mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 09:35:21 +00:00
Markdown template adds relative links to other pages
This commit is contained in:
Wydra Mateusz
parent
612dd6168e
commit
bb49626101
@ -1,8 +1,8 @@
|
||||
| Title | DN_0001_windows_process_creation_4688 |
|
||||
|:---------------|:------------------|
|
||||
| Description | Windows process creation log, not including command line. |
|
||||
| Logging Policy | <ul><li>LP_0001_windows_audit_process_creation</li></ul> |
|
||||
| References | <ul><li>https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md</li></ul> |
|
||||
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li></ul> |
|
||||
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Windows Log |
|
||||
| Channel | Security |
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
| Title | DN_0002_windows_process_creation_with_commandline_4688 |
|
||||
|:---------------|:------------------|
|
||||
| Description | Windows process creation log, including command line. |
|
||||
| Logging Policy | <ul><li>LP_0001_windows_audit_process_creation</li><li>LP_0002_windows_audit_process_creation_with_commandline</li></ul> |
|
||||
| References | <ul><li>https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md</li></ul> |
|
||||
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
|
||||
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Windows Log |
|
||||
| Channel | Security |
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
| Title | DN_0003_windows_sysmon_process_creation_1 |
|
||||
|:---------------|:------------------|
|
||||
| Description | Windows process creation log, including command line. |
|
||||
| Logging Policy | <ul><li>LP_0001_windows_audit_process_creation</li><li>LP_0002_windows_audit_process_creation_with_commandline</li></ul> |
|
||||
| References | <ul><li>https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001</li></ul> |
|
||||
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
|
||||
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Windows Log |
|
||||
| Channel | Microsoft-Windows-Sysmon/Operational |
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
| Title | DN_0004_windows_account_logon_4624 |
|
||||
|:---------------|:------------------|
|
||||
| Description | An account was successfully logged on. |
|
||||
| Logging Policy | <ul><li>LP_0004_windows_audit_logon</li></ul> |
|
||||
| References | <ul><li>https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md</li></ul> |
|
||||
| Logging Policy | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
|
||||
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
|
||||
| Platform | Windows |
|
||||
| Type | Windows Log |
|
||||
| Channel | Security |
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Hurricane Panda Activity |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects Hurricane Panda Activity |
|
||||
| Tags | attack.g0009 |
|
||||
| ATT&CK Tactic | ('Privilege Escalation', 'TA0004') |
|
||||
| ATT&CK Technique | T1068 |
|
||||
| Dataneeded | DN_0003_windows_sysmon_process_creation_1, DN_0002_windows_process_creation_with_commandline_4688 |
|
||||
| Triggering | T1068: No atomics trigger for this technique |
|
||||
| ATT&CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1068](https://attack.mitre.org/tactics/T1068)</li></ul> |
|
||||
| Other Tags | <ul><li>attack.g0009</li></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1068: No atomics trigger for this technique](../Triggering/T1068: No atomics trigger for this technique.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | Unknown |
|
||||
| False Positives | <ul><li>Unknown</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ |
|
||||
| References | [https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/](https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/) |
|
||||
| Author | Florian Roth |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Admin User Remote Logon |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detect remote login by Administrator user depending on internal pattern |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Lateral Movement', 'TA0008') |
|
||||
| ATT&CK Technique | T1078 |
|
||||
| Dataneeded | DN_0004_windows_account_logon_4624 |
|
||||
| Triggering | T1078: No atomics trigger for this technique |
|
||||
| ATT&CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1078](https://attack.mitre.org/tactics/T1078)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0004_windows_account_logon_4624](../Data_Needed/DN_0004_windows_account_logon_4624.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1078: No atomics trigger for this technique](../Triggering/T1078: No atomics trigger for this technique.md)</li></ul> |
|
||||
| Severity Level | low |
|
||||
| False Positives | Legitimate administrative activity |
|
||||
| False Positives | <ul><li>Legitimate administrative activity</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://car.mitre.org/wiki/CAR-2016-04-005 |
|
||||
| References | [https://car.mitre.org/wiki/CAR-2016-04-005](https://car.mitre.org/wiki/CAR-2016-04-005) |
|
||||
| Author | juju4 |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Suspicious Process Start Locations |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects suspicious process run from unusual locations |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Defense Evasion', 'TA0005') |
|
||||
| ATT&CK Technique | T1036 |
|
||||
| Dataneeded | DN_0002_windows_process_creation_with_commandline_4688, DN_0003_windows_sysmon_process_creation_1 |
|
||||
