mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 09:35:21 +00:00
decrease verbosity
This commit is contained in:
parent
81a482d9a2
commit
86f88f6bb9
@ -3,7 +3,7 @@
|
||||
| Description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Penetration testing</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects keywords from well-known PowerShell exploitation frameworks |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Penetration tests</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1096: NTFS File Attributes](https://attack.mitre.org/techniques/T1096)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1096: NTFS File Attributes](../Triggers/T1096.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious PowerShell download command |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>PowerShell scripts that download content from the Internet</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious PowerShell invocation command parameters |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Penetration tests</li><li>Very special / sneaky PowerShell scripts</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious PowerShell invocation command parameters |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Penetration tests</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Penetration tests</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands. |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1191: CMSTP](https://attack.mitre.org/techniques/T1191)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1191: CMSTP](../Triggers/T1191.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Legitimate CMSTP use (unlikely in modern enterprise environments)</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects creation or execution of UserInitMprLogonScript persistence method |
|
||||
| ATT&CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1037: Logon Scripts](https://attack.mitre.org/techniques/T1037)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1037: Logon Scripts](../Triggers/T1037.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>exclude legitimate logon scripts</li><li>penetration tests, red teaming</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects the creation of a named pipe used by known APT malware |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>Unkown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
|
||||
| ATT&CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1015: Accessibility Features](https://attack.mitre.org/techniques/T1015)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1015: Accessibility Features](../Triggers/T1015.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>Unlikely</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects the usage of Sysinternals Tools due to accepteula key beeing added to Registry |
|
||||
| ATT&CK Tactic | <ul></ul> |
|
||||
| ATT&CK Technique | <ul></ul> |
|
||||
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | There is no Trigger for this technique yet. |
|
||||
| Severity Level | low |
|
||||
| False Positives | <ul><li>Legitimate use of SysInternals tools</li><li>Programs that use the same Registry Key</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects creation of WMI event subscription persistence method |
|
||||
| ATT&CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](https://attack.mitre.org/techniques/T1084)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0022_19_windows_sysmon_WmiEvent](../Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md)</li><li>[DN_0024_21_windows_sysmon_WmiEvent](../Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md)</li><li>[DN_0023_20_windows_sysmon_WmiEvent](../Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0024_21_windows_sysmon_WmiEvent](../Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md)</li><li>[DN_0023_20_windows_sysmon_WmiEvent](../Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md)</li><li>[DN_0022_19_windows_sysmon_WmiEvent](../Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](../Triggers/T1084.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>exclude legitimate (vetted) use of WMI event subscription in your network</li></ul> |
|
||||
|
File diff suppressed because one or more lines are too long
@ -3,7 +3,7 @@
|
||||
| Description | Detects usage of cmdkey to look for cached credentials |
|
||||
| ATT&CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
|
||||
| Severity Level | low |
|
||||
| False Positives | <ul><li>Legitimate administrative tasks.</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1211: Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1211: Exploitation for Defense Evasion](../Triggers/T1211.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1203: Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1203: Exploitation for Client Execution](../Triggers/T1203.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects command line parameters used by Rubeus hack tool |
|
||||
| ATT&CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>unlikely</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects MSHTA.EXE spwaned by SVCHOST described in report |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1170: Mshta](../Triggers/T1170.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects javaw.exe in AppData folder as used by Adwind / JRAT |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | This method detects well-known keywords of malicious services in the Windows System Eventlog |
|
||||
| ATT&CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li><li>[DN_0063_4697_service_was_installed_in_the_system](../Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md)</li><li>[DN_0083_16_access_history_in_hive_was_cleared](../Data_Needed/DN_0083_16_access_history_in_hive_was_cleared.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0063_4697_service_was_installed_in_the_system](../Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md)</li><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li><li>[DN_0083_16_access_history_in_hive_was_cleared](../Data_Needed/DN_0083_16_access_history_in_hive_was_cleared.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unlikely</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a command that clears the WMI trace log which indicates LockaerGoga ransomware activity |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects WannaCry Ransomware Activity |
