catalog deletions |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1107: File Deletion](https://attack.mitre.org/techniques/T1107)</li></ul> |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| Data Needed | There is no documented Data Needed for this Detection Rule yet |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1107: File Deletion](../Triggers/T1107.md)</li></ul> |
| Severity Level | medium |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md
View File

@ -7,7 +7,7 @@
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li><li>[T1067: Bootkit](../Triggers/T1067.md)</li></ul> |
| Severity Level | medium |
| False Positives | There are no documented False Positives for this Detection Rule yet. |
| False Positives | There are no documented False Positives for this Detection Rule yet |
| Development Status | experimental |
| References | <ul><li>[https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set)</li></ul> |
| Author | @neu5ron |

6
Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md
View File

@ -1,11 +1,11 @@
| Title | Certutil Encode |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md
View File

@ -3,7 +3,7 @@
| Description | This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| Data Needed | There is no documented Data Needed for this Detection Rule yet |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
| Severity Level | critical |

4
Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md
View File

@ -3,12 +3,12 @@
| Description | Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns |
| ATT&amp;CK Tactic | <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1193: Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1193: Spearphishing Attachment](../Triggers/T1193.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html](https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html)</li><li>[https://twitter.com/blackorbird/status/1140519090961825792](https://twitter.com/blackorbird/status/1140519090961825792)</li></ul> |
| Author | Florian Roth (rule), @blu3_team (idea) |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://twitter.com/deviouspolack/status/832535435960209408](https://twitter.com/deviouspolack/status/832535435960209408)</li><li>[https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100](https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100)</li></ul> |
| Author | Florian Roth |
| Other Tags | <ul><li>car.2016-04-002</li><li>car.2016-04-002</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md
View File

@ -3,7 +3,7 @@
| Description | Detects process starts of binaries from a suspicious folder |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |

4
Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md
View File

@ -3,13 +3,13 @@
| Description | Detects a suspicious exection from an uncommon folder |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md
View File

@ -9,7 +9,7 @@
| Severity Level | medium |
| False Positives | <ul><li>Various applications</li><li>Tools that include ping or nslookup command invocations</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1078: Valid Accounts](../Triggers/T1078.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>User using a disabled account</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://twitter.com/SBousseaden/status/1101431884540710913](https://twitter.com/SBousseaden/status/1101431884540710913)</li></ul> |
| Author | Florian Roth |

4
Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logons_single_source.md
View File

@ -8,8 +8,8 @@
| Trigger | <ul><li>[T1078: Valid Accounts](../Triggers/T1078.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Terminal servers</li><li>Jump servers</li><li>Other multiuser systems like Citrix server farms</li><li>Workstations with frequently changing users</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md
View File

@ -3,7 +3,7 @@
| Description | Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
| Severity Level | high |

4
Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md
View File

@ -8,8 +8,8 @@
| Trigger | <ul><li>[T1078: Valid Accounts](../Triggers/T1078.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Administrative activity via KVM or ILO board</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

6
Atomic_Threat_Coverage/Detection_Rules/win_susp_kerberos_manipulation.md
View File

@ -3,13 +3,13 @@
| Description | This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1212: Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)</li></ul> |
| Data Needed | <ul><li>[DN_0076_4768_kerberos_authentication_ticket_was_requested](../Data_Needed/DN_0076_4768_kerberos_authentication_ticket_was_requested.md)</li><li>[DN_0078_4771_kerberos_pre_authentication_failed](../Data_Needed/DN_0078_4771_kerberos_pre_authentication_failed.md)</li><li>[DN_0077_4769_kerberos_service_ticket_was_requested](../Data_Needed/DN_0077_4769_kerberos_service_ticket_was_requested.md)</li></ul> |
| Data Needed | <ul><li>[DN_0078_4771_kerberos_pre_authentication_failed](../Data_Needed/DN_0078_4771_kerberos_pre_authentication_failed.md)</li><li>[DN_0077_4769_kerberos_service_ticket_was_requested](../Data_Needed/DN_0077_4769_kerberos_service_ticket_was_requested.md)</li><li>[DN_0076_4768_kerberos_authentication_ticket_was_requested](../Data_Needed/DN_0076_4768_kerberos_authentication_ticket_was_requested.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1212: Exploitation for Credential Access](../Triggers/T1212.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Faulty legacy applications</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md
View File

@ -10,7 +10,7 @@
| False Positives | <ul><li>Unkown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://twitter.com/jackcr/status/807385668833968128](https://twitter.com/jackcr/status/807385668833968128)</li></ul> |
| Author | Author of this Detection Rule haven't introduced himself. |
| Author | Author of this Detection Rule haven't introduced himself |
## Detection Rules

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_mmc_source.md
View File

@ -10,7 +10,7 @@
| False Positives | <ul><li>unknown</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/)</li></ul> |
| Author | Author of this Detection Rule haven't introduced himself. |
| Author | Author of this Detection Rule haven't introduced himself |
| Other Tags | <ul><li>car.2013-02-003</li><li>car.2013-02-003</li></ul> |
## Detection Rules

4
Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md
View File

@ -2,10 +2,10 @@
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects suspicious msiexec process starts with web addreses as parameter |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
| Development Status | experimental |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md
View File