| Triggering | T1036 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036](https://attack.mitre.org/tactics/T1036)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1036](../Triggering/T1036.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | False positives depend on scripts and administrative tools used in the monitored environment |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://car.mitre.org/wiki/CAR-2013-05-002 |
|
||||
| References | [https://car.mitre.org/wiki/CAR-2013-05-002](https://car.mitre.org/wiki/CAR-2013-05-002) |
|
||||
| Author | juju4 |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Suspicious Commandline Escape |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects suspicious process that use escape characters |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Defense Evasion', 'TA0005') |
|
||||
| ATT&CK Technique | T1140 |
|
||||
| Dataneeded | DN_0002_windows_process_creation_with_commandline_4688, DN_0003_windows_sysmon_process_creation_1 |
|
||||
| Triggering | T1140 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1140](https://attack.mitre.org/tactics/T1140)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1140](../Triggering/T1140.md)</li></ul> |
|
||||
| Severity Level | low |
|
||||
| False Positives | False positives depend on scripts and administrative tools used in the monitored environment |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://twitter.com/vysecurity/status/885545634958385153, https://twitter.com/Hexacorn/status/885553465417756673, https://twitter.com/Hexacorn/status/885570278637678592, https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html, http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ |
|
||||
| References | [https://twitter.com/vysecurity/status/885545634958385153](https://twitter.com/vysecurity/status/885545634958385153), [https://twitter.com/Hexacorn/status/885553465417756673](https://twitter.com/Hexacorn/status/885553465417756673), [https://twitter.com/Hexacorn/status/885570278637678592](https://twitter.com/Hexacorn/status/885570278637678592), [https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html](https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html), [http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/](http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/) |
|
||||
| Author | juju4 |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Reconnaissance Activity with Net Command |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects a set of commands often used in recon stages by different attack groups |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Discovery', 'TA0007') |
|
||||
| ATT&CK Technique | T1073, T1012 |
|
||||
| Dataneeded | DN_0003_windows_sysmon_process_creation_1, DN_0002_windows_process_creation_with_commandline_4688 |
|
||||
| Triggering | T1073: No atomics trigger for this technique, T1012 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1073](https://attack.mitre.org/tactics/T1073)</li><li>[T1012](https://attack.mitre.org/tactics/T1012)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1073: No atomics trigger for this technique](../Triggering/T1073: No atomics trigger for this technique.md)</li><li>[T1012](../Triggering/T1012.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | False positives depend on scripts and administrative tools used in the monitored environment |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://twitter.com/haroonmeer/status/939099379834658817, https://twitter.com/c_APT_ure/status/939475433711722497, https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html |
|
||||
| References | [https://twitter.com/haroonmeer/status/939099379834658817](https://twitter.com/haroonmeer/status/939099379834658817), [https://twitter.com/c_APT_ure/status/939475433711722497](https://twitter.com/c_APT_ure/status/939475433711722497), [https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html](https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html) |
|
||||
| Author | Florian Roth, Markus Neis |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | IIS Native-Code Module Command Line Installation |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects suspicious IIS native-code module installations via command line |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Persistence', 'TA0003') |
|
||||
| ATT&CK Technique | T1100 |
|
||||
| Dataneeded | DN_0003_windows_sysmon_process_creation_1, DN_0002_windows_process_creation_with_commandline_4688 |
|
||||
| Triggering | T1100: No atomics trigger for this technique |
|
||||
| ATT&CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1100](https://attack.mitre.org/tactics/T1100)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1100: No atomics trigger for this technique](../Triggering/T1100: No atomics trigger for this technique.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | Unknown as it may vary from organisation to arganisation how admins use to install IIS modules |
|
||||
| False Positives | <ul><li>Unknown as it may vary from organisation to arganisation how admins use to install IIS modules</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ |
|
||||
| References | [https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/](https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/) |
|
||||
| Author | Florian Roth |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Credential Access', 'TA0006') |
|
||||
| ATT&CK Technique | T1003 |
|
||||
| Dataneeded | DN_0003_windows_sysmon_process_creation_1, DN_0002_windows_process_creation_with_commandline_4688 |
|
||||
| Triggering | T1003 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1003](https://attack.mitre.org/tactics/T1003)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1003](../Triggering/T1003.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | NTDS maintenance |
|
||||
| False Positives | <ul><li>NTDS maintenance</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm |
|