|
||||
| ATT&CK Tactic | <ul></ul> |
|
||||
| ATT&CK Technique | <ul></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | There is no Trigger for this technique yet. |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects typical Dridex process patterns |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>Unlikely</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1085: Rundll32](../Triggers/T1085.md)</li><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>Admin activity</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects wscript/cscript executions of scripts located in user directories |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Winzip</li><li>Other self-extractors</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects WannaCry ransomware activity via Sysmon |
|
||||
| ATT&CK Tactic | <ul></ul> |
|
||||
| ATT&CK Technique | <ul></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | There is no Trigger for this technique yet. |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>Diskpart.exe usage to manage partitions on the local hard drive</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects process injection using the signed Windows tool Mavinject32.exe |
|
||||
| ATT&CK Tactic | <ul></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a Windows command line executable started from MSHTA. |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1170: Mshta](../Triggers/T1170.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Printer software / driver installations</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects multiple suspicious process in a limited timeframe |
|
||||
| ATT&CK Tactic | <ul></ul> |
|
||||
| ATT&CK Technique | <ul></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | There is no Trigger for this technique yet. |
|
||||
| Severity Level | low |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects netsh commands that configure a port forwarding |
|
||||
| ATT&CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1090: Connection Proxy](https://attack.mitre.org/techniques/T1090)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1090: Connection Proxy](../Triggers/T1090.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Legitimate administration</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects netsh commands that configure a port forwarding of port 3389 used for RDP |
|
||||
| ATT&CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1021: Remote Services](../Triggers/T1021.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Legitimate administration</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects execution of executables that can be used to bypass Applocker whitelisting |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1118: InstallUtil](https://attack.mitre.org/techniques/T1118)</li><li>[T1121: Regsvcs/Regasm](https://attack.mitre.org/techniques/T1121)</li><li>[T1127: Trusted Developer Utilities](https://attack.mitre.org/techniques/T1127)</li><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1118: InstallUtil](../Triggers/T1118.md)</li><li>[T1121: Regsvcs/Regasm](../Triggers/T1121.md)</li><li>[T1127: Trusted Developer Utilities](../Triggers/T1127.md)</li><li>[T1170: Mshta](../Triggers/T1170.md)</li></ul> |
|
||||
| Severity Level | low |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li><li>Using installutil to add features for .NET applications (primarly would occur in developer environments)</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects Request to amsiInitFailed that can be used to disable AMSI Scanning |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects Base64 encoded Shellcode |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | critical |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a Powershell process that contains download commands in its command line string |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious PowerShell invocation with a parameter substring |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Penetration tests</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects usage of bitsadmin downloading a file |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1197: BITS Jobs](https://attack.mitre.org/techniques/T1197)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1197: BITS Jobs](../Triggers/T1197.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Some legitimate apps use this, but limited.</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\* |
|
||||
| ATT&CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1138: Application Shimming](https://attack.mitre.org/techniques/T1138)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1138: Application Shimming](../Triggers/T1138.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li><li>[T1105: Remote File Copy](https://attack.mitre.org/techniques/T1105)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li><li>[T1105: Remote File Copy](../Triggers/T1105.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration |
|
||||
| ATT&CK Tactic | <ul></ul> |
|
||||
| ATT&CK Technique | <ul></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | There is no Trigger for this technique yet. |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious process that use escape characters |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul> |
|
||||
| Severity Level | low |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>High</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a set of commands often used in recon stages by different attack groups |
|
||||
| ATT&CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li><li>[T1082: System Information Discovery](https://attack.mitre.org/techniques/T1082)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1087: Account Discovery](../Triggers/T1087.md)</li><li>[T1082: System Information Discovery](../Triggers/T1082.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li><li>[T1085: Rundll32](../Triggers/T1085.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a suspicious parent of csc.exe, which could by a sign of payload delivery |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unkown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects process starts of binaries from a suspicious folder |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a suspicious exection from an uncommon folder |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a suspicious program execution in a web service root folder (filter out false positives) |
