valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 09:35:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

decrease verbosity

Browse Source
This commit is contained in:
Wydra Mateusz 2019-04-01 21:15:31 +02:00
parent 81a482d9a2
commit 86f88f6bb9
97 changed files with 124 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md
View File

@ -3,7 +3,7 @@
| Description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration testing</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md
View File

@ -3,7 +3,7 @@
| Description | Detects keywords from well-known PowerShell exploitation frameworks |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md
View File

@ -3,7 +3,7 @@
| Description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1096: NTFS File Attributes](https://attack.mitre.org/techniques/T1096)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Trigger | <ul><li>[T1096: NTFS File Attributes](../Triggers/T1096.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious PowerShell download command |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>PowerShell scripts that download content from the Internet</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious PowerShell invocation command parameters |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li><li>Very special / sneaky PowerShell scripts</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious PowerShell invocation command parameters |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md
View File

@ -3,7 +3,7 @@
| Description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li></ul> |
| Data Needed | <ul><li>[DN_0037_4103_windows_powershell_executing_pipeline](../Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md)</li><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/powershell_xor_commandline.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands. |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md
View File

@ -3,7 +3,7 @@
| Description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1191: CMSTP](https://attack.mitre.org/techniques/T1191)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li></ul> |
| Trigger | <ul><li>[T1191: CMSTP](../Triggers/T1191.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Legitimate CMSTP use (unlikely in modern enterprise environments)</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_dns_serverlevelplugindll.md
View File

@ -3,7 +3,7 @@
| Description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript.md
View File

@ -3,7 +3,7 @@
| Description | Detects creation or execution of UserInitMprLogonScript persistence method |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1037: Logon Scripts](https://attack.mitre.org/techniques/T1037)</li></ul> |
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Trigger | <ul><li>[T1037: Logon Scripts](../Triggers/T1037.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>exclude legitimate logon scripts</li><li>penetration tests, red teaming</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md
View File

@ -3,7 +3,7 @@
| Description | Detects the creation of a named pipe used by known APT malware |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
| Data Needed | <ul><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li></ul> |
| Data Needed | <ul><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li></ul> |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unkown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_stickykey_like_backdoor.md
View File

@ -3,7 +3,7 @@
| Description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
| ATT&amp;CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1015: Accessibility Features](https://attack.mitre.org/techniques/T1015)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1015: Accessibility Features](../Triggers/T1015.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_sysinternals_eula_accepted.md
View File

@ -3,7 +3,7 @@
| Description | Detects the usage of Sysinternals Tools due to accepteula key beeing added to Registry |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | low |
| False Positives | <ul><li>Legitimate use of SysInternals tools</li><li>Programs that use the same Registry Key</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md
View File

@ -3,7 +3,7 @@
| Description | Detects creation of WMI event subscription persistence method |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](https://attack.mitre.org/techniques/T1084)</li></ul> |
| Data Needed | <ul><li>[DN_0022_19_windows_sysmon_WmiEvent](../Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md)</li><li>[DN_0024_21_windows_sysmon_WmiEvent](../Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md)</li><li>[DN_0023_20_windows_sysmon_WmiEvent](../Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md)</li></ul> |
| Data Needed | <ul><li>[DN_0024_21_windows_sysmon_WmiEvent](../Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md)</li><li>[DN_0023_20_windows_sysmon_WmiEvent](../Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md)</li><li>[DN_0022_19_windows_sysmon_WmiEvent](../Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md)</li></ul> |
| Trigger | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](../Triggers/T1084.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>exclude legitimate (vetted) use of WMI event subscription in your network</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md
View File

File diff suppressed because one or more lines are too long

2
Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md
View File

@ -3,7 +3,7 @@
| Description | Detects usage of cmdkey to look for cached credentials |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | low |
| False Positives | <ul><li>Legitimate administrative tasks.</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md
View File

@ -3,7 +3,7 @@
| Description | Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md
View File

@ -3,7 +3,7 @@
| Description | Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md
View File