@ -3,7 +3,7 @@
| Description | This rule detects a suspicious crash of the Microsoft Malware Protection Engine |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1089: Disabling Security Tools](https://attack.mitre.org/techniques/T1089)</li><li>[T1211: Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)</li></ul> |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| Data Needed | There is no documented Data Needed for this Detection Rule yet |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1089: Disabling Security Tools](../Triggers/T1089.md)</li><li>[T1211: Exploitation for Defense Evasion](../Triggers/T1211.md)</li></ul> |
| Severity Level | high |

4
Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md
View File

@ -2,10 +2,10 @@
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects execution of Net.exe, whether suspicious or benign. |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | low |
| False Positives | <ul><li>Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.</li></ul> |
| Development Status | experimental |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md
View File

@ -3,7 +3,7 @@
| Description | Detects activity as "net user administrator /domain" and "net group domain admins /domain" |
| ATT&amp;CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li><li>[T1069: Permission Groups Discovery](https://attack.mitre.org/techniques/T1069)</li></ul> |
| Data Needed | There is no documented Data Needed for this Detection Rule yet. |
| Data Needed | <ul><li>[DN_0029_4661_handle_to_an_object_was_requested](../Data_Needed/DN_0029_4661_handle_to_an_object_was_requested.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1087: Account Discovery](../Triggers/T1087.md)</li><li>[T1069: Permission Groups Discovery](../Triggers/T1069.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unlikely, because no sane admin pings IP addresses in a hexadecimal form</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna](https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna)</li><li>[https://twitter.com/vysecurity/status/977198418354491392](https://twitter.com/vysecurity/status/977198418354491392)</li></ul> |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_lanuch.md
View File

@ -7,7 +7,7 @@
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | critical |
| False Positives | There are no documented False Positives for this Detection Rule yet. |
| False Positives | There are no documented False Positives for this Detection Rule yet |
| Development Status | experimental |
| References | <ul><li>[https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165](https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165)</li><li>[https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191](https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191)</li><li>[https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178](https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178)</li></ul> |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md
View File

@ -7,7 +7,7 @@
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | There are no documented False Positives for this Detection Rule yet. |
| False Positives | There are no documented False Positives for this Detection Rule yet |
| Development Status | experimental |
| References | <ul><li>[https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e](https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e)</li></ul> |
| Author | Florian Roth, Markus Neis |

6
Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md
View File

@ -1,11 +1,11 @@
| Title | Suspicious Process Creation |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects suspicious process starts on Windows systems based on keywords |
| ATT&amp;CK Tactic | There is no documented ATT&amp;CK Tactic for this Detection Rule. |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Tactic | This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
| Development Status | experimental |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md
View File

@ -3,7 +3,7 @@
| Description | Detects programs running in suspicious files system locations |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md
View File

@ -8,7 +8,7 @@
| Trigger | <ul><li>[T1077: Windows Admin Shares](../Triggers/T1077.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>nothing observed so far</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | <ul><li>[https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html](https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html)</li></ul> |
| Author | Samir Bousseaden |

8
Atomic_Threat_Coverage/Detection_Rules/win_susp_raccess_sensitive_fext.md
View File

@ -2,14 +2,14 @@
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects known sensitive file extensions |
| ATT&amp;CK Tactic | <ul><li>[TA0009: Collection](https://attack.mitre.org/tactics/TA0009)</li></ul> |
| ATT&amp;CK Technique | There is no documented ATT&amp;CK Technique for this Detection Rule. |
| ATT&amp;CK Technique | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| Data Needed | <ul><li>[DN_0032_5145_network_share_object_was_accessed_detailed](../Data_Needed/DN_0032_5145_network_share_object_was_accessed_detailed.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | There is no Trigger for this technique yet. |
| Trigger | There is no documented Trigger for this Detection Rule yet |
| Severity Level | high |
| False Positives | <ul><li>Help Desk operator doing backup or re-imaging end user machine or pentest or backup software</li></ul> |
| Development Status | Development Status for this Detection Rule has not been defined yet. |
| References | There are no documented References for this Detection Rule yet. |
| Development Status | Development Status wasn't defined for this Detection Rule yet |
| References | There are no documented References for this Detection Rule yet |
| Author | Samir Bousseaden |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md
View File

@ -10,7 +10,7 @@
| False Positives | <ul><li>Service accounts used on legacy systems (e.g. NetApp)</li><li>Windows Domains with DFL 2003 and legacy systems</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://adsecurity.org/?p=3458](https://adsecurity.org/?p=3458)</li><li>[https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity](https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity)</li></ul> |
| Author | Author of this Detection Rule haven't introduced himself. |
| Author | Author of this Detection Rule haven't introduced himself |
## Detection Rules

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md
View File

@ -9,7 +9,7 @@
| Severity Level | medium |
| False Positives | <ul><li>Inventory tool runs</li><li>Penetration tests</li><li>Administrative activity</li></ul> |
| Development Status | experimental |
| References | There are no documented References for this Detection Rule yet. |
| References | There are no documented References for this Detection Rule yet |
| Author | Florian Roth |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process run from unusual locations |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Enrichment | Data for this Detection Rule doesn't require any Enrichments. |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | medium |

Some files were not shown because too many files have changed in this diff Show More