|
||||
| ATT&CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Various applications</li><li>Tools that include ping or nslookup command invocations</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Execution of tools named GUP.exe and located in folders different than Notepad++\updater</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious IIS native-code module installations via command line |
|
||||
| ATT&CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Unknown as it may vary from organisation to arganisation how admins use to install IIS modules</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Processes started by MMC could be a sign of lateral movement using MMC application COM object |
|
||||
| ATT&CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1175: Distributed Component Object Model](https://attack.mitre.org/techniques/T1175)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1175: Distributed Component Object Model](../Triggers/T1175.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious msiexec process starts with web addreses as parameter |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | There is no Trigger for this technique yet. |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects execution of Net.exe, whether suspicious or benign. |
|
||||
| ATT&CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
|
||||
| ATT&CK Technique | <ul></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | There is no Trigger for this technique yet. |
|
||||
| Severity Level | low |
|
||||
| False Positives | <ul><li>Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) |
|
||||
| ATT&CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>NTDS maintenance</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects EnableUnsafeClientMailRules used for Script Execution from Outlook |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a ping command that uses a hex encoded IP address |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unlikely, because no sane admin pings IP addresses in a hexadecimal form</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious powershell process starts with base64 encoded commands |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>GRR powershell hacks</li><li>PowerSponse Deployments</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects base64 encoded strings used in hidden malicious PowerShell command lines |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Penetration tests</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Unlikely, because no one should dump an lsass process memory</li><li>Another tool that uses the command line switches of Procdump</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious process starts on Windows systems based on keywords |
|
||||
| ATT&CK Tactic | <ul></ul> |
|
||||
| ATT&CK Technique | <ul></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | There is no Trigger for this technique yet. |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects programs running in suspicious files system locations |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Administrative scripts</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious process related to rasdial.exe |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious command line activity on Windows systems |
|
||||
| ATT&CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1087: Account Discovery](../Triggers/T1087.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Inventory tool runs</li><li>Penetration tests</li><li>Administrative activity</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects various anomalies in relation to regsvr32.exe |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1117: Regsvr32](https://attack.mitre.org/techniques/T1117)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1117: Regsvr32](../Triggers/T1117.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious process run from unusual locations |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious process related to rundll32 based on arguments |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1085: Rundll32](../Triggers/T1085.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious file execution by wscript and cscript |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a suspicious svchost process start |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | There is no Trigger for this technique yet. |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects Access to Domain Group Policies stored in SYSVOL |
|
||||
| ATT&CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>administrative activity</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects the creation of a process from Windows task manager |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | low |
|
||||
| False Positives | <ul><li>Administrative activity</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a suspicious RDP session redirect using tscon.exe |
|
||||
| ATT&CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1076: Remote Desktop Protocol](../Triggers/T1076.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely |
|
||||
| ATT&CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Administrative activity</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators |
|
||||