@ -3,7 +3,7 @@
| Description | Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1211: Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1211: Exploitation for Defense Evasion](../Triggers/T1211.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md
View File

@ -3,7 +3,7 @@
| Description | Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1203: Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1203: Exploitation for Client Execution](../Triggers/T1203.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md
View File

@ -3,7 +3,7 @@
| Description | Detects command line parameters used by Rubeus hack tool |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>unlikely</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md
View File

@ -3,7 +3,7 @@
| Description | Detects MSHTA.EXE spwaned by SVCHOST described in report |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1170: Mshta](../Triggers/T1170.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md
View File

@ -3,7 +3,7 @@
| Description | Detects javaw.exe in AppData folder as used by Adwind / JRAT |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md
View File

@ -3,7 +3,7 @@
| Description | This method detects well-known keywords of malicious services in the Windows System Eventlog |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li><li>[DN_0063_4697_service_was_installed_in_the_system](../Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md)</li><li>[DN_0083_16_access_history_in_hive_was_cleared](../Data_Needed/DN_0083_16_access_history_in_hive_was_cleared.md)</li></ul> |
| Data Needed | <ul><li>[DN_0063_4697_service_was_installed_in_the_system](../Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md)</li><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li><li>[DN_0083_16_access_history_in_hive_was_cleared](../Data_Needed/DN_0083_16_access_history_in_hive_was_cleared.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unlikely</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_mal_lockergoga.md
View File

@ -3,7 +3,7 @@
| Description | Detects a command that clears the WMI trace log which indicates LockaerGoga ransomware activity |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_mal_wannacry.md
View File

@ -3,7 +3,7 @@
| Description | Detects WannaCry Ransomware Activity |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | critical |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md
View File

@ -3,7 +3,7 @@
| Description | Detects typical Dridex process patterns |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unlikely</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md
View File

@ -3,7 +3,7 @@
| Description | Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1085: Rundll32](../Triggers/T1085.md)</li><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Admin activity</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md
View File

@ -3,7 +3,7 @@
| Description | Detects wscript/cscript executions of scripts located in user directories |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Winzip</li><li>Other self-extractors</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md
View File

@ -3,7 +3,7 @@
| Description | Detects WannaCry ransomware activity via Sysmon |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | critical |
| False Positives | <ul><li>Diskpart.exe usage to manage partitions on the local hard drive</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md
View File

@ -3,7 +3,7 @@
| Description | Detects process injection using the signed Windows tool Mavinject32.exe |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md
View File

@ -3,7 +3,7 @@
| Description | Detects a Windows command line executable started from MSHTA. |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1170: Mshta](../Triggers/T1170.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Printer software / driver installations</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
View File

@ -3,7 +3,7 @@
| Description | Detects multiple suspicious process in a limited timeframe |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | low |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md
View File

@ -3,7 +3,7 @@
| Description | Detects netsh commands that configure a port forwarding |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1090: Connection Proxy](https://attack.mitre.org/techniques/T1090)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1090: Connection Proxy](../Triggers/T1090.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Legitimate administration</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md
View File

@ -3,7 +3,7 @@
| Description | Detects netsh commands that configure a port forwarding of port 3389 used for RDP |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1021: Remote Services](../Triggers/T1021.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Legitimate administration</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md
View File

@ -3,7 +3,7 @@
| Description | Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md
View File

@ -3,7 +3,7 @@
| Description | Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md
View File

@ -3,7 +3,7 @@
| Description | Detects execution of executables that can be used to bypass Applocker whitelisting |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1118: InstallUtil](https://attack.mitre.org/techniques/T1118)</li><li>[T1121: Regsvcs/Regasm](https://attack.mitre.org/techniques/T1121)</li><li>[T1127: Trusted Developer Utilities](https://attack.mitre.org/techniques/T1127)</li><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1118: InstallUtil](../Triggers/T1118.md)</li><li>[T1121: Regsvcs/Regasm](../Triggers/T1121.md)</li><li>[T1127: Trusted Developer Utilities](../Triggers/T1127.md)</li><li>[T1170: Mshta](../Triggers/T1170.md)</li></ul> |
| Severity Level | low |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li><li>Using installutil to add features for .NET applications (primarly would occur in developer environments)</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md
View File