||||
| References | [https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm](https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm) |
|
||||
| Author | Thomas Patzke |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Malicious Base64 encoded PowerShell Keywords in command lines |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects base64 encoded strings used in hidden malicious PowerShell command lines |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Execution', 'TA0002') |
|
||||
| ATT&CK Technique | T1086 |
|
||||
| Dataneeded | DN_0002_windows_process_creation_with_commandline_4688 |
|
||||
| Triggering | T1086 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1086](https://attack.mitre.org/tactics/T1086)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1086](../Triggering/T1086.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | Penetration tests |
|
||||
| False Positives | <ul><li>Penetration tests</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ |
|
||||
| References | [http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/](http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/) |
|
||||
| Author | John Lambert (rule) |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Suspicious Process Start Locations |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects suspicious process run from unusual locations |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Defense Evasion', 'TA0005') |
|
||||
| ATT&CK Technique | T1036 |
|
||||
| Dataneeded | DN_0002_windows_process_creation_with_commandline_4688, DN_0003_windows_sysmon_process_creation_1 |
|
||||
| Triggering | T1036 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1036](https://attack.mitre.org/tactics/T1036)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1036](../Triggering/T1036.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | False positives depend on scripts and administrative tools used in the monitored environment |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://car.mitre.org/wiki/CAR-2013-05-002 |
|
||||
| References | [https://car.mitre.org/wiki/CAR-2013-05-002](https://car.mitre.org/wiki/CAR-2013-05-002) |
|
||||
| Author | juju4 |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Suspicious Rundll32 Activity |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects suspicious process related to rundll32 based on arguments |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Defense Evasion', 'TA0005'), ('Execution', 'TA0002') |
|
||||
| ATT&CK Technique | T1085 |
|
||||
| Dataneeded | DN_0002_windows_process_creation_with_commandline_4688, DN_0003_windows_sysmon_process_creation_1 |
|
||||
| Triggering | T1085 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1085](https://attack.mitre.org/tactics/T1085)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1085](../Triggering/T1085.md)</li></ul> |
|
||||
| Severity Level | |
|
||||
| False Positives | False positives depend on scripts and administrative tools used in the monitored environment |
|
||||
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/, https://twitter.com/Hexacorn/status/885258886428725250, https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 |
|
||||
| References | [http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/](http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/), [https://twitter.com/Hexacorn/status/885258886428725250](https://twitter.com/Hexacorn/status/885258886428725250), [https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52](https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52) |
|
||||
| Author | juju4 |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | Suspicious SYSVOL Domain Group Policy Access |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects Access to Domain Group Policies stored in SYSVOL |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Credential Access', 'TA0006') |
|
||||
| ATT&CK Technique | T1003 |
|
||||
| Dataneeded | DN_0003_windows_sysmon_process_creation_1, DN_0002_windows_process_creation_with_commandline_4688 |
|
||||
| Triggering | T1003 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1003](https://attack.mitre.org/tactics/T1003)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1003](../Triggering/T1003.md)</li></ul> |
|
||||
| Severity Level | medium |
|
||||
| False Positives | administrative activity |
|
||||
| False Positives | <ul><li>administrative activity</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://adsecurity.org/?p=2288, https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 |
|
||||
| References | [https://adsecurity.org/?p=2288](https://adsecurity.org/?p=2288), [https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100](https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100) |
|
||||
| Author | Markus Neis |
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | WMI Persistence - Script Event Consumer |
|
||||
|:-------------------|:------------------|
|
||||
| Description | Detects WMI script event consumers |
|
||||
| Tags | |
|
||||
| ATT&CK Tactic | ('Execution', 'TA0002'), ('Persistence', 'TA0003') |
|
||||
| ATT&CK Technique | T1047 |
|
||||
| Dataneeded | , , DN_0002_windows_process_creation_with_commandline_4688DN_0001_windows_process_creation_4688, DN_0002_windows_process_creation_with_commandline_4688DN_0001_windows_process_creation_4688 |
|
||||
| Triggering | T1047 |
|
||||
| ATT&CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
|
||||
| ATT&CK Technique | <ul><li>[T1047](https://attack.mitre.org/tactics/T1047)</li></ul> |
|
||||
| Other Tags | <ul></ul> |
|
||||