| ATT&CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1033: System Owner/User Discovery](https://attack.mitre.org/techniques/T1033)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1033: System Owner/User Discovery](../Triggers/T1033.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Admin activity</li><li>Scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects WMI executing suspicious commands |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>Will need to be tuned</li><li>If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a Windows program executable started in a suspicious folder |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Exotic software</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects PsExec service installation and execution events (service and Sysmon) |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1035: Service Execution](https://attack.mitre.org/techniques/T1035)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0031_7036_service_started_stopped](../Data_Needed/DN_0031_7036_service_started_stopped.md)</li><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0031_7036_service_started_stopped](../Data_Needed/DN_0031_7036_service_started_stopped.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1035: Service Execution](../Triggers/T1035.md)</li></ul> |
|
||||
| Severity Level | low |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects a JAVA process running with remote debugging allowing more than just localhost to connect |
|
||||
| ATT&CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1046: Network Service Scanning](https://attack.mitre.org/techniques/T1046)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1046: Network Service Scanning](../Triggers/T1046.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects certain command line parameters often used during reconnaissance activity via web shells |
|
||||
| ATT&CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>unknown</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack |
|
||||
| ATT&CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Particular web applications may spawn a shell process legitimately</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher) |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0081_5861_wmi_activity](../Data_Needed/DN_0081_5861_wmi_activity.md)</li><li>[DN_0080_5859_wmi_activity](../Data_Needed/DN_0080_5859_wmi_activity.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0080_5859_wmi_activity](../Data_Needed/DN_0080_5859_wmi_activity.md)</li><li>[DN_0081_5861_wmi_activity](../Data_Needed/DN_0081_5861_wmi_activity.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Unknown (data set is too small; further testing needed)</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects WMI script event consumers |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Legitimate event consumers</li></ul> |
|
||||
|
@ -3,7 +3,7 @@
|
||||
| Description | Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1127: Trusted Developer Utilities](https://attack.mitre.org/techniques/T1127)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
|
||||
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
|
||||
| Trigger | <ul><li>[T1127: Trusted Developer Utilities](../Triggers/T1127.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | <ul><li>Legitimate MWC use (unlikely in modern enterprise environments)</li></ul> |
|
||||
|
@ -80,7 +80,8 @@ class DetectionRule:
|
||||
# prepare command to execute from shell
|
||||
# (yes, we know)
|
||||
cmd = ATCconfig.get('sigmac_path') + " -t " + \
|
||||
query + " --ignore-backend-errors " + self.yaml_file
|
||||
query + " --ignore-backend-errors " + self.yaml_file + \
|
||||
" 2> /dev/null"
|
||||
|
||||
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
|
||||
|
||||
@ -179,7 +180,8 @@ class DetectionRule:
|
||||
|
||||
for output in outputs:
|
||||
cmd = ATCconfig.get('sigmac_path') + " -t " + \
|
||||
output + " --ignore-backend-errors " + self.yaml_file
|
||||
output + " --ignore-backend-errors " + self.yaml_file + \
|
||||
" 2> /dev/null"
|
||||
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
|
||||
(query, err) = p.communicate()
|
||||
# Wait for date to terminate. Get return returncode ##
|
||||
|
@ -20,7 +20,6 @@ import sys
|
||||
import traceback
|
||||
import os
|
||||
|
||||
|
||||
ATCconfig = ATCutils.load_config("config.yml")
|
||||
|
||||
|
||||
@ -136,7 +135,7 @@ class PopulateConfluence:
|
||||
|
||||
ATCutils.push_to_confluence(confluence_data, self.apipath,
|
||||
self.auth)
|
||||
print("Done: ", tg.fields["attack_technique"])
|
||||
# print("Done: ", tg.fields["attack_technique"])
|
||||
except Exception as err:
|
||||
print(tg_file + " failed")
|
||||
print("Err message: %s" % err)
|
||||
@ -170,7 +169,7 @@ class PopulateConfluence:
|
||||
|
||||
ATCutils.push_to_confluence(confluence_data, self.apipath,
|
||||
self.auth)
|
||||
print("Done: ", lp.fields['title'])
|
||||
# print("Done: ", lp.fields['title'])
|
||||
except Exception as err:
|
||||
print(lp_file + " failed")
|
||||
print("Err message: %s" % err)
|
||||
@ -204,7 +203,7 @@ class PopulateConfluence:
|
||||
ATCutils.push_to_confluence(confluence_data, self.apipath,
|
||||
self.auth)
|
||||
|
||||
print("Done: ", dn.dn_fields['title'])
|
||||
# print("Done: ", dn.dn_fields['title'])
|
||||
except Exception as err:
|
||||
print(dn_file + " failed")
|
||||
print("Err message: %s" % err)
|
||||
@ -280,7 +279,7 @@ class PopulateConfluence:
|
||||
|
||||
ATCutils.push_to_confluence(confluence_data, self.apipath,
|
||||
self.auth)
|
||||
print("Done: ", en.en_parsed_file['title'])
|
||||
# print("Done: ", en.en_parsed_file['title'])
|
||||
except Exception as err:
|
||||
print(en_file + " failed")
|
||||
print("Err message: %s" % err)
|
||||
@ -314,7 +313,7 @@ class PopulateConfluence:
|
||||
|
||||
ATCutils.push_to_confluence(confluence_data, self.apipath,
|
||||
self.auth)
|
||||
print("Done: ", ra.ra_parsed_file['title'])
|
||||
# print("Done: ", ra.ra_parsed_file['title'])
|
||||
except Exception as err:
|
||||
print(ra_file + " failed")
|
||||
print("Err message: %s" % err)
|
||||
@ -352,7 +351,7 @@ class PopulateConfluence:
|
||||
|
||||
ATCutils.push_to_confluence(confluence_data, self.apipath,
|
||||
self.auth)
|
||||
print("Done: ", rp.rp_parsed_file['title'])
|
||||
# print("Done: ", rp.rp_parsed_file['title'])
|
||||
except Exception as err:
|
||||
print(rp_file + " failed")
|
||||
print("Err message: %s" % err)
|
||||
@ -388,7 +387,7 @@ class PopulateConfluence:
|
||||
|
||||
ATCutils.push_to_confluence(confluence_data, self.apipath,
|
||||
self.auth)
|
||||
print("Done: ", cu.title)
|
||||
# print("Done: ", cu.title)
|
||||
except Exception as err:
|
||||
print(cu_file + " failed")
|
||||
print("Err message: %s" % err)
|
||||
|
@ -100,6 +100,7 @@ class PopulateMarkdown:
|
||||
def triggers(self, tg_path):
|
||||
"""Populate triggers"""
|
||||
|
||||
print("Populating Triggers..")