@ -3,7 +3,7 @@
| Description | Detects Request to amsiInitFailed that can be used to disable AMSI Scanning |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md
View File

@ -3,7 +3,7 @@
| Description | Detects Base64 encoded Shellcode |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md
View File

@ -3,7 +3,7 @@
| Description | Detects a Powershell process that contains download commands in its command line string |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_powershell_suspicious_parameter_variation.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious PowerShell invocation with a parameter substring |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_process_creation_bitsadmin_download.md
View File

@ -3,7 +3,7 @@
| Description | Detects usage of bitsadmin downloading a file |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1197: BITS Jobs](https://attack.mitre.org/techniques/T1197)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1197: BITS Jobs](../Triggers/T1197.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Some legitimate apps use this, but limited.</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md
View File

@ -3,7 +3,7 @@
| Description | Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\* |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1138: Application Shimming](https://attack.mitre.org/techniques/T1138)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1138: Application Shimming](../Triggers/T1138.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md
View File

@ -3,7 +3,7 @@
| Description | Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li><li>[T1105: Remote File Copy](https://attack.mitre.org/techniques/T1105)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li><li>[T1105: Remote File Copy](../Triggers/T1105.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process that use escape characters |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul> |
| Severity Level | low |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md
View File

@ -3,7 +3,7 @@
| Description | Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>High</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_commands_recon_activity.md
View File

@ -3,7 +3,7 @@
| Description | Detects a set of commands often used in recon stages by different attack groups |
| ATT&amp;CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li><li>[T1082: System Information Discovery](https://attack.mitre.org/techniques/T1082)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1087: Account Discovery](../Triggers/T1087.md)</li><li>[T1082: System Information Discovery](../Triggers/T1082.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li><li>[T1085: Rundll32](../Triggers/T1085.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md
View File

@ -3,7 +3,7 @@
| Description | Detects a suspicious parent of csc.exe, which could by a sign of payload delivery |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unkown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md
View File

@ -3,7 +3,7 @@
| Description | Detects process starts of binaries from a suspicious folder |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md
View File

@ -3,7 +3,7 @@
| Description | Detects a suspicious exection from an uncommon folder |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md
View File

@ -3,7 +3,7 @@
| Description | Detects a suspicious program execution in a web service root folder (filter out false positives) |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Various applications</li><li>Tools that include ping or nslookup command invocations</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md
View File

@ -3,7 +3,7 @@
| Description | Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Execution of tools named GUP.exe and located in folders different than Notepad++\updater</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious IIS native-code module installations via command line |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Unknown as it may vary from organisation to arganisation how admins use to install IIS modules</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_mmc_source.md
View File

@ -3,7 +3,7 @@
| Description | Processes started by MMC could be a sign of lateral movement using MMC application COM object |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1175: Distributed Component Object Model](https://attack.mitre.org/techniques/T1175)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1175: Distributed Component Object Model](../Triggers/T1175.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md
View File

@ -3,7 +3,7 @@
| Description | Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious msiexec process starts with web addreses as parameter |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md
View File

@ -3,7 +3,7 @@
| Description | Detects execution of Net.exe, whether suspicious or benign. |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | low |
| False Positives | <ul><li>Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md
View File

@ -3,7 +3,7 @@
| Description | Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>NTDS maintenance</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md
View File

@ -3,7 +3,7 @@
| Description | Detects EnableUnsafeClientMailRules used for Script Execution from Outlook |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md
View File

@ -3,7 +3,7 @@
| Description | Detects a ping command that uses a hex encoded IP address |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unlikely, because no sane admin pings IP addresses in a hexadecimal form</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious powershell process starts with base64 encoded commands |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>GRR powershell hacks</li><li>PowerSponse Deployments</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_hidden_b64_cmd.md
View File