| Dataneeded | <ul><li>[](../Data_Needed/.md)</li><li>[](../Data_Needed/.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688DN_0001_windows_process_creation_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688DN_0001_windows_process_creation_4688.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688DN_0001_windows_process_creation_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688DN_0001_windows_process_creation_4688.md)</li></ul> |
|
||||
| Triggering | <ul><li>[T1047](../Triggering/T1047.md)</li></ul> |
|
||||
| Severity Level | high |
|
||||
| False Positives | Legitimate event consumers |
|
||||
| False Positives | <ul><li>Legitimate event consumers</li></ul> |
|
||||
| Development Status | experimental |
|
||||
| References | https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ |
|
||||
| References | [https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/) |
|
||||
| Author | Thomas Patzke |
|
||||
|
||||
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
| Default | Not configured |
|
||||
| Event Volume | Medium |
|
||||
| EventID | <ul><li>4688</li><li>4696</li></ul> |
|
||||
| References | <ul><li>https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md</li></ul> |
|
||||
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md)</li></ul> |
|
||||
|
||||
|
||||
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
| Default | Not configured |
|
||||
| Event Volume | Medium |
|
||||
| EventID | <ul><li>4688</li></ul> |
|
||||
| References | <ul><li>https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md</li><li>https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing</li></ul> |
|
||||
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-process-creation.md)</li><li>[https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing)</li></ul> |
|
||||
|
||||
|
||||
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
| Default | Partially (Other) |
|
||||
| Event Volume | Medium |
|
||||
| EventID | <ul><li>1</li></ul> |
|
||||
| References | <ul><li>https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon</li></ul> |
|
||||
| References | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
|
||||
|
||||
|
||||
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
| Default | Partially (Success) |
|
||||
| Event Volume | Medium |
|
||||
| EventID | <ul><li>4624</li><li>4625</li><li>4648</li><li>4675</li></ul> |
|
||||
| References | <ul><li>https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-logon.md</li></ul> |
|
||||
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-logon.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-logon.md)</li></ul> |
|
||||
|
||||
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
| Title | {{ title }} |
|
||||
|:-------------------|:------------------|
|
||||
| Description | {{ description }} |
|
||||
| Tags | {% for tag in other_tags -%}{{ tag }}{{ ", " if not loop.last }}{% endfor %} |
|
||||
| ATT&CK Tactic | {% for tactic in tactics -%}{{ tactic }}{{ ", " if not loop.last }}{% endfor %} |
|
||||
| ATT&CK Technique | {% for technique in techniques -%}{{ technique }}{{ ", " if not loop.last }}{% endfor %} |
|
||||
| Dataneeded | {% for data in data_needed -%}{{ data }}{{ ", " if not loop.last }}{% endfor %} |
|
||||
| Triggering | {% for trigger in triggers -%}{{ trigger }}{{ ", " if not loop.last }}{% endfor %} |
|
||||
| ATT&CK Tactic | <ul>{% for tactic_name, tactic_id in tactics %}<li>[{{tactic_id}}: {{tactic_name}}](https://attack.mitre.org/tactics/{{tactic_id}})</li>{% endfor %}</ul> |
|
||||
| ATT&CK Technique | <ul>{% for technique in techniques %}<li>[{{technique}}](https://attack.mitre.org/tactics/{{technique}})</li>{% endfor %}</ul> |
|
||||
| Other Tags | <ul>{% for tag in other_tags %}<li>{{ tag }}</li>{% endfor %}</ul> |
|
||||
| Dataneeded | <ul>{% for data in data_needed %}<li>[{{ data }}](../Data_Needed/{{data}}.md)</li>{% endfor %}</ul> |
|
||||
| Triggering | <ul>{% for trigger in triggers %}<li>[{{ trigger }}](../Triggering/{{trigger}}.md)</li>{% endfor %}</ul> |
|
||||
| Severity Level | {{ level }} |
|
||||
| False Positives | {% for falsepositive in falsepositives -%}{{ falsepositive }}{{ ", " if not loop.last }}{% endfor %} |
|
||||
| False Positives | <ul>{% for falsepositive in falsepositives %}<li>{{ falsepositive }}</li>{% endfor %}</ul> |
|
||||
| Development Status | {{ status }} |
|
||||
| References | {% for reference in references -%}{{ reference }}{{ ", " if not loop.last }}{% endfor %} |
|
||||
| References | {% for reference in references -%}[{{ reference }}]({{ reference }}){{ ", " if not loop.last }}{% endfor %} |
|
||||
| Author | {{ author }} |
|
||||
|
||||
{% if sigma_rule is defined and sigma_rule|length %}
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
| Title | {{ title }} |
|
||||
|:---------------|:------------------|
|
||||
| Description | {{ description }} |
|
||||
| Logging Policy | <ul>{% for policy in loggingpolicy %}<li>{{ policy }}</li>{% endfor %}</ul> |
|
||||
| References | <ul>{% for ref in references %}<li>{{ ref }}</li>{% endfor %}</ul> |
|
||||
| Logging Policy | <ul>{% for policy in loggingpolicy %}<li>[{{ policy }}](../Logging_Policies/{{policy}}.md)</li>{% endfor %}</ul> |
|
||||
| References | <ul>{% for ref in references %}<li>[{{ ref }}]({{ ref }})</li>{% endfor %}</ul> |
|
||||
| Platform | {{ platform }} |
|
||||
| Type | {{ type }} |
|
||||
| Channel | {{ channel }} |
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
| Default | {{ default }} |
|
||||
| Event Volume | {{ volume }} |
|
||||
| EventID | <ul>{% for eventid in eventID %}<li>{{ eventid }}</li>{% endfor %}</ul> |
|
||||
| References | <ul>{% for ref in references %}<li>{{ ref }}</li>{% endfor %}</ul> |
|
||||
| References | <ul>{% for ref in references %}<li>[{{ ref }}]({{ ref }})</li>{% endfor %}</ul> |
|
||||
|
||||
{% if configuration is defined and configuration|length %}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user