|
||||
if self.art_dir and self.atc_dir:
|
||||
r = ATCutils.populate_tg_markdown(art_dir=self.art_dir,
|
||||
atc_dir=self.atc_dir)
|
||||
@ -113,11 +114,13 @@ class PopulateMarkdown:
|
||||
else:
|
||||
r = ATCutils.populate_tg_markdown()
|
||||
|
||||
print("Triggers populated!")
|
||||
return r
|
||||
|
||||
def logging_policy(self, lp_path):
|
||||
"""Desc"""
|
||||
|
||||
print("Populating Logging Policies..")
|
||||
if lp_path:
|
||||
lp_list = glob.glob(lp_path + '*.yml')
|
||||
else:
|
||||
@ -135,9 +138,12 @@ class PopulateMarkdown:
|
||||
traceback.print_exc(file=sys.stdout)
|
||||
print('-' * 60)
|
||||
|
||||
print("Logging Policies populated!")
|
||||
|
||||
def data_needed(self, dn_path):
|
||||
"""Desc"""
|
||||
|
||||
print("Populating Data Needed..")
|
||||
if dn_path:
|
||||
dn_list = glob.glob(dn_path + '*.yml')
|
||||
else:
|
||||
@ -154,9 +160,12 @@ class PopulateMarkdown:
|
||||
print('-' * 60)
|
||||
traceback.print_exc(file=sys.stdout)
|
||||
print('-' * 60)
|
||||
print("Data Needed populated!")
|
||||
|
||||
def detection_rule(self, dr_path):
|
||||
"""Desc"""
|
||||
|
||||
print("Populating Detection Rules..")
|
||||
if dr_path:
|
||||
dr_list = glob.glob(dr_path + '*.yml')
|
||||
else:
|
||||
@ -180,10 +189,12 @@ class PopulateMarkdown:
|
||||
print('-' * 60)
|
||||
traceback.print_exc(file=sys.stdout)
|
||||
print('-' * 60)
|
||||
print("Detection Rules populated!")
|
||||
|
||||
def enrichment(self, en_path):
|
||||
"""Nothing here yet"""
|
||||
|
||||
print("Populating Enrichments..")
|
||||
if en_path:
|
||||
en_list = glob.glob(en_path + '*.yml')
|
||||
else:
|
||||
@ -200,10 +211,12 @@ class PopulateMarkdown:
|
||||
print('-' * 60)
|
||||
traceback.print_exc(file=sys.stdout)
|
||||
print('-' * 60)
|
||||
print("Enrichments populated!")
|
||||
|
||||
def response_action(self, ra_path):
|
||||
"""Nothing here yet"""
|
||||
|
||||
print("Populating Response Actions..")
|
||||
if ra_path:
|
||||
ra_list = glob.glob(ra_path + '*.yml')
|
||||
else:
|
||||
@ -220,10 +233,12 @@ class PopulateMarkdown:
|
||||
print('-' * 60)
|
||||
traceback.print_exc(file=sys.stdout)
|
||||
print('-' * 60)
|
||||
print("Response Actions populated!")
|
||||
|
||||
def response_playbook(self, rp_path):
|
||||
"""Nothing here yet"""
|
||||
|
||||
print("Populating Response Playbooks..")
|
||||
if rp_path:
|
||||
rp_list = glob.glob(rp_path + '*.yml')
|
||||
else:
|
||||
@ -240,10 +255,12 @@ class PopulateMarkdown:
|
||||
print('-' * 60)
|
||||
traceback.print_exc(file=sys.stdout)
|
||||
print('-' * 60)
|
||||
print("Response Playbooks populated!")
|
||||
|
||||
def customer(self, cu_path):
|
||||
"""Nothing here yet"""
|
||||
|
||||
print("Populating Customers..")
|
||||
if cu_path:
|
||||
cu_list = glob.glob(cu_path + '*.yml')
|
||||
else:
|
||||
@ -261,3 +278,4 @@ class PopulateMarkdown:
|
||||
print('-' * 60)
|
||||
traceback.print_exc(file=sys.stdout)
|
||||
print('-' * 60)
|
||||
print("Customers populated!")
|
||||
|
@ -1 +1 @@
|
||||
Subproject commit d2581114020d2f38f0a72e6a30176bb6cdcee69c
|
||||
Subproject commit 16f6b633ce6dfbd50187a8969e746953365b3613
|
Loading…
Reference in New Issue
Block a user