@ -3,7 +3,7 @@
| Description | Detects base64 encoded strings used in hidden malicious PowerShell command lines |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Unlikely, because no one should dump an lsass process memory</li><li>Another tool that uses the command line switches of Procdump</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process starts on Windows systems based on keywords |
| ATT&amp;CK Tactic | <ul></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md
View File

@ -3,7 +3,7 @@
| Description | Detects programs running in suspicious files system locations |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md
View File

@ -3,7 +3,7 @@
| Description | Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Administrative scripts</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process related to rasdial.exe |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious command line activity on Windows systems |
| ATT&amp;CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1087: Account Discovery](../Triggers/T1087.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Inventory tool runs</li><li>Penetration tests</li><li>Administrative activity</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md
View File

@ -3,7 +3,7 @@
| Description | Detects various anomalies in relation to regsvr32.exe |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1117: Regsvr32](https://attack.mitre.org/techniques/T1117)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1117: Regsvr32](../Triggers/T1117.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process run from unusual locations |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process related to rundll32 based on arguments |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1085: Rundll32](../Triggers/T1085.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious file execution by wscript and cscript |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md
View File

@ -3,7 +3,7 @@
| Description | Detects a suspicious svchost process start |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md
View File

@ -3,7 +3,7 @@
| Description | Detects Access to Domain Group Policies stored in SYSVOL |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>administrative activity</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md
View File

@ -3,7 +3,7 @@
| Description | Detects the creation of a process from Windows task manager |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | low |
| False Positives | <ul><li>Administrative activity</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md
View File

@ -3,7 +3,7 @@
| Description | Detects a suspicious RDP session redirect using tscon.exe |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1076: Remote Desktop Protocol](../Triggers/T1076.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_vssadmin_ntds_activity.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Administrative activity</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md
View File

@ -3,7 +3,7 @@
| Description | Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators |
| ATT&amp;CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1033: System Owner/User Discovery](https://attack.mitre.org/techniques/T1033)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1033: System Owner/User Discovery](../Triggers/T1033.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Admin activity</li><li>Scripts and administrative tools used in the monitored environment</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md
View File

@ -3,7 +3,7 @@
| Description | Detects WMI executing suspicious commands |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>Will need to be tuned</li><li>If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
View File

@ -3,7 +3,7 @@
| Description | Detects a Windows program executable started in a suspicious folder |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Exotic software</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md
View File

@ -3,7 +3,7 @@
| Description | Detects PsExec service installation and execution events (service and Sysmon) |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1035: Service Execution](https://attack.mitre.org/techniques/T1035)</li></ul> |
| Data Needed | <ul><li>[DN_0031_7036_service_started_stopped](../Data_Needed/DN_0031_7036_service_started_stopped.md)</li><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0031_7036_service_started_stopped](../Data_Needed/DN_0031_7036_service_started_stopped.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li></ul> |
| Trigger | <ul><li>[T1035: Service Execution](../Triggers/T1035.md)</li></ul> |
| Severity Level | low |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md
View File

@ -3,7 +3,7 @@
| Description | Detects a JAVA process running with remote debugging allowing more than just localhost to connect |
| ATT&amp;CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1046: Network Service Scanning](https://attack.mitre.org/techniques/T1046)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1046: Network Service Scanning](../Triggers/T1046.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md
View File

@ -3,7 +3,7 @@
| Description | Detects certain command line parameters often used during reconnaissance activity via web shells |
| ATT&amp;CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>unknown</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md
View File

@ -3,7 +3,7 @@
| Description | Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack |
| ATT&amp;CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Particular web applications may spawn a shell process legitimately</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md
View File

@ -3,7 +3,7 @@
| Description | Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher) |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul> |
| Data Needed | <ul><li>[DN_0081_5861_wmi_activity](../Data_Needed/DN_0081_5861_wmi_activity.md)</li><li>[DN_0080_5859_wmi_activity](../Data_Needed/DN_0080_5859_wmi_activity.md)</li></ul> |
| Data Needed | <ul><li>[DN_0080_5859_wmi_activity](../Data_Needed/DN_0080_5859_wmi_activity.md)</li><li>[DN_0081_5861_wmi_activity](../Data_Needed/DN_0081_5861_wmi_activity.md)</li></ul> |
| Trigger | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Unknown (data set is too small; further testing needed)</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
View File

@ -3,7 +3,7 @@
| Description | Detects WMI script event consumers |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Legitimate event consumers</li></ul> |

2
Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md
View File

@ -3,7 +3,7 @@
| Description | Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1127: Trusted Developer Utilities](https://attack.mitre.org/techniques/T1127)</li></ul> |
| Data Needed | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul> |
| Data Needed | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul> |
| Trigger | <ul><li>[T1127: Trusted Developer Utilities](../Triggers/T1127.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Legitimate MWC use (unlikely in modern enterprise environments)</li></ul> |

8
scripts/detectionrule.py
View File

@ -80,7 +80,8 @@ class DetectionRule:
# prepare command to execute from shell
# (yes, we know)
cmd = ATCconfig.get('sigmac_path') + " -t " + \
query + " --ignore-backend-errors " + self.yaml_file
query + " --ignore-backend-errors " + self.yaml_file + \
" 2> /dev/null"
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
@ -95,7 +96,7 @@ class DetectionRule:
e.g es-qs throws error 'no es variable'
"""
det_queries[query] = str(query2)[2:-3]
# Update detection rules
self.fields.update({"det_queries": det_queries})
self.fields.update({"queries": queries})
@ -179,7 +180,8 @@ class DetectionRule:
for output in outputs:
cmd = ATCconfig.get('sigmac_path') + " -t " + \
output + " --ignore-backend-errors " + self.yaml_file
output + " --ignore-backend-errors " + self.yaml_file + \
" 2> /dev/null"
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
(query, err) = p.communicate()
# Wait for date to terminate. Get return returncode ##

15
scripts/populateconfluence.py
View File

@ -20,7 +20,6 @@ import sys
import traceback
import os
ATCconfig = ATCutils.load_config("config.yml")
@ -136,7 +135,7 @@ class PopulateConfluence:
ATCutils.push_to_confluence(confluence_data, self.apipath,
self.auth)
print("Done: ", tg.fields["attack_technique"])
# print("Done: ", tg.fields["attack_technique"])
except Exception as err:
print(tg_file + " failed")
print("Err message: %s" % err)
@ -170,7 +169,7 @@ class PopulateConfluence:
ATCutils.push_to_confluence(confluence_data, self.apipath,
self.auth)
print("Done: ", lp.fields['title'])
# print("Done: ", lp.fields['title'])
except Exception as err:
print(lp_file + " failed")
print("Err message: %s" % err)
@ -204,7 +203,7 @@ class PopulateConfluence:
ATCutils.push_to_confluence(confluence_data, self.apipath,
self.auth)
print("Done: ", dn.dn_fields['title'])
# print("Done: ", dn.dn_fields['title'])
except Exception as err:
print(dn_file + " failed")
print("Err message: %s" % err)
@ -280,7 +279,7 @@ class PopulateConfluence:
ATCutils.push_to_confluence(confluence_data, self.apipath,
self.auth)
print("Done: ", en.en_parsed_file['title'])
# print("Done: ", en.en_parsed_file['title'])
except Exception as err:
print(en_file + " failed")
print("Err message: %s" % err)
@ -314,7 +313,7 @@ class PopulateConfluence:
ATCutils.push_to_confluence(confluence_data, self.apipath,
self.auth)
print("Done: ", ra.ra_parsed_file['title'])
# print("Done: ", ra.ra_parsed_file['title'])
except Exception as err:
print(ra_file + " failed")
print("Err message: %s" % err)
@ -352,7 +351,7 @@ class PopulateConfluence:
ATCutils.push_to_confluence(confluence_data, self.apipath,
self.auth)
print("Done: ", rp.rp_parsed_file['title'])
# print("Done: ", rp.rp_parsed_file['title'])
except Exception as err:
print(rp_file + " failed")
print("Err message: %s" % err)
@ -388,7 +387,7 @@ class PopulateConfluence:
ATCutils.push_to_confluence(confluence_data, self.apipath,
self.auth)
print("Done: ", cu.title)
# print("Done: ", cu.title)
except Exception as err:
print(cu_file + " failed")
print("Err message: %s" % err)

18
scripts/populatemarkdown.py
View File

@ -100,6 +100,7 @@ class PopulateMarkdown:
def triggers(self, tg_path):
"""Populate triggers"""
print("Populating Triggers..")
if self.art_dir and self.atc_dir:
r = ATCutils.populate_tg_markdown(art_dir=self.art_dir,
atc_dir=self.atc_dir)
@ -113,11 +114,13 @@ class PopulateMarkdown:
else:
r = ATCutils.populate_tg_markdown()
print("Triggers populated!")
return r
def logging_policy(self, lp_path):
"""Desc"""
print("Populating Logging Policies..")
if lp_path:
lp_list = glob.glob(lp_path + '*.yml')
else:
@ -135,9 +138,12 @@ class PopulateMarkdown:
traceback.print_exc(file=sys.stdout)
print('-' * 60)
print("Logging Policies populated!")
def data_needed(self, dn_path):
"""Desc"""
print("Populating Data Needed..")
if dn_path:
dn_list = glob.glob(dn_path + '*.yml')
else:
@ -154,9 +160,12 @@ class PopulateMarkdown:
print('-' * 60)
traceback.print_exc(file=sys.stdout)
print('-' * 60)
print("Data Needed populated!")
def detection_rule(self, dr_path):
"""Desc"""
print("Populating Detection Rules..")
if dr_path:
dr_list = glob.glob(dr_path + '*.yml')
else:
@ -180,10 +189,12 @@ class PopulateMarkdown:
print('-' * 60)
traceback.print_exc(file=sys.stdout)
print('-' * 60)
print("Detection Rules populated!")
def enrichment(self, en_path):
"""Nothing here yet"""
print("Populating Enrichments..")
if en_path:
en_list = glob.glob(en_path + '*.yml')
else:
@ -200,10 +211,12 @@ class PopulateMarkdown:
print('-' * 60)
traceback.print_exc(file=sys.stdout)
print('-' * 60)
print("Enrichments populated!")
def response_action(self, ra_path):
"""Nothing here yet"""
print("Populating Response Actions..")
if ra_path:
ra_list = glob.glob(ra_path + '*.yml')
else:
@ -220,10 +233,12 @@ class PopulateMarkdown:
print('-' * 60)
traceback.print_exc(file=sys.stdout)
print('-' * 60)
print("Response Actions populated!")
def response_playbook(self, rp_path):
"""Nothing here yet"""
print("Populating Response Playbooks..")
if rp_path:
rp_list = glob.glob(rp_path + '*.yml')
else:
@ -240,10 +255,12 @@ class PopulateMarkdown:
print('-' * 60)
traceback.print_exc(file=sys.stdout)
print('-' * 60)
print("Response Playbooks populated!")
def customer(self, cu_path):
"""Nothing here yet"""
print("Populating Customers..")
if cu_path:
cu_list = glob.glob(cu_path + '*.yml')
else:
@ -261,3 +278,4 @@ class PopulateMarkdown:
print('-' * 60)
traceback.print_exc(file=sys.stdout)
print('-' * 60)
print("Customers populated!")

2
triggers/atomic-red-team

@ -1 +1 @@
Subproject commit d2581114020d2f38f0a72e6a30176bb6cdcee69c
Subproject commit 16f6b633ce6dfbd50187a8969e746953365b3613