From 5cb42e796e022a23c8bc3814a58981053f1d5a2f Mon Sep 17 00:00:00 2001
From: Jean-Louis Huynen
Date: Thu, 22 Aug 2024 16:46:56 +0200
Subject: [PATCH 01/36] add: [first-csirt] Initial commit for FIRST CSIRT Services Framework
---
 clusters/first-csirt-services-framework.json | 901 +++++++++++++++++++
 galaxies/first-csirt-services-framework.json | 9 +
 tools/gen_csf.py | 125 +++
 3 files changed, 1035 insertions(+)
 create mode 100644 clusters/first-csirt-services-framework.json
 create mode 100644 galaxies/first-csirt-services-framework.json
 create mode 100644 tools/gen_csf.py
diff --git a/clusters/first-csirt-services-framework.json b/clusters/first-csirt-services-framework.json
new file mode 100644
index 0000000..ff160d4
--- /dev/null
+++ b/clusters/first-csirt-services-framework.json
@@ -0,0 +1,901 @@
+{
+ "authors": [
+ "FIRST",
+ "Jean-Louis Huynen"
+ ],
+ "category": "csirt",
+ "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide",
+ "name": "FIRST CSIRT Services Framework",
+ "source": "https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1",
+ "type": "first-csirt-services-framework",
+ "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb",
+ "values": [
+ {
+ "description": "Purpose: Implement automated, continuous processing of a wide variety of information security event sources and contextual data in order to identify potential information security incidents, such as attacks, intrusions, data breaches or security policy violations.\nDescription: Based on logs, NetFlow data, IDS alerts, sensor networks, external sources, or other available information security event data, apply a range of methods from simple logic or pattern matching rules to the application of statistical models or machine learning in order to identify potential information security incidents. This can involve a vast amount of data and typically, but not necessarily, requires specialized tools such as Security Information and Event Management (SIEM) or big data platforms to process. 
An important objective of continuous improvement is to minimize the amount of false alarms that need to be analyzed as part of the Analyzing service.\nOutcome: Potential information security incidents are identified for analysis as part of the Analyzing service.",
+ "relationships": [],
+ "uuid": "d98bfbdf-c2f2-5a77-9d7e-0af1259e8652",
+ "value": "5.1 Service: Monitoring and detection"
+ },
+ {
+ "description": "Purpose: Triage detected potential information security incidents and their qualification as information security incidents for escalation to the Information Security Incident Management service area or as false alarms.\nDescription: The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. 
Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues.\nOutcome: Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement.",
+ "relationships": [],
+ "uuid": "1f57cd67-7f05-526d-8c89-ee3aa8d8fb50",
+ "value": "5.2 Service: Event analysis"
+ },
+ {
+ "description": "Purpose: Receive and process reports of potential information security incidents from constituents, from Information Security Event Management services or third parties.\nDescription: For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically.\nTo enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. 
Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report.",
+ "relationships": [],
+ "uuid": "a297eda0-7a70-5e5c-90a2-033cf903e0d3",
+ "value": "6.1 Service: Information security incident report acceptance"
+ },
+ {
+ "description": "Purpose: Analyze and gain an understanding of a confirmed information security incident.\nDescription: This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit.\nDetailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken.",
+ "relationships": [],
+ "uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676",
+ "value": "6.2 Service: Information security incident analysis"
+ },
+ {
+ "description": "Purpose: Analyze and gain an understanding of artefacts related to a confirmed information security incident, taking into consideration the need to preserve forensic evidence.\nDescription: The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, applications codes, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. 
This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply.\nEven without preserving a chain-of-custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments--with or without external accesses from standard wired or wireless networks (such as performing the forensics activities in a sealed or Faraday room), logging of activities, and compliance with procedures.",
+ "relationships": [],
+ "uuid": "54c519b6-2299-5b21-b331-9b261832a52b",
+ "value": "6.3 Service: Artifact and forensic evidence analysis"
+ },
+ {
+ "description": "Purpose: Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security.\nDescription: Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned over into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed or new information becomes available that requires further analysis and henceforth may also change the response strategy and plan.\nOutcome: The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. 
Data is restored in case of data loss, if possible.",
+ "relationships": [],
+ "uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca",
+ "value": "6.4 Service: Mitigation and recovery"
+ },
+ {
+ "description": "Purpose: Ensure timely notifications and accurate information distribution; keep the information flow and track the status of activities of entities that are either tasked or requested to participate in responding to the information security incident; and make sure the response plan is carried out and deviations caused by both delays or new information are managed accordingly.\nDescription: Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, this requires suitable escalation and reporting functions established before any information security incident can be handled effectively and efficiently. As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, track their responses and make sure that all parties carrying out activities report back to provide for accurate situational awareness until the information security incident is considered closed and requiring no further coordination.\nStakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. 
To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support.",
+ "relationships": [],
+ "uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf",
+ "value": "6.5 Service: Information security incident coordination"
+ },
+ {
+ "description": "Purpose: Provide expertise and contacts to other security experts, CSIRTs, and CSIRT communities in order to help mitigate the crisis.\nDescription: While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. But the response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As it is established in crisis management, a high-ranking role will take over the responsibility of a crisis, thereby changing the usual line of command for the duration of the emergency.\nAs the systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations and provide valuable experience but also the established services and networks of points of contacts.",
+ "relationships": [],
+ "uuid": "81b922e4-291c-5337-9cc2-910dbfc4bf92",
+ "value": "6.6 Service: Crisis management support"
+ },
+ {
+ "description": "Purpose: Find, learn of, or search for new (previously unknown) vulnerabilities; vulnerabilities can be discovered by members of the vulnerability management service area or through other related CSIRT activities\nDescription: Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. 
Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists6), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.\nOutcome: This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT.",
+ "relationships": [],
+ "uuid": "c01835b0-8786-5dc8-af2c-b83793d6fc8c",
+ "value": "7.1 Service: Vulnerability discovery / research"
+ },
+ {
+ "description": "Purpose: Receive and process vulnerability information reported from constituents or third parties.\nDescription: One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. 
Supporting guidance should include reporting guidelines, contact information, and any disclosure policies.\nTo enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report.",
+ "relationships": [],
+ "uuid": "8397d943-1507-5d38-a9fe-078549634320",
+ "value": "7.2 Service: Vulnerability report intake"
+ },
+ {
+ "description": "Purpose: Analyze and gain understanding of a confirmed vulnerability.\nDescription: The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability.\nThe Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD)7 process.",
+ "relationships": [],
+ "uuid": "dfdd8b20-7047-56d8-8956-339a1a9bd0ad",
+ "value": "7.3 Service: Vulnerability analysis"
+ },
+ {
+ "description": "Purpose: Exchange information and coordinate the activities with participants involved in a coordinated vulnerability disclosure (CVD) process.\nDescription: The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information 
with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSRITs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.\nOutcome: Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely.",
+ "relationships": [],
+ "uuid": "576887a7-b5df-5632-a61f-a93190c65426",
+ "value": "7.4 Service: Vulnerability coordination"
+ },
+ {
+ "description": "Purpose: Disseminate information about known vulnerabilities to constituents so that they can act upon that information to prevent, detect, and remediate/mitigate known vulnerabilities.\nDescription: Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination.\nOutcome: Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist.",
+ "relationships": [],
+ "uuid": "76235018-30af-5431-a98d-7d03f718b241",
+ "value": "7.5 Service: Vulnerability disclosure"
+ },
+ {
+ "description": "Purpose: Actively take information about known vulnerabilities and act upon that information to prevent, detect, and remediate/mitigate those vulnerabilities.\nDescription: The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. 
The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies.\nOutcome: Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited.",
+ "relationships": [],
+ "uuid": "586381d1-7a46-53af-a7dd-33a20aa18d9b",
+ "value": "7.6 Service: Vulnerability response8"
+ },
+ {
+ "description": "Purpose: Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture.\nDescription: Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. 
CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information.\nOutcome: The following artefacts result from this service:",
+ "relationships": [],
+ "uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b",
+ "value": "8.1 Service: Data acquisition"
+ },
+ {
+ "description": "Purpose: Assess when the situation does not match with expectations (e.g., when specific assets may be about to experience a harmful event).\nDescription: The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency.\nOutcome: A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. 
The analysis may also include constituents that need to be told about the results, and what they need to be told.",
+ "relationships": [],
+ "uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836",
+ "value": "8.2 Service: Analysis and synthesis"
+ },
+ {
+ "description": "Purpose: Notify constituents or others in the security community about changes in risks to the situational picture.\nDescription: The knowledge obtained from situational awareness must be communicated to the constituency. This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers.\nOutcome: Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture.",
+ "relationships": [],
+ "uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a",
+ "value": "8.3 Service: Communication"
+ },
+ {
+ "description": "Purpose: Increase the overall security posture of the constituency and help its members to detect, prevent, and recover from incidents; ensure that constituents are better prepared and educated.\nDescription: This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats.\nOutcome: The constituency is provided with the necessary awareness of:",
+ "relationships": [],
+ "uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978",
+ "value": "9.1 Service: Awareness building"
+ },
+ {
+ "description": "Purpose: Provide training and education to a CSIRT constituency (which may include organizational and CSIRT staff) on topics related to cybersecurity, information assurance and incident management.\nDescription: A training and education program can help the CSIRT to establish relationships and to improve the overall 
cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can\nThis can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities.",
+ "relationships": [],
+ "uuid": "3ccbc324-98cf-585b-a9af-5282ec611130",
+ "value": "9.2 Service: Training and education"
+ },
+ {
+ "description": "Purpose: Conduct exercises to assess and improve the effectiveness and efficiency of cybersecurity services and functions.\nDescription: Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to\nThis service addresses both the needs of the organization and the needs of its constituents. 
More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives:",
+ "relationships": [],
+ "uuid": "114aa684-808a-58d2-b325-b4fa54b70662",
+ "value": "9.3 Service: Exercises"
+ },
+ {
+ "description": "Purpose: Ensure the constituency’s policies and procedures include appropriate incident management considerations and, ultimately, enable the constituency to better manage risks and threats, as well as enabling the CSIRT to be more effective.\nDescription: Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT.\nOutcome: A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate.",
+ "relationships": [],
+ "uuid": "1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f",
+ "value": "9.4 Service: Technical and policy advisory"
+ },
+ {
+ "description": "Purpose: Manage log sources and sensors.\nDescription: Sensors and log sources need operational management throughout their lifecycle. They must be deployed, onboarded, and decommissioned. Outages, data quality/scope, and configuration issues must be identified and resolved. Sensors that have some form of configuration such as pattern definitions need their configuration maintained in order to remain effective. 
Sensors may also include external detection services or Open Source Intelligence (OSINT) sources, if they form the basis for detection use cases.\nOutcome: A reliable stream of relevant information security events is available as input for detection use cases.",
+ "id": "5-1-1-Function-Log-and-sensor-management",
+ "relationships": {
+ "dest-uuid": "d98bfbdf-c2f2-5a77-9d7e-0af1259e8652",
+ "type": "involves"
+ },
+ "uuid": "e19f3a4d-6bc7-5409-b423-f45d7c136f9c",
+ "value": "5.1.1 Function: Log and sensor management"
+ },
+ {
+ "description": "Purpose: Manage the portfolio of detection use cases through their entire lifecycle.\nDescription: New detection approaches are developed, tested, and improved, and eventually onboarded into a detection use case in production. Instructions for analyst triage, qualification, and correlation need to be developed, for example in the form of playbooks and Standard Operating Procedures (SOPs). Use cases that do not perform well, i.e., that have an unfavorable benefit/effort ratio, need to be improved, redefined, or abandoned. The portfolio of detection use cases should be expanded in a risk-oriented way and in coordination with preventive controls.\nOutcome: A portfolio of effective detection use cases that are relevant to the constituency is developed.",
+ "id": "5-1-2-Function-Detection-use-case-management",
+ "relationships": {
+ "dest-uuid": "d98bfbdf-c2f2-5a77-9d7e-0af1259e8652",
+ "type": "involves"
+ },
+ "uuid": "359af5c1-4d4e-59a8-ad46-0dd3538a3bb0",
+ "value": "5.1.2 Function: Detection use case management"
+ },
+ {
+ "description": "Purpose: Manage of contextual data sources for detection and enrichment.\nDescription: The various contextual data sources that are involved in detection and enrichment need to be managed throughout their lifecycle. 
These can be live APIs to or exports from other IT systems such as a Configuration Management Database (CMDB), Identity and Access Management (IAM), or Threat Intel systems, or entirely separate data sets that need to be managed manually. The latter would be the case for indicator lists, watchlists and whitelists to suppress false positives.\nOutcome: Up to date contextual data is available for both detection and enrichment.",
+ "id": "5-1-3-Function-Contextual-data-management",
+ "relationships": {
+ "dest-uuid": "d98bfbdf-c2f2-5a77-9d7e-0af1259e8652",
+ "type": "involves"
+ },
+ "uuid": "3f6cc41e-c733-57e5-8328-ff39a1fd2c7f",
+ "value": "5.1.3 Function: Contextual data management"
+ },
+ {
+ "description": "Purpose: Identify events directly related to other potential or ongoing security incidents.\nDescription: Potential information security incidents pertaining to the same assets (e.g., systems, services, customers) or identities (e.g., users), or which are otherwise directly related to other potential information security incidents are grouped together and escalated as a single information security incident in order to avoid duplicate efforts. 
New potential information security incidents directly related to ongoing information security incidents are assigned to that information security incident instead of opening a new, separate information security incident.\nOutcome: Grouping of related potential information security incidents for combined qualification or updating to an existing information security incident already handled by the Information Security Incident Management service area is performed.",
+ "id": "5-2-1-Function-Correlation",
+ "relationships": {
+ "dest-uuid": "1f57cd67-7f05-526d-8c89-ee3aa8d8fb50",
+ "type": "involves"
+ },
+ "uuid": "2a471554-bc25-5077-a5ce-12a2c67659f7",
+ "value": "5.2.1 Function: Correlation"
+ },
+ {
+ "description": "Purpose: Triage and qualify detected potential information security incidents in order to identify, categorize, and prioritize true positives.\nDescription: Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. 
More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.\nOutcome: Qualified potential information security incidents are available for handling as part of the Information Security Incident Management service area.",
+ "id": "5-2-2-Function-Qualification",
+ "relationships": {
+ "dest-uuid": "1f57cd67-7f05-526d-8c89-ee3aa8d8fb50",
+ "type": "involves"
+ },
+ "uuid": "27748e0d-6270-5f78-a811-026f7c3a3b2b",
+ "value": "5.2.2 Function: Qualification"
+ },
+ {
+ "description": "Purpose: Accept or receive information about an information security incident, as reported from constituents or third parties.\nDescription: Effective intake of information security incident reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (e.g., finders, researchers, ISACs, other CSIRTs). Information security incident reports may include affected devices/networks/users/organizations, conditions already identified like exploited vulnerabilities, impact both on technical and business level, and actions that have been taken to start remediation and/or mitigation steps and potentially resolution. Occasionally, information security incident information may be received jointly as part of the input to other services, most namely the Vulnerability Report Intake (e.g., if an information security incident is reported that has been identified while analyzing a vulnerability report). 
Automatically submitted reports might or might not be acknowledged pending further choices of the implemented interfaces and protocols.\nOutcome: Information security incident reports are appropriately handled from constituents or third parties, including the initiation of documenting or tracking the reports", + "id": "6-1-1-Function-Information-security-incident-report-receipt", + "relationships": { + "dest-uuid": "a297eda0-7a70-5e5c-90a2-033cf903e0d3", + "type": "involves" + }, + "uuid": "5f035f21-2330-56bb-bb7e-b1fa0297cd36", + "value": "6.1.1 Function: Information security incident report receipt" + }, + { + "description": "Purpose: Initially review, categorize, prioritize, and process a reported information security incident.\nDescription: Information Security Incident Reports are reviewed and triaged to obtain an initial understanding of the information security incident in question. It is of particular importance whether it has a real information security impact on the target and can result (or has already resulted) in damage to the confidentiality, availability, integrity, and/or authenticity of information assets or other assets. Depending on the amount of detail and quality of the information provided in the initial report, it may or not be obvious whether a real information security incident has occurred or if there is a different reason—such as misconfiguration or hardware failure. The next step will be determined on the basis of the preliminary assessment (e.g., process the report for further analysis; seek additional information from the reporter or other sources; decide that the report needs no further action or is a false alarm).\nIt is possible that attacks may originate from within the constituency of a CSIRT, may target this constituency, or the constituency is affected by collateral effects only. 
If the CSIRT does not provide Information Security Management services for the identified targets, then the report should be forwarded securely to an external group for handling, such as the affected organization(s) or CSIRT(s).", + "id": "6-1-2-Function-Information-security-incident-triage-and-processing", + "relationships": { + "dest-uuid": "a297eda0-7a70-5e5c-90a2-033cf903e0d3", + "type": "involves" + }, + "uuid": "0b7c1b02-3238-5354-99ba-0bf86d13878f", + "value": "6.1.2 Function: Information security incident triage and processing" + }, + { + "description": "Purpose: Categorize, prioritize, and create an initial assessment of an information security incident.\nDescription: The Analyzing Information Security Incidents service begins with a review of the available information to categorize, prioritize, and assess the impact an information security incident has on the involved systems relevant to the CSIRT’s mandate. Some of this may have been documented during the Information Security Incident Report Triage and Processing function (of the Information Security Incident Report Intake service) if the information security incident was reported to the CSIRT by a constituent or third party.\nIf prior triage has not already been completed, the information security incident may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., a potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area the CSIRT according to its mandate).", + "id": "6-2-1-Function-Information-security-incident-triage-prioritization-and-categorization", + "relationships": { + "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676", + "type": "involves" + }, + "uuid": "4380d80e-ae1d-5206-bf9d-6df5eb6ea4c1", + "value": "6.2.1 Function: Information security incident triage (prioritization and 
categorization)" + }, + { + "description": "Purpose: Intake, catalog, store, and track information related to the information security incident and all information security events that are considered to be part of it.\nDescription: Enable the collection of all valuable information to obtain the best understanding of the context, so that the origin and the content of the information can be appropriately evaluated and tagged to be used for any further processing.\nWhile collecting information, the agreed sharing policies and limitations of what data can be used in which context or for what form of processing must be accepted and adhered to. Also, the collection mechanisms and procedures must ensure that proper labeling and attribution of sources is used in order to later validate the origins as well as the appropriateness or authenticity.", + "id": "6-2-2-Function-Information-collection", + "relationships": { + "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676", + "type": "involves" + }, + "uuid": "2f37051b-e575-52e5-a523-1268f4af8dc2", + "value": "6.2.2 Function: Information collection" + }, + { + "description": "Purpose: Initiate and track any other technical analysis in regard to an information security incident.\nDescription: As more detailed technical analysis may be required, such analysis may be executed by other experts (inside or outside the host organization or CSIRT) or other third parties (such as a service provider specialized in such analysis). 
This requires initiating and tracking such activities up to the successful delivery of the desired analysis.\nOutcome: A list of pending and—from the viewpoint of the incident handler coordinating the response to any given information security incident—outsourced analysis is available.", + "id": "6-2-3-Function-Detailed-analysis-coordination", + "relationships": { + "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676", + "type": "involves" + }, + "uuid": "0189a652-52a5-559b-ba33-81a6e76c50e0", + "value": "6.2.3 Function: Detailed analysis coordination" + }, + { + "description": "Purpose: Identify the root cause of the information security incident, identifying the circumstances that allowed the exploited vulnerabilities to exist or that allowed the exploitation to succeed (including but not limited to user behavior).\nDescription: This function involves the process and actions required to understand the architecture, usage, or implementation flaw(s) that caused or exposed systems, networks, users, organizations, etc. to the kind of attack or exploit or compromise as exercised against the targets of an information security incident. It is also concerned with the circumstances in which an attacker could compromise more systems based on the initial access to gain further access.\nDepending on the nature of the information security incident, it may be difficult for a CSIRT to perform this function thoroughly. 
In many situations, this function may best be conducted by the affected target itself, as especially in the context of Coordinating CSIRTs no detailed technical knowledge is available about systems or networks that have been compromised.", + "id": "6-2-4-Function-Information-security-incident-root-cause-analysis", + "relationships": { + "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676", + "type": "involves" + }, + "uuid": "261f9cb2-79ba-56a9-b100-cea2c2e2df88", + "value": "6.2.4 Function: Information security incident root cause analysis" + }, + { + "description": "Purpose: Enable the usage of all available information to get the best understanding of the context and detect interrelationships that otherwise would not have been recognized or acted upon.\nDescription: This function involves the correlation of available information about multiple information security incidents to determine interrelations, trends, or applicable mitigations from already closed information security incidents to improve the response to currently handled information security incidents.\nOutcome: The bigger picture is understood in terms of situational awareness based on a detailed knowledge about similarities and confirmed or suspected interrelationships of otherwise independent information security incidents.", + "id": "6-2-5-Function-Cross-incident-correlation", + "relationships": { + "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676", + "type": "involves" + }, + "uuid": "b79d69f5-2ed6-57b2-8061-f7c1e5048de9", + "value": "6.2.5 Function: Cross-incident correlation" + }, + { + "description": "Purpose: Compare information gathered from the artefact with other public and private artefacts and/or signature repositories.\nDescription: This function involves identification and characterization of basic information and metadata about artefacts, including but not limited to file types, string outputs, cryptographic hashes, certificates, file sizes, file/directory names. 
As all available information is gathered and analyzed further, this may be used to review any public/open or private/closed source information repositories to learn more about the artefact or its behavior, as such information can be used to determine the next steps.\nOutcome: Identify Characteristics and/or the signature of digital artefact are identified and any information already known about the artefact including maliciousness, impact, and mitigation.", + "id": "6-3-1-Function-Media-or-surface-analysis", + "relationships": { + "dest-uuid": "54c519b6-2299-5b21-b331-9b261832a52b", + "type": "involves" + }, + "uuid": "eb8aa76f-5262-583f-8e2b-0ab51b602ab8", + "value": "6.3.1 Function: Media or surface analysis" + }, + { + "description": "Purpose: Perform in-depth static analysis of an artefact to determine its complete functionality, regardless of the environment within which it may be executed.\nDescription: To provide a deeper analysis of malware artefacts to include identifying hidden actions and triggering commands. Reverse engineering allows the analyst to dig past any obfuscation and compilation (for binaries) and identify the program, script, or code that makes up the malware, either by uncovering any source code or by disassembling the binary into assembly language and interpreting it. The analyst uncovers all of the machine language exposed functions and actions the malware can perform. 
Reverse engineering is a deeper analysis that is carried out when surface and runtime analysis do not provide the full information needed.\nOutcome: Complete functionality of a digital artefact is derived to understand how it operates, how it is triggered, related system weaknesses that can be exploited, its full impact, and potential damage, in order to develop solutions to mitigate against the artefact and, if appropriate, create a new signature for comparison with other samples.", + "id": "6-3-2-Function-Reverse-engineering", + "relationships": { + "dest-uuid": "54c519b6-2299-5b21-b331-9b261832a52b", + "type": "involves" + }, + "uuid": "5db0d1c6-53fe-5353-9921-318f31288b7d", + "value": "6.3.2 Function: Reverse engineering" + }, + { + "description": "Purpose: Provide insight into the artefact’s operation.\nDescription: This function involves understanding of an artifact’s capabilities via observation while running the sample in a real or emulated environment (e.g., sandbox, virtual environment, and hardware or software emulators).\nUse of a simulated environment captures changes to the host, network traffic, and output from execution. The basic premise is to try to see artefact in operation in as close to a real-life situation as possible.", + "id": "6-3-3-Function-Run-time-or-dynamic-analysis", + "relationships": { + "dest-uuid": "54c519b6-2299-5b21-b331-9b261832a52b", + "type": "involves" + }, + "uuid": "dc6c2dc3-0465-5c47-affb-8f2cd115adc0", + "value": "6.3.3 Function: Run time or dynamic analysis" + }, + { + "description": "Purpose: Perform an analysis focused on identifying common functionality or intent, including family analysis of catalogued artefacts.\nDescription: This function involves exploring an artefact’s relationship to other artefacts. This may identify similarities in code or modus operandi, targets, intent, and authors. 
Such similarities can be used to derive the scope of an attack (e.g., is there a larger target, has similar code been used before).\nComparative analysis techniques can include exact match comparisons or code similarity comparisons. Comparative analysis provides a broader view of how the artefact or similar versions of it were used and changed over time, helping to understand the evaluation of malware or other malicious types of artefacts.", + "id": "6-3-4-Function-Comparative-analysis", + "relationships": { + "dest-uuid": "54c519b6-2299-5b21-b331-9b261832a52b", + "type": "involves" + }, + "uuid": "3c9784d5-37bc-50a3-9900-d9fae8d7337d", + "value": "6.3.4 Function: Comparative analysis" + }, + { + "description": "Purpose: Define and enforce a plan to restore the integrity of affected systems and return the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality without recreating the context of enabling the original security issue to be exploited again.\nDescription: Without fully understanding the business impact and requirements to mitigate and recover, no meaningful response will be provided. As there is a conflict of interest—tracking the attack to gain more intelligence vs. containing the attack to avoid further losses—it is necessary to take all interests into consideration and work out a response plan that is plausible to address the known facts and provide the desired outcome within the required timeframe.\nAs with all plans, it must be considered that whenever new analysis results become available, the new findings need to be reviewed. Indeed, the response plan will usually need to be changed to provide continuous orientation and guidance. 
But without such plan—unless the response is handled by one small organizational group with little requirement of external interfaces or other entities—the activities might not be carried out effectively or efficiently due to a lack of coordination.", + "id": "6-4-1-Function-Response-plan-establishment", + "relationships": { + "dest-uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca", + "type": "involves" + }, + "uuid": "37274e78-66b0-5766-9fb2-adfe91a96cae", + "value": "6.4.1 Function: Response plan establishment" + }, + { + "description": "Purpose: Implement measures that ensure an information security incident does not spread any further, i.e. remains confined to the currently affected system, users, and/or domains to ensure that no further losses (including leakage of documents, changes to databases or data, etc.) can occur.\nDescription: The immediate challenge in case of an information security incident is to stop it from spreading. While systems are compromised or malware is active on end user systems, further data losses and more compromises occur. It is usually the main objective of attacks to reach out to specific data and systems, including attacks (including but not limited to lateral movements) to other organizations both inside and outside the organization suffering from the information security incident. Stopping or at least limiting the extent of any malicious activities or further losses requires short-term actions such as blocking or filtering traffic and removing access to specific services or systems, and can also result in the disconnection of critical systems.\nDenying further access to potentially critical evidence data will allow a full analysis of such evidence. 
Denying further access to other systems and networks will also limit the exposure from liability as a result of damage done to other organizations.", + "id": "6-4-2-Function-Ad-hoc-measures-and-containment", + "relationships": { + "dest-uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca", + "type": "involves" + }, + "uuid": "5176c3e8-4d3a-5029-8ab9-ce9f1e60b8a7", + "value": "6.4.2 Function: Ad hoc measures and containment" + }, + { + "description": "Purpose: Implement changes in the affected domain, infrastructure, or network necessary to fix and prevent this type of activity from reoccurring.\nDescription: Restore the integrity of affected systems and returning the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality. As business reality usually demands systems return to normal operation as soon as possible, there is a risk that not all means of unauthorized access have been removed successfully. Therefore, unless the analysis results are already available, even returned systems must be carefully monitored and managed. Especially if identified vulnerabilities and weaknesses cannot (yet) be eliminated, improved protection and detection mechanisms need to be applied to avoid the same or similar or types of information security incidents.\nOutcome: Measures are applied to restore the systems and services to full functionality as well as capacity. Measures are applied to close any detected vulnerabilities or weakness that contributed to the original information security incident. 
Detection and reaction measures are improved as recommended by the analysis and response plan.", + "id": "6-4-3-Function-System-restoration", + "relationships": { + "dest-uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca", + "type": "involves" + }, + "uuid": "017a410c-ee1b-5e98-9f6c-5dc1517e2766", + "value": "6.4.3 Function: System restoration" + }, + { + "description": "Purpose: Enable the constituents to perform the required management and technical activities in order to successfully mitigate an information security incident and recover from it.\nDescription: A CSIRT may provide direct (onsite) assistance to help the constituents to recover from losses and to remove vulnerabilities. This might be a direct extension of offering analysis services on-site (see above). On the other hand, a CSIRT might choose to support the staff of the constituents responding to the information security incident with more detailed explanations, recommendations, etc.\nOutcome: Response of the constituents is improved and recovery is faster. By adding to the available body of knowledge the future effectiveness and efficiency of related activities may be strengthened. In addition, it helps to support those entities inside the constituency that are lacking detailed technical knowledge to carry out the necessary action to respond.", + "id": "6-4-4-Function-Other-information-security-entities-support", + "relationships": { + "dest-uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca", + "type": "involves" + }, + "uuid": "6da607b8-da8d-5574-a049-351809d6505e", + "value": "6.4.4 Function: Other information security entities support" + }, + { + "description": "Purpose: Engage effectively with stakeholders and establish appropriate multiple communication channels providing the required confidentiality.\nDescription: A CSIRT must account for the most accurate audience as communications are crafted and released. 
In return, a CSIRT must also be equipped to receive incoming feedback, reports, comments, and questions from a variety of sources based on its own communication.\nThe security policy and the information sharing policy may require information to be handled in a strict manner. The CSIRT must be able to share with stakeholders in a reliable, secure, and private manner, both externally and internally.", + "id": "6-5-1-Function-Communication", + "relationships": { + "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", + "type": "involves" + }, + "uuid": "97155050-8e5e-5572-9544-f428386a03e3", + "value": "6.5.1 Function: Communication" + }, + { + "description": "Purpose: Alert entities impacted by the information security incident or those that can contribute to the response to it and provide those entities with the required information to understand their role of involvement and any expectations that might exist regarding their cooperation and support.\nDescription: A security incident touches on many internal and potentially external entities and, possibly, systems, and networks. As CSIRTs are a central point for receiving reports of potential information security incidents, they also serve as a hub for notifying authorized points of contact about them. 
The notification usually will provide not only the appropriate technical details but also information about the expected response and a point of contact for any fellow-up.\nOutcome: Information about an information security incident is available to entities required to either take part in the response or to be informed about it.", + "id": "6-5-2-Function-Notification-distribution", + "relationships": { + "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", + "type": "involves" + }, + "uuid": "8a7335ee-ac4a-557f-a6fa-862e64d08335", + "value": "6.5.2 Function: Notification distribution" + }, + { + "description": "Purpose: Keep communicating with the identified entities and provide a suitable flow of available information in order to enable those entities to benefit from available insights and lessons learned, to apply improved responses or take new ad-hoc measures.\nDescription: As the response to an information security incident progresses, more analysis results and reports from potentially other security experts, CSIRTs, or victims become available.\nIt may be helpful to pass some of the information and lessons learned on to the Knowledge Transfer Service Area (if supported) to improve training and technical documents as well as to help create appropriate awareness, especially if new attacks or incident trends are identified.", + "id": "6-5-3-Function-Relevant-information-distribution", + "relationships": { + "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", + "type": "involves" + }, + "uuid": "3d484cde-fb3a-5ffc-bcd2-5cc2e0e5965a", + "value": "6.5.3 Function: Relevant information distribution" + }, + { + "description": "Purpose: Track the status of all communication and activities.\nDescription: As many entities are potentially involved in responding to an information security incident, it is necessary to track the status of all communication and activities. 
This involves the actions requested by a CSIRT or requests for sharing of further information as well as requests for technical analysis of artefacts s or the sharing of indicators of compromise, information about other victims, etc. This primarily occurs when the CSIRT is reliant on expertise and resources outside of the direct control of the CSIRT to effectuate the actions necessary to mitigate an incident. But it also occurs inside larger organizations for which an internal CSIRT coordinates the mitigation and recovery activities.\nBy offering bilateral or multilateral coordination, the CSIRT participates in the exchange of information to enable those resources with the ability to take action to do so or to assist others in the detection, protection, or remediation of ongoing activities from attackers and help to close the information security incident.", + "id": "6-5-4-Function-Activities-coordination", + "relationships": { + "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", + "type": "involves" + }, + "uuid": "1f153ad2-d2ac-5845-a761-61773b2c0571", + "value": "6.5.4 Function: Activities coordination" + }, + { + "description": "Purpose: Ensure that all involved entities within a business have information about the status of current activities so that further decisions about the next steps to be taken are based on the best situational awareness available.\nDescription: Delivering concise and factual information about the current status of activities requested or carried out in response to an information security incident. Instead of waiting to be pulled for such information as part of an ongoing coordinated action as required for any successful response, timely reports are critical to enable effective coordination.\nOutcome: Internal stakeholders are apprised of the scope of current activities, actions already completed, and pending ones. 
The assessed impact of delays, recommendations and requested actions is also communicated, making it possible to understand the overall impact in regard to the selected response strategy and developed plan.", + "id": "6-5-5-Function-Reporting", + "relationships": { + "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", + "type": "involves" + }, + "uuid": "bda99f7b-109c-5dd3-8efd-8cabda9bc85d", + "value": "6.5.5 Function: Reporting" + }, + { + "description": "Purpose: Engage with the (public) media to be able to provide accurate and easy-to-understand factual information about ongoing events to avoid the spread of rumors and misleading information.\nDescription: Communicating with the media is unavailable in many cases. While CSIRTs usually try to avoid such contact, it is important to realize that the media can help to mitigate specific types of ongoing and large-scale attacks causing information security incidents. For this it is necessary to explain what is causing the information security incidents and explain the impact on users and/or organizations. In some cases, a CSIRT might choose to provide this information already in a manner suitable for release to the public, but this certainly requires specific skills inside the CSIRT not readily available in most. 
In any case, if a CSIRT communicates with the media, it must take great care to simplify the technical issues as much as possible and leave out all confidential information.\nOutcome: Factual information providing a clear summary of the ongoing information security incident is developed including steps to be taken by potential victims or outlining the chosen response strategy to recover from the information security incident.", + "id": "6-5-6-Function-Media-communication", + "relationships": { + "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", + "type": "involves" + }, + "uuid": "65aab371-c453-52cb-bee0-ac2c17612d74", + "value": "6.5.6 Function: Media communication" + }, + { + "description": "Purpose: Provide established communication resources to help respond to the crisis.\nDescription: As the response to a crisis progresses, information must be distributed and disseminated. As the CSIRT has established such resources for its own purposes, crisis management may see it as appropriate or necessary to use such resources.\nOutcome: Available information is distributed to constituents, benefiting from established trust relationships that help to reassure recipients of the accurateness of the information disseminated.", + "id": "6-6-1-Function-Information-distribution-to-constituents", + "relationships": { + "dest-uuid": "81b922e4-291c-5337-9cc2-910dbfc4bf92", + "type": "involves" + }, + "uuid": "614d0ac5-0e20-51f7-a035-e6554be58b17", + "value": "6.6.1 Function: Information distribution to constituents" + }, + { + "description": "Purpose: Ensure that the crisis management team has a complete overview of current information security incidents and known vulnerabilities to consider this as part of its overall priorities and strategies.\nDescription: The function involves delivering concise and factual information about the current status of cyber security inside the constituency. 
As a crisis might be used to start other attacks or as occurring attacks might be part of the overall activities leading this crisis, it is very important for the crisis management team to establish complete situational awareness.\nThe CSIRT can provide such situational awareness for its services and constituents. This may either be requested or is expected by standard policies in a time of crisis. In any case, as crisis management is only successful based on the established information flow as it depends on coordinate resources to address the most critical aspects of the crisis, reporting must be timely and accurate.", + "id": "6-6-2-Function-Information-security-status-reporting", + "relationships": { + "dest-uuid": "81b922e4-291c-5337-9cc2-910dbfc4bf92", + "type": "involves" + }, + "uuid": "264ccb1c-8a6e-50fe-8b62-b6f5638701f5", + "value": "6.6.2 Function: Information security status reporting" + }, + { + "description": "Purpose: Inform other entities in a timely manner about the impact caused by the crisis on currently open information security incidents.\nDescription: Informing other entities in a timely manner about the impact caused by the crisis on currently open information security incidents provides a clear understanding of what support can also be provided by the CSIRT during the duration of the crisis, and makes sure that entities understand what to expect. It also makes sure that other parties stop their support or interaction with the CSIRT as they might believe that the crisis is taking over.\nAs the crisis management team may decide to postpone the response to an actual information security incident due to a crisis, such decisions need to be communicated to all entities currently informed and participating. 
This is to avoid misunderstandings and further issues that may also lead to a loss of trust in the CSIRT and/or host organization.", + "id": "6-6-3-Function-Strategic-decisions-communication", + "relationships": { + "dest-uuid": "81b922e4-291c-5337-9cc2-910dbfc4bf92", + "type": "involves" + }, + "uuid": "b0f34860-8f83-5ad0-80e6-034ea4c4f8e6", + "value": "6.6.3 Function: Strategic decisions communication" + }, + { + "description": "Purpose: Identify a vulnerability that was exploited as part of a security incident.\nDescription: During the course of analyzing a security incident, information may be discovered that indicates that a vulnerability was exploited by the attacker. An incident may have been enabled through exploitation of a known vulnerability that was previously unpatched or unmitigated; or it may be due to a new (zero-day) vulnerability.\nSome of this vulnerability information might be received as an output from one of the services of the Information Security Incident Management service area if a vulnerability was exploited as part of an incident. The information can then be passed on to the Vulnerability Triage function or the Vulnerability Analysis service, as appropriate.", + "id": "7-1-1-Function-Incident-response-vulnerability-discovery", + "relationships": { + "dest-uuid": "c01835b0-8786-5dc8-af2c-b83793d6fc8c", + "type": "involves" + }, + "uuid": "45610cdd-eb2a-5bdd-b9a6-0072ad3a797f", + "value": "7.1.1 Function: Incident response vulnerability discovery" + }, + { + "description": "Purpose: Learn about a new vulnerability from reading public sources or other third-party sources.\nDescription: A CSIRT may initially learn about a new vulnerability from various public sources that announce such information. The sources can include vendor announcements, security websites, mailing lists, vulnerability databases, security conferences, social media, etc. 
This function may also learn of new vulnerabilities through other third-party sources that may not be completely open to the public, such as through paid subscriptions or premium services where information is shared with only a limited group. Staff may be assigned the responsibility to perform this function and collect information to organize it for further review and sharing. Similar vulnerability information might also be received from the services of the Situational Awareness service area.\nOutcome: New vulnerabilities are identified that have been disclosed through public or other external sources.", + "id": "7-1-2-Function-Public-source-vulnerability-discovery", + "relationships": { + "dest-uuid": "c01835b0-8786-5dc8-af2c-b83793d6fc8c", + "type": "involves" + }, + "uuid": "dd419b1f-403b-5880-b86d-c0868fe38819", + "value": "7.1.2 Function: Public source vulnerability discovery" + }, + { + "description": "Purpose: Discover or search for new vulnerabilities as a result of deliberate activities or research.\nDescription: This function includes the discovery of new vulnerabilities as a result of specific CSIRT activities, such as the testing of systems or software using fuzz testing (fuzzing), or through the reverse engineering of malware.\nThis function may also receive input from the service(s) of the Information Security Incident Management service area or the Situational Awareness service area that would initiate this function to look for suspected vulnerabilities.", + "id": "7-1-3-Function-Vulnerability-research", + "relationships": { + "dest-uuid": "c01835b0-8786-5dc8-af2c-b83793d6fc8c", + "type": "involves" + }, + "uuid": "78cfffca-9a7a-5a77-becd-0ae1c4a23cd7", + "value": "7.1.3 Function: Vulnerability research" + }, + { + "description": "Purpose: Accept or receive information about a vulnerability, as reported from constituents or third parties.\nDescription: Effective intake of vulnerability reports requires mechanisms and processes to receive the reports 
from constituents, stakeholders, and third parties (finders, researchers, vendors, PSIRTs, other CSIRTs or vulnerability coordinators, etc.). Vulnerability information may include affected devices, conditions necessary to exploit the vulnerability, impact (e.g., privilege escalation, data access, etc.), as well as actions taken to resolve the vulnerability, remediation and/or mitigation steps, and resolution. Occasionally, vulnerability information may be received jointly as part of the input to other services, most notably the Information Security Incident Report Intake (e.g., if a vulnerability is reported to be exploited as part of an incident report).\nOutcome: Vulnerability reports from constituents or third parties are appropriately handled, including the initiation of documenting or tracking the reports.",
+ "id": "7-2-1-Function-Vulnerability-report-receipt",
+ "relationships": {
+ "dest-uuid": "8397d943-1507-5d38-a9fe-078549634320",
+ "type": "involves"
+ },
+ "uuid": "b6fd9a66-77d7-55c2-91e1-754612251b22",
+ "value": "7.2.1 Function: Vulnerability report receipt"
+ },
+ {
+ "description": "Purpose: Initially review, categorize, prioritize, and process a vulnerability report.\nDescription: Vulnerability Reports are reviewed and triaged to obtain an initial understanding of the vulnerability in question and determine what to do next (e.g., process the vulnerability for further analysis, seek additional information from the reporter or other sources, decide that the vulnerability needs no further action). Depending on the amount of detail and quality of the information provided in the vulnerability report, it may or not be obvious whether a new vulnerability exists.\nUnless there is a reason to decline a vulnerability report, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling. 
If the CSIRT does not provide a Vulnerability Analysis service, then the report should be securely forwarded to an external group for handling, such as the affected vendor(s), PSIRT(s), or a vulnerability coordinator.",
+ "id": "7-2-2-Function-Vulnerability-report-triage-and-processing",
+ "relationships": {
+ "dest-uuid": "8397d943-1507-5d38-a9fe-078549634320",
+ "type": "involves"
+ },
+ "uuid": "c85a2e71-318b-592d-82b1-887044320e2a",
+ "value": "7.2.2 Function: Vulnerability report triage and processing"
+ },
+ {
+ "description": "Purpose: Categorize, prioritize, and perform an initial assessment of a vulnerability.\nDescription: The Vulnerability Analysis service begins with a review of the available information to categorize, prioritize, and assess whether a vulnerability has some impact on the involved systems and is relevant to the CSIRT’s mandate. Some of this may have been documented during the Vulnerability Report Triage and Processing function (of the Vulnerability Report Intake service) if the vulnerability was reported to the CSIRT by a constituent or third party.\nIf prior triage has not already been completed, the vulnerability may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., the potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area of the CSIRT according to its mandate).",
+ "id": "7-3-1-Function-Vulnerability-triage-validation-and-categorization",
+ "relationships": {
+ "dest-uuid": "dfdd8b20-7047-56d8-8956-339a1a9bd0ad",
+ "type": "involves"
+ },
+ "uuid": "ac49eb2e-a396-5945-8090-b17f6c053b25",
+ "value": "7.3.1 Function: Vulnerability triage (validation and categorization)"
+ },
+ {
+ "description": "Purpose: Understand the design or implementation flaw that causes or exposes the vulnerability to exist.\nDescription: 
The goal of this analysis is to identify the root cause of the vulnerability, identifying the circumstances that allow a vulnerability to exist, and in which circumstances an attacker can consequently exploit the vulnerability. This analysis may also attempt to understand the weakness(es) leveraged to instigate an incident and the adversarial tradecraft utilized to leverage that weakness. Depending on the nature of the vulnerability, it may be difficult for a CSIRT to perform this function thoroughly. In some cases, this function may have already been performed by the finder or reporter of the vulnerability. In many situations, this function may best be conducted by the product vendor or developer of the affected software or system or their respective PSIRT. It is also possible that a vulnerability is present in more than one product, in which case multiple analyses may be needed of the affected software or systems, requiring coordination with multiple vendors, PSIRTs, or stakeholders.\nOutcome: Understanding of the vulnerability and the way in which malicious actors will be able to use this vulnerability is used to determine remediation or mitigation methods to minimize the risk of exposure or exploitation.",
+ "id": "7-3-2-Function-Vulnerability-root-cause-analysis",
+ "relationships": {
+ "dest-uuid": "dfdd8b20-7047-56d8-8956-339a1a9bd0ad",
+ "type": "involves"
+ },
+ "uuid": "076812ef-36a6-52bb-800d-74c67a41abf3",
+ "value": "7.3.2 Function: Vulnerability root cause analysis"
+ },
+ {
+ "description": "Purpose: Develop the steps necessary to fix (remediate) the underlying vulnerability or mitigate (reduce) the effects of the vulnerability from being exploited.\nDescription: This function will ideally identify a remediation or a fix for a vulnerability. 
If a vendor patch or fix is not available in a timely manner, a temporary solution or workaround, called a mitigation, may be recommended, such as disabling the affected software or making configuration changes, to minimize the potential negative effects of the vulnerability. Note that the actual application or deployment of a remediation (patch) or mitigation (workaround) is a function of a separate service, called Vulnerability Response in this framework.\nAs part of the Vulnerability Analysis service and Remediation Development, this function may optionally include other sub-functions or activities, such as validating the changing of a procedure or design, reviewing remediation by a third party, or identifying any new vulnerabilities introduced in the remediation steps. Vulnerabilities that are not remediated or mitigated should be documented as acceptable risks.",
+ "id": "7-3-3-Function-Vulnerability-remediation-development",
+ "relationships": {
+ "dest-uuid": "dfdd8b20-7047-56d8-8956-339a1a9bd0ad",
+ "type": "involves"
+ },
+ "uuid": "e34a0555-baac-5bc3-b0f6-5ba99e7c0c5e",
+ "value": "7.3.3 Function: Vulnerability remediation development"
+ },
+ {
+ "description": "Purpose: Initial share or report new vulnerability information with others who are to be involved in the CVD process.\nDescription: The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including the affected vendors, developers, PSIRTs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.\nOutcome: Vendors (or other CVD participants) are informed about a vulnerability and can act to develop a remediation or mitigation solution.",
+ "id": "7-4-1-Function-Vulnerability-notification-reporting",
+ "relationships": {
+ "dest-uuid": "576887a7-b5df-5632-a61f-a93190c65426",
+ "type": "involves"
+ },
+ "uuid": 
"4330ceb5-95d3-566e-bd2c-ed72fc20212d",
+ "value": "7.4.1 Function: Vulnerability notification/reporting"
+ },
+ {
+ "description": "Purpose: Conduct follow-on coordination and sharing of information among the various stakeholders and participants involved in coordinated vulnerability disclosure (CVD) efforts.\nDescription: Coordinate the exchange of information among the finders/researchers, vendors, PSIRTS, and any other participants in the coordinate vulnerability disclosure (CVD) efforts to analyze and fix the vulnerability and prepare for the disclosure of the vulnerability. This coordination should also include agreement by participants on the timing and synchronization of the disclosure.\nOutcome: Vulnerability information is more effectively, timely, and responsibly shared among participants who can develop or announce a remediation/mitigation solution.",
+ "id": "7-4-2-Function-Vulnerability-stakeholder-coordination",
+ "relationships": {
+ "dest-uuid": "576887a7-b5df-5632-a61f-a93190c65426",
+ "type": "involves"
+ },
+ "uuid": "d2f116ec-8632-552c-a958-e04cb2701ce3",
+ "value": "7.4.2 Function: Vulnerability stakeholder coordination"
+ },
+ {
+ "description": "Purpose: Develop and maintain a policy that provides a framework and sets expectations for how a CSIRT handles and discloses vulnerabilities and the mechanism(s) used to disclose the vulnerability.\nDescription: CSIRTs that handle vulnerability reports should define their vulnerability disclosure policy and make that policy available to its constituents, stakeholders, and CVD participants, preferably by publishing it on the CSIRT’s website. The vulnerability disclosure policy will provide transparency to stakeholders and help to promote appropriate disclosure policies. 
Policies can range from no disclosure, where no vulnerability information is disclosed, to limited disclosure, where only some information is made available, to full disclosure, where all information is disclosed, which may include proof-of-concept exploits. The disclosure policy should include factors such as the scope of the policy, references to any reporting mechanisms and guidelines, and expected timeframes and mechanisms for the disclosure of the vulnerability.\nOutcome: Trust, collaboration, and control of the disclosure is increased and relationships and coordination with CVD participants is improved.",
+ "id": "7-5-1-Function-Vulnerability-disclosure-policy-and-infrastructure-maintenance",
+ "relationships": {
+ "dest-uuid": "76235018-30af-5431-a98d-7d03f718b241",
+ "type": "involves"
+ },
+ "uuid": "6e90856e-cdc4-56ff-8be7-afd2fb10d813",
+ "value": "7.5.1 Function: Vulnerability disclosure policy and infrastructure maintenance"
+ },
+ {
+ "description": "Purpose: Provide information to constituents (or the public) about a new vulnerability, so that they can detect, remediate or mitigate, and prevent future exploitation of the vulnerability.\nDescription: Disclose vulnerability information to defined constituents. The disclosure can be made through any or all of the mechanisms identified in the vulnerability disclosure policy. Dissemination mechanisms can vary depending on the needs or expectations of the target audience. The communication can be in the form of an announcement or security advisory distributed via email or text messaging, a publication posted to a website or social media channel, or other communication forms and channels as appropriate. 
Content to be included in the disclosure should follow a defined format, which typically can include information such as an overview or description, a unique vulnerability identifier, impact, severity, or CVSS score, resolution (remediation or mitigation), and supporting references or materials.\nOutcome: The vulnerability is prevented, detected, and remediated/mitigated by providing timely, high-quality, effective information to constituents (or public).",
+ "id": "7-5-2-Function-Vulnerability-announcement-communication-dissemination",
+ "relationships": {
+ "dest-uuid": "76235018-30af-5431-a98d-7d03f718b241",
+ "type": "involves"
+ },
+ "uuid": "458ae77c-ae0e-548e-8db1-9195740162e9",
+ "value": "7.5.2 Function: Vulnerability announcement/communication/dissemination"
+ },
+ {
+ "description": "Purpose: Receive and respond to questions or reports from constituents about a vulnerability disclosure or document.\nDescription: Following the disclosure of a new vulnerability, CSIRTs can expect to receive follow-on communications in the form of questions from some constituents about a vulnerability document. The questions may indicate a need for clarification, revision, or amendment of the vulnerability disclosure mechanism, if warranted. Information from constituents may simply be an acknowledgement or receipt of the vulnerability document, or the constituent may report an issue or difficulty in deploying the suggested remediation/mitigation. If the vulnerability was determined to have been already exploited, constituents may be reporting newly discovered incidents as a result of the vulnerability disclosure. 
Such reports should feed into the functions of the CSIRT’s Incident Reporting service.\nOutcome: Any questions or requests for assistance are responded to in a timely manner following a vulnerability disclosure.",
+ "id": "7-5-3-Function-Post-vulnerability-disclosure-feedback",
+ "relationships": {
+ "dest-uuid": "76235018-30af-5431-a98d-7d03f718b241",
+ "type": "involves"
+ },
+ "uuid": "ad6eb2d4-ef88-5128-9ba2-83bd6f84eb5f",
+ "value": "7.5.3 Function: Post-vulnerability disclosure feedback"
+ },
+ {
+ "description": "Purpose: Actively engage in searching for the presence of known vulnerabilities in deployed systems.\nDescription: The goal of this function is to detect any previously unpatched or unmitigated vulnerabilities before they are exploited or impact the network or devices. This function may be initiated in response to an announcement about a new vulnerability, or it may be achieved as part of a periodically scheduled scan for known vulnerabilities. In order to provide vulnerability detection effectively, it is useful to have a systems inventory. 
Having such an inventory that can be queried for software version information can enable an organization to quickly assess the likely prevalence of a newly reported vulnerability in its infrastructure.\nThis function may receive input or be triggered from other services and functions.\nOutcome: Vulnerabilities are detected through formal processes or tools designed to identify.",
+ "id": "7-6-1-Function-Vulnerability-detection-scanning",
+ "relationships": {
+ "dest-uuid": "586381d1-7a46-53af-a7dd-33a20aa18d9b",
+ "type": "involves"
+ },
+ "uuid": "9dd2ac75-65ee-52c8-bc7e-6ac983b81211",
+ "value": "7.6.1 Function: Vulnerability detection / scanning"
+ },
+ {
+ "description": "Purpose: Remediate or mitigate vulnerabilities to prevent them from being exploited, typically through the timely application of vendor-provided patches or other solutions.\nDescription: Vulnerability remediation is intended to resolve or eliminate a vulnerability. For software vulnerabilities, this typically occurs through the deployment and installation of vendor-provided solutions in the form of software updates or patches. When approved patches are unavailable or cannot be deployed, an alternative mitigation or workaround may be applied as a countermeasure to prevent exploitation of the vulnerability. 
This function often follows a positive identification of a vulnerability as the result of the Vulnerability Detection/Scanning/Hunting function.\nOutcome: Exposure to the threat of a vulnerability being exploited is prevented or reduced.",
+ "id": "7-6-2-Function-Vulnerability-remediation",
+ "relationships": {
+ "dest-uuid": "586381d1-7a46-53af-a7dd-33a20aa18d9b",
+ "type": "involves"
+ },
+ "uuid": "782613e3-9030-5b00-96c5-7760a8c3dd15",
+ "value": "7.6.2 Function: Vulnerability remediation"
+ },
+ {
+ "description": "Purpose: Establish the context with which the constituency and its assets should comply to know what should be occurring on the infrastructure.\nDescription: The collection, aggregation, and distillation of policy establishes the basis of acceptable normal activity. The end result is a context that establishes how the constituency and its infrastructure is supposed to be operating under acceptable conditions. For organizational CSIRTs, context includes understanding the organizations acceptable policies, plans, normal operating conditions, accepted risks, and tradeoffs. Understanding and context establish the basis against which observations can be evaluated.\nOutcome: The acceptable observations that are taking place in the constituency are understood. 
This understanding is focused upon changes or impacts to infrastructure and assets.",
+ "id": "8-1-1-Function-Policy-aggregation-distillation-and-guidance",
+ "relationships": {
+ "dest-uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b",
+ "type": "involves"
+ },
+ "uuid": "196cc90c-1439-51c6-b6f8-bdf3afc03f08",
+ "value": "8.1.1 Function: Policy aggregation, distillation, and guidance"
+ },
+ {
+ "description": "Purpose: Provide knowledge of existing assets, ownership, baselines and expected activity supports analysis functions that identify abnormal situational observations.\nDescription: CSIRT teams need to understand the current cyber security state of a constituency, and have a good understanding of what is acceptable security. They may need to know:\nThis information helps establish prioritization of assets that are potentially at risk, which can provide context for incident management activities. The more precise the information available to CSIRT team, the easier it will be to infer security issues and do something about them. Precise information may mean the CSIRT having access to established security policies, current access controls, up-to-date hardware and software inventories, and detailed network diagrams.",
+ "id": "8-1-2-Function-Asset-mapping-to-functions-roles-actions-and-key-risks",
+ "relationships": {
+ "dest-uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b",
+ "type": "involves"
+ },
+ "uuid": "9b963f37-b790-5764-90bc-3d1ff9fd2d52",
+ "value": "8.1.2 Function: Asset mapping to functions, roles, actions, and key risks"
+ },
+ {
+ "description": "Purpose: Collect of information to support the Analysis and Interpretation service and/or other CSIRT services.\nDescription: Information and data collection activities extend beyond feeds providing automated information. 
Collection includes identifying useful sources such as information-relevant external activities including news from other constituencies, media sources, and other CSIRTs or security organizations, internal activities (e.g., organizational changes), technology developments, external events, political events, attack trends, defensive trends, conferences, available training, and more.\nThe data collection function supports other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also supports functions and activities within these services such as analysis, prediction, response, and risk mitigation. Newly collected information may reveal that an attack on a constituent is more likely than before. External events may expose information that identifies new risks to assets for a period of time or require heightened detection activities. Overall the information helps provide actionable information to aid in decision making and incident handling.",
+ "id": "8-1-3-Function-Collection",
+ "relationships": {
+ "dest-uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b",
+ "type": "involves"
+ },
+ "uuid": "0820d6eb-c7cd-5e3a-a50b-0ed3eff7537e",
+ "value": "8.1.3 Function: Collection"
+ },
+ {
+ "description": "Purpose: Establish a reliable, consistent, and current set of data that can support CSIRT activities and the requirements of the analysis service.\nDescription: Data processing and preparation includes transformation, processing, normalization, and validation of a set of data. Sources of cybersecurity data need to be validated for accuracy often due to a high number of false positives. The relevant data also typically comes in different formats, and new data needs to be combined with historical data before a complete analysis can be performed. Some types of data (such as news articles) may need to be analyzed or processed as part of the preparation process. 
One example would be extracting relevant security information from a news article (e.g., names, dates, places, technical information, weaknesses, system names) and comparing it with internal data for potential impacts.\nSome analysis methods require data to be stored in the same format, or for files to have the same number of records. There are multiple processing steps that may be involved to prepare the data. Data augmentation (also called enrichment) is performed by including other available information related to a given piece of data from other internal and external sources. For example, teams may collect information related to internet protocol addresses (IP addresses) such as autonomous system identifiers, country codes, or geo-location data. For internal asset information, teams may enrich their asset inventory data with the name of the asset owner, their role, their permissions on other assets, their physical working location over time, and more.",
+ "id": "8-1-4-Function-Data-processing-and-preparation",
+ "relationships": {
+ "dest-uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b",
+ "type": "involves"
+ },
+ "uuid": "590df301-202c-5f0d-96b0-dd101a35713a",
+ "value": "8.1.4 Function: Data processing and preparation"
+ },
+ {
+ "description": "Purpose: Analyze the information collected during data acquisition with the intent of identifying current or predicting future situational pictures.\nDescription: The process of inferring the current state of a situation and making predictions about the possible likely near-term pictures based on the status and dynamics of the collected data. 
Sometimes the data may quickly show a security issue.\nOutcome: The situational picture is updated along with knowledge about when a situational picture will change and how it might change.",
+ "id": "8-2-1-Function-Projection-and-inference",
+ "relationships": {
+ "dest-uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836",
+ "type": "involves"
+ },
+ "uuid": "211ab4e9-44fa-50de-bbc6-e2c564c40d47",
+ "value": "8.2.1 Function: Projection and inference"
+ },
+ {
+ "description": "Purpose: Determine and confirm the details of the current situational picture for the constituency.\nDescription: The systematic and often directed searching for anomaly activity inside and outside of network boundaries based upon external and internal information and trends. To assist the constituency with analyzing its data from sensors and other sources to draw conclusions about its environment and situation. For example, if an anti-virus sensor sends an alert of a suspicious file, the team may analyze the system configuration, the sensor configuration, the file that was alerted, the user activity at the time, and more, to draw a conclusion about the severity of the observation. This function may receive significant input from the Security Event Management service area. The observations from sensors that are used to detect events may be shared among multiple services.\nCSIRT teams also need to determine the current situational picture based upon specific pieces of information about threats. 
This activity may sometimes be called “threat hunting.” Typically, threat hunting involves either preparing the environment to detect specific threat activity, or searching for specific threat activity that may already be present.",
+ "id": "8-2-2-Function-Event-detection-through-alerting-and-or-hunting",
+ "relationships": {
+ "dest-uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836",
+ "type": "involves"
+ },
+ "uuid": "6eb6ed02-3d30-5dcc-94fd-1a6fad36fe39",
+ "value": "8.2.2 Function: Event detection (through alerting and/or hunting)"
+ },
+ {
+ "description": "Purpose: Identify new insights during incidents that may help limit damage, mitigate future risk, or identify a newly created weakness.\nDescription: Performing analysis of specific evidence assists in identifying insights to support incident resolution. Sometimes, CSIRTs may focus their situational analysis to support a specific desired outcome such as incident resolution. Certain responses to an incident may affect a situational picture differently, and responders may ask for analysis (e.g., impact, cost, risk of failure) of choices. The decision-making needs of the constituency may change as their situational picture evolves, and the CSIRT team may initiate new analysis processes to assist them. This activity is related to the Incident Management Service Area. Incident Management functions are supported by Situational Awareness and the situational picture may change based upon Incident Management activities.\nOutcome: Situational awareness is enhanced for incident management functions based upon new observations. 
Updated situational picture based upon incident management activities.",
+ "id": "8-2-3-Function-Information-security-incident-management-decision-support",
+ "relationships": {
+ "dest-uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836",
+ "type": "involves"
+ },
+ "uuid": "846332ed-ee2c-59d7-b16b-8f764f798efd",
+ "value": "8.2.3 Function: Information security incident management decision support"
+ },
+ {
+ "description": "Purpose: Determine the expected potential impact of a given observation or possible observation to a situational picture.\nDescription: This function identifies the impact a projection or inference may have upon a current or near-term future situation. An impact may include raising or lowering certain risks such as data loss, system downtime, or effects on data confidentiality/availability/integrity.\nOutcome: An analysis is produced of the likely possible impact that an inference or projection may have upon a situation.",
+ "id": "8-2-4-Function-Situational-impact",
+ "relationships": {
+ "dest-uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836",
+ "type": "involves"
+ },
+ "uuid": "4860e244-36dc-5b88-b001-1f5c1ad679fd",
+ "value": "8.2.4 Function: Situational impact"
+ },
+ {
+ "description": "Purpose: Inform constituents (and others) of the current situational picture and how it may be changing.\nDescription: Once the results of Analyze and Interpret are complete, they can be used to improve decision-making via both internal and external communication processes. Specific pieces of information are distributed based upon who needs to know them. Communication includes the method of delivery and the content that is being delivered. A CSIRT team might communicate new information and how it will change the situational picture. An example of this would be reporting the expected change a new malicious technique it has observed during an incident would have upon a constituent member. 
It may also include trend information such as the most useful sources of enrichment data and steps in which constituents can use it to improve their own situational awareness.\nOutcome: Constituents are better informed and are prepared to take actions or make decisions that will improve their security or situation.",
+ "id": "8-3-1-Function-Internal-and-external-communication",
+ "relationships": {
+ "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a",
+ "type": "involves"
+ },
+ "uuid": "075998fd-b4fb-526d-a70f-4f8cfad99950",
+ "value": "8.3.1 Function: Internal and external communication"
+ },
+ {
+ "description": "Purpose: Create results, artefacts, or findings that communicate critical information discovered or created during analysis to audiences in a manner and format that they will understand.\nDescription: Reports and recommendations should clearly indicate the choices and actions faced by constituents, and include analysis of the expected consequences of each choice or action. Communication of findings should include a list of evidence supporting the analysis and the recommendation (if a recommendation is made). The methods used to create the findings should be clearly explained to the audience so they can also judge the claims presented. 
The CSIRT team may create reports on a single event, a series of events, trends, patterns, possible events, or more to support the needs for their constituency to understand a situational picture.\nOutcome: The capability to provide accurate, timely, and complete reports on the situational picture, the evidence that supports the conclusions, and/or recommendations on possible courses of action and their potential effects to the constituency is improved.",
+ "id": "8-3-2-Function-Reporting-and-recommendations",
+ "relationships": {
+ "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a",
+ "type": "involves"
+ },
+ "uuid": "cc7e641f-9832-5741-9d66-31e16da22395",
+ "value": "8.3.2 Function: Reporting and recommendations"
+ },
+ {
+ "description": "Purpose: Adapt the constituent environment based on communications to be more prepared for or react to changes in the situational picture.\nDescription: In some instances, a CSIRT team may also perform the recommended adjustments to parts of the security infrastructure, for example changing the firewall rules on a particular honey pot based upon situational analysis.\nOutcome: A course of action is performed or a change to the infrastructure is implemented by constituents based upon received communications containing analysis, projections, and/or recommendations.",
+ "id": "8-3-3-Function-Implementation",
+ "relationships": {
+ "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a",
+ "type": "involves"
+ },
+ "uuid": "12d1b92a-7085-5363-9cf2-49d7d496adf1",
+ "value": "8.3.3 Function: Implementation"
+ },
+ {
+ "description": "Purpose: Assemble, normalize, and prepare information and then share it with constituents and others outside the constituency.\nDescription: This function may include the following sub-functions:\nOutcome: Situational Awareness Analysis outputs are used as inputs (both internally and among constituents) into in key decision processes e.g., threat hunting, incident analysis, resolution. 
Outputs are disseminated as part of handling or detecting incidents. Information and data coming from Situational Awareness can also become Best Practices, Reports, Training and Awareness Material through the Knowledge Transfer service area.",
+ "id": "8-3-4-Function-Dissemination-integration-information-sharing",
+ "relationships": {
+ "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a",
+ "type": "involves"
+ },
+ "uuid": "5eec9a44-81e6-52fc-b4ac-b22056b5cbae",
+ "value": "8.3.4 Function: Dissemination / integration / information sharing"
+ },
+ {
+ "description": "Purpose: Ensure transfer of information is successful and useable.\nDescription: This function may include the following sub-functions:\nOutcome: Assurance is provided that the right information is being shared, and that once shared, it is received by partners, constituents, and other community members. Reports are provided on sharing activity.",
+ "id": "8-3-5-Function-Management-of-information-sharing",
+ "relationships": {
+ "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a",
+ "type": "involves"
+ },
+ "uuid": "5f79b6cb-7bf3-545f-8165-15e16b521d87",
+ "value": "8.3.5 Function: Management of information sharing"
+ },
+ {
+ "description": "Purpose: Improve the quality, timeliness, accuracy, and relevance of the data being received from internal and external sources.\nDescription: This function involves providing and receiving feedback on information provided, received, and used by the constituency, other service providers or other stakeholders. Was the information received accurate, applicable, timely, strategic, new/novel, etc.? Was it helpful in resolving an investigation? Did it lead to a new insight? This may mean providing information also to other CSIRT (as an external source) on the usefulness of or changes to signatures, honeypot findings, IOCs, warnings, threat information, mitigations, etc. This activity may also be performed by the Knowledge Transfer service area. 
If so, the results should be communicated back to the Situational Awareness service area.\nOutcome: Observations and feedback is provided to internal and external sources in order to improve the accuracy, timeliness, quality, and usefulness of information received.",
+ "id": "8-3-6-Function-Feedback",
+ "relationships": {
+ "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a",
+ "type": "involves"
+ },
+ "uuid": "37c13f13-934c-58cb-a19e-d4943c296500",
+ "value": "8.3.6 Function: Feedback"
+ },
+ {
+ "description": "Purpose: Aggregate, collate, and prioritize information that can be disseminated to the constituency for the improvement of the security posture and prevention and mitigation of risks.\nDescription: This function involves researching and aggregating information relevant for building awareness materials and reports, including from outcomes of other services/functions, especially from the Security Event Management, Incident Management, and Situational Awareness service areas.\nOutcome: Information about relevant trends, ongoing incidents, and best practices, is aggregated and can be used to develop reports and awareness materials for varied audiences.",
+ "id": "9-1-1-Function-Research-and-information-aggregation",
+ "relationships": {
+ "dest-uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978",
+ "type": "involves"
+ },
+ "uuid": "09ad25f5-0d1d-5e1d-927f-0f4b41e08817",
+ "value": "9.1.1 Function: Research and information aggregation"
+ },
+ {
+ "description": "Purpose: Use the information aggregated and researched as being relevant to produce materials in different media with the goal of reaching different audiences or delivering specific content in the best way possible.\nDescription: This function involves developing materials for diverse audiences (technical staff, management, end users, etc.) 
and in various formats, such as presentations, short videos, cartoons, booklets, technical analysis, trend reports, and annual reports.\nOutcome: CSIRT reports and awareness materials of adequate quality are developed to meet the needs of the constituency utilizing varied and effective delivery techniques and platforms.", + "id": "9-1-2-Function-Reports-and-awareness-materials-development", + "relationships": { + "dest-uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978", + "type": "involves" + }, + "uuid": "56c482ba-9666-512a-ae1f-b8a0206747c2", + "value": "9.1.2 Function: Reports and awareness materials development" + }, + { + "description": "Purpose: Disseminate security-related information to improve awareness and implementation of security practices.\nDescription: The function involves implementing a process of information dissemination that can help the CSIRT to best deliver its reports and awareness materials to its constituency based on the characteristics of different audiences and content.\nOutcome: Information dissemination framework is implemented to enables the CSIRT’s constituency to have access to timely and relevant information through different methods, including podcasts, blog posts, social media posts and videos, press releases, advertisements, campaigns, public reports, etc.", + "id": "9-1-3-Function-Information-dissemination", + "relationships": { + "dest-uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978", + "type": "involves" + }, + "uuid": "2b11da11-89a8-5045-ab7a-cc18fdde397a", + "value": "9.1.3 Function: Information dissemination" + }, + { + "description": "Purpose: Develop and maintain relationships with experts or organizations that may help or be part of the execution of the mission of the CSIRT.\nDescription: This function involves building partnerships, promoting cooperation, and engaging key stakeholders, internal or external to the constituency, with the goal of: disseminating awareness and best practices; helping the constituency and external 
stakeholders understand the services and benefits a CSIRT can provide; helping the CSIRT to better understand constituents’ needs; and enabling the realization of CSIRT’s mission. This may involve ensuring interoperability or fostering collaboration between or across organizations.\nOutcome: Active and consistent outreach activities are performed that may include, but are not limited to, meeting with key stakeholders, participating in sector meetings, presenting at conferences, and organizing conferences.", + "id": "9-1-4-Function-Outreach", + "relationships": { + "dest-uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978", + "type": "involves" + }, + "uuid": "7b3c6d93-b3b9-5e12-88bf-3ea893bb3534", + "value": "9.1.4 Function: Outreach" + }, + { + "description": "Purpose: Properly assess, identify, and document what the constituency needs are in terms of requisite KSAs, to develop appropriate training and education materials and improve its skill level.\nDescription: The function involves collecting knowledge, skill, and ability (KSA) needs and the competence of a constituency in regard to determining what training and education should be provided.\nOutcome: Constituency KSA needs are characterized and documented to be used as basis for developing relevant education and training materials.", + "id": "9-2-1-Function-Knowledge-skill-and-ability-requirements-gathering", + "relationships": { + "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", + "type": "involves" + }, + "uuid": "2aed30ce-0f9a-52be-b2e4-1db9768a9b2e", + "value": "9.2.1 Function: Knowledge, skill, and ability requirements gathering" + }, + { + "description": "Purpose: Develop, using the constituency’s KSA needs as a basis, educational, instructional, and training material that is appropriate to the delivery methods identified as the best to reach different audiences or deliver specific content.\nDescription: This function involves building or acquiring content of educational and training materials such as 
presentations, lectures, demonstrations, simulations, videos, books, booklets, etc.\nOutcome: CSIRT training and education materials utilizing varied and effective presentation techniques and platforms are developed that are of appropriate quality and that meet the needs of the constituency.", + "id": "9-2-2-Function-Educational-and-training-materials-development", + "relationships": { + "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", + "type": "involves" + }, + "uuid": "73d70e3f-d17d-59c8-9777-1789f5546ee2", + "value": "9.2.2 Function: Educational and training materials development" + }, + { + "description": "Purpose: Develop a formal process for content delivery that can help the CSIRT to best deliver the content to its constituency, based on the characteristics of different audiences and content.\nDescription: This function involves the transfer of knowledge and content to “students.” This can occur via various methods, such as computer-based/online training (CBT/WBT), instructor-led, virtual, conferences, presentations, labs, capture the flag (CTF) competitions, books, online videos, etc.\nOutcome: A content delivery framework has been designed to help the constituency learn technical and soft skills and processes, using all alternative approaches, including books, booklets, online videos, presentations, hands-on labs, CTFs, CBT/WBT, in-person training, etc. 
This results in constituency members who understand the content delivered.", + "id": "9-2-3-Function-Content-delivery", + "relationships": { + "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", + "type": "involves" + }, + "uuid": "0020fe87-a46c-5d8f-b367-1c2e3e0e3680", + "value": "9.2.3 Function: Content delivery" + }, + { + "description": "Purpose: Develop a program for CSIRT staff, constituency members, or external trusted partners to learn from experienced staff through an established relationship.\nDescription: A Mentoring program can help provide a formal as well as informal mechanism for the mentor to share with the mentee about education and skill development, insights, and life and career experiences outside of the official reporting relationship and structure of the team. This can involve on-site visits, rotation (exchange), shadowing, and discussing rationale for specific decisions and actions.\nOutcome: Retention, loyalty, confidence, and overall ability to make sound decisions has been increased in the CSIRT team. Constituents have improved skill levels and a better relationship with its CSIRT. Improved capacity and capability of the constituency and the CSIRT team members, including the development of trusted relationships.", + "id": "9-2-4-Function-Mentoring", + "relationships": { + "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", + "type": "involves" + }, + "uuid": "464fcd48-9373-5bc2-87b7-41329d3f17e3", + "value": "9.2.4 Function: Mentoring" + }, + { + "description": "Purpose: Help staff members successfully and appropriately plan and develop their careers.\nDescription: Once the appropriate skills have been identified, professional development is used by a CSIRT to promote a continuous process of securing new knowledge, skills, and abilities that relate to the security profession, unique job responsibilities, and the overall Team environment. 
This can include attending conferences, advanced training, and cross-training activities, among others.\nOutcome: Developed and trained staff are available with the requisite technical and soft skills and process understanding, and who are up to date based on the job roles and needs. CSIRT members are ready to address the daily operational challenges, supporting both the team and its customers.", + "id": "9-2-5-Function-CSIRT-staff-professional-development", + "relationships": { + "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", + "type": "involves" + }, + "uuid": "aa25755a-b579-5e32-b56d-de22f27a1093", + "value": "9.2.5 Function: CSIRT staff professional development" + }, + { + "description": "Purpose: Ensure an effective outcome of the exercise by concentrating on specific issues for the given scope and focus of the exercise.\nDescription: Determine the learning objectives and scope of the exercise. Define the specific services, capabilities, and topics to be covered by the exercise. Ensure exercise includes activities and topics that relate to required or desired skills needed by the participants, as well as the processes that should be tested.\nOutcome: A description of the purpose of the exercise is determined, along with an outline of the learning objectives to be met.", + "id": "9-3-1-Function-Requirements-analysis", + "relationships": { + "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", + "type": "involves" + }, + "uuid": "ee6162f7-21ea-5cdd-a0fc-545d8091230e", + "value": "9.3.1 Function: Requirements analysis" + }, + { + "description": "Purpose: Specify and determine the internal and external resources and infrastructure needed to conduct the exercise.\nDescription: Define the format and platform needed to meet the objectives and deliver the expected outcomes of the exercise.\nOutcome: The type of exercise (table top, hands-on, simulation, etc.) 
is identified, as well as the internal and external resources needed to conduct the exercise.", + "id": "9-3-2-Function-Format-and-environment-development", + "relationships": { + "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", + "type": "involves" + }, + "uuid": "ac9504da-24b6-5c81-9fe1-f7a431e4f923", + "value": "9.3.2 Function: Format and environment development" + }, + { + "description": "Purpose: Provide an opportunity for the target audience to improve the efficiency and effectiveness of its services and functions, and its skills, knowledge, and abilities, through the handling of simulated cybersecurity events/incidents, including communications aspects.\nDescription: Development of exercise scenarios in support of stakeholder objectives. Deliverables also include instructions and guidance to the participants and exercise managers; these instructions include recommended actions for the participants detailing some/all scenario steps.\nOutcome: A main scenario with variants and various types of formalized injects is developed, along with tasks and role allocation to the exercise management team.", + "id": "9-3-3-Function-Scenario-development", + "relationships": { + "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", + "type": "involves" + }, + "uuid": "56758ca4-2097-5595-9cdc-4e96a5a2d393", + "value": "9.3.3 Function: Scenario development" + }, + { + "description": "Purpose: Conduct drills/exercises allowing a CSIRT team to increase its confidence in the validity of an organization’s CSIRT plan and its ability for execution.\nDescription: The function involves performing readiness testing of constituent “students” to test their ability to apply training and perform job or task functions. Can be in the form of real or virtual environments, simulations, field tests, table tops, mock scenarios, or a combination, with injects being provided in a structured manner. 
This will also help determine the level at which the team is operating, as well as if and where it has room for improvement.\nOutcome: A CSIRT has assessed its preparedness and readiness, ensuring the KSAs, key processes, and execution all work successfully together, or must be adapted/improved.", + "id": "9-3-4-Function-Exercises-execution", + "relationships": { + "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", + "type": "involves" + }, + "uuid": "0f53da26-438b-589e-9312-1306817aadc5", + "value": "9.3.4 Function: Exercises execution" + }, + { + "description": "Purpose: Perform a formal and objective analysis of the exercise, based on factual observations.\nDescription: Develop an after-action report which includes lessons learned or findings/best practices from the exercise, and provide an assessment to the stakeholders/management.\nOutcome: Deliverables are created highlighting the success of the exercise, areas for improvement, general findings, and recommended actions to take in order to improve: the organization incident management capabilities, the CSIRT’s team processes, and the capabilities of individual constituents and of the stakeholder community as a whole, including communications capabilities and procedures.", + "id": "9-3-5-Function-Exercise-outcome-review", + "relationships": { + "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", + "type": "involves" + }, + "uuid": "6756295a-0996-5335-9775-5e0817d6452e", + "value": "9.3.5 Function: Exercise outcome review" + }, + { + "description": "Purpose: Improve the identification of opportunities and threats, improve controls, improve loss prevention and incident management in conjunction with information security and other relevant functions.\nDescription: Support to activities related to assessing risk or compliance. 
This may include conducting an actual assessment or providing support to evaluate the results of an assessment.\nOutcome: The constituency is able to identify risks and threats and select relevant risk management options, including appropriate and effective incident management strategies, security controls, or threat mitigations.", + "id": "9-4-1-Function-Risk-management-support", + "relationships": { + "dest-uuid": "1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f", + "type": "involves" + }, + "uuid": "00c5701f-981f-552c-9570-e64c34f2e2dc", + "value": "9.4.1 Function: Risk management support" + }, + { + "description": "Purpose: Act as a trusted advisor on business continuity and disaster recovery by providing impartial, fact-based advice, considering the environment in which the advice may be used and any resource constraints that apply.\nDescription: Support the constituency in the activities related to organizational resilience, based on risks identified.\nOutcome: The constituency is able to appropriately implement business continuity and disaster recovery plans that include and align with the incident management strategies.", + "id": "9-4-2-Function-Business-continuity-and-disaster-recovery-planning-support", + "relationships": { + "dest-uuid": "1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f", + "type": "involves" + }, + "uuid": "3ff56d44-888a-5283-91eb-78d7780520ff", + "value": "9.4.2 Function: Business continuity and disaster recovery planning support" + }, + { + "description": "Purpose: Act as a trusted advisor on the development and implementation of policies by providing impartial, fact-based advice, considering the environment in which the advice may be used and any resource constraints that apply.\nDescription: This function supports the constituency in the development, maintenance, institutionalization, and enforcement of policies, while ensuring they enable and support incident management activities. 
For internal CSIRTs, this typically includes support for information security and other operating policies. For coordinating and National CSIRTs, this might include support for public policies and new legislation.\nOutcome: The constituency is able to develop effective policies, institutionalize policies, and enable effective incident management strategies.", + "id": "9-4-3-Function-Policy-support", + "relationships": { + "dest-uuid": "1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f", + "type": "involves" + }, + "uuid": "4edbd01e-5a3f-590d-8710-c4415de25da4", + "value": "9.4.3 Function: Policy support" + }, + { + "description": "Purpose: Provide technical advice that can help the constituency to better manage risks and threats and implement current operational and security best practices, while enabling effective incident handling activities.\nDescription: This function provides support and recommendations for the improvement of cybersecurity related infrastructures, tools, and services for its constituency, with the goal of improving the security posture and incident management overall.\nThis might include advice on", + "id": "9-4-4-Function-Technical-advice", + "relationships": { + "dest-uuid": "1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f", + "type": "involves" + }, + "uuid": "f5e364b6-f790-5727-af91-0b979ef6b967", + "value": "9.4.4 Function: Technical advice" + } + ], + "version": 1 +} diff --git a/galaxies/first-csirt-services-framework.json b/galaxies/first-csirt-services-framework.json new file mode 100644 index 0000000..91152f9 --- /dev/null +++ b/galaxies/first-csirt-services-framework.json 
@@ -0,0 +1,9 @@
+{
+ "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide",
+ "icon": "user",
+ "name": "FIRST CSIRT Services Framework",
+ "namespace": "first",
+ "type": "first-csirt-services-framework",
+ "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb",
+ "version": 1
+}
diff --git a/tools/gen_csf.py b/tools/gen_csf.py
new file mode 100644
index 0000000..13413aa
--- /dev/null
+++ b/tools/gen_csf.py
@@ -0,0 +1,125 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# A simple convertor script to generate galaxies from the MITRE NICE framework +# https://niccs.cisa.gov/workforce-development/nice-framework +# Copyright (C) 2024 Jean-Louis Huynen +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +import requests +import json +import os +import uuid +import re +from bs4 import BeautifulSoup + +# uuidv4 generated to be concatenated in v5: 43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0 + +galaxy = { + "namespace": "first", + "type": "first-csirt-services-framework", + "name": "FIRST CSIRT Services Framework", + "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide", + "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", + "version": 1, + "icon": 'user' +} + +cluster = { + 'authors': ["FIRST", "CIRCL", "Jean-Louis Huynen"], + 'category': 'csirt', + "type": "first-csirt-services-framework", + "name": "FIRST CSIRT Services Framework", + "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and 
associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide", + "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", + 'source': 'https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1', + 'values': [], + 'version': 1 +} + +# URL to download +url = "https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#5-Service-Area-Information-Security-Event-Management" + +# Send a GET request to the webpage +response = requests.get(url) + +def extract_text(element): + content = element.find_next_siblings('p', limit=3) + content_text = "" + for i, elm in enumerate(content): + if i !=0 : + content_text += "\n" + elm.text.strip() + else: + content_text += elm.text.strip() + return content_text + +def remove_heading(input_string): + return re.sub(r'^\d+(\.\d+)*\s+', '', input_string) + +# Check if the request was successful +if response.status_code == 200: + # Parse the page content with BeautifulSoup + soup = BeautifulSoup(response.content, 'html.parser') + + # Extract the section titled "4 CSIRT Services Framework Structure" + section_header = soup.find('h2', id="5-Service-Area-Information-Security-Event-Management") + if section_header: + + services = section_header.find_next_siblings('h3') + functions = section_header.find_next_siblings('h4') + + for service in services: + name = remove_heading(service.text.strip()) + suuid = str(uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name)) + cluster["values"].append( + { + "description": extract_text(service), + "uuid" : suuid, + "value": name, + "related": [] + } + ) + + for function in functions: + # get the parent service + parent_service = function.find_previous('h3') + relationship = { + "dest-uuid": str(uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), remove_heading(parent_service.text.strip()))), + "type": "used-by" + } + + name = remove_heading(function.text.strip()) + + 
cluster["values"].append( + { + "description": extract_text(function), + "uuid" : str(uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name)), + "value": name, + "related": [relationship] + } + ) + + with open(os.path.join(os.path.dirname(__file__), '..', 'galaxies', f'first-csirt-services-framework.json'), 'w') as f: + json.dump(galaxy, f, indent=2, sort_keys=True, ensure_ascii=False) + f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things + + with open(os.path.join(os.path.dirname(__file__), '..', 'clusters', f'first-csirt-services-framework.json'), 'w') as f: + json.dump(cluster, f, indent=2, sort_keys=True, ensure_ascii=False) + f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things + + else: + print("Couldn't find the section header.") +else: + print(f"Failed to download the webpage. Status code: {response.status_code}") From e39ef72be24e5bb479eba72bdc46e5c7a9017ebf Mon Sep 17 00:00:00 2001 From: Jean-Louis Huynen Date: Thu, 22 Aug 2024 16:51:23 +0200 Subject: [PATCH 02/36] add: [first-csirt] with correct cluster file --- clusters/first-csirt-services-framework.json | 1267 ++++++++++-------- 1 file changed, 672 insertions(+), 595 deletions(-) diff --git a/clusters/first-csirt-services-framework.json b/clusters/first-csirt-services-framework.json index ff160d4..205b5d9 100644 --- a/clusters/first-csirt-services-framework.json +++ b/clusters/first-csirt-services-framework.json @@ -1,6 +1,7 @@ { "authors": [ "FIRST", + "CIRCL", "Jean-Louis Huynen" ], "category": "csirt", 
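Review bot: The header comment at the top of tools/gen_csf.py says the script generates galaxies from the MITRE NICE framework and links niccs.cisa.gov, but the code scrapes the FIRST CSIRT Services Framework page; the copied header should read `# A simple convertor script to generate galaxies from the FIRST CSIRT Services Framework` followed by the same URL the `cluster` dict uses as `source`. `response = requests.get(url)` has no timeout, so a stalled connection hangs the generator indefinitely; `response = requests.get(url, timeout=30)` bounds that. `extract_text` takes the next three `<p>` siblings of a heading regardless of which section they belong to and skips list elements, which looks like the reason the generated 9.4.4 description in this commit ends mid-sentence at "This might include advice on" and the 8.3.5 entry announces sub-functions that never appear; walking siblings until the next heading and including list items would be more faithful. The namespace UUID `43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0` is repeated in three `uuid.uuid5` calls and should be one module-level constant, and the `f'first-csirt-services-framework.json'` literals contain no placeholders and can be plain strings.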
@@ -12,889 +13,965 @@ "values": [ { "description": "Purpose: Implement automated, continuous processing of a wide variety of information security event sources and contextual data in order to identify potential information security incidents, such as attacks, intrusions, data breaches or security policy violations.\nDescription: Based on logs, NetFlow data, IDS alerts, sensor networks, external sources, or other available information security event data, apply a range of methods from simple logic or pattern matching rules to the application of statistical models or machine learning in order to identify potential information security incidents. This can involve a vast amount of data and typically, but not necessarily, requires specialized tools such as Security Information and Event Management (SIEM) or big data platforms to process. An important objective of continuous improvement is to minimize the amount of false alarms that need to be analyzed as part of the Analyzing service.\nOutcome: Potential information security incidents are identified for analysis as part of the Analyzing service.", - "relationships": [], - "uuid": "d98bfbdf-c2f2-5a77-9d7e-0af1259e8652", - "value": "5.1 Service: Monitoring and detection" + "related": [], + "uuid": "0c165743-b9fa-528b-95df-2fce12ca302c", + "value": "Service: Monitoring and detection" }, { "description": "Purpose: Triage detected potential information security incidents and their qualification as information security incidents for escalation to the Information Security Incident Management service area or as false alarms.\nDescription: The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. This may require manual or automated gathering of additional information, depending on the detection use case. 
Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues.\nOutcome: Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement.", - "relationships": [], - "uuid": "1f57cd67-7f05-526d-8c89-ee3aa8d8fb50", - "value": "5.2 Service: Event analysis" + "related": [], + "uuid": "3818f4f7-4d89-5ca1-b129-4c31640b130c", + "value": "Service: Event analysis" }, { "description": "Purpose: Receive and process reports of potential information security incidents from constituents, from Information Security Event Management services or third parties.\nDescription: For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically.\nTo enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. 
Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report.", - "relationships": [], - "uuid": "a297eda0-7a70-5e5c-90a2-033cf903e0d3", - "value": "6.1 Service: Information security incident report acceptance" + "related": [], + "uuid": "75b0b609-defa-5302-9354-2e21c1ccfa3e", + "value": "Service: Information security incident report acceptance" }, { "description": "Purpose: Analyze and gain an understanding of a confirmed information security incident.\nDescription: This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit.\nDetailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. 
This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken.", - "relationships": [], - "uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676", - "value": "6.2 Service: Information security incident analysis" + "related": [], + "uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a", + "value": "Service: Information security incident analysis" }, { "description": "Purpose: Analyze and gain an understanding of artefacts related to a confirmed information security incident, taking into consideration the need to preserve forensic evidence.\nDescription: The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, applications codes, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. 
As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply.\nEven without preserving a chain-of-custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments--with or without external accesses from standard wired or wireless networks (such as performing the forensics activities in a sealed or Faraday room), logging of activities, and compliance with procedures.",
- "relationships": [],
- "uuid": "54c519b6-2299-5b21-b331-9b261832a52b",
- "value": "6.3 Service: Artifact and forensic evidence analysis"
+ "related": [],
+ "uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97",
+ "value": "Service: Artifact and forensic evidence analysis"
 },
 {
 "description": "Purpose: Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security.\nDescription: Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned over into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed or new information becomes available that requires further analysis and henceforth may also change the response strategy and plan.\nOutcome: The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. 
Data is restored in case of data loss, if possible.",
- "relationships": [],
- "uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca",
- "value": "6.4 Service: Mitigation and recovery"
+ "related": [],
+ "uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a",
+ "value": "Service: Mitigation and recovery"
 },
 {
 "description": "Purpose: Ensure timely notifications and accurate information distribution; keep the information flow and track the status of activities of entities that are either tasked or requested to participate in responding to the information security incident; and make sure the response plan is carried out and deviations caused by both delays or new information are managed accordingly.\nDescription: Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, this requires suitable escalation and reporting functions established before any information security incident can be handled effectively and efficiently. As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, track their responses and make sure that all parties carrying out activities report back to provide for accurate situational awareness until the information security incident is considered closed and requiring no further coordination.\nStakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. 
To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support.",
- "relationships": [],
- "uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf",
- "value": "6.5 Service: Information security incident coordination"
+ "related": [],
+ "uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70",
+ "value": "Service: Information security incident coordination"
 },
 {
 "description": "Purpose: Provide expertise and contacts to other security experts, CSIRTs, and CSIRT communities in order to help mitigate the crisis.\nDescription: While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. But the response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As it is established in crisis management, a high-ranking role will take over the responsibility of a crisis, thereby changing the usual line of command for the duration of the emergency.\nAs the systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations and provide valuable experience but also the established services and networks of points of contacts.",
- "relationships": [],
- "uuid": "81b922e4-291c-5337-9cc2-910dbfc4bf92",
- "value": "6.6 Service: Crisis management support"
+ "related": [],
+ "uuid": "ee34661b-0cb2-5933-8f19-47d9a0d106fd",
+ "value": "Service: Crisis management support"
 },
 {
 "description": "Purpose: Find, learn of, or search for new (previously unknown) vulnerabilities; vulnerabilities can be discovered by members of the vulnerability management service area or through other related CSIRT activities\nDescription: Discovery of a new vulnerability is a necessary first step that starts the overall 
vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists6), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.\nOutcome: This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT.",
- "relationships": [],
- "uuid": "c01835b0-8786-5dc8-af2c-b83793d6fc8c",
- "value": "7.1 Service: Vulnerability discovery / research"
+ "related": [],
+ "uuid": "e43c7bab-34c9-5ee1-9e40-915d265ccd70",
+ "value": "Service: Vulnerability discovery / research"
 },
 {
 "description": "Purpose: Receive and process vulnerability information reported from constituents or third parties.\nDescription: One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. 
Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. Supporting guidance should include reporting guidelines, contact information, and any disclosure policies.\nTo enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report.",
- "relationships": [],
- "uuid": "8397d943-1507-5d38-a9fe-078549634320",
- "value": "7.2 Service: Vulnerability report intake"
+ "related": [],
+ "uuid": "e3226442-c563-51ef-9a89-76041f970fec",
+ "value": "Service: Vulnerability report intake"
 },
 {
 "description": "Purpose: Analyze and gain understanding of a confirmed vulnerability.\nDescription: The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability.\nThe Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD)7 process.",
- "relationships": [],
- "uuid": "dfdd8b20-7047-56d8-8956-339a1a9bd0ad",
- "value": "7.3 Service: Vulnerability analysis"
+ "related": [],
+ "uuid": "e428df3a-7353-5854-b967-fbbb47079ff6",
+ 
"value": "Service: Vulnerability analysis"
 },
 {
 "description": "Purpose: Exchange information and coordinate the activities with participants involved in a coordinated vulnerability disclosure (CVD) process.\nDescription: The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSRITs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.\nOutcome: Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely.",
- "relationships": [],
- "uuid": "576887a7-b5df-5632-a61f-a93190c65426",
- "value": "7.4 Service: Vulnerability coordination"
+ "related": [],
+ "uuid": "1613a204-9a27-5e3e-83d1-d459fb697ea2",
+ "value": "Service: Vulnerability coordination"
 },
 {
 "description": "Purpose: Disseminate information about known vulnerabilities to constituents so that they can act upon that information to prevent, detect, and remediate/mitigate known vulnerabilities.\nDescription: Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. 
This service often, but not always, occurs following Vulnerability Coordination.\nOutcome: Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist.",
- "relationships": [],
- "uuid": "76235018-30af-5431-a98d-7d03f718b241",
- "value": "7.5 Service: Vulnerability disclosure"
+ "related": [],
+ "uuid": "b797cc28-547c-5347-add9-b69a48676e25",
+ "value": "Service: Vulnerability disclosure"
 },
 {
 "description": "Purpose: Actively take information about known vulnerabilities and act upon that information to prevent, detect, and remediate/mitigate those vulnerabilities.\nDescription: The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies.\nOutcome: Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited.",
- "relationships": [],
- "uuid": "586381d1-7a46-53af-a7dd-33a20aa18d9b",
- "value": "7.6 Service: Vulnerability response8"
+ "related": [],
+ "uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5",
+ "value": "Service: Vulnerability response8"
 },
 {
 "description": "Purpose: Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture.\nDescription: Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. 
This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information.\nOutcome: The following artefacts result from this service:",
- "relationships": [],
- "uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b",
- "value": "8.1 Service: Data acquisition"
+ "related": [],
+ "uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12",
+ "value": "Service: Data acquisition"
 },
 {
 "description": "Purpose: Assess when the situation does not match with expectations (e.g., when specific assets may be about to experience a harmful event).\nDescription: The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. 
New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency.\nOutcome: A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told.",
- "relationships": [],
- "uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836",
- "value": "8.2 Service: Analysis and synthesis"
+ "related": [],
+ "uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4",
+ "value": "Service: Analysis and synthesis"
 },
 {
 "description": "Purpose: Notify constituents or others in the security community about changes in risks to the situational picture.\nDescription: The knowledge obtained from situational awareness must be communicated to the constituency. 
This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers.\nOutcome: Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture.",
- "relationships": [],
- "uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a",
- "value": "8.3 Service: Communication"
+ "related": [],
+ "uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114",
+ "value": "Service: Communication"
 },
 {
 "description": "Purpose: Increase the overall security posture of the constituency and help its members to detect, prevent, and recover from incidents; ensure that constituents are better prepared and educated.\nDescription: This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats.\nOutcome: The constituency is provided with the necessary awareness of:",
- "relationships": [],
- "uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978",
- "value": "9.1 Service: Awareness building"
+ "related": [],
+ "uuid": "895987fb-db75-5840-8aac-363ac47f106f",
+ "value": "Service: Awareness building"
 },
 {
 "description": "Purpose: Provide training and education to a CSIRT constituency (which may include organizational and CSIRT staff) on topics related to cybersecurity, information assurance and incident management.\nDescription: A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. 
Such a program can\nThis can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities.",
- "relationships": [],
- "uuid": "3ccbc324-98cf-585b-a9af-5282ec611130",
- "value": "9.2 Service: Training and education"
+ "related": [],
+ "uuid": "373ea683-406a-589a-b031-d960b3ab2f01",
+ "value": "Service: Training and education"
 },
 {
 "description": "Purpose: Conduct exercises to assess and improve the effectiveness and efficiency of cybersecurity services and functions.\nDescription: Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to\nThis service addresses both the needs of the organization and the needs of its constituents. 
More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives:",
- "relationships": [],
- "uuid": "114aa684-808a-58d2-b325-b4fa54b70662",
- "value": "9.3 Service: Exercises"
+ "related": [],
+ "uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9",
+ "value": "Service: Exercises"
 },
 {
 "description": "Purpose: Ensure the constituency’s policies and procedures include appropriate incident management considerations and, ultimately, enable the constituency to better manage risks and threats, as well as enabling the CSIRT to be more effective.\nDescription: Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT.\nOutcome: A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate.",
- "relationships": [],
- "uuid": "1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f",
- "value": "9.4 Service: Technical and policy advisory"
+ "related": [],
+ "uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf",
+ "value": "Service: Technical and policy advisory"
 },
 {
 "description": "Purpose: Manage log sources and sensors.\nDescription: Sensors and log sources need operational management throughout their lifecycle. They must be deployed, onboarded, and decommissioned. Outages, data quality/scope, and configuration issues must be identified and resolved. 
Sensors that have some form of configuration such as pattern definitions need their configuration maintained in order to remain effective. Sensors may also include external detection services or Open Source Intelligence (OSINT) sources, if they form the basis for detection use cases.\nOutcome: A reliable stream of relevant information security events is available as input for detection use cases.",
- "id": "5-1-1-Function-Log-and-sensor-management",
- "relationships": {
- "dest-uuid": "d98bfbdf-c2f2-5a77-9d7e-0af1259e8652",
- "type": "involves"
- },
- "uuid": "e19f3a4d-6bc7-5409-b423-f45d7c136f9c",
- "value": "5.1.1 Function: Log and sensor management"
+ "related": [
+ {
+ "dest-uuid": "0c165743-b9fa-528b-95df-2fce12ca302c",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "d9acc29a-7c55-5645-8604-40303717d2ab",
+ "value": "Function: Log and sensor management"
 },
 {
 "description": "Purpose: Manage the portfolio of detection use cases through their entire lifecycle.\nDescription: New detection approaches are developed, tested, and improved, and eventually onboarded into a detection use case in production. Instructions for analyst triage, qualification, and correlation need to be developed, for example in the form of playbooks and Standard Operating Procedures (SOPs). Use cases that do not perform well, i.e., that have an unfavorable benefit/effort ratio, need to be improved, redefined, or abandoned. 
The portfolio of detection use cases should be expanded in a risk-oriented way and in coordination with preventive controls.\nOutcome: A portfolio of effective detection use cases that are relevant to the constituency is developed.",
- "id": "5-1-2-Function-Detection-use-case-management",
- "relationships": {
- "dest-uuid": "d98bfbdf-c2f2-5a77-9d7e-0af1259e8652",
- "type": "involves"
- },
- "uuid": "359af5c1-4d4e-59a8-ad46-0dd3538a3bb0",
- "value": "5.1.2 Function: Detection use case management"
+ "related": [
+ {
+ "dest-uuid": "0c165743-b9fa-528b-95df-2fce12ca302c",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "9d870f77-0bbf-523b-b757-8672a6262cef",
+ "value": "Function: Detection use case management"
 },
 {
 "description": "Purpose: Manage of contextual data sources for detection and enrichment.\nDescription: The various contextual data sources that are involved in detection and enrichment need to be managed throughout their lifecycle. These can be live APIs to or exports from other IT systems such as a Configuration Management Database (CMDB), Identity and Access Management (IAM), or Threat Intel systems, or entirely separate data sets that need to be managed manually. 
The latter would be the case for indicator lists, watchlists and whitelists to suppress false positives.\nOutcome: Up to date contextual data is available for both detection and enrichment.",
- "id": "5-1-3-Function-Contextual-data-management",
- "relationships": {
- "dest-uuid": "d98bfbdf-c2f2-5a77-9d7e-0af1259e8652",
- "type": "involves"
- },
- "uuid": "3f6cc41e-c733-57e5-8328-ff39a1fd2c7f",
- "value": "5.1.3 Function: Contextual data management"
+ "related": [
+ {
+ "dest-uuid": "0c165743-b9fa-528b-95df-2fce12ca302c",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "c359f86a-71da-57d3-8edb-256694b41584",
+ "value": "Function: Contextual data management"
 },
 {
 "description": "Purpose: Identify events directly related to other potential or ongoing security incidents.\nDescription: Potential information security incidents pertaining to the same assets (e.g., systems, services, customers) or identities (e.g., users), or which are otherwise directly related to other potential information security incidents are grouped together and escalated as a single information security incident in order to avoid duplicate efforts. 
New potential information security incidents directly related to ongoing information security incidents are assigned to that information security incident instead of opening a new, separate information security incident.\nOutcome: Grouping of related potential information security incidents for combined qualification or updating to an existing information security incident already handled by the Information Security Incident Management service area is performed.",
- "id": "5-2-1-Function-Correlation",
- "relationships": {
- "dest-uuid": "1f57cd67-7f05-526d-8c89-ee3aa8d8fb50",
- "type": "involves"
- },
- "uuid": "2a471554-bc25-5077-a5ce-12a2c67659f7",
- "value": "5.2.1 Function: Correlation"
+ "related": [
+ {
+ "dest-uuid": "3818f4f7-4d89-5ca1-b129-4c31640b130c",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "c9cc1b42-6487-59c6-8e5b-9258b2f33865",
+ "value": "Function: Correlation"
 },
 {
 "description": "Purpose: Triage and qualify detected potential information security incidents in order to identify, categorize, and prioritize true positives.\nDescription: Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. 
In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.\nOutcome: Qualified potential information security incidents are available for handling as part of the Information Security Incident Management service area.",
- "id": "5-2-2-Function-Qualification",
- "relationships": {
- "dest-uuid": "1f57cd67-7f05-526d-8c89-ee3aa8d8fb50",
- "type": "involves"
- },
- "uuid": "27748e0d-6270-5f78-a811-026f7c3a3b2b",
- "value": "5.2.2 Function: Qualification"
+ "related": [
+ {
+ "dest-uuid": "3818f4f7-4d89-5ca1-b129-4c31640b130c",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "660ce9c7-4897-557e-b47a-3cea1c93a473",
+ "value": "Function: Qualification"
 },
 {
 "description": "Purpose: Accept or receive information about an information security incident, as reported from constituents or third parties.\nDescription: Effective intake of information security incident reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (e.g., finders, researchers, ISACs, other CSIRTs). Information security incident reports may include affected devices/networks/users/organizations, conditions already identified like exploited vulnerabilities, impact both on technical and business level, and actions that have been taken to start remediation and/or mitigation steps and potentially resolution. Occasionally, information security incident information may be received jointly as part of the input to other services, most namely the Vulnerability Report Intake (e.g., if an information security incident is reported that has been identified while analyzing a vulnerability report). 
Automatically submitted reports might or might not be acknowledged pending further choices of the implemented interfaces and protocols.\nOutcome: Information security incident reports are appropriately handled from constituents or third parties, including the initiation of documenting or tracking the reports",
- "id": "6-1-1-Function-Information-security-incident-report-receipt",
- "relationships": {
- "dest-uuid": "a297eda0-7a70-5e5c-90a2-033cf903e0d3",
- "type": "involves"
- },
- "uuid": "5f035f21-2330-56bb-bb7e-b1fa0297cd36",
- "value": "6.1.1 Function: Information security incident report receipt"
+ "related": [
+ {
+ "dest-uuid": "75b0b609-defa-5302-9354-2e21c1ccfa3e",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "3010eca9-c35d-5439-a38e-b8f3734d9b95",
+ "value": "Function: Information security incident report receipt"
 },
 {
 "description": "Purpose: Initially review, categorize, prioritize, and process a reported information security incident.\nDescription: Information Security Incident Reports are reviewed and triaged to obtain an initial understanding of the information security incident in question. It is of particular importance whether it has a real information security impact on the target and can result (or has already resulted) in damage to the confidentiality, availability, integrity, and/or authenticity of information assets or other assets. Depending on the amount of detail and quality of the information provided in the initial report, it may or not be obvious whether a real information security incident has occurred or if there is a different reason—such as misconfiguration or hardware failure. 
The next step will be determined on the basis of the preliminary assessment (e.g., process the report for further analysis; seek additional information from the reporter or other sources; decide that the report needs no further action or is a false alarm).\nIt is possible that attacks may originate from within the constituency of a CSIRT, may target this constituency, or the constituency is affected by collateral effects only. If the CSIRT does not provide Information Security Management services for the identified targets, then the report should be forwarded securely to an external group for handling, such as the affected organization(s) or CSIRT(s).",
- "id": "6-1-2-Function-Information-security-incident-triage-and-processing",
- "relationships": {
- "dest-uuid": "a297eda0-7a70-5e5c-90a2-033cf903e0d3",
- "type": "involves"
- },
- "uuid": "0b7c1b02-3238-5354-99ba-0bf86d13878f",
- "value": "6.1.2 Function: Information security incident triage and processing"
+ "related": [
+ {
+ "dest-uuid": "75b0b609-defa-5302-9354-2e21c1ccfa3e",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "b906d2a9-6697-5d12-99ee-2b3c74133a98",
+ "value": "Function: Information security incident triage and processing"
 },
 {
 "description": "Purpose: Categorize, prioritize, and create an initial assessment of an information security incident.\nDescription: The Analyzing Information Security Incidents service begins with a review of the available information to categorize, prioritize, and assess the impact an information security incident has on the involved systems relevant to the CSIRT’s mandate. 
Some of this may have been documented during the Information Security Incident Report Triage and Processing function (of the Information Security Incident Report Intake service) if the information security incident was reported to the CSIRT by a constituent or third party.\nIf prior triage has not already been completed, the information security incident may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., a potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area the CSIRT according to its mandate).",
- "id": "6-2-1-Function-Information-security-incident-triage-prioritization-and-categorization",
- "relationships": {
- "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676",
- "type": "involves"
- },
- "uuid": "4380d80e-ae1d-5206-bf9d-6df5eb6ea4c1",
- "value": "6.2.1 Function: Information security incident triage (prioritization and categorization)"
+ "related": [
+ {
+ "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "e999f7cd-d109-5155-a096-733845fc085f",
+ "value": "Function: Information security incident triage (prioritization and categorization)"
 },
 {
 "description": "Purpose: Intake, catalog, store, and track information related to the information security incident and all information security events that are considered to be part of it.\nDescription: Enable the collection of all valuable information to obtain the best understanding of the context, so that the origin and the content of the information can be appropriately evaluated and tagged to be used for any further processing.\nWhile collecting information, the agreed sharing policies and limitations of what data can be used in which context or for what form of processing must be accepted and adhered to. 
Also, the collection mechanisms and procedures must ensure that proper labeling and attribution of sources is used in order to later validate the origins as well as the appropriateness or authenticity.",
- "id": "6-2-2-Function-Information-collection",
- "relationships": {
- "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676",
- "type": "involves"
- },
- "uuid": "2f37051b-e575-52e5-a523-1268f4af8dc2",
- "value": "6.2.2 Function: Information collection"
+ "related": [
+ {
+ "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "073074bd-6262-573f-b2cb-ac9b5566dda7",
+ "value": "Function: Information collection"
 },
 {
 "description": "Purpose: Initiate and track any other technical analysis in regard to an information security incident.\nDescription: As more detailed technical analysis may be required, such analysis may be executed by other experts (inside or outside the host organization or CSIRT) or other third parties (such as a service provider specialized in such analysis). 
This requires initiating and tracking such activities up to the successful delivery of the desired analysis.\nOutcome: A list of pending and—from the viewpoint of the incident handler coordinating the response to any given information security incident—outsourced analysis is available.",
- "id": "6-2-3-Function-Detailed-analysis-coordination",
- "relationships": {
- "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676",
- "type": "involves"
- },
- "uuid": "0189a652-52a5-559b-ba33-81a6e76c50e0",
- "value": "6.2.3 Function: Detailed analysis coordination"
+ "related": [
+ {
+ "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "4810f533-ce30-53a7-bff9-6dade2d41be7",
+ "value": "Function: Detailed analysis coordination"
 },
 {
 "description": "Purpose: Identify the root cause of the information security incident, identifying the circumstances that allowed the exploited vulnerabilities to exist or that allowed the exploitation to succeed (including but not limited to user behavior).\nDescription: This function involves the process and actions required to understand the architecture, usage, or implementation flaw(s) that caused or exposed systems, networks, users, organizations, etc. to the kind of attack or exploit or compromise as exercised against the targets of an information security incident. It is also concerned with the circumstances in which an attacker could compromise more systems based on the initial access to gain further access.\nDepending on the nature of the information security incident, it may be difficult for a CSIRT to perform this function thoroughly. 
In many situations, this function may best be conducted by the affected target itself, as especially in the context of Coordinating CSIRTs no detailed technical knowledge is available about systems or networks that have been compromised.",
- "id": "6-2-4-Function-Information-security-incident-root-cause-analysis",
- "relationships": {
- "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676",
- "type": "involves"
- },
- "uuid": "261f9cb2-79ba-56a9-b100-cea2c2e2df88",
- "value": "6.2.4 Function: Information security incident root cause analysis"
+ "related": [
+ {
+ "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "d83afb89-203e-57ae-81d4-ded2000b30ed",
+ "value": "Function: Information security incident root cause analysis"
 },
 {
 "description": "Purpose: Enable the usage of all available information to get the best understanding of the context and detect interrelationships that otherwise would not have been recognized or acted upon.\nDescription: This function involves the correlation of available information about multiple information security incidents to determine interrelations, trends, or applicable mitigations from already closed information security incidents to improve the response to currently handled information security incidents.\nOutcome: The bigger picture is understood in terms of situational awareness based on a detailed knowledge about similarities and confirmed or suspected interrelationships of otherwise independent information security incidents.",
- "id": "6-2-5-Function-Cross-incident-correlation",
- "relationships": {
- "dest-uuid": "74b97c9c-c7f5-5c3b-810d-f6ed0fc47676",
- "type": "involves"
- },
- "uuid": "b79d69f5-2ed6-57b2-8061-f7c1e5048de9",
- "value": "6.2.5 Function: Cross-incident correlation"
+ "related": [
+ {
+ "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "1eb8496d-9383-5b95-909b-59670113537f",
+ "value": "Function: Cross-incident correlation"
 },
 {
"description": "Purpose: Compare information gathered from the artefact with other public and private artefacts and/or signature repositories.\nDescription: This function involves identification and characterization of basic information and metadata about artefacts, including but not limited to file types, string outputs, cryptographic hashes, certificates, file sizes, file/directory names. As all available information is gathered and analyzed further, this may be used to review any public/open or private/closed source information repositories to learn more about the artefact or its behavior, as such information can be used to determine the next steps.\nOutcome: Identify Characteristics and/or the signature of digital artefact are identified and any information already known about the artefact including maliciousness, impact, and mitigation.", - "id": "6-3-1-Function-Media-or-surface-analysis", - "relationships": { - "dest-uuid": "54c519b6-2299-5b21-b331-9b261832a52b", - "type": "involves" - }, - "uuid": "eb8aa76f-5262-583f-8e2b-0ab51b602ab8", - "value": "6.3.1 Function: Media or surface analysis" + "related": [ + { + "dest-uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97", + "type": "used-by" + } + ], + "uuid": "7b910715-e5fa-5204-8636-fae5470e7d1e", + "value": "Function: Media or surface analysis" }, { "description": "Purpose: Perform in-depth static analysis of an artefact to determine its complete functionality, regardless of the environment within which it may be executed.\nDescription: To provide a deeper analysis of malware artefacts to include identifying hidden actions and triggering commands. Reverse engineering allows the analyst to dig past any obfuscation and compilation (for binaries) and identify the program, script, or code that makes up the malware, either by uncovering any source code or by disassembling the binary into assembly language and interpreting it. 
The analyst uncovers all of the machine language exposed functions and actions the malware can perform. Reverse engineering is a deeper analysis that is carried out when surface and runtime analysis do not provide the full information needed.\nOutcome: Complete functionality of a digital artefact is derived to understand how it operates, how it is triggered, related system weaknesses that can be exploited, its full impact, and potential damage, in order to develop solutions to mitigate against the artefact and, if appropriate, create a new signature for comparison with other samples.", - "id": "6-3-2-Function-Reverse-engineering", - "relationships": { - "dest-uuid": "54c519b6-2299-5b21-b331-9b261832a52b", - "type": "involves" - }, - "uuid": "5db0d1c6-53fe-5353-9921-318f31288b7d", - "value": "6.3.2 Function: Reverse engineering" + "related": [ + { + "dest-uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97", + "type": "used-by" + } + ], + "uuid": "679596e0-afd5-5e54-ba56-716d47e1a1aa", + "value": "Function: Reverse engineering" }, { "description": "Purpose: Provide insight into the artefact’s operation.\nDescription: This function involves understanding of an artifact’s capabilities via observation while running the sample in a real or emulated environment (e.g., sandbox, virtual environment, and hardware or software emulators).\nUse of a simulated environment captures changes to the host, network traffic, and output from execution. 
The basic premise is to try to see artefact in operation in as close to a real-life situation as possible.", - "id": "6-3-3-Function-Run-time-or-dynamic-analysis", - "relationships": { - "dest-uuid": "54c519b6-2299-5b21-b331-9b261832a52b", - "type": "involves" - }, - "uuid": "dc6c2dc3-0465-5c47-affb-8f2cd115adc0", - "value": "6.3.3 Function: Run time or dynamic analysis" + "related": [ + { + "dest-uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97", + "type": "used-by" + } + ], + "uuid": "7410a6c8-3dd9-5c31-9ca1-1929f00acc61", + "value": "Function: Run time or dynamic analysis" }, { "description": "Purpose: Perform an analysis focused on identifying common functionality or intent, including family analysis of catalogued artefacts.\nDescription: This function involves exploring an artefact’s relationship to other artefacts. This may identify similarities in code or modus operandi, targets, intent, and authors. Such similarities can be used to derive the scope of an attack (e.g., is there a larger target, has similar code been used before).\nComparative analysis techniques can include exact match comparisons or code similarity comparisons. 
Comparative analysis provides a broader view of how the artefact or similar versions of it were used and changed over time, helping to understand the evaluation of malware or other malicious types of artefacts.", - "id": "6-3-4-Function-Comparative-analysis", - "relationships": { - "dest-uuid": "54c519b6-2299-5b21-b331-9b261832a52b", - "type": "involves" - }, - "uuid": "3c9784d5-37bc-50a3-9900-d9fae8d7337d", - "value": "6.3.4 Function: Comparative analysis" + "related": [ + { + "dest-uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97", + "type": "used-by" + } + ], + "uuid": "38014864-0c08-5bbd-8d28-3bde1727d50d", + "value": "Function: Comparative analysis" }, { "description": "Purpose: Define and enforce a plan to restore the integrity of affected systems and return the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality without recreating the context of enabling the original security issue to be exploited again.\nDescription: Without fully understanding the business impact and requirements to mitigate and recover, no meaningful response will be provided. As there is a conflict of interest—tracking the attack to gain more intelligence vs. containing the attack to avoid further losses—it is necessary to take all interests into consideration and work out a response plan that is plausible to address the known facts and provide the desired outcome within the required timeframe.\nAs with all plans, it must be considered that whenever new analysis results become available, the new findings need to be reviewed. Indeed, the response plan will usually need to be changed to provide continuous orientation and guidance. 
But without such plan—unless the response is handled by one small organizational group with little requirement of external interfaces or other entities—the activities might not be carried out effectively or efficiently due to a lack of coordination.", - "id": "6-4-1-Function-Response-plan-establishment", - "relationships": { - "dest-uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca", - "type": "involves" - }, - "uuid": "37274e78-66b0-5766-9fb2-adfe91a96cae", - "value": "6.4.1 Function: Response plan establishment" + "related": [ + { + "dest-uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a", + "type": "used-by" + } + ], + "uuid": "5b155f76-0772-5475-b622-8871d004d94a", + "value": "Function: Response plan establishment" }, { "description": "Purpose: Implement measures that ensure an information security incident does not spread any further, i.e. remains confined to the currently affected system, users, and/or domains to ensure that no further losses (including leakage of documents, changes to databases or data, etc.) can occur.\nDescription: The immediate challenge in case of an information security incident is to stop it from spreading. While systems are compromised or malware is active on end user systems, further data losses and more compromises occur. It is usually the main objective of attacks to reach out to specific data and systems, including attacks (including but not limited to lateral movements) to other organizations both inside and outside the organization suffering from the information security incident. Stopping or at least limiting the extent of any malicious activities or further losses requires short-term actions such as blocking or filtering traffic and removing access to specific services or systems, and can also result in the disconnection of critical systems.\nDenying further access to potentially critical evidence data will allow a full analysis of such evidence. 
Denying further access to other systems and networks will also limit the exposure from liability as a result of damage done to other organizations.", - "id": "6-4-2-Function-Ad-hoc-measures-and-containment", - "relationships": { - "dest-uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca", - "type": "involves" - }, - "uuid": "5176c3e8-4d3a-5029-8ab9-ce9f1e60b8a7", - "value": "6.4.2 Function: Ad hoc measures and containment" + "related": [ + { + "dest-uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a", + "type": "used-by" + } + ], + "uuid": "33646116-25db-59e4-b1a6-c40d96432797", + "value": "Function: Ad hoc measures and containment" }, { "description": "Purpose: Implement changes in the affected domain, infrastructure, or network necessary to fix and prevent this type of activity from reoccurring.\nDescription: Restore the integrity of affected systems and returning the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality. As business reality usually demands systems return to normal operation as soon as possible, there is a risk that not all means of unauthorized access have been removed successfully. Therefore, unless the analysis results are already available, even returned systems must be carefully monitored and managed. Especially if identified vulnerabilities and weaknesses cannot (yet) be eliminated, improved protection and detection mechanisms need to be applied to avoid the same or similar or types of information security incidents.\nOutcome: Measures are applied to restore the systems and services to full functionality as well as capacity. Measures are applied to close any detected vulnerabilities or weakness that contributed to the original information security incident. 
Detection and reaction measures are improved as recommended by the analysis and response plan.", - "id": "6-4-3-Function-System-restoration", - "relationships": { - "dest-uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca", - "type": "involves" - }, - "uuid": "017a410c-ee1b-5e98-9f6c-5dc1517e2766", - "value": "6.4.3 Function: System restoration" + "related": [ + { + "dest-uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a", + "type": "used-by" + } + ], + "uuid": "c23fdfc5-660d-515b-80d9-8e3f6bfb31e4", + "value": "Function: System restoration" }, { "description": "Purpose: Enable the constituents to perform the required management and technical activities in order to successfully mitigate an information security incident and recover from it.\nDescription: A CSIRT may provide direct (onsite) assistance to help the constituents to recover from losses and to remove vulnerabilities. This might be a direct extension of offering analysis services on-site (see above). On the other hand, a CSIRT might choose to support the staff of the constituents responding to the information security incident with more detailed explanations, recommendations, etc.\nOutcome: Response of the constituents is improved and recovery is faster. By adding to the available body of knowledge the future effectiveness and efficiency of related activities may be strengthened. 
In addition, it helps to support those entities inside the constituency that are lacking detailed technical knowledge to carry out the necessary action to respond.", - "id": "6-4-4-Function-Other-information-security-entities-support", - "relationships": { - "dest-uuid": "6169cf22-e075-5528-9c4e-67d70d9743ca", - "type": "involves" - }, - "uuid": "6da607b8-da8d-5574-a049-351809d6505e", - "value": "6.4.4 Function: Other information security entities support" + "related": [ + { + "dest-uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a", + "type": "used-by" + } + ], + "uuid": "ad062821-b88e-54cc-ac56-14ed4d20aeb7", + "value": "Function: Other information security entities support" }, { "description": "Purpose: Engage effectively with stakeholders and establish appropriate multiple communication channels providing the required confidentiality.\nDescription: A CSIRT must account for the most accurate audience as communications are crafted and released. In return, a CSIRT must also be equipped to receive incoming feedback, reports, comments, and questions from a variety of sources based on its own communication.\nThe security policy and the information sharing policy may require information to be handled in a strict manner. 
The CSIRT must be able to share with stakeholders in a reliable, secure, and private manner, both externally and internally.", - "id": "6-5-1-Function-Communication", - "relationships": { - "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", - "type": "involves" - }, - "uuid": "97155050-8e5e-5572-9544-f428386a03e3", - "value": "6.5.1 Function: Communication" + "related": [ + { + "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", + "type": "used-by" + } + ], + "uuid": "cb18913e-ed20-55c8-875b-3c9e522a6167", + "value": "Function: Communication" }, { "description": "Purpose: Alert entities impacted by the information security incident or those that can contribute to the response to it and provide those entities with the required information to understand their role of involvement and any expectations that might exist regarding their cooperation and support.\nDescription: A security incident touches on many internal and potentially external entities and, possibly, systems, and networks. As CSIRTs are a central point for receiving reports of potential information security incidents, they also serve as a hub for notifying authorized points of contact about them. 
The notification usually will provide not only the appropriate technical details but also information about the expected response and a point of contact for any fellow-up.\nOutcome: Information about an information security incident is available to entities required to either take part in the response or to be informed about it.", - "id": "6-5-2-Function-Notification-distribution", - "relationships": { - "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", - "type": "involves" - }, - "uuid": "8a7335ee-ac4a-557f-a6fa-862e64d08335", - "value": "6.5.2 Function: Notification distribution" + "related": [ + { + "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", + "type": "used-by" + } + ], + "uuid": "661ad685-bc5e-5522-84a2-a93f22704f24", + "value": "Function: Notification distribution" }, { "description": "Purpose: Keep communicating with the identified entities and provide a suitable flow of available information in order to enable those entities to benefit from available insights and lessons learned, to apply improved responses or take new ad-hoc measures.\nDescription: As the response to an information security incident progresses, more analysis results and reports from potentially other security experts, CSIRTs, or victims become available.\nIt may be helpful to pass some of the information and lessons learned on to the Knowledge Transfer Service Area (if supported) to improve training and technical documents as well as to help create appropriate awareness, especially if new attacks or incident trends are identified.", - "id": "6-5-3-Function-Relevant-information-distribution", - "relationships": { - "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", - "type": "involves" - }, - "uuid": "3d484cde-fb3a-5ffc-bcd2-5cc2e0e5965a", - "value": "6.5.3 Function: Relevant information distribution" + "related": [ + { + "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", + "type": "used-by" + } + ], + "uuid": "c0d34fe0-118b-5b45-9f39-39ae30d6cfeb", + "value": "Function: 
Relevant information distribution" }, { "description": "Purpose: Track the status of all communication and activities.\nDescription: As many entities are potentially involved in responding to an information security incident, it is necessary to track the status of all communication and activities. This involves the actions requested by a CSIRT or requests for sharing of further information as well as requests for technical analysis of artefacts s or the sharing of indicators of compromise, information about other victims, etc. This primarily occurs when the CSIRT is reliant on expertise and resources outside of the direct control of the CSIRT to effectuate the actions necessary to mitigate an incident. But it also occurs inside larger organizations for which an internal CSIRT coordinates the mitigation and recovery activities.\nBy offering bilateral or multilateral coordination, the CSIRT participates in the exchange of information to enable those resources with the ability to take action to do so or to assist others in the detection, protection, or remediation of ongoing activities from attackers and help to close the information security incident.", - "id": "6-5-4-Function-Activities-coordination", - "relationships": { - "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", - "type": "involves" - }, - "uuid": "1f153ad2-d2ac-5845-a761-61773b2c0571", - "value": "6.5.4 Function: Activities coordination" + "related": [ + { + "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", + "type": "used-by" + } + ], + "uuid": "495754cd-2ffe-5e9c-aca3-8a88a773d416", + "value": "Function: Activities coordination" }, { "description": "Purpose: Ensure that all involved entities within a business have information about the status of current activities so that further decisions about the next steps to be taken are based on the best situational awareness available.\nDescription: Delivering concise and factual information about the current status of activities requested or carried out 
in response to an information security incident. Instead of waiting to be pulled for such information as part of an ongoing coordinated action as required for any successful response, timely reports are critical to enable effective coordination.\nOutcome: Internal stakeholders are apprised of the scope of current activities, actions already completed, and pending ones. The assessed impact of delays, recommendations and requested actions is also communicated, making it possible to understand the overall impact in regard to the selected response strategy and developed plan.", - "id": "6-5-5-Function-Reporting", - "relationships": { - "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", - "type": "involves" - }, - "uuid": "bda99f7b-109c-5dd3-8efd-8cabda9bc85d", - "value": "6.5.5 Function: Reporting" + "related": [ + { + "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", + "type": "used-by" + } + ], + "uuid": "67b7b51d-9502-5363-837e-221602d71b43", + "value": "Function: Reporting" }, { "description": "Purpose: Engage with the (public) media to be able to provide accurate and easy-to-understand factual information about ongoing events to avoid the spread of rumors and misleading information.\nDescription: Communicating with the media is unavailable in many cases. While CSIRTs usually try to avoid such contact, it is important to realize that the media can help to mitigate specific types of ongoing and large-scale attacks causing information security incidents. For this it is necessary to explain what is causing the information security incidents and explain the impact on users and/or organizations. In some cases, a CSIRT might choose to provide this information already in a manner suitable for release to the public, but this certainly requires specific skills inside the CSIRT not readily available in most. 
In any case, if a CSIRT communicates with the media, it must take great care to simplify the technical issues as much as possible and leave out all confidential information.\nOutcome: Factual information providing a clear summary of the ongoing information security incident is developed including steps to be taken by potential victims or outlining the chosen response strategy to recover from the information security incident.", - "id": "6-5-6-Function-Media-communication", - "relationships": { - "dest-uuid": "102ab440-4e13-5544-ac34-5c3a68a014cf", - "type": "involves" - }, - "uuid": "65aab371-c453-52cb-bee0-ac2c17612d74", - "value": "6.5.6 Function: Media communication" + "related": [ + { + "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", + "type": "used-by" + } + ], + "uuid": "eb400206-1fe8-5528-8a98-00391f140514", + "value": "Function: Media communication" }, { "description": "Purpose: Provide established communication resources to help respond to the crisis.\nDescription: As the response to a crisis progresses, information must be distributed and disseminated. 
As the CSIRT has established such resources for its own purposes, crisis management may see it as appropriate or necessary to use such resources.\nOutcome: Available information is distributed to constituents, benefiting from established trust relationships that help to reassure recipients of the accurateness of the information disseminated.", - "id": "6-6-1-Function-Information-distribution-to-constituents", - "relationships": { - "dest-uuid": "81b922e4-291c-5337-9cc2-910dbfc4bf92", - "type": "involves" - }, - "uuid": "614d0ac5-0e20-51f7-a035-e6554be58b17", - "value": "6.6.1 Function: Information distribution to constituents" + "related": [ + { + "dest-uuid": "ee34661b-0cb2-5933-8f19-47d9a0d106fd", + "type": "used-by" + } + ], + "uuid": "a90dd689-1625-5993-8737-15181e520683", + "value": "Function: Information distribution to constituents" }, { "description": "Purpose: Ensure that the crisis management team has a complete overview of current information security incidents and known vulnerabilities to consider this as part of its overall priorities and strategies.\nDescription: The function involves delivering concise and factual information about the current status of cyber security inside the constituency. As a crisis might be used to start other attacks or as occurring attacks might be part of the overall activities leading this crisis, it is very important for the crisis management team to establish complete situational awareness.\nThe CSIRT can provide such situational awareness for its services and constituents. This may either be requested or is expected by standard policies in a time of crisis. 
In any case, as crisis management is only successful based on the established information flow as it depends on coordinate resources to address the most critical aspects of the crisis, reporting must be timely and accurate.", - "id": "6-6-2-Function-Information-security-status-reporting", - "relationships": { - "dest-uuid": "81b922e4-291c-5337-9cc2-910dbfc4bf92", - "type": "involves" - }, - "uuid": "264ccb1c-8a6e-50fe-8b62-b6f5638701f5", - "value": "6.6.2 Function: Information security status reporting" + "related": [ + { + "dest-uuid": "ee34661b-0cb2-5933-8f19-47d9a0d106fd", + "type": "used-by" + } + ], + "uuid": "a1915495-7312-5fbb-a9c5-ecc15c4dc45e", + "value": "Function: Information security status reporting" }, { "description": "Purpose: Inform other entities in a timely manner about the impact caused by the crisis on currently open information security incidents.\nDescription: Informing other entities in a timely manner about the impact caused by the crisis on currently open information security incidents provides a clear understanding of what support can also be provided by the CSIRT during the duration of the crisis, and makes sure that entities understand what to expect. It also makes sure that other parties stop their support or interaction with the CSIRT as they might believe that the crisis is taking over.\nAs the crisis management team may decide to postpone the response to an actual information security incident due to a crisis, such decisions need to be communicated to all entities currently informed and participating. 
This is to avoid misunderstandings and further issues that may also lead to a loss of trust in the CSIRT and/or host organization.", - "id": "6-6-3-Function-Strategic-decisions-communication", - "relationships": { - "dest-uuid": "81b922e4-291c-5337-9cc2-910dbfc4bf92", - "type": "involves" - }, - "uuid": "b0f34860-8f83-5ad0-80e6-034ea4c4f8e6", - "value": "6.6.3 Function: Strategic decisions communication" + "related": [ + { + "dest-uuid": "ee34661b-0cb2-5933-8f19-47d9a0d106fd", + "type": "used-by" + } + ], + "uuid": "1ac12b60-af3e-58f0-8a45-61ea0a06f476", + "value": "Function: Strategic decisions communication" }, { "description": "Purpose: Identify a vulnerability that was exploited as part of a security incident.\nDescription: During the course of analyzing a security incident, information may be discovered that indicates that a vulnerability was exploited by the attacker. An incident may have been enabled through exploitation of a known vulnerability that was previously unpatched or unmitigated; or it may be due to a new (zero-day) vulnerability.\nSome of this vulnerability information might be received as an output from one of the services of the Information Security Incident Management service area if a vulnerability was exploited as part of an incident. 
The information can then be passed on to the Vulnerability Triage function or the Vulnerability Analysis service, as appropriate.", - "id": "7-1-1-Function-Incident-response-vulnerability-discovery", - "relationships": { - "dest-uuid": "c01835b0-8786-5dc8-af2c-b83793d6fc8c", - "type": "involves" - }, - "uuid": "45610cdd-eb2a-5bdd-b9a6-0072ad3a797f", - "value": "7.1.1 Function: Incident response vulnerability discovery" + "related": [ + { + "dest-uuid": "e43c7bab-34c9-5ee1-9e40-915d265ccd70", + "type": "used-by" + } + ], + "uuid": "776f8c85-cd4e-5c93-b57e-fae183d54868", + "value": "Function: Incident response vulnerability discovery" }, { "description": "Purpose: Learn about a new vulnerability from reading public sources or other third-party sources.\nDescription: A CSIRT may initially learn about a new vulnerability from various public sources that announce such information. The sources can include vendor announcements, security websites, mailing lists, vulnerability databases, security conferences, social media, etc. This function may also learn of new vulnerabilities through other third-party sources that may not be completely open to the public, such as through paid subscriptions or premium services where information is shared with only a limited group. Staff may be assigned the responsibility to perform this function and collect information to organize it for further review and sharing. 
Similar vulnerability information might also be received from the services of the Situational Awareness service area.\nOutcome: New vulnerabilities are identified that have been disclosed through public or other external sources.", - "id": "7-1-2-Function-Public-source-vulnerability-discovery", - "relationships": { - "dest-uuid": "c01835b0-8786-5dc8-af2c-b83793d6fc8c", - "type": "involves" - }, - "uuid": "dd419b1f-403b-5880-b86d-c0868fe38819", - "value": "7.1.2 Function: Public source vulnerability discovery" + "related": [ + { + "dest-uuid": "e43c7bab-34c9-5ee1-9e40-915d265ccd70", + "type": "used-by" + } + ], + "uuid": "9ff2dcf3-7b42-5114-9fb9-0d9cd7037845", + "value": "Function: Public source vulnerability discovery" }, { "description": "Purpose: Discover or search for new vulnerabilities as a result of deliberate activities or research.\nDescription: This function includes the discovery of new vulnerabilities as a result of specific CSIRT activities, such as the testing of systems or software using fuzz testing (fuzzing), or through the reverse engineering of malware.\nThis function may also receive input from the service(s) of the Information Security Incident Management service area or the Situational Awareness service area that would initiate this function to look for suspected vulnerabilities.", - "id": "7-1-3-Function-Vulnerability-research", - "relationships": { - "dest-uuid": "c01835b0-8786-5dc8-af2c-b83793d6fc8c", - "type": "involves" - }, - "uuid": "78cfffca-9a7a-5a77-becd-0ae1c4a23cd7", - "value": "7.1.3 Function: Vulnerability research" + "related": [ + { + "dest-uuid": "e43c7bab-34c9-5ee1-9e40-915d265ccd70", + "type": "used-by" + } + ], + "uuid": "d4914b89-870a-5045-a1c9-13e9fc9fd2e0", + "value": "Function: Vulnerability research" }, { "description": "Purpose: Accept or receive information about a vulnerability, as reported from constituents or third parties.\nDescription: Effective intake of vulnerability reports requires mechanisms and processes to 
receive the reports from constituents, stakeholders, and third parties (finders, researchers, vendors, PSIRTs, other CSIRTs or vulnerability coordinators, etc.). Vulnerability information may include affected devices, conditions necessary to exploit the vulnerability, impact (e.g., privilege escalation, data access, etc.), as well as actions taken to resolve the vulnerability, remediation and/or mitigation steps, and resolution. Occasionally, vulnerability information may be received jointly as part of the input to other services, most notably the Information Security Incident Report Intake (e.g., if a vulnerability is reported to be exploited as part of an incident report).\nOutcome: Vulnerability reports from constituents or third parties are appropriately handled, including the initiation of documenting or tracking the reports.", - "id": "7-2-1-Function-Vulnerability-report-receipt", - "relationships": { - "dest-uuid": "8397d943-1507-5d38-a9fe-078549634320", - "type": "involves" - }, - "uuid": "b6fd9a66-77d7-55c2-91e1-754612251b22", - "value": "7.2.1 Function: Vulnerability report receipt" + "related": [ + { + "dest-uuid": "e3226442-c563-51ef-9a89-76041f970fec", + "type": "used-by" + } + ], + "uuid": "951ffc54-483f-5484-8ce4-53dd30534e6a", + "value": "Function: Vulnerability report receipt" }, { "description": "Purpose: Initially review, categorize, prioritize, and process a vulnerability report.\nDescription: Vulnerability Reports are reviewed and triaged to obtain an initial understanding of the vulnerability in question and determine what to do next (e.g., process the vulnerability for further analysis, seek additional information from the reporter or other sources, decide that the vulnerability needs no further action). 
Depending on the amount of detail and quality of the information provided in the vulnerability report, it may or not be obvious whether a new vulnerability exists.\nUnless there is a reason to decline a vulnerability report, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling. If the CSIRT does not provide a Vulnerability Analysis service, then the report should be securely forwarded to an external group for handling, such as the affected vendor(s), PSIRT(s), or a vulnerability coordinator.", - "id": "7-2-2-Function-Vulnerability-report-triage-and-processing", - "relationships": { - "dest-uuid": "8397d943-1507-5d38-a9fe-078549634320", - "type": "involves" - }, - "uuid": "c85a2e71-318b-592d-82b1-887044320e2a", - "value": "7.2.2 Function: Vulnerability report triage and processing" + "related": [ + { + "dest-uuid": "e3226442-c563-51ef-9a89-76041f970fec", + "type": "used-by" + } + ], + "uuid": "bbf8cea3-869a-56e5-a5cc-a5e0a35f76d5", + "value": "Function: Vulnerability report triage and processing" }, { "description": "Purpose: Categorize, prioritize, and perform an initial assessment of a vulnerability.\nDescription: The Vulnerability Analysis service begins with a review of the available information to categorize, prioritize, and assess whether a vulnerability has some impact on the involved systems and is relevant to the CSIRT’s mandate. 
Some of this may have been documented during the Vulnerability Report Triage and Processing function (of the Vulnerability Report Intake service) if the vulnerability was reported to the CSIRT by a constituent or third party.\nIf prior triage has not already been completed, the vulnerability may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., the potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area of the CSIRT according to its mandate).", - "id": "7-3-1-Function-Vulnerability-triage-validation-and-categorization", - "relationships": { - "dest-uuid": "dfdd8b20-7047-56d8-8956-339a1a9bd0ad", - "type": "involves" - }, - "uuid": "ac49eb2e-a396-5945-8090-b17f6c053b25", - "value": "7.3.1 Function: Vulnerability triage (validation and categorization)" + "related": [ + { + "dest-uuid": "e428df3a-7353-5854-b967-fbbb47079ff6", + "type": "used-by" + } + ], + "uuid": "5abf9c46-780f-5f4a-8e53-e3f7db6afd5a", + "value": "Function: Vulnerability triage (validation and categorization)" }, { "description": "Purpose: Understand the design or implementation flaw that causes or exposes the vulnerability to exist.\nDescription: The goal of this analysis is to identify the root cause of the vulnerability, identifying the circumstances that allow a vulnerability to exist, and in which circumstances an attacker can consequently exploit the vulnerability. This analysis may also attempt to understand the weakness(es) leveraged to instigate an incident and the adversarial tradecraft utilized to leverage that weakness. Depending on the nature of the vulnerability, it may be difficult for a CSIRT to perform this function thoroughly. In some cases, this function may have already been performed by the finder or reporter of the vulnerability. 
In many situations, this function may best be conducted by the product vendor or developer of the affected software or system or their respective PSIRT. It is also possible that a vulnerability is present in more than one product, in which case multiple analyses may be needed of the affected software or systems, requiring coordination with multiple vendors, PSIRTs, or stakeholders.\nOutcome: Understanding of the vulnerability and the way in which malicious actors will be able to use this vulnerability is used to determine remediation or mitigation methods to minimize the risk of exposure or exploitation.", - "id": "7-3-2-Function-Vulnerability-root-cause-analysis", - "relationships": { - "dest-uuid": "dfdd8b20-7047-56d8-8956-339a1a9bd0ad", - "type": "involves" - }, - "uuid": "076812ef-36a6-52bb-800d-74c67a41abf3", - "value": "7.3.2 Function: Vulnerability root cause analysis" + "related": [ + { + "dest-uuid": "e428df3a-7353-5854-b967-fbbb47079ff6", + "type": "used-by" + } + ], + "uuid": "7999a479-b614-5c8f-835c-05f83ccca337", + "value": "Function: Vulnerability root cause analysis" }, { "description": "Purpose: Develop the steps necessary to fix (remediate) the underlying vulnerability or mitigate (reduce) the effects of the vulnerability from being exploited.\nDescription: This function will ideally identify a remediation or a fix for a vulnerability. If a vendor patch or fix is not available in a timely manner, a temporary solution or workaround, called a mitigation, may be recommended, such as disabling the affected software or making configuration changes, to minimize the potential negative effects of the vulnerability. 
Note that the actual application or deployment of a remediation (patch) or mitigation (workaround) is a function of a separate service, called Vulnerability Response in this framework.\nAs part of the Vulnerability Analysis service and Remediation Development, this function may optionally include other sub-functions or activities, such as validating the changing of a procedure or design, reviewing remediation by a third party, or identifying any new vulnerabilities introduced in the remediation steps. Vulnerabilities that are not remediated or mitigated should be documented as acceptable risks.", - "id": "7-3-3-Function-Vulnerability-remediation-development", - "relationships": { - "dest-uuid": "dfdd8b20-7047-56d8-8956-339a1a9bd0ad", - "type": "involves" - }, - "uuid": "e34a0555-baac-5bc3-b0f6-5ba99e7c0c5e", - "value": "7.3.3 Function: Vulnerability remediation development" + "related": [ + { + "dest-uuid": "e428df3a-7353-5854-b967-fbbb47079ff6", + "type": "used-by" + } + ], + "uuid": "3282999a-09d1-5d99-9d23-4773611775be", + "value": "Function: Vulnerability remediation development" }, { "description": "Purpose: Initial share or report new vulnerability information with others who are to be involved in the CVD process.\nDescription: The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including the affected vendors, developers, PSIRTs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.\nOutcome: Vendors (or other CVD participants) are informed about a vulnerability and can act to develop a remediation or mitigation solution.", - "id": "7-4-1-Function-Vulnerability-notification-reporting", - "relationships": { - "dest-uuid": "576887a7-b5df-5632-a61f-a93190c65426", - "type": "involves" - }, - "uuid": "4330ceb5-95d3-566e-bd2c-ed72fc20212d", - "value": "7.4.1 Function: Vulnerability 
notification/reporting" + "related": [ + { + "dest-uuid": "1613a204-9a27-5e3e-83d1-d459fb697ea2", + "type": "used-by" + } + ], + "uuid": "109f1de0-3697-57de-9a27-0786bf3f4c0a", + "value": "Function: Vulnerability notification/reporting" }, { "description": "Purpose: Conduct follow-on coordination and sharing of information among the various stakeholders and participants involved in coordinated vulnerability disclosure (CVD) efforts.\nDescription: Coordinate the exchange of information among the finders/researchers, vendors, PSIRTS, and any other participants in the coordinate vulnerability disclosure (CVD) efforts to analyze and fix the vulnerability and prepare for the disclosure of the vulnerability. This coordination should also include agreement by participants on the timing and synchronization of the disclosure.\nOutcome: Vulnerability information is more effectively, timely, and responsibly shared among participants who can develop or announce a remediation/mitigation solution.", - "id": "7-4-2-Function-Vulnerability-stakeholder-coordination", - "relationships": { - "dest-uuid": "576887a7-b5df-5632-a61f-a93190c65426", - "type": "involves" - }, - "uuid": "d2f116ec-8632-552c-a958-e04cb2701ce3", - "value": "7.4.2 Function: Vulnerability stakeholder coordination" + "related": [ + { + "dest-uuid": "1613a204-9a27-5e3e-83d1-d459fb697ea2", + "type": "used-by" + } + ], + "uuid": "4fb4bb5b-9da7-5b77-8b21-536442585547", + "value": "Function: Vulnerability stakeholder coordination" }, { "description": "Purpose: Develop and maintain a policy that provides a framework and sets expectations for how a CSIRT handles and discloses vulnerabilities and the mechanism(s) used to disclose the vulnerability.\nDescription: CSIRTs that handle vulnerability reports should define their vulnerability disclosure policy and make that policy available to its constituents, stakeholders, and CVD participants, preferably by publishing it on the CSIRT’s website. 
The vulnerability disclosure policy will provide transparency to stakeholders and help to promote appropriate disclosure policies. Policies can range from no disclosure, where no vulnerability information is disclosed, to limited disclosure, where only some information is made available, to full disclosure, where all information is disclosed, which may include proof-of-concept exploits. The disclosure policy should include factors such as the scope of the policy, references to any reporting mechanisms and guidelines, and expected timeframes and mechanisms for the disclosure of the vulnerability.\nOutcome: Trust, collaboration, and control of the disclosure is increased and relationships and coordination with CVD participants is improved.", - "id": "7-5-1-Function-Vulnerability-disclosure-policy-and-infrastructure-maintenance", - "relationships": { - "dest-uuid": "76235018-30af-5431-a98d-7d03f718b241", - "type": "involves" - }, - "uuid": "6e90856e-cdc4-56ff-8be7-afd2fb10d813", - "value": "7.5.1 Function: Vulnerability disclosure policy and infrastructure maintenance" + "related": [ + { + "dest-uuid": "b797cc28-547c-5347-add9-b69a48676e25", + "type": "used-by" + } + ], + "uuid": "3699e27e-0ff9-5fb0-ba84-90e94406f774", + "value": "Function: Vulnerability disclosure policy and infrastructure maintenance" }, { "description": "Purpose: Provide information to constituents (or the public) about a new vulnerability, so that they can detect, remediate or mitigate, and prevent future exploitation of the vulnerability.\nDescription: Disclose vulnerability information to defined constituents. The disclosure can be made through any or all of the mechanisms identified in the vulnerability disclosure policy. Dissemination mechanisms can vary depending on the needs or expectations of the target audience. 
The communication can be in the form of an announcement or security advisory distributed via email or text messaging, a publication posted to a website or social media channel, or other communication forms and channels as appropriate. Content to be included in the disclosure should follow a defined format, which typically can include information such as an overview or description, a unique vulnerability identifier, impact, severity, or CVSS score, resolution (remediation or mitigation), and supporting references or materials.\nOutcome: The vulnerability is prevented, detected, and remediated/mitigated by providing timely, high-quality, effective information to constituents (or public).", - "id": "7-5-2-Function-Vulnerability-announcement-communication-dissemination", - "relationships": { - "dest-uuid": "76235018-30af-5431-a98d-7d03f718b241", - "type": "involves" - }, - "uuid": "458ae77c-ae0e-548e-8db1-9195740162e9", - "value": "7.5.2 Function: Vulnerability announcement/communication/dissemination" + "related": [ + { + "dest-uuid": "b797cc28-547c-5347-add9-b69a48676e25", + "type": "used-by" + } + ], + "uuid": "6e847ac3-774a-5654-b09f-4a6ebcb91e47", + "value": "Function: Vulnerability announcement/communication/dissemination" }, { "description": "Purpose: Receive and respond to questions or reports from constituents about a vulnerability disclosure or document.\nDescription: Following the disclosure of a new vulnerability, CSIRTs can expect to receive follow-on communications in the form of questions from some constituents about a vulnerability document. The questions may indicate a need for clarification, revision, or amendment of the vulnerability disclosure mechanism, if warranted. Information from constituents may simply be an acknowledgement or receipt of the vulnerability document, or the constituent may report an issue or difficulty in deploying the suggested remediation/mitigation. 
If the vulnerability was determined to have been already exploited, constituents may be reporting newly discovered incidents as a result of the vulnerability disclosure. Such reports should feed into the functions of the CSIRT’s Incident Reporting service.\nOutcome: Any questions or requests for assistance are responded to in a timely manner following a vulnerability disclosure.", - "id": "7-5-3-Function-Post-vulnerability-disclosure-feedback", - "relationships": { - "dest-uuid": "76235018-30af-5431-a98d-7d03f718b241", - "type": "involves" - }, - "uuid": "ad6eb2d4-ef88-5128-9ba2-83bd6f84eb5f", - "value": "7.5.3 Function: Post-vulnerability disclosure feedback" + "related": [ + { + "dest-uuid": "b797cc28-547c-5347-add9-b69a48676e25", + "type": "used-by" + } + ], + "uuid": "2228959a-1fc7-54a1-879c-fb17d02947a7", + "value": "Function: Post-vulnerability disclosure feedback" }, { "description": "Purpose: Actively engage in searching for the presence of known vulnerabilities in deployed systems.\nDescription: The goal of this function is to detect any previously unpatched or unmitigated vulnerabilities before they are exploited or impact the network or devices. This function may be initiated in response to an announcement about a new vulnerability, or it may be achieved as part of a periodically scheduled scan for known vulnerabilities. In order to provide vulnerability detection effectively, it is useful to have a systems inventory. 
Having such an inventory that can be queried for software version information can enable an organization to quickly assess the likely prevalence of a newly reported vulnerability in its infrastructure.\nThis function may receive input or be triggered from other services and functions.\nOutcome: Vulnerabilities are detected through formal processes or tools designed to identify.", - "id": "7-6-1-Function-Vulnerability-detection-scanning", - "relationships": { - "dest-uuid": "586381d1-7a46-53af-a7dd-33a20aa18d9b", - "type": "involves" - }, - "uuid": "9dd2ac75-65ee-52c8-bc7e-6ac983b81211", - "value": "7.6.1 Function: Vulnerability detection / scanning" + "related": [ + { + "dest-uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", + "type": "used-by" + } + ], + "uuid": "eab009bc-d429-503f-bdfb-61a067bbee62", + "value": "Function: Vulnerability detection / scanning" }, { "description": "Purpose: Remediate or mitigate vulnerabilities to prevent them from being exploited, typically through the timely application of vendor-provided patches or other solutions.\nDescription: Vulnerability remediation is intended to resolve or eliminate a vulnerability. For software vulnerabilities, this typically occurs through the deployment and installation of vendor-provided solutions in the form of software updates or patches. When approved patches are unavailable or cannot be deployed, an alternative mitigation or workaround may be applied as a countermeasure to prevent exploitation of the vulnerability. 
This function often follows a positive identification of a vulnerability as the result of the Vulnerability Detection/Scanning/Hunting function.\nOutcome: Exposure to the threat of a vulnerability being exploited is prevented or reduced.", - "id": "7-6-2-Function-Vulnerability-remediation", - "relationships": { - "dest-uuid": "586381d1-7a46-53af-a7dd-33a20aa18d9b", - "type": "involves" - }, - "uuid": "782613e3-9030-5b00-96c5-7760a8c3dd15", - "value": "7.6.2 Function: Vulnerability remediation" + "related": [ + { + "dest-uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", + "type": "used-by" + } + ], + "uuid": "06f12023-6c0c-5997-9983-42d9c6473b1b", + "value": "Function: Vulnerability remediation" }, { "description": "Purpose: Establish the context with which the constituency and its assets should comply to know what should be occurring on the infrastructure.\nDescription: The collection, aggregation, and distillation of policy establishes the basis of acceptable normal activity. The end result is a context that establishes how the constituency and its infrastructure is supposed to be operating under acceptable conditions. For organizational CSIRTs, context includes understanding the organizations acceptable policies, plans, normal operating conditions, accepted risks, and tradeoffs. Understanding and context establish the basis against which observations can be evaluated.\nOutcome: The acceptable observations that are taking place in the constituency are understood. 
This understanding is focused upon changes or impacts to infrastructure and assets.", - "id": "8-1-1-Function-Policy-aggregation-distillation-and-guidance", - "relationships": { - "dest-uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b", - "type": "involves" - }, - "uuid": "196cc90c-1439-51c6-b6f8-bdf3afc03f08", - "value": "8.1.1 Function: Policy aggregation, distillation, and guidance" + "related": [ + { + "dest-uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12", + "type": "used-by" + } + ], + "uuid": "0f6fbbcc-1bfc-5a32-94fc-ce5f46019005", + "value": "Function: Policy aggregation, distillation, and guidance" }, { "description": "Purpose: Provide knowledge of existing assets, ownership, baselines and expected activity supports analysis functions that identify abnormal situational observations.\nDescription: CSIRT teams need to understand the current cyber security state of a constituency, and have a good understanding of what is acceptable security. They may need to know:\nThis information helps establish prioritization of assets that are potentially at risk, which can provide context for incident management activities. The more precise the information available to CSIRT team, the easier it will be to infer security issues and do something about them. 
Precise information may mean the CSIRT having access to established security policies, current access controls, up-to-date hardware and software inventories, and detailed network diagrams.", - "id": "8-1-2-Function-Asset-mapping-to-functions-roles-actions-and-key-risks", - "relationships": { - "dest-uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b", - "type": "involves" - }, - "uuid": "9b963f37-b790-5764-90bc-3d1ff9fd2d52", - "value": "8.1.2 Function: Asset mapping to functions, roles, actions, and key risks" + "related": [ + { + "dest-uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12", + "type": "used-by" + } + ], + "uuid": "7094091e-8c9f-539c-a943-78139840bf22", + "value": "Function: Asset mapping to functions, roles, actions, and key risks" }, { "description": "Purpose: Collect of information to support the Analysis and Interpretation service and/or other CSIRT services.\nDescription: Information and data collection activities extend beyond feeds providing automated information. Collection includes identifying useful sources such as information-relevant external activities including news from other constituencies, media sources, and other CSIRTs or security organizations, internal activities (e.g., organizational changes), technology developments, external events, political events, attack trends, defensive trends, conferences, available training, and more.\nThe data collection function supports other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also supports functions and activities within these services such as analysis, prediction, response, and risk mitigation. Newly collected information may reveal that an attack on a constituent is more likely than before. External events may expose information that identifies new risks to assets for a period of time or require heightened detection activities. 
Overall the information helps provide actionable information to aid in decision making and incident handling.", - "id": "8-1-3-Function-Collection", - "relationships": { - "dest-uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b", - "type": "involves" - }, - "uuid": "0820d6eb-c7cd-5e3a-a50b-0ed3eff7537e", - "value": "8.1.3 Function: Collection" + "related": [ + { + "dest-uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12", + "type": "used-by" + } + ], + "uuid": "08183021-1832-52b3-88ff-f6d02497a362", + "value": "Function: Collection" }, { "description": "Purpose: Establish a reliable, consistent, and current set of data that can support CSIRT activities and the requirements of the analysis service.\nDescription: Data processing and preparation includes transformation, processing, normalization, and validation of a set of data. Sources of cybersecurity data need to be validated for accuracy often due to a high number of false positives. The relevant data also typically comes in different formats, and new data needs to be combined with historical data before a complete analysis can be performed. Some types of data (such as news articles) may need to be analyzed or processed as part of the preparation process. One example would be extracting relevant security information from a news article (e.g., names, dates, places, technical information, weaknesses, system names) and comparing it with internal data for potential impacts.\nSome analysis methods require data to be stored in the same format, or for files to have the same number of records. There are multiple processing steps that may be involved to prepare the data. Data augmentation (also called enrichment) is performed by including other available information related to a given piece of data from other internal and external sources. For example, teams may collect information related to internet protocol addresses (IP addresses) such as autonomous system identifiers, country codes, or geo-location data. 
For internal asset information, teams may enrich their asset inventory data with the name of the asset owner, their role, their permissions on other assets, their physical working location over time, and more.", - "id": "8-1-4-Function-Data-processing-and-preparation", - "relationships": { - "dest-uuid": "7e82533f-ab87-5e9e-9a68-83bc3ed34e9b", - "type": "involves" - }, - "uuid": "590df301-202c-5f0d-96b0-dd101a35713a", - "value": "8.1.4 Function: Data processing and preparation" + "related": [ + { + "dest-uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12", + "type": "used-by" + } + ], + "uuid": "0e21609b-98b9-5f58-9be2-b7e627353c51", + "value": "Function: Data processing and preparation" }, { "description": "Purpose: Analyze the information collected during data acquisition with the intent of identifying current or predicting future situational pictures.\nDescription: The process of inferring the current state of a situation and making predictions about the possible likely near-term pictures based on the status and dynamics of the collected data. 
Sometimes the data may quickly show a security issue.\nOutcome: The situational picture is updated along with knowledge about when a situational picture will change and how it might change.", - "id": "8-2-1-Function-Projection-and-inference", - "relationships": { - "dest-uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836", - "type": "involves" - }, - "uuid": "211ab4e9-44fa-50de-bbc6-e2c564c40d47", - "value": "8.2.1 Function: Projection and inference" + "related": [ + { + "dest-uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4", + "type": "used-by" + } + ], + "uuid": "6e5f9ddc-2790-5a94-bf97-c42b02c13dd7", + "value": "Function: Projection and inference" }, { "description": "Purpose: Determine and confirm the details of the current situational picture for the constituency.\nDescription: The systematic and often directed searching for anomaly activity inside and outside of network boundaries based upon external and internal information and trends. To assist the constituency with analyzing its data from sensors and other sources to draw conclusions about its environment and situation. For example, if an anti-virus sensor sends an alert of a suspicious file, the team may analyze the system configuration, the sensor configuration, the file that was alerted, the user activity at the time, and more, to draw a conclusion about the severity of the observation. This function may receive significant input from the Security Event Management service area. The observations from sensors that are used to detect events may be shared among multiple services.\nCSIRT teams also need to determine the current situational picture based upon specific pieces of information about threats. 
This activity may sometimes be called “threat hunting.” Typically, threat hunting involves either preparing the environment to detect specific threat activity, or searching for specific threat activity that may already be present.", - "id": "8-2-2-Function-Event-detection-through-alerting-and-or-hunting", - "relationships": { - "dest-uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836", - "type": "involves" - }, - "uuid": "6eb6ed02-3d30-5dcc-94fd-1a6fad36fe39", - "value": "8.2.2 Function: Event detection (through alerting and/or hunting)" + "related": [ + { + "dest-uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4", + "type": "used-by" + } + ], + "uuid": "724ef355-21f4-5a11-92f5-c5ac725f6820", + "value": "Function: Event detection (through alerting and/or hunting)" }, { "description": "Purpose: Identify new insights during incidents that may help limit damage, mitigate future risk, or identify a newly created weakness.\nDescription: Performing analysis of specific evidence assists in identifying insights to support incident resolution. Sometimes, CSIRTs may focus their situational analysis to support a specific desired outcome such as incident resolution. Certain responses to an incident may affect a situational picture differently, and responders may ask for analysis (e.g., impact, cost, risk of failure) of choices. The decision-making needs of the constituency may change as their situational picture evolves, and the CSIRT team may initiate new analysis processes to assist them. This activity is related to the Incident Management Service Area. Incident Management functions are supported by Situational Awareness and the situational picture may change based upon Incident Management activities.\nOutcome: Situational awareness is enhanced for incident management functions based upon new observations. 
Updated situational picture based upon incident management activities.", - "id": "8-2-3-Function-Information-security-incident-management-decision-support", - "relationships": { - "dest-uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836", - "type": "involves" - }, - "uuid": "846332ed-ee2c-59d7-b16b-8f764f798efd", - "value": "8.2.3 Function: Information security incident management decision support" + "related": [ + { + "dest-uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4", + "type": "used-by" + } + ], + "uuid": "7b9ff2e5-e1f7-5421-985e-0b4024fd0bcc", + "value": "Function: Information security incident management decision support" }, { "description": "Purpose: Determine the expected potential impact of a given observation or possible observation to a situational picture.\nDescription: This function identifies the impact a projection or inference may have upon a current or near-term future situation. An impact may include raising or lowering certain risks such as data loss, system downtime, or effects on data confidentiality/availability/integrity.\nOutcome: An analysis is produced of the likely possible impact that an inference or projection may have upon a situation.", - "id": "8-2-4-Function-Situational-impact", - "relationships": { - "dest-uuid": "7c7c24ea-abb1-563b-b1a8-8d81cb540836", - "type": "involves" - }, - "uuid": "4860e244-36dc-5b88-b001-1f5c1ad679fd", - "value": "8.2.4 Function: Situational impact" + "related": [ + { + "dest-uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4", + "type": "used-by" + } + ], + "uuid": "1aefb16b-05a5-5183-9a98-a5c5536a2846", + "value": "Function: Situational impact" }, { "description": "Purpose: Inform constituents (and others) of the current situational picture and how it may be changing.\nDescription: Once the results of Analyze and Interpret are complete, they can be used to improve decision-making via both internal and external communication processes. Specific pieces of information are distributed based upon who needs to know them. 
Communication includes the method of delivery and the content that is being delivered. A CSIRT team might communicate new information and how it will change the situational picture. An example of this would be reporting the expected change a new malicious technique it has observed during an incident would have upon a constituent member. It may also include trend information such as the most useful sources of enrichment data and steps in which constituents can use it to improve their own situational awareness.\nOutcome: Constituents are better informed and are prepared to take actions or make decisions that will improve their security or situation.", - "id": "8-3-1-Function-Internal-and-external-communication", - "relationships": { - "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a", - "type": "involves" - }, - "uuid": "075998fd-b4fb-526d-a70f-4f8cfad99950", - "value": "8.3.1 Function: Internal and external communication" + "related": [ + { + "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114", + "type": "used-by" + } + ], + "uuid": "df014610-1a6e-5d81-b183-0e6a4af4aa5d", + "value": "Function: Internal and external communication" }, { "description": "Purpose: Create results, artefacts, or findings that communicate critical information discovered or created during analysis to audiences in a manner and format that they will understand.\nDescription: Reports and recommendations should clearly indicate the choices and actions faced by constituents, and include analysis of the expected consequences of each choice or action. Communication of findings should include a list of evidence supporting the analysis and the recommendation (if a recommendation is made). The methods used to create the findings should be clearly explained to the audience so they can also judge the claims presented. 
The CSIRT team may create reports on a single event, a series of events, trends, patterns, possible events, or more to support the needs for their constituency to understand a situational picture.\nOutcome: The capability to provide accurate, timely, and complete reports on the situational picture, the evidence that supports the conclusions, and/or recommendations on possible courses of action and their potential effects to the constituency is improved.", - "id": "8-3-2-Function-Reporting-and-recommendations", - "relationships": { - "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a", - "type": "involves" - }, - "uuid": "cc7e641f-9832-5741-9d66-31e16da22395", - "value": "8.3.2 Function: Reporting and recommendations" + "related": [ + { + "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114", + "type": "used-by" + } + ], + "uuid": "a3a2e61d-3586-5dac-950b-45180d57a060", + "value": "Function: Reporting and recommendations" }, { "description": "Purpose: Adapt the constituent environment based on communications to be more prepared for or react to changes in the situational picture.\nDescription: In some instances, a CSIRT team may also perform the recommended adjustments to parts of the security infrastructure, for example changing the firewall rules on a particular honey pot based upon situational analysis.\nOutcome: A course of action is performed or a change to the infrastructure is implemented by constituents based upon received communications containing analysis, projections, and/or recommendations.", - "id": "8-3-3-Function-Implementation", - "relationships": { - "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a", - "type": "involves" - }, - "uuid": "12d1b92a-7085-5363-9cf2-49d7d496adf1", - "value": "8.3.3 Function: Implementation" + "related": [ + { + "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114", + "type": "used-by" + } + ], + "uuid": "400175ae-104f-57bc-ae0a-b2bf0b7eabd5", + "value": "Function: Implementation" }, { "description": "Purpose: Assemble, 
normalize, and prepare information and then share it with constituents and others outside the constituency.\nDescription: This function may include the following sub-functions:\nOutcome: Situational Awareness Analysis outputs are used as inputs (both internally and among constituents) into in key decision processes e.g., threat hunting, incident analysis, resolution. Outputs are disseminated as part of handling or detecting incidents. Information and data coming from Situational Awareness can also become Best Practices, Reports, Training and Awareness Material through the Knowledge Transfer service area.", - "id": "8-3-4-Function-Dissemination-integration-information-sharing", - "relationships": { - "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a", - "type": "involves" - }, - "uuid": "5eec9a44-81e6-52fc-b4ac-b22056b5cbae", - "value": "8.3.4 Function: Dissemination / integration / information sharing" + "related": [ + { + "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114", + "type": "used-by" + } + ], + "uuid": "03b4f249-1dba-5257-a39c-d85720be4657", + "value": "Function: Dissemination / integration / information sharing" }, { "description": "Purpose: Ensure transfer of information is successful and useable.\nDescription: This function may include the following sub-functions:\nOutcome: Assurance is provided that the right information is being shared, and that once shared, it is received by partners, constituents, and other community members. 
Reports are provided on sharing activity.", - "id": "8-3-5-Function-Management-of-information-sharing", - "relationships": { - "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a", - "type": "involves" - }, - "uuid": "5f79b6cb-7bf3-545f-8165-15e16b521d87", - "value": "8.3.5 Function: Management of information sharing" + "related": [ + { + "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114", + "type": "used-by" + } + ], + "uuid": "320fe47b-f419-5f15-abfa-98dd8f98a397", + "value": "Function: Management of information sharing" }, { "description": "Purpose: Improve the quality, timeliness, accuracy, and relevance of the data being received from internal and external sources.\nDescription: This function involves providing and receiving feedback on information provided, received, and used by the constituency, other service providers or other stakeholders. Was the information received accurate, applicable, timely, strategic, new/novel, etc.? Was it helpful in resolving an investigation? Did it lead to a new insight? This may mean providing information also to other CSIRT (as an external source) on the usefulness of or changes to signatures, honeypot findings, IOCs, warnings, threat information, mitigations, etc. This activity may also be performed by the Knowledge Transfer service area. 
If so, the results should be communicated back to the Situational Awareness service area.\nOutcome: Observations and feedback is provided to internal and external sources in order to improve the accuracy, timeliness, quality, and usefulness of information received.", - "id": "8-3-6-Function-Feedback", - "relationships": { - "dest-uuid": "9be0238e-c72b-540c-b316-22a382fe4a8a", - "type": "involves" - }, - "uuid": "37c13f13-934c-58cb-a19e-d4943c296500", - "value": "8.3.6 Function: Feedback" + "related": [ + { + "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114", + "type": "used-by" + } + ], + "uuid": "36be4fe3-7c44-5934-8457-9949eb8dfcd3", + "value": "Function: Feedback" }, { "description": "Purpose: Aggregate, collate, and prioritize information that can be disseminated to the constituency for the improvement of the security posture and prevention and mitigation of risks.\nDescription: This function involves researching and aggregating information relevant for building awareness materials and reports, including from outcomes of other services/functions, especially from the Security Event Management, Incident Management, and Situational Awareness service areas.\nOutcome: Information about relevant trends, ongoing incidents, and best practices, is aggregated and can be used to develop reports and awareness materials for varied audiences.", - "id": "9-1-1-Function-Research-and-information-aggregation", - "relationships": { - "dest-uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978", - "type": "involves" - }, - "uuid": "09ad25f5-0d1d-5e1d-927f-0f4b41e08817", - "value": "9.1.1 Function: Research and information aggregation" + "related": [ + { + "dest-uuid": "895987fb-db75-5840-8aac-363ac47f106f", + "type": "used-by" + } + ], + "uuid": "23a450ef-d219-5ff0-b9b4-228bc883254c", + "value": "Function: Research and information aggregation" }, { "description": "Purpose: Use the information aggregated and researched as being relevant to produce materials in different media with the 
goal of reaching different audiences or delivering specific content in the best way possible.\nDescription: This function involves developing materials for diverse audiences (technical staff, management, end users, etc.) and in various formats, such as presentations, short videos, cartoons, booklets, technical analysis, trend reports, and annual reports.\nOutcome: CSIRT reports and awareness materials of adequate quality are developed to meet the needs of the constituency utilizing varied and effective delivery techniques and platforms.", - "id": "9-1-2-Function-Reports-and-awareness-materials-development", - "relationships": { - "dest-uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978", - "type": "involves" - }, - "uuid": "56c482ba-9666-512a-ae1f-b8a0206747c2", - "value": "9.1.2 Function: Reports and awareness materials development" + "related": [ + { + "dest-uuid": "895987fb-db75-5840-8aac-363ac47f106f", + "type": "used-by" + } + ], + "uuid": "fa81e0ba-5c23-55c1-80af-83ad70db539c", + "value": "Function: Reports and awareness materials development" }, { "description": "Purpose: Disseminate security-related information to improve awareness and implementation of security practices.\nDescription: The function involves implementing a process of information dissemination that can help the CSIRT to best deliver its reports and awareness materials to its constituency based on the characteristics of different audiences and content.\nOutcome: Information dissemination framework is implemented to enables the CSIRT’s constituency to have access to timely and relevant information through different methods, including podcasts, blog posts, social media posts and videos, press releases, advertisements, campaigns, public reports, etc.", - "id": "9-1-3-Function-Information-dissemination", - "relationships": { - "dest-uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978", - "type": "involves" - }, - "uuid": "2b11da11-89a8-5045-ab7a-cc18fdde397a", - "value": "9.1.3 Function: Information 
dissemination" + "related": [ + { + "dest-uuid": "895987fb-db75-5840-8aac-363ac47f106f", + "type": "used-by" + } + ], + "uuid": "1f390acc-5b6e-5dfd-a76d-d771e8ca2f36", + "value": "Function: Information dissemination" }, { "description": "Purpose: Develop and maintain relationships with experts or organizations that may help or be part of the execution of the mission of the CSIRT.\nDescription: This function involves building partnerships, promoting cooperation, and engaging key stakeholders, internal or external to the constituency, with the goal of: disseminating awareness and best practices; helping the constituency and external stakeholders understand the services and benefits a CSIRT can provide; helping the CSIRT to better understand constituents’ needs; and enabling the realization of CSIRT’s mission. This may involve ensuring interoperability or fostering collaboration between or across organizations.\nOutcome: Active and consistent outreach activities are performed that may include, but are not limited to, meeting with key stakeholders, participating in sector meetings, presenting at conferences, and organizing conferences.", - "id": "9-1-4-Function-Outreach", - "relationships": { - "dest-uuid": "ea5cb189-42c9-5949-a14e-cb9afa66f978", - "type": "involves" - }, - "uuid": "7b3c6d93-b3b9-5e12-88bf-3ea893bb3534", - "value": "9.1.4 Function: Outreach" + "related": [ + { + "dest-uuid": "895987fb-db75-5840-8aac-363ac47f106f", + "type": "used-by" + } + ], + "uuid": "113ba1d6-e172-5282-8c83-b8c505510ea4", + "value": "Function: Outreach" }, { "description": "Purpose: Properly assess, identify, and document what the constituency needs are in terms of requisite KSAs, to develop appropriate training and education materials and improve its skill level.\nDescription: The function involves collecting knowledge, skill, and ability (KSA) needs and the competence of a constituency in regard to determining what training and education should be provided.\nOutcome: Constituency 
KSA needs are characterized and documented to be used as basis for developing relevant education and training materials.", - "id": "9-2-1-Function-Knowledge-skill-and-ability-requirements-gathering", - "relationships": { - "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", - "type": "involves" - }, - "uuid": "2aed30ce-0f9a-52be-b2e4-1db9768a9b2e", - "value": "9.2.1 Function: Knowledge, skill, and ability requirements gathering" + "related": [ + { + "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01", + "type": "used-by" + } + ], + "uuid": "2892afcd-adab-5306-8cbd-90e807973385", + "value": "Function: Knowledge, skill, and ability requirements gathering" }, { "description": "Purpose: Develop, using the constituency’s KSA needs as a basis, educational, instructional, and training material that is appropriate to the delivery methods identified as the best to reach different audiences or deliver specific content.\nDescription: This function involves building or acquiring content of educational and training materials such as presentations, lectures, demonstrations, simulations, videos, books, booklets, etc.\nOutcome: CSIRT training and education materials utilizing varied and effective presentation techniques and platforms are developed that are of appropriate quality and that meet the needs of the constituency.", - "id": "9-2-2-Function-Educational-and-training-materials-development", - "relationships": { - "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", - "type": "involves" - }, - "uuid": "73d70e3f-d17d-59c8-9777-1789f5546ee2", - "value": "9.2.2 Function: Educational and training materials development" + "related": [ + { + "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01", + "type": "used-by" + } + ], + "uuid": "cf478ca0-f677-5b9b-9998-b490c823ccce", + "value": "Function: Educational and training materials development" }, { "description": "Purpose: Develop a formal process for content delivery that can help the CSIRT to best deliver the content to its 
constituency, based on the characteristics of different audiences and content.\nDescription: This function involves the transfer of knowledge and content to “students.” This can occur via various methods, such as computer-based/online training (CBT/WBT), instructor-led, virtual, conferences, presentations, labs, capture the flag (CTF) competitions, books, online videos, etc.\nOutcome: A content delivery framework has been designed to help the constituency learn technical and soft skills and processes, using all alternative approaches, including books, booklets, online videos, presentations, hands-on labs, CTFs, CBT/WBT, in-person training, etc. This results in constituency members who understand the content delivered.", - "id": "9-2-3-Function-Content-delivery", - "relationships": { - "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", - "type": "involves" - }, - "uuid": "0020fe87-a46c-5d8f-b367-1c2e3e0e3680", - "value": "9.2.3 Function: Content delivery" + "related": [ + { + "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01", + "type": "used-by" + } + ], + "uuid": "470bc89e-0dc2-53c9-99cf-6c420eaaa78f", + "value": "Function: Content delivery" }, { "description": "Purpose: Develop a program for CSIRT staff, constituency members, or external trusted partners to learn from experienced staff through an established relationship.\nDescription: A Mentoring program can help provide a formal as well as informal mechanism for the mentor to share with the mentee about education and skill development, insights, and life and career experiences outside of the official reporting relationship and structure of the team. This can involve on-site visits, rotation (exchange), shadowing, and discussing rationale for specific decisions and actions.\nOutcome: Retention, loyalty, confidence, and overall ability to make sound decisions has been increased in the CSIRT team. Constituents have improved skill levels and a better relationship with its CSIRT. 
Improved capacity and capability of the constituency and the CSIRT team members, including the development of trusted relationships.", - "id": "9-2-4-Function-Mentoring", - "relationships": { - "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", - "type": "involves" - }, - "uuid": "464fcd48-9373-5bc2-87b7-41329d3f17e3", - "value": "9.2.4 Function: Mentoring" + "related": [ + { + "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01", + "type": "used-by" + } + ], + "uuid": "17770bf4-d76d-5fb6-80a8-9382e6fe64a8", + "value": "Function: Mentoring" }, { "description": "Purpose: Help staff members successfully and appropriately plan and develop their careers.\nDescription: Once the appropriate skills have been identified, professional development is used by a CSIRT to promote a continuous process of securing new knowledge, skills, and abilities that relate to the security profession, unique job responsibilities, and the overall Team environment. This can include attending conferences, advanced training, and cross-training activities, among others.\nOutcome: Developed and trained staff are available with the requisite technical and soft skills and process understanding, and who are up to date based on the job roles and needs. 
CSIRT members are ready to address the daily operational challenges, supporting both the team and its customers.", - "id": "9-2-5-Function-CSIRT-staff-professional-development", - "relationships": { - "dest-uuid": "3ccbc324-98cf-585b-a9af-5282ec611130", - "type": "involves" - }, - "uuid": "aa25755a-b579-5e32-b56d-de22f27a1093", - "value": "9.2.5 Function: CSIRT staff professional development" + "related": [ + { + "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01", + "type": "used-by" + } + ], + "uuid": "2d1ae674-4a3c-5a68-8339-955d39a0dd0a", + "value": "Function: CSIRT staff professional development" }, { "description": "Purpose: Ensure an effective outcome of the exercise by concentrating on specific issues for the given scope and focus of the exercise.\nDescription: Determine the learning objectives and scope of the exercise. Define the specific services, capabilities, and topics to be covered by the exercise. Ensure exercise includes activities and topics that relate to required or desired skills needed by the participants, as well as the processes that should be tested.\nOutcome: A description of the purpose of the exercise is determined, along with an outline of the learning objectives to be met.", - "id": "9-3-1-Function-Requirements-analysis", - "relationships": { - "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", - "type": "involves" - }, - "uuid": "ee6162f7-21ea-5cdd-a0fc-545d8091230e", - "value": "9.3.1 Function: Requirements analysis" + "related": [ + { + "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", + "type": "used-by" + } + ], + "uuid": "35fcac47-9aed-5ba2-9662-2824c49bf400", + "value": "Function: Requirements analysis" }, { "description": "Purpose: Specify and determine the internal and external resources and infrastructure needed to conduct the exercise.\nDescription: Define the format and platform needed to meet the objectives and deliver the expected outcomes of the exercise.\nOutcome: The type of exercise (table top, hands-on, 
simulation, etc.) is identified, as well as the internal and external resources needed to conduct the exercise.", - "id": "9-3-2-Function-Format-and-environment-development", - "relationships": { - "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", - "type": "involves" - }, - "uuid": "ac9504da-24b6-5c81-9fe1-f7a431e4f923", - "value": "9.3.2 Function: Format and environment development" + "related": [ + { + "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", + "type": "used-by" + } + ], + "uuid": "51ea374c-e93a-5d20-b0f0-a04770ca0505", + "value": "Function: Format and environment development" }, { "description": "Purpose: Provide an opportunity for the target audience to improve the efficiency and effectiveness of its services and functions, and its skills, knowledge, and abilities, through the handling of simulated cybersecurity events/incidents, including communications aspects.\nDescription: Development of exercise scenarios in support of stakeholder objectives. Deliverables also include instructions and guidance to the participants and exercise managers; these instructions include recommended actions for the participants detailing some/all scenario steps.\nOutcome: A main scenario with variants and various types of formalized injects is developed, along with tasks and role allocation to the exercise management team.", - "id": "9-3-3-Function-Scenario-development", - "relationships": { - "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", - "type": "involves" - }, - "uuid": "56758ca4-2097-5595-9cdc-4e96a5a2d393", - "value": "9.3.3 Function: Scenario development" + "related": [ + { + "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", + "type": "used-by" + } + ], + "uuid": "8ca29e0d-5103-511d-81bc-b09f6a38327b", + "value": "Function: Scenario development" }, { "description": "Purpose: Conduct drills/exercises allowing a CSIRT team to increase its confidence in the validity of an organization’s CSIRT plan and its ability for execution.\nDescription: The 
function involves performing readiness testing of constituent “students” to test their ability to apply training and perform job or task functions. Can be in the form of real or virtual environments, simulations, field tests, table tops, mock scenarios, or a combination, with injects being provided in a structured manner. This will also help determine the level at which the team is operating, as well as if and where it has room for improvement.\nOutcome: A CSIRT has assessed its preparedness and readiness, ensuring the KSAs, key processes, and execution all work successfully together, or must be adapted/improved.", - "id": "9-3-4-Function-Exercises-execution", - "relationships": { - "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", - "type": "involves" - }, - "uuid": "0f53da26-438b-589e-9312-1306817aadc5", - "value": "9.3.4 Function: Exercises execution" + "related": [ + { + "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", + "type": "used-by" + } + ], + "uuid": "72e0a7ef-76b6-5d3a-b500-7d59782dd35d", + "value": "Function: Exercises execution" }, { "description": "Purpose: Perform a formal and objective analysis of the exercise, based on factual observations.\nDescription: Develop an after-action report which includes lessons learned or findings/best practices from the exercise, and provide an assessment to the stakeholders/management.\nOutcome: Deliverables are created highlighting the success of the exercise, areas for improvement, general findings, and recommended actions to take in order to improve: the organization incident management capabilities, the CSIRT’s team processes, and the capabilities of individual constituents and of the stakeholder community as a whole, including communications capabilities and procedures.", - "id": "9-3-5-Function-Exercise-outcome-review", - "relationships": { - "dest-uuid": "114aa684-808a-58d2-b325-b4fa54b70662", - "type": "involves" - }, - "uuid": "6756295a-0996-5335-9775-5e0817d6452e", - "value": "9.3.5 Function: 
Exercise outcome review" + "related": [ + { + "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", + "type": "used-by" + } + ], + "uuid": "fe9a6ab7-7350-5189-bfba-d06ebe090bba", + "value": "Function: Exercise outcome review" }, { "description": "Purpose: Improve the identification of opportunities and threats, improve controls, improve loss prevention and incident management in conjunction with information security and other relevant functions.\nDescription: Support to activities related to assessing risk or compliance. This may include conducting an actual assessment or providing support to evaluate the results of an assessment.\nOutcome: The constituency is able to identify risks and threats and select relevant risk management options, including appropriate and effective incident management strategies, security controls, or threat mitigations.", - "id": "9-4-1-Function-Risk-management-support", - "relationships": { - "dest-uuid": "1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f", - "type": "involves" - }, - "uuid": "00c5701f-981f-552c-9570-e64c34f2e2dc", - "value": "9.4.1 Function: Risk management support" + "related": [ + { + "dest-uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf", + "type": "used-by" + } + ], + "uuid": "6af40391-f850-5420-917a-966b8bf58ef5", + "value": "Function: Risk management support" }, { "description": "Purpose: Act as a trusted advisor on business continuity and disaster recovery by providing impartial, fact-based advice, considering the environment in which the advice may be used and any resource constraints that apply.\nDescription: Support the constituency in the activities related to organizational resilience, based on risks identified.\nOutcome: The constituency is able to appropriately implement business continuity and disaster recovery plans that include and align with the incident management strategies.", - "id": "9-4-2-Function-Business-continuity-and-disaster-recovery-planning-support", - "relationships": { - "dest-uuid": 
"1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f", - "type": "involves" - }, - "uuid": "3ff56d44-888a-5283-91eb-78d7780520ff", - "value": "9.4.2 Function: Business continuity and disaster recovery planning support" + "related": [ + { + "dest-uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf", + "type": "used-by" + } + ], + "uuid": "f3639b43-c283-51be-948c-29c6b6b16613", + "value": "Function: Business continuity and disaster recovery planning support" }, { "description": "Purpose: Act as a trusted advisor on the development and implementation of policies by providing impartial, fact-based advice, considering the environment in which the advice may be used and any resource constraints that apply.\nDescription: This function supports the constituency in the development, maintenance, institutionalization, and enforcement of policies, while ensuring they enable and support incident management activities. For internal CSIRTs, this typically includes support for information security and other operating policies. 
For coordinating and National CSIRTs, this might include support for public policies and new legislation.\nOutcome: The constituency is able to develop effective policies, institutionalize policies, and enable effective incident management strategies.",
- "id": "9-4-3-Function-Policy-support",
- "relationships": {
- "dest-uuid": "1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f",
- "type": "involves"
- },
- "uuid": "4edbd01e-5a3f-590d-8710-c4415de25da4",
- "value": "9.4.3 Function: Policy support"
+ "related": [
+ {
+ "dest-uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "f2ee7038-d049-54c5-a023-5a529eee5e43",
+ "value": "Function: Policy support"
 },
 {
 "description": "Purpose: Provide technical advice that can help the constituency to better manage risks and threats and implement current operational and security best practices, while enabling effective incident handling activities.\nDescription: This function provides support and recommendations for the improvement of cybersecurity related infrastructures, tools, and services for its constituency, with the goal of improving the security posture and incident management overall.\nThis might include advice on",
- "id": "9-4-4-Function-Technical-advice",
- "relationships": {
- "dest-uuid": "1b3e9cf8-b553-51cb-9ba3-8ecb58a2fb6f",
- "type": "involves"
- },
- "uuid": "f5e364b6-f790-5727-af91-0b979ef6b967",
- "value": "9.4.4 Function: Technical advice"
+ "related": [
+ {
+ "dest-uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "2ca32179-9eed-5e0b-9567-e8a6040fb863",
+ "value": "Function: Technical advice"
 }
 ],
 "version": 1
From 9004c387c03baead15388487b9f690aaa9ce1746 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 23 Aug 2024 09:12:26 +0200
Subject: [PATCH 03/36] chg: [ransomware] update the description of ransomware galaxy which is now fully maintained by MISP project
---
 clusters/ransomware.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index b75a5cc..fd58993 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -3,10 +3,11 @@
 "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
 "http://pastebin.com/raw/GHgpWjar",
 "MISP Project",
- "https://id-ransomware.blogspot.com/2016/07/ransomware-list.html"
+ "https://id-ransomware.blogspot.com/2016/07/ransomware-list.html",
+ "ransomlook.io"
 ],
 "category": "tool",
- "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar",
+ "description": "Ransomware galaxy based on different sources and maintained by the MISP Project.",
 "name": "Ransomware",
 "source": "Various",
 "type": "ransomware",
From 933365fb42192b7cb46c40b905443c8b8732aeff Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 23 Aug 2024 09:16:08 +0200
Subject: [PATCH 04/36] chg: [ransomware] updated
---
 README.md | 4 ++--
 clusters/ransomware.json | 40 +++++++++++++++++++++++++++++++++++-----
 2 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 336517e..6e545b2 100644
--- a/README.md
+++ b/README.md
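Review bot: The `@@ -3,10 +3,11 @@` hunk of clusters/ransomware.json edits cluster-level metadata (a new `authors` entry and a new `description`) without touching `version`; the diffstat (3 insertions, 2 deletions) shows this hunk is the whole commit, so consumers that pick up galaxy updates by comparing `version` will not see the new description until a later bump (the next commit on this page, 933365fb, is the one that raises it to 131). Bumping `version` in the same commit as any cluster-level edit keeps that contract intact. A smaller point of style: `"ransomlook.io"` is added as a bare hostname while the neighbouring source entries are full URLs; `"https://www.ransomlook.io"`, the host form the file's `refs` entries already use, would keep the list uniform.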
@@ -485,9 +485,9 @@ Category: *actor* - source: *MISP Project* - total: *33* elements
 ## Ransomware
-[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
+[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project.
-Category: *tool* - source: *Various* - total: *1799* elements
+Category: *tool* - source: *Various* - total: *1801* elements
 [[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index fd58993..1145615 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -28152,7 +28152,8 @@
 "http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion",
 "http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion",
 "http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion/stm.html",
- "http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion"
+ "http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion",
+ "http://6sf5xa7eso3e3vk46i5tpcqhnlayczztj7zjktzaztlotyy75zs6j7qd.onion"
 ],
 "refs": [
 "https://www.ransomlook.io/group/stormous"
@@ -28415,7 +28416,8 @@
 "meta": {
 "links": [
 "https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion",
- "https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login"
+ "https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login",
+ "https://huntersinternational.net"
 ],
 "refs": [
 "https://www.ransomlook.io/group/hunters"
@@ -29473,7 +29475,11 @@
 "links": [
 "http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion",
 "http://cybertube.video/web/index.html#!/details?id=0c3b52f6e73709725dc6e12b30b139d9&serverId=2be5e68176ff4f8fbb930fe66321ab72",
- "http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion/back/getallblogs"
+ "http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion/back/getallblogs",
+ "http://dispossessor.com",
+ "http://dispossessor-cloud.com",
+ "http://cybernewsint.com",
+ "http://redhotcypher.com"
 ],
 "refs": [
 "https://www.ransomlook.io/group/dispossessor"
@@ -29596,7 +29602,31 @@
 },
 "uuid": "5cc68850-aeb0-507f-a981-9457bcf37c0c",
 "value": "rtm locker"
+ },
+ {
+ "value": "radar",
+ "meta": {
+ "links": [
+ "http://radar.ltd"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/radar"
+ ]
+ },
+ "uuid": "0b0e39f8-1a22-58da-98ea-96f4819a68fa"
+ },
+ {
+ "value": "helldown",
+ "meta": {
+ "links": [
+ "http://onyxcgfg4pjevvp5h34zvhaj45kbft3dg5r33j5vu3nyp7xic3vrzvad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/helldown"
+ ]
+ },
+ "uuid": "1fe17577-91bb-581b-8189-c61f05cf35aa"
 }
 ],
- "version": 130
-}
+ "version": 131
+}
\ No newline at end of file
From 50b3fe1b73b64391867225f07c161fecab2edf9f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 23 Aug 2024 09:17:52 +0200
Subject: [PATCH 05/36] chg: [ransomware] jq all the things
---
 clusters/ransomware.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 1145615..602c7a3 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -29604,7 +29604,6 @@
 "value": "rtm locker"
 },
 {
- "value": "radar",
 "meta": {
 "links": [
 "http://radar.ltd"
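Review bot: The two objects added in the `@@ -29596,7 +29602,31 @@` hunk of clusters/ransomware.json put `"value"` before `"meta"` and `"uuid"`, whereas the neighbouring `rtm locker` entry and the rest of the file keep keys in sorted order, and the rewritten closing `}` drops the file's trailing newline (`\ No newline at end of file`); the very next commit on this page, 50b3fe1b "jq all the things", exists only to undo both. Running the jq normalisation before committing keeps each commit to its real content; for these entries that means moving `"value": "radar"` and `"value": "helldown"` after their respective `uuid` lines and ending the file with a newline. The `version` bump to 131 and the README total (1799 → 1801) are consistent with the two entries added here.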
@@ -29613,10 +29612,10 @@
 "https://www.ransomlook.io/group/radar"
 ]
 },
- "uuid": "0b0e39f8-1a22-58da-98ea-96f4819a68fa"
+ "uuid": "0b0e39f8-1a22-58da-98ea-96f4819a68fa",
+ "value": "radar"
 },
 {
- "value": "helldown",
 "meta": {
 "links": [
 "http://onyxcgfg4pjevvp5h34zvhaj45kbft3dg5r33j5vu3nyp7xic3vrzvad.onion/"
@@ -29625,8 +29624,9 @@
 "https://www.ransomlook.io/group/helldown"
 ]
 },
- "uuid": "1fe17577-91bb-581b-8189-c61f05cf35aa"
+ "uuid": "1fe17577-91bb-581b-8189-c61f05cf35aa",
+ "value": "helldown"
 }
 ],
 "version": 131
-}
\ No newline at end of file
+}
From 1882171086b9dd725acc21a6a86475f7dc33f92c Mon Sep 17 00:00:00 2001
From: Jean-Louis Huynen
Date: Fri, 23 Aug 2024 15:36:38 +0200
Subject: [PATCH 06/36] add: [first-csirt] implement @Delta-Sierra comments
---
 README.md | 8 +
 clusters/first-csirt-services-framework.json | 734 ++++++++++++++-----
 tools/gen_csf.py | 78 +-
 3 files changed, 636 insertions(+), 184 deletions(-)
diff --git a/README.md b/README.md
index 6e545b2..9afca7b 100644
--- a/README.md
+++ b/README.md
@@ -203,6 +203,14 @@ Category: *firearm* - source: *https://www.impactguns.com* - total: *5953* eleme [[HTML](https://www.misp-galaxy.org/firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)] +## FIRST CSIRT Services Framework + +[FIRST CSIRT Services Framework](https://www.misp-galaxy.org/first-csirt-services-framework) - The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide + +Category: *csirt* - source: *https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1* - total: *97* elements + +[[HTML](https://www.misp-galaxy.org/first-csirt-services-framework)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-csirt-services-framework.json)] + ## FIRST DNS Abuse Techniques Matrix [FIRST DNS Abuse Techniques Matrix](https://www.misp-galaxy.org/first-dns) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information. diff --git a/clusters/first-csirt-services-framework.json b/clusters/first-csirt-services-framework.json index 205b5d9..b9104a3 100644 
--- a/clusters/first-csirt-services-framework.json
+++ b/clusters/first-csirt-services-framework.json
@@ -12,962 +12,1350 @@ "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", "values": [ { - "description": "Purpose: Implement automated, continuous processing of a wide variety of information security event sources and contextual data in order to identify potential information security incidents, such as attacks, intrusions, data breaches or security policy violations.\nDescription: Based on logs, NetFlow data, IDS alerts, sensor networks, external sources, or other available information security event data, apply a range of methods from simple logic or pattern matching rules to the application of statistical models or machine learning in order to identify potential information security incidents. This can involve a vast amount of data and typically, but not necessarily, requires specialized tools such as Security Information and Event Management (SIEM) or big data platforms to process. An important objective of continuous improvement is to minimize the amount of false alarms that need to be analyzed as part of the Analyzing service.\nOutcome: Potential information security incidents are identified for analysis as part of the Analyzing service.", + "description": " Based on logs, NetFlow data, IDS alerts, sensor networks, external sources, or other available information security event data, apply a range of methods from simple logic or pattern matching rules to the application of statistical models or machine learning in order to identify potential information security incidents. This can involve a vast amount of data and typically, but not necessarily, requires specialized tools such as Security Information and Event Management (SIEM) or big data platforms to process. An important objective of continuous improvement is to minimize the amount of false alarms that need to be analyzed as part of the Analyzing service.", + "meta": { + "outcome": " Potential information security incidents are identified for analysis as part of the Analyzing service. 
The following functions are considered to be part of the implementation of this service: Log and sensor management\nDetection use case management\nContextual data management", + "purpose": " Implement automated, continuous processing of a wide variety of information security event sources and contextual data in order to identify potential information security incidents, such as attacks, intrusions, data breaches or security policy violations." + }, "related": [], "uuid": "0c165743-b9fa-528b-95df-2fce12ca302c", "value": "Service: Monitoring and detection" }, { - "description": "Purpose: Triage detected potential information security incidents and their qualification as information security incidents for escalation to the Information Security Incident Management service area or as false alarms.\nDescription: The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues.\nOutcome: Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement.", + "description": "The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. 
This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues.", + "meta": { + "outcome": "Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement. The following functions are considered to be part of the implementation of this service: Correlation\nQualification", + "purpose": "Triage detected potential information security incidents and their qualification as information security incidents for escalation to the Information Security Incident Management service area or as false alarms." + }, "related": [], "uuid": "3818f4f7-4d89-5ca1-b129-4c31640b130c", "value": "Service: Event analysis" }, { - "description": "Purpose: Receive and process reports of potential information security incidents from constituents, from Information Security Event Management services or third parties.\nDescription: For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. 
The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically.\nTo enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report.", + "description": "For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. 
Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.5", + "meta": { + "outcome": "The information security incident report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Information Security Incident Report Receipt\nInformation Security Incident Triage and Processing", + "purpose": "Receive and process reports of potential information security incidents from constituents, from Information Security Event Management services or third parties." + }, "related": [], "uuid": "75b0b609-defa-5302-9354-2e21c1ccfa3e", "value": "Service: Information security incident report acceptance" }, { - "description": "Purpose: Analyze and gain an understanding of a confirmed information security incident.\nDescription: This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit.\nDetailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. 
This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken.", + "description": "This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit. Detailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken. The CSIRT may use other information and its own analysis (see below for some options) or knowledge available from vendors and product security teams or security researchers to better understand what has happened and what steps to take to remedy losses or damage.", + "meta": { + "outcome": "Knowledge is increased of the key details of an information security incident (e.g., description, impact, scope, attacks/exploits, and remedies). The following functions are considered to be part of the implementation of this service: Information security incident triage (prioritization and categorization)\nInformation collection\nDetailed analysis coordination\nInformation security incident root cause analysis\nCross-incident correlation", + "purpose": "Analyze and gain an understanding of a confirmed information security incident." 
+ }, "related": [], "uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a", "value": "Service: Information security incident analysis" }, { - "description": "Purpose: Analyze and gain an understanding of artefacts related to a confirmed information security incident, taking into consideration the need to preserve forensic evidence.\nDescription: The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, applications codes, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply.\nEven without preserving a chain-of-custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments--with or without external accesses from standard wired or wireless networks (such as performing the forensics activities in a sealed or Faraday room), logging of activities, and compliance with procedures.", + "description": "The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, applications codes, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. 
As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply. Even without preserving a chain-of-custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments--with or without external accesses from standard wired or wireless networks (such as performing the forensics activities in a sealed or Faraday room), logging of activities, and compliance with procedures. As part of the handling of information security incidents, digital artefacts may be found on affected systems or malware distribution sites. Artefacts may be the remnants of an intruder attack, such as executables, scripts, files, images, configuration files, tools, tool outputs, logs, live or dormant pieces of code, etc. The analysis is carried out in order to find out some or all of the information listed below, which is not considered to be a complete list: The context required of the artefact to run and to perform its intended tasks, whether malicious or not\nHow the artefacts may have been utilized for the attack: uploaded, downloaded, copied, executed, or created within an organization’s environments or components\nWhich systems have been involved locally and remotely to support the distribution and actions\nWhat an intruder did once to access to the system, network, organization, or infrastructure was established: from passively collecting data, to actively scanning and transmitting data for exfiltration purposes, or collecting new action requests, updating itself or making a lateral movement inside a compromised (local) network\nWhat a user, user process, or user system did once the user account or user device was compromised\nWhat behavior characterizes the artefacts or compromised systems, either in standalone mode, in conjunction with artefacts or components, connected to a local network or the Internet, or in any 
combination\nHow the artefacts or compromised systems establish connectivity with the target (e.g., intrusion path, initial target, or detection evasion techniques);\nWhat communication architecture (peer-to-peer, command-and-control, both) has been utilized\nWhat were the actions of the threat actors, what is their network and systems footprint\nHow the intruders or artefacts evaded detection (even over long periods of time which may include reboot or reinitialization) This can be achieved through various types of activities including media or surface analysis\nreverse engineering\nruntime or dynamic analysis\ncomparative analysis Each activity provides additional information about the artefacts. Analysis methods include but are not limited to identification of type and characteristics of artefacts, comparison with known artefacts, observation of artefact execution in a runtime or a live environment, and disassembling and interpreting binary artefacts. In carrying out an analysis of the artefacts, an analyst attempts to reconstruct and determine what the intruder did, in order to detect the exploited vulnerability, assess damages, develop solutions to mitigate against the artefacts, and provide information to constituents and other researchers.", + "meta": { + "outcome": "The nature of recovered digital artefacts and analyzed forensic evidence is understood along with the relationship to other artefacts, internal or external objects or components, attacks on frameworks, tools, and exploited vulnerabilities. Working assumptions or proof of what the threat actor did, and how the artefacts behaved. This knowledge is critical to assess losses, damages, business impacts, etc. and to develop containment and mitigation or recovery strategies. The tactics, techniques, and procedures used by attackers or intruders to compromise systems, users, networks, organizations and/or infrastructures is understood. 
This includes those tactics, techniques, and procedures used to propagate, exfiltrate, update, modify, or fake its behavior, data, auto-delete traces of its own activities, or carry out additional malicious activities. List of functions which are considered to be part of the implementation of this service: Media or surface analysis\nReverse engineering\nRuntime and/or dynamic analysis\nComparative analysis", + "purpose": "Analyze and gain an understanding of artefacts related to a confirmed information security incident, taking into consideration the need to preserve forensic evidence." + }, "related": [], "uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97", "value": "Service: Artifact and forensic evidence analysis" }, { - "description": "Purpose: Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security.\nDescription: Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned over into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed or new information becomes available that requires further analysis and henceforth may also change the response strategy and plan.\nOutcome: The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. 
Data is restored in case of data loss, if possible.", + "description": "Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned over into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed or new information becomes available that requires further analysis and henceforth may also change the response strategy and plan.", + "meta": { + "outcome": "The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. Data is restored in case of data loss, if possible. The following functions are considered to be part of the implementation of this service: Response plan established \nAd hoc measures and containment\nSystems restoration\nOther information security entities support In the case of a coordinating CSIRT, not all functions will be provided. While “supporting other information security entities” is an activity such teams provide, they sometimes also help with “establishing a response plan.”", + "purpose": "Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security." 
+ }, "related": [], "uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a", "value": "Service: Mitigation and recovery" }, { - "description": "Purpose: Ensure timely notifications and accurate information distribution; keep the information flow and track the status of activities of entities that are either tasked or requested to participate in responding to the information security incident; and make sure the response plan is carried out and deviations caused by both delays or new information are managed accordingly.\nDescription: Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, this requires suitable escalation and reporting functions established before any information security incident can be handled effectively and efficiently. As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, track their responses and make sure that all parties carrying out activities report back to provide for accurate situational awareness until the information security incident is considered closed and requiring no further coordination.\nStakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. 
To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support.", + "description": "Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, this requires suitable escalation and reporting functions established before any information security incident can be handled effectively and efficiently. As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, track their responses and make sure that all parties carrying out activities report back to provide for accurate situational awareness until the information security incident is considered closed and requiring no further coordination. Stakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support.", + "meta": { + "outcome": "The response is successfully coordinated based on well-informed entities that contribute to the response to an information security incident. 
The following functions are considered to be part of the implementation of this service: Communication\nNotification distribution\nRelevant information distribution\nActivities coordination \nReporting\nMedia communication", + "purpose": "Ensure timely notifications and accurate information distribution; keep the information flow and track the status of activities of entities that are either tasked or requested to participate in responding to the information security incident; and make sure the response plan is carried out and deviations caused by both delays or new information are managed accordingly." + }, "related": [], "uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", "value": "Service: Information security incident coordination" }, { - "description": "Purpose: Provide expertise and contacts to other security experts, CSIRTs, and CSIRT communities in order to help mitigate the crisis.\nDescription: While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. But the response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As it is established in crisis management, a high-ranking role will take over the responsibility of a crisis, thereby changing the usual line of command for the duration of the emergency.\nAs the systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations and provide valuable experience but also the established services and networks of points of contacts.", + "description": "While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. 
But the response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As it is established in crisis management, a high-ranking role will take over the responsibility of a crisis, thereby changing the usual line of command for the duration of the emergency. As the systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations and provide valuable experience but also the established services and networks of points of contacts.", + "meta": { + "outcome": "The crisis management team can use the CSIRT’s resources to address the cyber security aspects of the current crisis. At the same time, the CSIRT’s communication resources can be utilized to reach out to constituents and external parties to ask for specific support actions or help. It can also be used to communicate in a trusted way towards constituents, using established communication means and trusted networks. The following functions are considered to be part of the implementation of this service: Information distribution to constituents\nInformation security status reporting\nStrategic decisions communication", + "purpose": "Provide expertise and contacts to other security experts, CSIRTs, and CSIRT communities in order to help mitigate the crisis." + }, "related": [], "uuid": "ee34661b-0cb2-5933-8f19-47d9a0d106fd", "value": "Service: Crisis management support" }, { - "description": "Purpose: Find, learn of, or search for new (previously unknown) vulnerabilities; vulnerabilities can be discovered by members of the vulnerability management service area or through other related CSIRT activities\nDescription: Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. 
This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists6), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.\nOutcome: This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT.", + "description": "Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. 
Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists6), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.", + "meta": { + "outcome": "This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT. The following functions are considered to be part of the implementation of this service: Incident response vulnerability discovery \nPublic source vulnerability discovery \nVulnerability research These functions may be services (or functions) performed by others (e.g., researchers, vendors, PSIRTs, or third-party specialists) instead of the CSIRT.", + "purpose": "Find, learn of, or search for new (previously unknown) vulnerabilities; vulnerabilities can be discovered by members of the vulnerability management service area or through other related CSIRT activities" + }, "related": [], "uuid": "e43c7bab-34c9-5ee1-9e40-915d265ccd70", "value": "Service: Vulnerability discovery / research" }, { - "description": "Purpose: Receive and process vulnerability information reported from constituents or third parties.\nDescription: One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. 
Supporting guidance should include reporting guidelines, contact information, and any disclosure policies.\nTo enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report.", + "description": "One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. Supporting guidance should include reporting guidelines, contact information, and any disclosure policies. To enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. 
Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report.", + "meta": { + "outcome": "The vulnerability report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Vulnerability report receipt\nVulnerability report triage and processing", + "purpose": "Receive and process vulnerability information reported from constituents or third parties." + }, "related": [], "uuid": "e3226442-c563-51ef-9a89-76041f970fec", "value": "Service: Vulnerability report intake" }, { - "description": "Purpose: Analyze and gain understanding of a confirmed vulnerability.\nDescription: The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability.\nThe Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD)7 process.", + "description": "The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. 
The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD)7 process.", + "meta": { + "outcome": "Knowledge of the key details of a vulnerability (e.g., description, impact, resolution) is increased.\nThe following functions are considered to be part of the implementation of this service: Vulnerability triage (validation and categorization)\nVulnerability root cause analysis\nVulnerability remediation development", + "purpose": "Analyze and gain understanding of a confirmed vulnerability." + }, "related": [], "uuid": "e428df3a-7353-5854-b967-fbbb47079ff6", "value": "Service: Vulnerability analysis" }, { - "description": "Purpose: Exchange information and coordinate the activities with participants involved in a coordinated vulnerability disclosure (CVD) process.\nDescription: The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSRITs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.\nOutcome: Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely.", + "description": "The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSRITs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.", + "meta": { + "outcome": "Information sharing with CVD participants who can assist in providing information to remediate/mitigate the 
vulnerability is effective and timely. The following functions are considered to be part of the implementation of this service: Vulnerability notification/reporting\nVulnerability stakeholder coordination", + "purpose": "Exchange information and coordinate the activities with participants involved in a coordinated vulnerability disclosure (CVD) process." + }, "related": [], "uuid": "1613a204-9a27-5e3e-83d1-d459fb697ea2", "value": "Service: Vulnerability coordination" }, { - "description": "Purpose: Disseminate information about known vulnerabilities to constituents so that they can act upon that information to prevent, detect, and remediate/mitigate known vulnerabilities.\nDescription: Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination.\nOutcome: Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist.", + "description": "Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination.", + "meta": { + "outcome": "Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist. 
The following functions are considered to be part of the implementation of this service: Vulnerability disclosure policy and infrastructure maintenance\nVulnerability announcements/communication/dissemination\nPost-vulnerability disclosure feedback", + "purpose": "Disseminate information about known vulnerabilities to constituents so that they can act upon that information to prevent, detect, and remediate/mitigate known vulnerabilities." + }, "related": [], "uuid": "b797cc28-547c-5347-add9-b69a48676e25", "value": "Service: Vulnerability disclosure" }, { - "description": "Purpose: Actively take information about known vulnerabilities and act upon that information to prevent, detect, and remediate/mitigate those vulnerabilities.\nDescription: The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies.\nOutcome: Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited.", + "description": "The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies.", + "meta": { + "outcome": "Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited. 
The following functions are considered to be part of the implementation of this service: Vulnerability detection / scanning\nVulnerability remediation This Vulnerability Response service and its related functions are usually performed by other specialized groups within an organization, typically not the CSIRT. This service is also unlikely to be provided by a Coordinating CSIRT.", + "purpose": "Actively take information about known vulnerabilities and act upon that information to prevent, detect, and remediate/mitigate those vulnerabilities." + }, "related": [], "uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", "value": "Service: Vulnerability response8" }, { - "description": "Purpose: Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture.\nDescription: Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. 
CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information.\nOutcome: The following artefacts result from this service:", + "description": "Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. 
CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information.", + "meta": { + "outcome": "The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities The following functions are considered to be part of the implementation of this service: Policy aggregation, distillation, and guidance\nAsset mappings of assets to functions, roles, actions, and key risks\nCollection\nData processing and preparation", + "purpose": "Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture." + }, "related": [], "uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12", "value": "Service: Data acquisition" }, { - "description": "Purpose: Assess when the situation does not match with expectations (e.g., when specific assets may be about to experience a harmful event).\nDescription: The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. 
For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency.\nOutcome: A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told.", + "description": "The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. 
A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency.", + "meta": { + "outcome": "A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told. The following functions are considered to be part of the implementation of this service: Projection and inference\nEvent detection (through alerting and/or hunting)\nSituational impact", + "purpose": "Assess when the situation does not match with expectations (e.g., when specific assets may be about to experience a harmful event)." + }, "related": [], "uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4", "value": "Service: Analysis and synthesis" }, { - "description": "Purpose: Notify constituents or others in the security community about changes in risks to the situational picture.\nDescription: The knowledge obtained from situational awareness must be communicated to the constituency. This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers.\nOutcome: Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture.", + "description": "The knowledge obtained from situational awareness must be communicated to the constituency. 
This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers.", + "meta": { + "outcome": "Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture. The following functions are considered to be part of the implementation of this service: Internal and external communication\nReporting and recommendations\nImplementation \nDissemination / integration / information sharing\nManagement of information sharing", + "purpose": "Notify constituents or others in the security community about changes in risks to the situational picture." + }, "related": [], "uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114", "value": "Service: Communication" }, { - "description": "Purpose: Increase the overall security posture of the constituency and help its members to detect, prevent, and recover from incidents; ensure that constituents are better prepared and educated.\nDescription: This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats.\nOutcome: The constituency is provided with the necessary awareness of:", + "description": "This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats.", + "meta": { + "outcome": "The constituency is provided with the necessary awareness of: events, activities, and trends that may affect its ability to operate in a timely and secure manner\nsteps to take to detect, prevent and mitigate threats and malicious activity\nsecurity and operational best practices The following functions 
are considered to be part of the implementation of this service: Research and information aggregation\nReport and awareness materials development\nInformation dissemination\nOutreach", + "purpose": "Increase the overall security posture of the constituency and help its members to detect, prevent, and recover from incidents; ensure that constituents are better prepared and educated." + }, "related": [], "uuid": "895987fb-db75-5840-8aac-363ac47f106f", "value": "Service: Awareness building" }, { - "description": "Purpose: Provide training and education to a CSIRT constituency (which may include organizational and CSIRT staff) on topics related to cybersecurity, information assurance and incident management.\nDescription: A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can\nThis can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities.", + "description": "A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can help maintain user awareness\nhelp the constituency understand the changing landscape and threats\nfacilitate information exchange between the CSIRT and its constituency\ntrain the constituency on tools, processes and procedures related to security and incident management. 
This can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities.", + "meta": { + "outcome": "A consistent training and education program is provided that enables the CSIRTs’ constituency to appropriately acquire methods to detect, prevent or respond to threats\ntools and practices to help protect critical assets\nunderstanding about incident management processes and how to get assistance The following functions are considered to be part of the implementation of this service: Knowledge, skill, and ability requirements gathering \nEducational and training materials development\nContent delivery\nMentoring\nCSIRT staff professional development", + "purpose": "Provide training and education to a CSIRT constituency (which may include organizational and CSIRT staff) on topics related to cybersecurity, information assurance and incident management." + }, "related": [], "uuid": "373ea683-406a-589a-b031-d960b3ab2f01", "value": "Service: Training and education" }, { - "description": "Purpose: Conduct exercises to assess and improve the effectiveness and efficiency of cybersecurity services and functions.\nDescription: Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to\nThis service addresses both the needs of the organization and the needs of its constituents. 
More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives:", + "description": "Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to test policies and procedures: assess whether there are sufficient policies and procedures in place to effectively detect, respond and mitigate incidents. This is, generally, a paper/table-top exercise.\ntest operational readiness: assess whether the organization has an incident management capability that is able to detect, respond to and mitigate incidents in a timely and successful manner, as well as to test whether the right people are in place, directories are up-to-date, and if procedures are executed correctly. This service addresses both the needs of the organization and the needs of its constituents. More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives: Demonstrate: Illustrate cybersecurity services and functions, as well as vulnerabilities, threats, and risks, in order to raise awareness.\nTrain: Instruct staff on new tools, techniques, and procedures:\n\nExercise: Provide an opportunity for staff to use tools, techniques, and procedures they are expected to be knowledgeable about. 
Exercising is necessary for perishable skills and helps improve and maintain efficiency.\nAssess: Analyze and understand the level of effectiveness and efficiency of cybersecurity services and functions, as well as the level of staff preparedness.\nVerify: Determine whether a specified level of effectiveness and/or efficiency can be achieved for cybersecurity services and functions.", + "meta": { + "outcome": "The effectiveness and efficiency of cybersecurity services and functions is improved and opportunities for further improvements are identified. Depending on the specific objective(s) of an exercise, cybersecurity may also be demonstrated to internal or external stakeholders, staff can be trained, and the efficiency and effectiveness of tools, services, and functions can be assessed and/or verified. Lessons for improving future exercises can also be identified and a report delivered to management or other key stakeholders. The following functions are considered to be part of the implementation of this service: Requirements analysis\nFormat and environment development\nScenario development\nExercises execution\nExercise outcome review", + "purpose": "Conduct exercises to assess and improve the effectiveness and efficiency of cybersecurity services and functions." 
+ }, "related": [], "uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", "value": "Service: Exercises" }, { - "description": "Purpose: Ensure the constituency’s policies and procedures include appropriate incident management considerations and, ultimately, enable the constituency to better manage risks and threats, as well as enabling the CSIRT to be more effective.\nDescription: Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT.\nOutcome: A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate.", + "description": "Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT.", + "meta": { + "outcome": "A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate. 
The following functions are considered to be part of the implementation of this service: Risk management support\nBusiness continuity and disaster recovery planning support\nPolicy support\nTechnical advice", + "purpose": "Ensure the constituency’s policies and procedures include appropriate incident management considerations and, ultimately, enable the constituency to better manage risks and threats, as well as enabling the CSIRT to be more effective." + }, "related": [], "uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf", "value": "Service: Technical and policy advisory" }, { - "description": "Purpose: Manage log sources and sensors.\nDescription: Sensors and log sources need operational management throughout their lifecycle. They must be deployed, onboarded, and decommissioned. Outages, data quality/scope, and configuration issues must be identified and resolved. Sensors that have some form of configuration such as pattern definitions need their configuration maintained in order to remain effective. Sensors may also include external detection services or Open Source Intelligence (OSINT) sources, if they form the basis for detection use cases.\nOutcome: A reliable stream of relevant information security events is available as input for detection use cases.", + "description": "Sensors and log sources need operational management throughout their lifecycle. They must be deployed, onboarded, and decommissioned. Outages, data quality/scope, and configuration issues must be identified and resolved. Sensors that have some form of configuration such as pattern definitions need their configuration maintained in order to remain effective. Sensors may also include external detection services or Open Source Intelligence (OSINT) sources, if they form the basis for detection use cases.", + "meta": { + "outcome": "A reliable stream of relevant information security events is available as input for detection use cases.", + "purpose": "Manage log sources and sensors." 
+ }, "related": [ { "dest-uuid": "0c165743-b9fa-528b-95df-2fce12ca302c", - "type": "used-by" + "type": "part-of" } ], "uuid": "d9acc29a-7c55-5645-8604-40303717d2ab", "value": "Function: Log and sensor management" }, { - "description": "Purpose: Manage the portfolio of detection use cases through their entire lifecycle.\nDescription: New detection approaches are developed, tested, and improved, and eventually onboarded into a detection use case in production. Instructions for analyst triage, qualification, and correlation need to be developed, for example in the form of playbooks and Standard Operating Procedures (SOPs). Use cases that do not perform well, i.e., that have an unfavorable benefit/effort ratio, need to be improved, redefined, or abandoned. The portfolio of detection use cases should be expanded in a risk-oriented way and in coordination with preventive controls.\nOutcome: A portfolio of effective detection use cases that are relevant to the constituency is developed.", + "description": "New detection approaches are developed, tested, and improved, and eventually onboarded into a detection use case in production. Instructions for analyst triage, qualification, and correlation need to be developed, for example in the form of playbooks and Standard Operating Procedures (SOPs). Use cases that do not perform well, i.e., that have an unfavorable benefit/effort ratio, need to be improved, redefined, or abandoned. The portfolio of detection use cases should be expanded in a risk-oriented way and in coordination with preventive controls.", + "meta": { + "outcome": "A portfolio of effective detection use cases that are relevant to the constituency is developed.", + "purpose": "Manage the portfolio of detection use cases through their entire lifecycle." 
+ },
 "related": [
 {
 "dest-uuid": "0c165743-b9fa-528b-95df-2fce12ca302c",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "9d870f77-0bbf-523b-b757-8672a6262cef",
 "value": "Function: Detection use case management"
 },
 {
- "description": "Purpose: Manage of contextual data sources for detection and enrichment.\nDescription: The various contextual data sources that are involved in detection and enrichment need to be managed throughout their lifecycle. These can be live APIs to or exports from other IT systems such as a Configuration Management Database (CMDB), Identity and Access Management (IAM), or Threat Intel systems, or entirely separate data sets that need to be managed manually. The latter would be the case for indicator lists, watchlists and whitelists to suppress false positives.\nOutcome: Up to date contextual data is available for both detection and enrichment.",
+ "description": "The various contextual data sources that are involved in detection and enrichment need to be managed throughout their lifecycle. These can be live APIs to or exports from other IT systems such as a Configuration Management Database (CMDB), Identity and Access Management (IAM), or Threat Intel systems, or entirely separate data sets that need to be managed manually. The latter would be the case for indicator lists, watchlists and whitelists to suppress false positives.",
+ "meta": {
+ "outcome": "Up to date contextual data is available for both detection and enrichment. 5.2 Service: Event analysis Purpose: Triage detected potential information security incidents and their qualification as information security incidents for escalation to the Information Security Incident Management service area or as false alarms. Description: The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. 
This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues. Outcome: Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement. The following functions are considered to be part of the implementation of this service: Correlation\nQualification",
+ "purpose": "Manage of contextual data sources for detection and enrichment."
+ },
 "related": [
 {
 "dest-uuid": "0c165743-b9fa-528b-95df-2fce12ca302c",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "c359f86a-71da-57d3-8edb-256694b41584",
 "value": "Function: Contextual data management"
 },
 {
- "description": "Purpose: Identify events directly related to other potential or ongoing security incidents.\nDescription: Potential information security incidents pertaining to the same assets (e.g., systems, services, customers) or identities (e.g., users), or which are otherwise directly related to other potential information security incidents are grouped together and escalated as a single information security incident in order to avoid duplicate efforts. 
New potential information security incidents directly related to ongoing information security incidents are assigned to that information security incident instead of opening a new, separate information security incident.\nOutcome: Grouping of related potential information security incidents for combined qualification or updating to an existing information security incident already handled by the Information Security Incident Management service area is performed.",
+ "description": "Potential information security incidents pertaining to the same assets (e.g., systems, services, customers) or identities (e.g., users), or which are otherwise directly related to other potential information security incidents are grouped together and escalated as a single information security incident in order to avoid duplicate efforts. New potential information security incidents directly related to ongoing information security incidents are assigned to that information security incident instead of opening a new, separate information security incident.",
+ "meta": {
+ "outcome": "Grouping of related potential information security incidents for combined qualification or updating to an existing information security incident already handled by the Information Security Incident Management service area is performed.",
+ "purpose": "Identify events directly related to other potential or ongoing security incidents."
+ },
 "related": [
 {
 "dest-uuid": "3818f4f7-4d89-5ca1-b129-4c31640b130c",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "c9cc1b42-6487-59c6-8e5b-9258b2f33865",
 "value": "Function: Correlation"
 },
 {
- "description": "Purpose: Triage and qualify detected potential information security incidents in order to identify, categorize, and prioritize true positives.\nDescription: Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). 
Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.\nOutcome: Qualified potential information security incidents are available for handling as part of the Information Security Incident Management service area.",
+ "description": "Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. 
In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.",
+ "meta": {
+ "outcome": "Qualified potential information security incidents are available for handling as part of the Information Security Incident Management service area. 6 Service Area: Information Security Incident Management This service area is at the heart of any CSIRT and consists of services that are vital in helping constituents during an attack or incident. CSIRTs must be prepared to help and support. Through this unique position and expertise, they are able to not only collect and evaluate information security incident reports, but also to analyze relevant data and perform detailed technical analysis of the incident itself and any artefacts used. From this analysis, mitigation and steps to recover from the incident can be recommended, and constituents will be supported in applying the recommendations. This also requires a coordination effort with external entities such as peer CSIRTs or security experts, vendors, or PSIRTs to address all aspects and reduce the number of successful attacks later on. The special expertise CSIRTs can provide is also critical in addressing (information security) crises. While in many instances a CSIRT will not handle the crisis management, it can support any such activity. Making its contacts available, for example, can greatly improve the application of required mitigation steps or better protection mechanisms. Applying the knowledge and the available infrastructure to support its constituency is key to improving overall information security incident management. 
The following services are considered as potential offerings of this service area: Information security incident report acceptance\nInformation security incidents analysis\nArtefact and forensic evidence analysis\nMitigation and recovery\nInformation security incident coordination\nCrisis management support 6.1 Service: Information security incident report acceptance Purpose: Receive and process reports of potential information security incidents from constituents, from Information Security Event Management services or third parties. Description: For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. 
Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.5 Outcome: The information security incident report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Information Security Incident Report Receipt\nInformation Security Incident Triage and Processing",
+ "purpose": "Triage and qualify detected potential information security incidents in order to identify, categorize, and prioritize true positives."
+ },
 "related": [
 {
 "dest-uuid": "3818f4f7-4d89-5ca1-b129-4c31640b130c",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "660ce9c7-4897-557e-b47a-3cea1c93a473",
 "value": "Function: Qualification"
 },
 {
- "description": "Purpose: Accept or receive information about an information security incident, as reported from constituents or third parties.\nDescription: Effective intake of information security incident reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (e.g., finders, researchers, ISACs, other CSIRTs). Information security incident reports may include affected devices/networks/users/organizations, conditions already identified like exploited vulnerabilities, impact both on technical and business level, and actions that have been taken to start remediation and/or mitigation steps and potentially resolution. Occasionally, information security incident information may be received jointly as part of the input to other services, most namely the Vulnerability Report Intake (e.g., if an information security incident is reported that has been identified while analyzing a vulnerability report). 
Automatically submitted reports might or might not be acknowledged pending further choices of the implemented interfaces and protocols.\nOutcome: Information security incident reports are appropriately handled from constituents or third parties, including the initiation of documenting or tracking the reports",
+ "description": "Effective intake of information security incident reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (e.g., finders, researchers, ISACs, other CSIRTs). Information security incident reports may include affected devices/networks/users/organizations, conditions already identified like exploited vulnerabilities, impact both on technical and business level, and actions that have been taken to start remediation and/or mitigation steps and potentially resolution. Occasionally, information security incident information may be received jointly as part of the input to other services, most namely the Vulnerability Report Intake (e.g., if an information security incident is reported that has been identified while analyzing a vulnerability report). 
Automatically submitted reports might or might not be acknowledged pending further choices of the implemented interfaces and protocols.",
+ "meta": {
+ "outcome": "Information security incident reports are appropriately handled from constituents or third parties, including the initiation of documenting or tracking the reports The following sub-functions are considered to be part of this function: Monitoring communications channels regularly and check whether the advertised means of contacting the CSIRT are operational and reports can be submitted\nReporting initial acknowledgement to the submitter of the information security incident report, requesting additional information if needed, and setting expectations with the reporter",
+ "purpose": "Accept or receive information about an information security incident, as reported from constituents or third parties."
+ },
 "related": [
 {
 "dest-uuid": "75b0b609-defa-5302-9354-2e21c1ccfa3e",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "3010eca9-c35d-5439-a38e-b8f3734d9b95",
 "value": "Function: Information security incident report receipt"
 },
 {
- "description": "Purpose: Initially review, categorize, prioritize, and process a reported information security incident.\nDescription: Information Security Incident Reports are reviewed and triaged to obtain an initial understanding of the information security incident in question. It is of particular importance whether it has a real information security impact on the target and can result (or has already resulted) in damage to the confidentiality, availability, integrity, and/or authenticity of information assets or other assets. Depending on the amount of detail and quality of the information provided in the initial report, it may or not be obvious whether a real information security incident has occurred or if there is a different reason—such as misconfiguration or hardware failure. 
The next step will be determined on the basis of the preliminary assessment (e.g., process the report for further analysis; seek additional information from the reporter or other sources; decide that the report needs no further action or is a false alarm).\nIt is possible that attacks may originate from within the constituency of a CSIRT, may target this constituency, or the constituency is affected by collateral effects only. If the CSIRT does not provide Information Security Management services for the identified targets, then the report should be forwarded securely to an external group for handling, such as the affected organization(s) or CSIRT(s).",
+ "description": "Information Security Incident Reports are reviewed and triaged to obtain an initial understanding of the information security incident in question. It is of particular importance whether it has a real information security impact on the target and can result (or has already resulted) in damage to the confidentiality, availability, integrity, and/or authenticity of information assets or other assets. Depending on the amount of detail and quality of the information provided in the initial report, it may or not be obvious whether a real information security incident has occurred or if there is a different reason—such as misconfiguration or hardware failure. The next step will be determined on the basis of the preliminary assessment (e.g., process the report for further analysis; seek additional information from the reporter or other sources; decide that the report needs no further action or is a false alarm). It is possible that attacks may originate from within the constituency of a CSIRT, may target this constituency, or the constituency is affected by collateral effects only. 
If the CSIRT does not provide Information Security Management services for the identified targets, then the report should be forwarded securely to an external group for handling, such as the affected organization(s) or CSIRT(s). Unless there is a reason to decline an information security incident report or the report has been forwarded to another entity responsible for its handling, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling.",
+ "meta": {
+ "outcome": "It can be determined if a reported matter is indeed an information security incident that needs to be handled by the CSIRT or passed on to a relevant entity. The following sub-functions are considered to be part of the implementation of this service: Processing reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means\nUpdating acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available\nMerging new information about already handled information security incidents to the available data to allow a consistent analysis and processing 6.2 Service: Information security incident analysis Purpose: Analyze and gain an understanding of a confirmed information security incident. Description: This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit. Detailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. 
Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken. The CSIRT may use other information and its own analysis (see below for some options) or knowledge available from vendors and product security teams or security researchers to better understand what has happened and what steps to take to remedy losses or damage. Outcome: Knowledge is increased of the key details of an information security incident (e.g., description, impact, scope, attacks/exploits, and remedies). The following functions are considered to be part of the implementation of this service: Information security incident triage (prioritization and categorization)\nInformation collection\nDetailed analysis coordination\nInformation security incident root cause analysis\nCross-incident correlation",
+ "purpose": "Initially review, categorize, prioritize, and process a reported information security incident."
+ },
 "related": [
 {
 "dest-uuid": "75b0b609-defa-5302-9354-2e21c1ccfa3e",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "b906d2a9-6697-5d12-99ee-2b3c74133a98",
 "value": "Function: Information security incident triage and processing"
 },
 {
- "description": "Purpose: Categorize, prioritize, and create an initial assessment of an information security incident.\nDescription: The Analyzing Information Security Incidents service begins with a review of the available information to categorize, prioritize, and assess the impact an information security incident has on the involved systems relevant to the CSIRT’s mandate. 
Some of this may have been documented during the Information Security Incident Report Triage and Processing function (of the Information Security Incident Report Intake service) if the information security incident was reported to the CSIRT by a constituent or third party.\nIf prior triage has not already been completed, the information security incident may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., a potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area the CSIRT according to its mandate).",
+ "description": "The Analyzing Information Security Incidents service begins with a review of the available information to categorize, prioritize, and assess the impact an information security incident has on the involved systems relevant to the CSIRT’s mandate. Some of this may have been documented during the Information Security Incident Report Triage and Processing function (of the Information Security Incident Report Intake service) if the information security incident was reported to the CSIRT by a constituent or third party. If prior triage has not already been completed, the information security incident may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., a potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area the CSIRT according to its mandate).",
+ "meta": {
+ "outcome": "The information record of an information security incident is categorized, prioritized, and updated.",
+ "purpose": "Categorize, prioritize, and create an initial assessment of an information security incident." 
+ },
 "related": [
 {
 "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "e999f7cd-d109-5155-a096-733845fc085f",
 "value": "Function: Information security incident triage (prioritization and categorization)"
 },
 {
- "description": "Purpose: Intake, catalog, store, and track information related to the information security incident and all information security events that are considered to be part of it.\nDescription: Enable the collection of all valuable information to obtain the best understanding of the context, so that the origin and the content of the information can be appropriately evaluated and tagged to be used for any further processing.\nWhile collecting information, the agreed sharing policies and limitations of what data can be used in which context or for what form of processing must be accepted and adhered to. Also, the collection mechanisms and procedures must ensure that proper labeling and attribution of sources is used in order to later validate the origins as well as the appropriateness or authenticity.",
+ "description": "Enable the collection of all valuable information to obtain the best understanding of the context, so that the origin and the content of the information can be appropriately evaluated and tagged to be used for any further processing. While collecting information, the agreed sharing policies and limitations of what data can be used in which context or for what form of processing must be accepted and adhered to. Also, the collection mechanisms and procedures must ensure that proper labeling and attribution of sources is used in order to later validate the origins as well as the appropriateness or authenticity.",
+ "meta": {
+ "outcome": "Structured information about collected digital and non-digital data or metadata is available, with tracking information and points of control of the integrity of both handling and storage. 
Depending whether the results will be used for future (informal) analysis or law enforcement activities, different requirements exist in regard to establishing a formal chain of custody that can be defended in court at some later stage. The following sub-functions are considered to be part of the implementation of this function: Evaluation and validation of information sources providing data and information\nCollection of reports regarding malicious or suspicious events, information security events, escalated potential information security incidents, and/or information security incident reports from constituents and third parties (such as other security teams or commercial intelligence feeds), whether manual, automated, or machine-readable forms\nGathering and cataloging of digital data that may be, but are not guaranteed to be, useful in understanding incident activity (e.g., disk and memory images, files with metadata or checksums, network architecture characteristics, logs); this includes but is not limited to artefacts believed to be remnants of adversary activity\nGathering and cataloging of non-digital data (e.g., physical sign-in sheets, architecture diagrams, business models, site assessment data, policies, enterprise risk frameworks)\nGathering and cataloging of metadata regarding the source, method of collection, persons having handled data or objects, owner, and custody information especially as it may be viewed as evidence for forensic analysis or law enforcement activities later on",
+ "purpose": "Intake, catalog, store, and track information related to the information security incident and all information security events that are considered to be part of it." 
+ },
 "related": [
 {
 "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "073074bd-6262-573f-b2cb-ac9b5566dda7",
 "value": "Function: Information collection"
 },
 {
- "description": "Purpose: Initiate and track any other technical analysis in regard to an information security incident.\nDescription: As more detailed technical analysis may be required, such analysis may be executed by other experts (inside or outside the host organization or CSIRT) or other third parties (such as a service provider specialized in such analysis). This requires initiating and tracking such activities up to the successful delivery of the desired analysis.\nOutcome: A list of pending and—from the viewpoint of the incident handler coordinating the response to any given information security incident—outsourced analysis is available.",
+ "description": "As more detailed technical analysis may be required, such analysis may be executed by other experts (inside or outside the host organization or CSIRT) or other third parties (such as a service provider specialized in such analysis). This requires initiating and tracking such activities up to the successful delivery of the desired analysis.",
+ "meta": {
+ "outcome": "A list of pending and—from the viewpoint of the incident handler coordinating the response to any given information security incident—outsourced analysis is available.",
+ "purpose": "Initiate and track any other technical analysis in regard to an information security incident." 
+ },
 "related": [
 {
 "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "4810f533-ce30-53a7-bff9-6dade2d41be7",
 "value": "Function: Detailed analysis coordination"
 },
 {
- "description": "Purpose: Identify the root cause of the information security incident, identifying the circumstances that allowed the exploited vulnerabilities to exist or that allowed the exploitation to succeed (including but not limited to user behavior).\nDescription: This function involves the process and actions required to understand the architecture, usage, or implementation flaw(s) that caused or exposed systems, networks, users, organizations, etc. to the kind of attack or exploit or compromise as exercised against the targets of an information security incident. It is also concerned with the circumstances in which an attacker could compromise more systems based on the initial access to gain further access.\nDepending on the nature of the information security incident, it may be difficult for a CSIRT to perform this function thoroughly. In many situations, this function may best be conducted by the affected target itself, as especially in the context of Coordinating CSIRTs no detailed technical knowledge is available about systems or networks that have been compromised.",
+ "description": "This function involves the process and actions required to understand the architecture, usage, or implementation flaw(s) that caused or exposed systems, networks, users, organizations, etc. to the kind of attack or exploit or compromise as exercised against the targets of an information security incident. It is also concerned with the circumstances in which an attacker could compromise more systems based on the initial access to gain further access. Depending on the nature of the information security incident, it may be difficult for a CSIRT to perform this function thoroughly. 
In many situations, this function may best be conducted by the affected target itself, as especially in the context of Coordinating CSIRTs no detailed technical knowledge is available about systems or networks that have been compromised.",
+ "meta": {
+ "outcome": "The information security incident and the way in which malicious actors initially gained access and used it further on is understood so that remediation or mitigation methods can be determined to minimize the risk of future exposure or exploitation by eliminating the root causes.",
+ "purpose": "Identify the root cause of the information security incident, identifying the circumstances that allowed the exploited vulnerabilities to exist or that allowed the exploitation to succeed (including but not limited to user behavior)."
+ },
 "related": [
 {
 "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "d83afb89-203e-57ae-81d4-ded2000b30ed",
 "value": "Function: Information security incident root cause analysis"
 },
 {
- "description": "Purpose: Enable the usage of all available information to get the best understanding of the context and detect interrelationships that otherwise would not have been recognized or acted upon.\nDescription: This function involves the correlation of available information about multiple information security incidents to determine interrelations, trends, or applicable mitigations from already closed information security incidents to improve the response to currently handled information security incidents.\nOutcome: The bigger picture is understood in terms of situational awareness based on a detailed knowledge about similarities and confirmed or suspected interrelationships of otherwise independent information security incidents.",
+ "description": "This function involves the correlation of available information about multiple information security incidents to determine interrelations, trends, or applicable mitigations from already 
closed information security incidents to improve the response to currently handled information security incidents.",
+ "meta": {
+ "outcome": "The bigger picture is understood in terms of situational awareness based on a detailed knowledge about similarities and confirmed or suspected interrelationships of otherwise independent information security incidents. 6.3 Service: Artifact and forensic evidence analysis Purpose: Analyze and gain an understanding of artefacts related to a confirmed information security incident, taking into consideration the need to preserve forensic evidence. Description: The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, applications codes, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply. Even without preserving a chain-of-custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments--with or without external accesses from standard wired or wireless networks (such as performing the forensics activities in a sealed or Faraday room), logging of activities, and compliance with procedures. As part of the handling of information security incidents, digital artefacts may be found on affected systems or malware distribution sites. Artefacts may be the remnants of an intruder attack, such as executables, scripts, files, images, configuration files, tools, tool outputs, logs, live or dormant pieces of code, etc. 
The analysis is carried out in order to find out some or all of the information listed below, which is not considered to be a complete list: The context required of the artefact to run and to perform its intended tasks, whether malicious or not\nHow the artefacts may have been utilized for the attack: uploaded, downloaded, copied, executed, or created within an organization’s environments or components\nWhich systems have been involved locally and remotely to support the distribution and actions\nWhat an intruder did once to access to the system, network, organization, or infrastructure was established: from passively collecting data, to actively scanning and transmitting data for exfiltration purposes, or collecting new action requests, updating itself or making a lateral movement inside a compromised (local) network\nWhat a user, user process, or user system did once the user account or user device was compromised\nWhat behavior characterizes the artefacts or compromised systems, either in standalone mode, in conjunction with artefacts or components, connected to a local network or the Internet, or in any combination\nHow the artefacts or compromised systems establish connectivity with the target (e.g., intrusion path, initial target, or detection evasion techniques);\nWhat communication architecture (peer-to-peer, command-and-control, both) has been utilized\nWhat were the actions of the threat actors, what is their network and systems footprint\nHow the intruders or artefacts evaded detection (even over long periods of time which may include reboot or reinitialization) This can be achieved through various types of activities including media or surface analysis\nreverse engineering\nruntime or dynamic analysis\ncomparative analysis Each activity provides additional information about the artefacts. 
Analysis methods include but are not limited to identification of type and characteristics of artefacts, comparison with known artefacts, observation of artefact execution in a runtime or a live environment, and disassembling and interpreting binary artefacts. In carrying out an analysis of the artefacts, an analyst attempts to reconstruct and determine what the intruder did, in order to detect the exploited vulnerability, assess damages, develop solutions to mitigate against the artefacts, and provide information to constituents and other researchers. Outcome: The nature of recovered digital artefacts and analyzed forensic evidence is understood along with the relationship to other artefacts, internal or external objects or components, attacks on frameworks, tools, and exploited vulnerabilities. Working assumptions or proof of what the threat actor did, and how the artefacts behaved. This knowledge is critical to assess losses, damages, business impacts, etc. and to develop containment and mitigation or recovery strategies. The tactics, techniques, and procedures used by attackers or intruders to compromise systems, users, networks, organizations and/or infrastructures is understood. This includes those tactics, techniques, and procedures used to propagate, exfiltrate, update, modify, or fake its behavior, data, auto-delete traces of its own activities, or carry out additional malicious activities. List of functions which are considered to be part of the implementation of this service: Media or surface analysis\nReverse engineering\nRuntime and/or dynamic analysis\nComparative analysis",
+ "purpose": "Enable the usage of all available information to get the best understanding of the context and detect interrelationships that otherwise would not have been recognized or acted upon." 
+ },
 "related": [
 {
 "dest-uuid": "005c1e64-40dd-5b83-a5b0-15927707e58a",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "1eb8496d-9383-5b95-909b-59670113537f",
 "value": "Function: Cross-incident correlation"
 },
 {
- "description": "Purpose: Compare information gathered from the artefact with other public and private artefacts and/or signature repositories.\nDescription: This function involves identification and characterization of basic information and metadata about artefacts, including but not limited to file types, string outputs, cryptographic hashes, certificates, file sizes, file/directory names. As all available information is gathered and analyzed further, this may be used to review any public/open or private/closed source information repositories to learn more about the artefact or its behavior, as such information can be used to determine the next steps.\nOutcome: Identify Characteristics and/or the signature of digital artefact are identified and any information already known about the artefact including maliciousness, impact, and mitigation.",
+ "description": "This function involves identification and characterization of basic information and metadata about artefacts, including but not limited to file types, string outputs, cryptographic hashes, certificates, file sizes, file/directory names. As all available information is gathered and analyzed further, this may be used to review any public/open or private/closed source information repositories to learn more about the artefact or its behavior, as such information can be used to determine the next steps.",
+ "meta": {
+ "outcome": "Identify Characteristics and/or the signature of digital artefact are identified and any information already known about the artefact including maliciousness, impact, and mitigation.",
+ "purpose": "Compare information gathered from the artefact with other public and private artefacts and/or signature repositories." 
+ },
 "related": [
 {
 "dest-uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "7b910715-e5fa-5204-8636-fae5470e7d1e",
 "value": "Function: Media or surface analysis"
 },
 {
- "description": "Purpose: Perform in-depth static analysis of an artefact to determine its complete functionality, regardless of the environment within which it may be executed.\nDescription: To provide a deeper analysis of malware artefacts to include identifying hidden actions and triggering commands. Reverse engineering allows the analyst to dig past any obfuscation and compilation (for binaries) and identify the program, script, or code that makes up the malware, either by uncovering any source code or by disassembling the binary into assembly language and interpreting it. The analyst uncovers all of the machine language exposed functions and actions the malware can perform. Reverse engineering is a deeper analysis that is carried out when surface and runtime analysis do not provide the full information needed.\nOutcome: Complete functionality of a digital artefact is derived to understand how it operates, how it is triggered, related system weaknesses that can be exploited, its full impact, and potential damage, in order to develop solutions to mitigate against the artefact and, if appropriate, create a new signature for comparison with other samples.",
+ "description": "To provide a deeper analysis of malware artefacts to include identifying hidden actions and triggering commands. Reverse engineering allows the analyst to dig past any obfuscation and compilation (for binaries) and identify the program, script, or code that makes up the malware, either by uncovering any source code or by disassembling the binary into assembly language and interpreting it. The analyst uncovers all of the machine language exposed functions and actions the malware can perform. 
Reverse engineering is a deeper analysis that is carried out when surface and runtime analysis do not provide the full information needed.",
+ "meta": {
+ "outcome": "Complete functionality of a digital artefact is derived to understand how it operates, how it is triggered, related system weaknesses that can be exploited, its full impact, and potential damage, in order to develop solutions to mitigate against the artefact and, if appropriate, create a new signature for comparison with other samples. The following sub-functions are considered to be part of the implementation of this function: Static analysis\nCode reverse engineering\nPotential behavior analysis and description\nPotential signature design",
+ "purpose": "Perform in-depth static analysis of an artefact to determine its complete functionality, regardless of the environment within which it may be executed."
+ },
 "related": [
 {
 "dest-uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "679596e0-afd5-5e54-ba56-716d47e1a1aa",
 "value": "Function: Reverse engineering"
 },
 {
- "description": "Purpose: Provide insight into the artefact’s operation.\nDescription: This function involves understanding of an artifact’s capabilities via observation while running the sample in a real or emulated environment (e.g., sandbox, virtual environment, and hardware or software emulators).\nUse of a simulated environment captures changes to the host, network traffic, and output from execution. The basic premise is to try to see artefact in operation in as close to a real-life situation as possible.",
+ "description": "This function involves understanding of an artifact’s capabilities via observation while running the sample in a real or emulated environment (e.g., sandbox, virtual environment, and hardware or software emulators). Use of a simulated environment captures changes to the host, network traffic, and output from execution. 
The basic premise is to try to see artefact in operation in as close to a real-life situation as possible.",
+ "meta": {
+ "outcome": "Additional insight is gained into a digital artefact’s operation by observing its behavior during execution to determine the changes to the affected host system, other system interaction, and resulting network traffic in order to better understand the system damage and impact, create new artefact signature(s), and determine mitigation steps. Note Not all functionality is apparent from runtime analysis, since not all code sections may be triggered. Runtime analysis only allows the analyst to see what the malware does in the test situation, not what it is fully capable of doing. The following sub-functions are considered to be part of the implementation of this function: Preparing an analysis environment (live/restricted/closed, emulated/simulated)\nPreparing collectors, sensors and/or probes\nCollecting initial behavior data and metadata\nProbing the artefact at multiple times in various contexts\nCarry out a systems and/or network behavior analysis, both short-term and long-term\nDrawing conclusions by evaluating all results and data gathered, comparing the various results and researching available knowledge bases for existing technical results matching the findings",
+ "purpose": "Provide insight into the artefact’s operation."
+ },
 "related": [
 {
 "dest-uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "7410a6c8-3dd9-5c31-9ca1-1929f00acc61",
 "value": "Function: Run time or dynamic analysis"
 },
 {
- "description": "Purpose: Perform an analysis focused on identifying common functionality or intent, including family analysis of catalogued artefacts.\nDescription: This function involves exploring an artefact’s relationship to other artefacts. This may identify similarities in code or modus operandi, targets, intent, and authors. 
Such similarities can be used to derive the scope of an attack (e.g., is there a larger target, has similar code been used before).\nComparative analysis techniques can include exact match comparisons or code similarity comparisons. Comparative analysis provides a broader view of how the artefact or similar versions of it were used and changed over time, helping to understand the evaluation of malware or other malicious types of artefacts.",
+ "description": "This function involves exploring an artefact’s relationship to other artefacts. This may identify similarities in code or modus operandi, targets, intent, and authors. Such similarities can be used to derive the scope of an attack (e.g., is there a larger target, has similar code been used before). Comparative analysis techniques can include exact match comparisons or code similarity comparisons. Comparative analysis provides a broader view of how the artefact or similar versions of it were used and changed over time, helping to understand the evaluation of malware or other malicious types of artefacts.",
+ "meta": {
+ "outcome": "Any commonalities or relationships to other artefacts are derived in order to identify trends or similarities that may provide additional insights or understanding of a digital artefact’s functionality, impact, and mitigation. The following sub-functions are considered to be part of the implementation of this function: Defining a baseline of characteristics and observed behaviors\nSearching for the same or similar characteristics in available repositories/knowledge bases\nUpdating available repositories/knowledge bases regarding newly observed or previously unknown symptoms, behaviors, and/or signatures which can be used to further categorize the researched artefact. 
6.4 Service: Mitigation and recovery Purpose: Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security. Description: Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned over into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed or new information becomes available that requires further analysis and henceforth may also change the response strategy and plan. Outcome: The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. Data is restored in case of data loss, if possible. The following functions are considered to be part of the implementation of this service: Response plan established \nAd hoc measures and containment\nSystems restoration\nOther information security entities support In the case of a coordinating CSIRT, not all functions will be provided. While “supporting other information security entities” is an activity such teams provide, they sometimes also help with “establishing a response plan.”",
+ "purpose": "Perform an analysis focused on identifying common functionality or intent, including family analysis of catalogued artefacts." 
+ },
 "related": [
 {
 "dest-uuid": "eda3b2d9-4a66-5803-98c7-e87bb8068b97",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "38014864-0c08-5bbd-8d28-3bde1727d50d",
 "value": "Function: Comparative analysis"
 },
 {
- "description": "Purpose: Define and enforce a plan to restore the integrity of affected systems and return the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality without recreating the context of enabling the original security issue to be exploited again.\nDescription: Without fully understanding the business impact and requirements to mitigate and recover, no meaningful response will be provided. As there is a conflict of interest—tracking the attack to gain more intelligence vs. containing the attack to avoid further losses—it is necessary to take all interests into consideration and work out a response plan that is plausible to address the known facts and provide the desired outcome within the required timeframe.\nAs with all plans, it must be considered that whenever new analysis results become available, the new findings need to be reviewed. Indeed, the response plan will usually need to be changed to provide continuous orientation and guidance. But without such plan—unless the response is handled by one small organizational group with little requirement of external interfaces or other entities—the activities might not be carried out effectively or efficiently due to a lack of coordination.",
+ "description": "Without fully understanding the business impact and requirements to mitigate and recover, no meaningful response will be provided. As there is a conflict of interest—tracking the attack to gain more intelligence vs. containing the attack to avoid further losses—it is necessary to take all interests into consideration and work out a response plan that is plausible to address the known facts and provide the desired outcome within the required timeframe. 
As with all plans, it must be considered that whenever new analysis results become available, the new findings need to be reviewed. Indeed, the response plan will usually need to be changed to provide continuous orientation and guidance. But without such plan—unless the response is handled by one small organizational group with little requirement of external interfaces or other entities—the activities might not be carried out effectively or efficiently due to a lack of coordination.",
+ "meta": {
+ "outcome": "An agreed response plan that meets business requirements if aided by available resources and support, which will then be executed. Tracking and coordination by a CSIRT would be provided by the “Coordination” service. The following sub-functions are considered to be part of the implementation of this function: Determine the business impact of the information security incident\nDetermine the business requirements and timeframe for a successful recovery\nDefine decision processes and criteria (if not already defined by policies)\nIdentify the objects to be recovered: environments, systems, applications, systems, transversal functions, etc.\nIdentify required support and actions by internal and external entities\nDetermine a response plan that provides for a meaningful response within the desired business requirements and timeframe based on available resources and the technical scope of required actions",
+ "purpose": "Define and enforce a plan to restore the integrity of affected systems and return the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality without recreating the context of enabling the original security issue to be exploited again." 
+ },
 "related": [
 {
 "dest-uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "5b155f76-0772-5475-b622-8871d004d94a",
 "value": "Function: Response plan establishment"
 },
 {
- "description": "Purpose: Implement measures that ensure an information security incident does not spread any further, i.e. remains confined to the currently affected system, users, and/or domains to ensure that no further losses (including leakage of documents, changes to databases or data, etc.) can occur.\nDescription: The immediate challenge in case of an information security incident is to stop it from spreading. While systems are compromised or malware is active on end user systems, further data losses and more compromises occur. It is usually the main objective of attacks to reach out to specific data and systems, including attacks (including but not limited to lateral movements) to other organizations both inside and outside the organization suffering from the information security incident. Stopping or at least limiting the extent of any malicious activities or further losses requires short-term actions such as blocking or filtering traffic and removing access to specific services or systems, and can also result in the disconnection of critical systems.\nDenying further access to potentially critical evidence data will allow a full analysis of such evidence. Denying further access to other systems and networks will also limit the exposure from liability as a result of damage done to other organizations.",
+ "description": "The immediate challenge in case of an information security incident is to stop it from spreading. While systems are compromised or malware is active on end user systems, further data losses and more compromises occur. 
It is usually the main objective of attacks to reach out to specific data and systems, including attacks (including but not limited to lateral movements) to other organizations both inside and outside the organization suffering from the information security incident. Stopping or at least limiting the extent of any malicious activities or further losses requires short-term actions such as blocking or filtering traffic and removing access to specific services or systems, and can also result in the disconnection of critical systems. Denying further access to potentially critical evidence data will allow a full analysis of such evidence. Denying further access to other systems and networks will also limit the exposure from liability as a result of damage done to other organizations. Stopping immediate damage and limiting the extent of malicious activity through short-term tactical actions (for example, blocking or filtering traffic) can also involve regaining control of systems. As long as attackers or active malware have ready access to more systems or networks, no return to normal operation will be possible.",
+ "meta": {
+ "outcome": "Control of systems and networks involved is regained. Access is denied for attackers and malware to data, systems, and networks in order to avoid more attacks and/or compromised systems and data. The following sub-functions might be part of the implementation of this function: Temporarily remove access for users/systems/services/networks\nTemporarily disconnect systems or networks from networks or backbones\nTemporarily disable services\nRequire users to change their passwords or crypto credentials\nMonitor for signs of intrusions and indicators of compromise\nVerify that all users/systems/services/networks are unaffected",
+ "purpose": "Implement measures that ensure an information security incident does not spread any further, i.e. 
remains confined to the currently affected system, users, and/or domains to ensure that no further losses (including leakage of documents, changes to databases or data, etc.) can occur."
+ },
 "related": [
 {
 "dest-uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "33646116-25db-59e4-b1a6-c40d96432797",
 "value": "Function: Ad hoc measures and containment"
 },
 {
- "description": "Purpose: Implement changes in the affected domain, infrastructure, or network necessary to fix and prevent this type of activity from reoccurring.\nDescription: Restore the integrity of affected systems and returning the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality. As business reality usually demands systems return to normal operation as soon as possible, there is a risk that not all means of unauthorized access have been removed successfully. Therefore, unless the analysis results are already available, even returned systems must be carefully monitored and managed. Especially if identified vulnerabilities and weaknesses cannot (yet) be eliminated, improved protection and detection mechanisms need to be applied to avoid the same or similar or types of information security incidents.\nOutcome: Measures are applied to restore the systems and services to full functionality as well as capacity. Measures are applied to close any detected vulnerabilities or weakness that contributed to the original information security incident. Detection and reaction measures are improved as recommended by the analysis and response plan.",
+ "description": "Restore the integrity of affected systems and returning the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality. 
As business reality usually demands systems return to normal operation as soon as possible, there is a risk that not all means of unauthorized access have been removed successfully. Therefore, unless the analysis results are already available, even returned systems must be carefully monitored and managed. Especially if identified vulnerabilities and weaknesses cannot (yet) be eliminated, improved protection and detection mechanisms need to be applied to avoid the same or similar or types of information security incidents.",
+ "meta": {
+ "outcome": "Measures are applied to restore the systems and services to full functionality as well as capacity. Measures are applied to close any detected vulnerabilities or weakness that contributed to the original information security incident. Detection and reaction measures are improved as recommended by the analysis and response plan. The following sub-functions are considered to be part of the implementation of this function: Restore user/system data from trusted backup media\nRestore configurations from trusted backup media or recreated content\nEnable disabled services and re-establish access for users/systems/networks\nPerform functional tests to validate the capacity and capability of systems/services/networks both on an infrastructure and application level",
+ "purpose": "Implement changes in the affected domain, infrastructure, or network necessary to fix and prevent this type of activity from reoccurring." 
+ },
 "related": [
 {
 "dest-uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "c23fdfc5-660d-515b-80d9-8e3f6bfb31e4",
 "value": "Function: System restoration"
 },
 {
- "description": "Purpose: Enable the constituents to perform the required management and technical activities in order to successfully mitigate an information security incident and recover from it.\nDescription: A CSIRT may provide direct (onsite) assistance to help the constituents to recover from losses and to remove vulnerabilities. This might be a direct extension of offering analysis services on-site (see above). On the other hand, a CSIRT might choose to support the staff of the constituents responding to the information security incident with more detailed explanations, recommendations, etc.\nOutcome: Response of the constituents is improved and recovery is faster. By adding to the available body of knowledge the future effectiveness and efficiency of related activities may be strengthened. In addition, it helps to support those entities inside the constituency that are lacking detailed technical knowledge to carry out the necessary action to respond.",
+ "description": "A CSIRT may provide direct (onsite) assistance to help the constituents to recover from losses and to remove vulnerabilities. This might be a direct extension of offering analysis services on-site (see above). On the other hand, a CSIRT might choose to support the staff of the constituents responding to the information security incident with more detailed explanations, recommendations, etc.",
+ "meta": {
+ "outcome": "Response of the constituents is improved and recovery is faster. By adding to the available body of knowledge the future effectiveness and efficiency of related activities may be strengthened. In addition, it helps to support those entities inside the constituency that are lacking detailed technical knowledge to carry out the necessary action to respond. 
6.5 Service: Information security incident coordination Purpose: Ensure timely notifications and accurate information distribution; keep the information flow and track the status of activities of entities that are either tasked or requested to participate in responding to the information security incident; and make sure the response plan is carried out and deviations caused by both delays or new information are managed accordingly. Description: Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, this requires suitable escalation and reporting functions established before any information security incident can be handled effectively and efficiently. As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, track their responses and make sure that all parties carrying out activities report back to provide for accurate situational awareness until the information security incident is considered closed and requiring no further coordination. Stakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support. Outcome: The response is successfully coordinated based on well-informed entities that contribute to the response to an information security incident. 
The following functions are considered to be part of the implementation of this service: Communication\nNotification distribution\nRelevant information distribution\nActivities coordination \nReporting\nMedia communication",
+ "purpose": "Enable the constituents to perform the required management and technical activities in order to successfully mitigate an information security incident and recover from it."
+ },
 "related": [
 {
 "dest-uuid": "d153b816-a767-5bc6-9d78-89f6f49dc11a",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "ad062821-b88e-54cc-ac56-14ed4d20aeb7",
 "value": "Function: Other information security entities support"
 },
 {
- "description": "Purpose: Engage effectively with stakeholders and establish appropriate multiple communication channels providing the required confidentiality.\nDescription: A CSIRT must account for the most accurate audience as communications are crafted and released. In return, a CSIRT must also be equipped to receive incoming feedback, reports, comments, and questions from a variety of sources based on its own communication.\nThe security policy and the information sharing policy may require information to be handled in a strict manner. The CSIRT must be able to share with stakeholders in a reliable, secure, and private manner, both externally and internally.",
+ "description": "A CSIRT must account for the most accurate audience as communications are crafted and released. In return, a CSIRT must also be equipped to receive incoming feedback, reports, comments, and questions from a variety of sources based on its own communication. The security policy and the information sharing policy may require information to be handled in a strict manner. The CSIRT must be able to share with stakeholders in a reliable, secure, and private manner, both externally and internally. Non-disclosure agreements must be set up as far in advance as possible and communication resources set up accordingly. 
As an extension, the concept of “information under embargo” can also be used. Hence, a retention policy must also be established to ensure that both the data used to craft the information and the information itself are properly handled, shared, and kept based on constraints—such as time—until these constraints become void or the information is publicly disclosed. Communication channels can take multiple forms based upon the needs of stakeholders and constituents. All information communicated must be tagged according to the information sharing policy. Traffic Light Protocol may be utilized.", + "meta": { + "outcome": "All communication channels are available according to the security requirements of all receiving and sending parties.\nThe following sub-functions are considered to be part of the implementation of this function: Provide internal communication channels\nProvide external communication channels", + "purpose": "Engage effectively with stakeholders and establish appropriate multiple communication channels providing the required confidentiality." + }, "related": [ { "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", - "type": "used-by" + "type": "part-of" } ], "uuid": "cb18913e-ed20-55c8-875b-3c9e522a6167", "value": "Function: Communication" }, { - "description": "Purpose: Alert entities impacted by the information security incident or those that can contribute to the response to it and provide those entities with the required information to understand their role of involvement and any expectations that might exist regarding their cooperation and support.\nDescription: A security incident touches on many internal and potentially external entities and, possibly, systems, and networks. As CSIRTs are a central point for receiving reports of potential information security incidents, they also serve as a hub for notifying authorized points of contact about them. 
The notification usually will provide not only the appropriate technical details but also information about the expected response and a point of contact for any fellow-up.\nOutcome: Information about an information security incident is available to entities required to either take part in the response or to be informed about it.", + "description": "A security incident touches on many internal and potentially external entities and, possibly, systems, and networks. As CSIRTs are a central point for receiving reports of potential information security incidents, they also serve as a hub for notifying authorized points of contact about them. The notification usually will provide not only the appropriate technical details but also information about the expected response and a point of contact for any fellow-up.", + "meta": { + "outcome": "Information about an information security incident is available to entities required to either take part in the response or to be informed about it.", + "purpose": "Alert entities impacted by the information security incident or those that can contribute to the response to it and provide those entities with the required information to understand their role of involvement and any expectations that might exist regarding their cooperation and support." 
+ }, "related": [ { "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", - "type": "used-by" + "type": "part-of" } ], "uuid": "661ad685-bc5e-5522-84a2-a93f22704f24", "value": "Function: Notification distribution" }, { - "description": "Purpose: Keep communicating with the identified entities and provide a suitable flow of available information in order to enable those entities to benefit from available insights and lessons learned, to apply improved responses or take new ad-hoc measures.\nDescription: As the response to an information security incident progresses, more analysis results and reports from potentially other security experts, CSIRTs, or victims become available.\nIt may be helpful to pass some of the information and lessons learned on to the Knowledge Transfer Service Area (if supported) to improve training and technical documents as well as to help create appropriate awareness, especially if new attacks or incident trends are identified.", + "description": "As the response to an information security incident progresses, more analysis results and reports from potentially other security experts, CSIRTs, or victims become available. It may be helpful to pass some of the information and lessons learned on to the Knowledge Transfer Service Area (if supported) to improve training and technical documents as well as to help create appropriate awareness, especially if new attacks or incident trends are identified.", + "meta": { + "outcome": "Available information is distributed to those either responsible for taking part in the response or requiring to be kept informed about the progress and current status.", + "purpose": "Keep communicating with the identified entities and provide a suitable flow of available information in order to enable those entities to benefit from available insights and lessons learned, to apply improved responses or take new ad-hoc measures." 
+ }, "related": [ { "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", - "type": "used-by" + "type": "part-of" } ], "uuid": "c0d34fe0-118b-5b45-9f39-39ae30d6cfeb", "value": "Function: Relevant information distribution" }, { - "description": "Purpose: Track the status of all communication and activities.\nDescription: As many entities are potentially involved in responding to an information security incident, it is necessary to track the status of all communication and activities. This involves the actions requested by a CSIRT or requests for sharing of further information as well as requests for technical analysis of artefacts s or the sharing of indicators of compromise, information about other victims, etc. This primarily occurs when the CSIRT is reliant on expertise and resources outside of the direct control of the CSIRT to effectuate the actions necessary to mitigate an incident. But it also occurs inside larger organizations for which an internal CSIRT coordinates the mitigation and recovery activities.\nBy offering bilateral or multilateral coordination, the CSIRT participates in the exchange of information to enable those resources with the ability to take action to do so or to assist others in the detection, protection, or remediation of ongoing activities from attackers and help to close the information security incident.", + "description": "As many entities are potentially involved in responding to an information security incident, it is necessary to track the status of all communication and activities. This involves the actions requested by a CSIRT or requests for sharing of further information as well as requests for technical analysis of artefacts s or the sharing of indicators of compromise, information about other victims, etc. This primarily occurs when the CSIRT is reliant on expertise and resources outside of the direct control of the CSIRT to effectuate the actions necessary to mitigate an incident. 
But it also occurs inside larger organizations for which an internal CSIRT coordinates the mitigation and recovery activities. By offering bilateral or multilateral coordination, the CSIRT participates in the exchange of information to enable those resources with the ability to take action to do so or to assist others in the detection, protection, or remediation of ongoing activities from attackers and help to close the information security incident.", + "meta": { + "outcome": "Situational awareness is developed of the current status of all activities and status of the entities that take part in the response.", + "purpose": "Track the status of all communication and activities." + }, "related": [ { "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", - "type": "used-by" + "type": "part-of" } ], "uuid": "495754cd-2ffe-5e9c-aca3-8a88a773d416", "value": "Function: Activities coordination" }, { - "description": "Purpose: Ensure that all involved entities within a business have information about the status of current activities so that further decisions about the next steps to be taken are based on the best situational awareness available.\nDescription: Delivering concise and factual information about the current status of activities requested or carried out in response to an information security incident. Instead of waiting to be pulled for such information as part of an ongoing coordinated action as required for any successful response, timely reports are critical to enable effective coordination.\nOutcome: Internal stakeholders are apprised of the scope of current activities, actions already completed, and pending ones. 
The assessed impact of delays, recommendations and requested actions is also communicated, making it possible to understand the overall impact in regard to the selected response strategy and developed plan.", + "description": "Delivering concise and factual information about the current status of activities requested or carried out in response to an information security incident. Instead of waiting to be pulled for such information as part of an ongoing coordinated action as required for any successful response, timely reports are critical to enable effective coordination.", + "meta": { + "outcome": "Internal stakeholders are apprised of the scope of current activities, actions already completed, and pending ones. The assessed impact of delays, recommendations and requested actions is also communicated, making it possible to understand the overall impact in regard to the selected response strategy and developed plan.", + "purpose": "Ensure that all involved entities within a business have information about the status of current activities so that further decisions about the next steps to be taken are based on the best situational awareness available." + }, "related": [ { "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", - "type": "used-by" + "type": "part-of" } ], "uuid": "67b7b51d-9502-5363-837e-221602d71b43", "value": "Function: Reporting" }, { - "description": "Purpose: Engage with the (public) media to be able to provide accurate and easy-to-understand factual information about ongoing events to avoid the spread of rumors and misleading information.\nDescription: Communicating with the media is unavailable in many cases. While CSIRTs usually try to avoid such contact, it is important to realize that the media can help to mitigate specific types of ongoing and large-scale attacks causing information security incidents. For this it is necessary to explain what is causing the information security incidents and explain the impact on users and/or organizations. 
In some cases, a CSIRT might choose to provide this information already in a manner suitable for release to the public, but this certainly requires specific skills inside the CSIRT not readily available in most. In any case, if a CSIRT communicates with the media, it must take great care to simplify the technical issues as much as possible and leave out all confidential information.\nOutcome: Factual information providing a clear summary of the ongoing information security incident is developed including steps to be taken by potential victims or outlining the chosen response strategy to recover from the information security incident.", + "description": "Communicating with the media is unavailable in many cases. While CSIRTs usually try to avoid such contact, it is important to realize that the media can help to mitigate specific types of ongoing and large-scale attacks causing information security incidents. For this it is necessary to explain what is causing the information security incidents and explain the impact on users and/or organizations. In some cases, a CSIRT might choose to provide this information already in a manner suitable for release to the public, but this certainly requires specific skills inside the CSIRT not readily available in most. In any case, if a CSIRT communicates with the media, it must take great care to simplify the technical issues as much as possible and leave out all confidential information.", + "meta": { + "outcome": "Factual information providing a clear summary of the ongoing information security incident is developed including steps to be taken by potential victims or outlining the chosen response strategy to recover from the information security incident. 6.6 Service: Crisis management support Purpose: Provide expertise and contacts to other security experts, CSIRTs, and CSIRT communities in order to help mitigate the crisis. 
Description: While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. But the response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As it is established in crisis management, a high-ranking role will take over the responsibility of a crisis, thereby changing the usual line of command for the duration of the emergency. As the systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations and provide valuable experience but also the established services and networks of points of contacts. Outcome: The crisis management team can use the CSIRT’s resources to address the cyber security aspects of the current crisis. At the same time, the CSIRT’s communication resources can be utilized to reach out to constituents and external parties to ask for specific support actions or help. It can also be used to communicate in a trusted way towards constituents, using established communication means and trusted networks. The following functions are considered to be part of the implementation of this service: Information distribution to constituents\nInformation security status reporting\nStrategic decisions communication", + "purpose": "Engage with the (public) media to be able to provide accurate and easy-to-understand factual information about ongoing events to avoid the spread of rumors and misleading information." 
+ }, "related": [ { "dest-uuid": "fdbe09c5-09a1-538a-80bf-f784e68a5a70", - "type": "used-by" + "type": "part-of" } ], "uuid": "eb400206-1fe8-5528-8a98-00391f140514", "value": "Function: Media communication" }, { - "description": "Purpose: Provide established communication resources to help respond to the crisis.\nDescription: As the response to a crisis progresses, information must be distributed and disseminated. As the CSIRT has established such resources for its own purposes, crisis management may see it as appropriate or necessary to use such resources.\nOutcome: Available information is distributed to constituents, benefiting from established trust relationships that help to reassure recipients of the accurateness of the information disseminated.", + "description": "As the response to a crisis progresses, information must be distributed and disseminated. As the CSIRT has established such resources for its own purposes, crisis management may see it as appropriate or necessary to use such resources.", + "meta": { + "outcome": "Available information is distributed to constituents, benefiting from established trust relationships that help to reassure recipients of the accurateness of the information disseminated.", + "purpose": "Provide established communication resources to help respond to the crisis." + }, "related": [ { "dest-uuid": "ee34661b-0cb2-5933-8f19-47d9a0d106fd", - "type": "used-by" + "type": "part-of" } ], "uuid": "a90dd689-1625-5993-8737-15181e520683", "value": "Function: Information distribution to constituents" }, { - "description": "Purpose: Ensure that the crisis management team has a complete overview of current information security incidents and known vulnerabilities to consider this as part of its overall priorities and strategies.\nDescription: The function involves delivering concise and factual information about the current status of cyber security inside the constituency. 
As a crisis might be used to start other attacks or as occurring attacks might be part of the overall activities leading this crisis, it is very important for the crisis management team to establish complete situational awareness.\nThe CSIRT can provide such situational awareness for its services and constituents. This may either be requested or is expected by standard policies in a time of crisis. In any case, as crisis management is only successful based on the established information flow as it depends on coordinate resources to address the most critical aspects of the crisis, reporting must be timely and accurate.", + "description": "The function involves delivering concise and factual information about the current status of cyber security inside the constituency. As a crisis might be used to start other attacks or as occurring attacks might be part of the overall activities leading this crisis, it is very important for the crisis management team to establish complete situational awareness. The CSIRT can provide such situational awareness for its services and constituents. This may either be requested or is expected by standard policies in a time of crisis. In any case, as crisis management is only successful based on the established information flow as it depends on coordinate resources to address the most critical aspects of the crisis, reporting must be timely and accurate. As ongoing information security incidents will require resources to handle them, a decision must be taken to either discontinue the response for the duration of the incident (and allocate the now available resources to other areas) or to carry on. Reasonable decisions can only be taken based on the best situational awareness available.", + "meta": { + "outcome": "The crisis management team will be apprised of the scope of current activities, actions already completed, and pending ones. 
The assessed impact of delays, recommendations and requested actions are also communicated, allowing to understand the overall impact in regard to the selected strategy to address the current crisis.", + "purpose": "Ensure that the crisis management team has a complete overview of current information security incidents and known vulnerabilities to consider this as part of its overall priorities and strategies." + }, "related": [ { "dest-uuid": "ee34661b-0cb2-5933-8f19-47d9a0d106fd", - "type": "used-by" + "type": "part-of" } ], "uuid": "a1915495-7312-5fbb-a9c5-ecc15c4dc45e", "value": "Function: Information security status reporting" }, { - "description": "Purpose: Inform other entities in a timely manner about the impact caused by the crisis on currently open information security incidents.\nDescription: Informing other entities in a timely manner about the impact caused by the crisis on currently open information security incidents provides a clear understanding of what support can also be provided by the CSIRT during the duration of the crisis, and makes sure that entities understand what to expect. It also makes sure that other parties stop their support or interaction with the CSIRT as they might believe that the crisis is taking over.\nAs the crisis management team may decide to postpone the response to an actual information security incident due to a crisis, such decisions need to be communicated to all entities currently informed and participating. This is to avoid misunderstandings and further issues that may also lead to a loss of trust in the CSIRT and/or host organization.", + "description": "Informing other entities in a timely manner about the impact caused by the crisis on currently open information security incidents provides a clear understanding of what support can also be provided by the CSIRT during the duration of the crisis, and makes sure that entities understand what to expect. 
It also makes sure that other parties stop their support or interaction with the CSIRT as they might believe that the crisis is taking over. As the crisis management team may decide to postpone the response to an actual information security incident due to a crisis, such decisions need to be communicated to all entities currently informed and participating. This is to avoid misunderstandings and further issues that may also lead to a loss of trust in the CSIRT and/or host organization.", + "meta": { + "outcome": "Information of the crisis impact on the CSIRT operation is distributed to constituents and other entities involved with responding to open information security incidents. The expectations of the CSIRT towards such entities are clearly described and ensure that the information needs of the CSIRT are clearly communicated. 7 Service Area: Vulnerability Management The Vulnerability Management Service Area includes services related to the discovery, analysis, and handling of new or reported security vulnerabilities in information systems. The Vulnerability Management Service Area also includes services related to the detection of and response to known vulnerabilities in order to prevent them from being exploited. Therefore, this service area encompasses services related to both new and known vulnerabilities. Although the term “vulnerability management” is sometimes used to refer to the process of simply preventing known vulnerabilities from being exploited (e.g., “scan and patch”), in this CSIRT Services Framework, those activities are considered as functions and sub-functions under a service called Vulnerability Response, which is just one possible service that a CSIRT might provide. For many CSIRTs, those vulnerability response functions are the responsibility of other roles that scan for and remediate security vulnerabilities. 
The following services are considered offerings of this service area: Vulnerability discovery / research\nVulnerability report intake\nVulnerability analysis\nVulnerability coordination\nVulnerability disclosure\nVulnerability response Few CSIRTs will provide all of these services, but instead will provide only those services in their realm of responsibility. For example, a CSIRT may limit its services to learning of a new vulnerability from public sources (Vulnerability Discovery/Research) or from third parties (Vulnerability Report Intake) and then issue a security advisory to its constituents (Vulnerability Disclosure) when needed, without necessarily participating in any coordination efforts with product vendors or others who develop a solution (Vulnerability Coordination), or being involved in directly deploying a fix (Vulnerability Response). 7.1 Service: Vulnerability discovery / research Purpose: Find, learn of, or search for new (previously unknown) vulnerabilities; vulnerabilities can be discovered by members of the vulnerability management service area or through other related CSIRT activities Description: Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. 
Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists6), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability. Outcome: This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT. The following functions are considered to be part of the implementation of this service: Incident response vulnerability discovery \nPublic source vulnerability discovery \nVulnerability research These functions may be services (or functions) performed by others (e.g., researchers, vendors, PSIRTs, or third-party specialists) instead of the CSIRT.", + "purpose": "Inform other entities in a timely manner about the impact caused by the crisis on currently open information security incidents." + }, "related": [ { "dest-uuid": "ee34661b-0cb2-5933-8f19-47d9a0d106fd", - "type": "used-by" + "type": "part-of" } ], "uuid": "1ac12b60-af3e-58f0-8a45-61ea0a06f476", "value": "Function: Strategic decisions communication" }, { - "description": "Purpose: Identify a vulnerability that was exploited as part of a security incident.\nDescription: During the course of analyzing a security incident, information may be discovered that indicates that a vulnerability was exploited by the attacker. An incident may have been enabled through exploitation of a known vulnerability that was previously unpatched or unmitigated; or it may be due to a new (zero-day) vulnerability.\nSome of this vulnerability information might be received as an output from one of the services of the Information Security Incident Management service area if a vulnerability was exploited as part of an incident. 
The information can then be passed on to the Vulnerability Triage function or the Vulnerability Analysis service, as appropriate.", + "description": "During the course of analyzing a security incident, information may be discovered that indicates that a vulnerability was exploited by the attacker. An incident may have been enabled through exploitation of a known vulnerability that was previously unpatched or unmitigated; or it may be due to a new (zero-day) vulnerability. Some of this vulnerability information might be received as an output from one of the services of the Information Security Incident Management service area if a vulnerability was exploited as part of an incident. The information can then be passed on to the Vulnerability Triage function or the Vulnerability Analysis service, as appropriate.", + "meta": { + "outcome": "Information about a vulnerability that is suspected to have been exploited as part of a security incident is passed on to the Vulnerability Management service area.", + "purpose": "Identify a vulnerability that was exploited as part of a security incident." + }, "related": [ { "dest-uuid": "e43c7bab-34c9-5ee1-9e40-915d265ccd70", - "type": "used-by" + "type": "part-of" } ], "uuid": "776f8c85-cd4e-5c93-b57e-fae183d54868", "value": "Function: Incident response vulnerability discovery" }, { - "description": "Purpose: Learn about a new vulnerability from reading public sources or other third-party sources.\nDescription: A CSIRT may initially learn about a new vulnerability from various public sources that announce such information. The sources can include vendor announcements, security websites, mailing lists, vulnerability databases, security conferences, social media, etc. This function may also learn of new vulnerabilities through other third-party sources that may not be completely open to the public, such as through paid subscriptions or premium services where information is shared with only a limited group. 
Staff may be assigned the responsibility to perform this function and collect information to organize it for further review and sharing. Similar vulnerability information might also be received from the services of the Situational Awareness service area.\nOutcome: New vulnerabilities are identified that have been disclosed through public or other external sources.", + "description": "A CSIRT may initially learn about a new vulnerability from various public sources that announce such information. The sources can include vendor announcements, security websites, mailing lists, vulnerability databases, security conferences, social media, etc. This function may also learn of new vulnerabilities through other third-party sources that may not be completely open to the public, such as through paid subscriptions or premium services where information is shared with only a limited group. Staff may be assigned the responsibility to perform this function and collect information to organize it for further review and sharing. Similar vulnerability information might also be received from the services of the Situational Awareness service area.", + "meta": { + "outcome": "New vulnerabilities are identified that have been disclosed through public or other external sources.", + "purpose": "Learn about a new vulnerability from reading public sources or other third-party sources." 
+ }, "related": [ { "dest-uuid": "e43c7bab-34c9-5ee1-9e40-915d265ccd70", - "type": "used-by" + "type": "part-of" } ], "uuid": "9ff2dcf3-7b42-5114-9fb9-0d9cd7037845", "value": "Function: Public source vulnerability discovery" }, { - "description": "Purpose: Discover or search for new vulnerabilities as a result of deliberate activities or research.\nDescription: This function includes the discovery of new vulnerabilities as a result of specific CSIRT activities, such as the testing of systems or software using fuzz testing (fuzzing), or through the reverse engineering of malware.\nThis function may also receive input from the service(s) of the Information Security Incident Management service area or the Situational Awareness service area that would initiate this function to look for suspected vulnerabilities.", + "description": "This function includes the discovery of new vulnerabilities as a result of specific CSIRT activities, such as the testing of systems or software using fuzz testing (fuzzing), or through the reverse engineering of malware. This function may also receive input from the service(s) of the Information Security Incident Management service area or the Situational Awareness service area that would initiate this function to look for suspected vulnerabilities. The discovery of a new vulnerability as a result of this vulnerability research function may become input to the Incident Response service, Vulnerability Detection function (see sub-functions for Vulnerability Scanning and Vulnerability Penetration Testing).", + "meta": { + "outcome": "New vulnerabilities are identified through research. 7.2 Service: Vulnerability report intake Purpose: Receive and process vulnerability information reported from constituents or third parties. Description: One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. 
The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. Supporting guidance should include reporting guidelines, contact information, and any disclosure policies. To enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report. Outcome: The vulnerability report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Vulnerability report receipt\nVulnerability report triage and processing", + "purpose": "Discover or search for new vulnerabilities as a result of deliberate activities or research." 
+ }, "related": [ { "dest-uuid": "e43c7bab-34c9-5ee1-9e40-915d265ccd70", - "type": "used-by" + "type": "part-of" } ], "uuid": "d4914b89-870a-5045-a1c9-13e9fc9fd2e0", "value": "Function: Vulnerability research" }, { - "description": "Purpose: Accept or receive information about a vulnerability, as reported from constituents or third parties.\nDescription: Effective intake of vulnerability reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (finders, researchers, vendors, PSIRTs, other CSIRTs or vulnerability coordinators, etc.). Vulnerability information may include affected devices, conditions necessary to exploit the vulnerability, impact (e.g., privilege escalation, data access, etc.), as well as actions taken to resolve the vulnerability, remediation and/or mitigation steps, and resolution. Occasionally, vulnerability information may be received jointly as part of the input to other services, most notably the Information Security Incident Report Intake (e.g., if a vulnerability is reported to be exploited as part of an incident report).\nOutcome: Vulnerability reports from constituents or third parties are appropriately handled, including the initiation of documenting or tracking the reports.", + "description": "Effective intake of vulnerability reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (finders, researchers, vendors, PSIRTs, other CSIRTs or vulnerability coordinators, etc.). Vulnerability information may include affected devices, conditions necessary to exploit the vulnerability, impact (e.g., privilege escalation, data access, etc.), as well as actions taken to resolve the vulnerability, remediation and/or mitigation steps, and resolution. 
Occasionally, vulnerability information may be received jointly as part of the input to other services, most notably the Information Security Incident Report Intake (e.g., if a vulnerability is reported to be exploited as part of an incident report).", + "meta": { + "outcome": "Vulnerability reports from constituents or third parties are appropriately handled, including the initiation of documenting or tracking the reports. The following sub-functions are considered to be part of this function: Monitor communications channels regularly and check whether the advertised means of contacting the CSIRT are operational and reports can be submitted.\nReport initial acknowledgement to the submitter of the vulnerability report, request additional information if needed, and set expectations with the reporter.", + "purpose": "Accept or receive information about a vulnerability, as reported from constituents or third parties." + }, "related": [ { "dest-uuid": "e3226442-c563-51ef-9a89-76041f970fec", - "type": "used-by" + "type": "part-of" } ], "uuid": "951ffc54-483f-5484-8ce4-53dd30534e6a", "value": "Function: Vulnerability report receipt" }, { - "description": "Purpose: Initially review, categorize, prioritize, and process a vulnerability report.\nDescription: Vulnerability Reports are reviewed and triaged to obtain an initial understanding of the vulnerability in question and determine what to do next (e.g., process the vulnerability for further analysis, seek additional information from the reporter or other sources, decide that the vulnerability needs no further action). Depending on the amount of detail and quality of the information provided in the vulnerability report, it may or not be obvious whether a new vulnerability exists.\nUnless there is a reason to decline a vulnerability report, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling. 
If the CSIRT does not provide a Vulnerability Analysis service, then the report should be securely forwarded to an external group for handling, such as the affected vendor(s), PSIRT(s), or a vulnerability coordinator.", + "description": "Vulnerability Reports are reviewed and triaged to obtain an initial understanding of the vulnerability in question and determine what to do next (e.g., process the vulnerability for further analysis, seek additional information from the reporter or other sources, decide that the vulnerability needs no further action). Depending on the amount of detail and quality of the information provided in the vulnerability report, it may or not be obvious whether a new vulnerability exists. Unless there is a reason to decline a vulnerability report, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling. If the CSIRT does not provide a Vulnerability Analysis service, then the report should be securely forwarded to an external group for handling, such as the affected vendor(s), PSIRT(s), or a vulnerability coordinator.", + "meta": { + "outcome": "Available information is identified to determine what to do next. The following sub-functions are considered to be part of the implementation of this service: Process reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means.\nUpdate acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available.\nMerge new information about a vulnerability already being handled with the available data to allow consistent analysis and processing. 7.3 Service: Vulnerability analysis Purpose: Analyze and gain understanding of a confirmed vulnerability. 
Description: The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD)7 process. Outcome: Knowledge of the key details of a vulnerability (e.g., description, impact, resolution) is increased.\nThe following functions are considered to be part of the implementation of this service: Vulnerability triage (validation and categorization)\nVulnerability root cause analysis\nVulnerability remediation development", + "purpose": "Initially review, categorize, prioritize, and process a vulnerability report." + }, "related": [ { "dest-uuid": "e3226442-c563-51ef-9a89-76041f970fec", - "type": "used-by" + "type": "part-of" } ], "uuid": "bbf8cea3-869a-56e5-a5cc-a5e0a35f76d5", "value": "Function: Vulnerability report triage and processing" }, { - "description": "Purpose: Categorize, prioritize, and perform an initial assessment of a vulnerability.\nDescription: The Vulnerability Analysis service begins with a review of the available information to categorize, prioritize, and assess whether a vulnerability has some impact on the involved systems and is relevant to the CSIRT’s mandate. 
Some of this may have been documented during the Vulnerability Report Triage and Processing function (of the Vulnerability Report Intake service) if the vulnerability was reported to the CSIRT by a constituent or third party.\nIf prior triage has not already been completed, the vulnerability may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., the potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area of the CSIRT according to its mandate).", + "description": "The Vulnerability Analysis service begins with a review of the available information to categorize, prioritize, and assess whether a vulnerability has some impact on the involved systems and is relevant to the CSIRT’s mandate. Some of this may have been documented during the Vulnerability Report Triage and Processing function (of the Vulnerability Report Intake service) if the vulnerability was reported to the CSIRT by a constituent or third party. If prior triage has not already been completed, the vulnerability may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., the potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area of the CSIRT according to its mandate).", + "meta": { + "outcome": "The information record of a vulnerability is categorized, prioritized, and updated.", + "purpose": "Categorize, prioritize, and perform an initial assessment of a vulnerability." 
+ }, "related": [ { "dest-uuid": "e428df3a-7353-5854-b967-fbbb47079ff6", - "type": "used-by" + "type": "part-of" } ], "uuid": "5abf9c46-780f-5f4a-8e53-e3f7db6afd5a", "value": "Function: Vulnerability triage (validation and categorization)" }, { - "description": "Purpose: Understand the design or implementation flaw that causes or exposes the vulnerability to exist.\nDescription: The goal of this analysis is to identify the root cause of the vulnerability, identifying the circumstances that allow a vulnerability to exist, and in which circumstances an attacker can consequently exploit the vulnerability. This analysis may also attempt to understand the weakness(es) leveraged to instigate an incident and the adversarial tradecraft utilized to leverage that weakness. Depending on the nature of the vulnerability, it may be difficult for a CSIRT to perform this function thoroughly. In some cases, this function may have already been performed by the finder or reporter of the vulnerability. In many situations, this function may best be conducted by the product vendor or developer of the affected software or system or their respective PSIRT. It is also possible that a vulnerability is present in more than one product, in which case multiple analyses may be needed of the affected software or systems, requiring coordination with multiple vendors, PSIRTs, or stakeholders.\nOutcome: Understanding of the vulnerability and the way in which malicious actors will be able to use this vulnerability is used to determine remediation or mitigation methods to minimize the risk of exposure or exploitation.", + "description": "The goal of this analysis is to identify the root cause of the vulnerability, identifying the circumstances that allow a vulnerability to exist, and in which circumstances an attacker can consequently exploit the vulnerability. 
This analysis may also attempt to understand the weakness(es) leveraged to instigate an incident and the adversarial tradecraft utilized to leverage that weakness. Depending on the nature of the vulnerability, it may be difficult for a CSIRT to perform this function thoroughly. In some cases, this function may have already been performed by the finder or reporter of the vulnerability. In many situations, this function may best be conducted by the product vendor or developer of the affected software or system or their respective PSIRT. It is also possible that a vulnerability is present in more than one product, in which case multiple analyses may be needed of the affected software or systems, requiring coordination with multiple vendors, PSIRTs, or stakeholders.", + "meta": { + "outcome": "Understanding of the vulnerability and the way in which malicious actors will be able to use this vulnerability is used to determine remediation or mitigation methods to minimize the risk of exposure or exploitation.", + "purpose": "Understand the design or implementation flaw that causes or exposes the vulnerability to exist." + }, "related": [ { "dest-uuid": "e428df3a-7353-5854-b967-fbbb47079ff6", - "type": "used-by" + "type": "part-of" } ], "uuid": "7999a479-b614-5c8f-835c-05f83ccca337", "value": "Function: Vulnerability root cause analysis" }, { - "description": "Purpose: Develop the steps necessary to fix (remediate) the underlying vulnerability or mitigate (reduce) the effects of the vulnerability from being exploited.\nDescription: This function will ideally identify a remediation or a fix for a vulnerability. If a vendor patch or fix is not available in a timely manner, a temporary solution or workaround, called a mitigation, may be recommended, such as disabling the affected software or making configuration changes, to minimize the potential negative effects of the vulnerability. 
Note that the actual application or deployment of a remediation (patch) or mitigation (workaround) is a function of a separate service, called Vulnerability Response in this framework.\nAs part of the Vulnerability Analysis service and Remediation Development, this function may optionally include other sub-functions or activities, such as validating the changing of a procedure or design, reviewing remediation by a third party, or identifying any new vulnerabilities introduced in the remediation steps. Vulnerabilities that are not remediated or mitigated should be documented as acceptable risks.", + "description": "This function will ideally identify a remediation or a fix for a vulnerability. If a vendor patch or fix is not available in a timely manner, a temporary solution or workaround, called a mitigation, may be recommended, such as disabling the affected software or making configuration changes, to minimize the potential negative effects of the vulnerability. Note that the actual application or deployment of a remediation (patch) or mitigation (workaround) is a function of a separate service, called Vulnerability Response in this framework. As part of the Vulnerability Analysis service and Remediation Development, this function may optionally include other sub-functions or activities, such as validating the changing of a procedure or design, reviewing remediation by a third party, or identifying any new vulnerabilities introduced in the remediation steps. Vulnerabilities that are not remediated or mitigated should be documented as acceptable risks. 
This function will often receive information or input from the affected product’s vendor(s), sometimes as part of the initial report or announcement handled by other services or functions.", + "meta": { + "outcome": "A plan is established to change (patch) the software code, implement a workaround, or to improve processes, infrastructures, and/or designs to close the specific attack vector and to prevent the vulnerability from being exploited.\nThe following sub-functions are considered to be part of this function: Vulnerability remediation/patch development\nVulnerability mitigation development This function is typically performed by other entities (e.g., product vendors, PSIRTs). 7.4 Service: Vulnerability coordination Purpose: Exchange information and coordinate the activities with participants involved in a coordinated vulnerability disclosure (CVD) process. Description: The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSRITs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability. Outcome: Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely. The following functions are considered to be part of the implementation of this service: Vulnerability notification/reporting\nVulnerability stakeholder coordination", + "purpose": "Develop the steps necessary to fix (remediate) the underlying vulnerability or mitigate (reduce) the effects of the vulnerability from being exploited." 
+ }, "related": [ { "dest-uuid": "e428df3a-7353-5854-b967-fbbb47079ff6", - "type": "used-by" + "type": "part-of" } ], "uuid": "3282999a-09d1-5d99-9d23-4773611775be", "value": "Function: Vulnerability remediation development" }, { - "description": "Purpose: Initial share or report new vulnerability information with others who are to be involved in the CVD process.\nDescription: The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including the affected vendors, developers, PSIRTs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.\nOutcome: Vendors (or other CVD participants) are informed about a vulnerability and can act to develop a remediation or mitigation solution.", + "description": "The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including the affected vendors, developers, PSIRTs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.", + "meta": { + "outcome": "Vendors (or other CVD participants) are informed about a vulnerability and can act to develop a remediation or mitigation solution.", + "purpose": "Initial share or report new vulnerability information with others who are to be involved in the CVD process." 
+ }, "related": [ { "dest-uuid": "1613a204-9a27-5e3e-83d1-d459fb697ea2", - "type": "used-by" + "type": "part-of" } ], "uuid": "109f1de0-3697-57de-9a27-0786bf3f4c0a", "value": "Function: Vulnerability notification/reporting" }, { - "description": "Purpose: Conduct follow-on coordination and sharing of information among the various stakeholders and participants involved in coordinated vulnerability disclosure (CVD) efforts.\nDescription: Coordinate the exchange of information among the finders/researchers, vendors, PSIRTS, and any other participants in the coordinate vulnerability disclosure (CVD) efforts to analyze and fix the vulnerability and prepare for the disclosure of the vulnerability. This coordination should also include agreement by participants on the timing and synchronization of the disclosure.\nOutcome: Vulnerability information is more effectively, timely, and responsibly shared among participants who can develop or announce a remediation/mitigation solution.", + "description": "Coordinate the exchange of information among the finders/researchers, vendors, PSIRTS, and any other participants in the coordinate vulnerability disclosure (CVD) efforts to analyze and fix the vulnerability and prepare for the disclosure of the vulnerability. This coordination should also include agreement by participants on the timing and synchronization of the disclosure.", + "meta": { + "outcome": "Vulnerability information is more effectively, timely, and responsibly shared among participants who can develop or announce a remediation/mitigation solution. The following sub-functions are considered to be part of this function: Vulnerability publication development 7.5 Service: Vulnerability disclosure Purpose: Disseminate information about known vulnerabilities to constituents so that they can act upon that information to prevent, detect, and remediate/mitigate known vulnerabilities. 
Description: Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination. Outcome: Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist. The following functions are considered to be part of the implementation of this service: Vulnerability disclosure policy and infrastructure maintenance\nVulnerability announcements/communication/dissemination\nPost-vulnerability disclosure feedback", + "purpose": "Conduct follow-on coordination and sharing of information among the various stakeholders and participants involved in coordinated vulnerability disclosure (CVD) efforts." + }, "related": [ { "dest-uuid": "1613a204-9a27-5e3e-83d1-d459fb697ea2", - "type": "used-by" + "type": "part-of" } ], "uuid": "4fb4bb5b-9da7-5b77-8b21-536442585547", "value": "Function: Vulnerability stakeholder coordination" }, { - "description": "Purpose: Develop and maintain a policy that provides a framework and sets expectations for how a CSIRT handles and discloses vulnerabilities and the mechanism(s) used to disclose the vulnerability.\nDescription: CSIRTs that handle vulnerability reports should define their vulnerability disclosure policy and make that policy available to its constituents, stakeholders, and CVD participants, preferably by publishing it on the CSIRT’s website. The vulnerability disclosure policy will provide transparency to stakeholders and help to promote appropriate disclosure policies. 
Policies can range from no disclosure, where no vulnerability information is disclosed, to limited disclosure, where only some information is made available, to full disclosure, where all information is disclosed, which may include proof-of-concept exploits. The disclosure policy should include factors such as the scope of the policy, references to any reporting mechanisms and guidelines, and expected timeframes and mechanisms for the disclosure of the vulnerability.\nOutcome: Trust, collaboration, and control of the disclosure is increased and relationships and coordination with CVD participants is improved.", + "description": "CSIRTs that handle vulnerability reports should define their vulnerability disclosure policy and make that policy available to its constituents, stakeholders, and CVD participants, preferably by publishing it on the CSIRT’s website. The vulnerability disclosure policy will provide transparency to stakeholders and help to promote appropriate disclosure policies. Policies can range from no disclosure, where no vulnerability information is disclosed, to limited disclosure, where only some information is made available, to full disclosure, where all information is disclosed, which may include proof-of-concept exploits. The disclosure policy should include factors such as the scope of the policy, references to any reporting mechanisms and guidelines, and expected timeframes and mechanisms for the disclosure of the vulnerability.", + "meta": { + "outcome": "Trust, collaboration, and control of the disclosure is increased and relationships and coordination with CVD participants is improved.", + "purpose": "Develop and maintain a policy that provides a framework and sets expectations for how a CSIRT handles and discloses vulnerabilities and the mechanism(s) used to disclose the vulnerability." 
+ }, "related": [ { "dest-uuid": "b797cc28-547c-5347-add9-b69a48676e25", - "type": "used-by" + "type": "part-of" } ], "uuid": "3699e27e-0ff9-5fb0-ba84-90e94406f774", "value": "Function: Vulnerability disclosure policy and infrastructure maintenance" }, { - "description": "Purpose: Provide information to constituents (or the public) about a new vulnerability, so that they can detect, remediate or mitigate, and prevent future exploitation of the vulnerability.\nDescription: Disclose vulnerability information to defined constituents. The disclosure can be made through any or all of the mechanisms identified in the vulnerability disclosure policy. Dissemination mechanisms can vary depending on the needs or expectations of the target audience. The communication can be in the form of an announcement or security advisory distributed via email or text messaging, a publication posted to a website or social media channel, or other communication forms and channels as appropriate. Content to be included in the disclosure should follow a defined format, which typically can include information such as an overview or description, a unique vulnerability identifier, impact, severity, or CVSS score, resolution (remediation or mitigation), and supporting references or materials.\nOutcome: The vulnerability is prevented, detected, and remediated/mitigated by providing timely, high-quality, effective information to constituents (or public).", + "description": "Disclose vulnerability information to defined constituents. The disclosure can be made through any or all of the mechanisms identified in the vulnerability disclosure policy. Dissemination mechanisms can vary depending on the needs or expectations of the target audience. The communication can be in the form of an announcement or security advisory distributed via email or text messaging, a publication posted to a website or social media channel, or other communication forms and channels as appropriate. 
Content to be included in the disclosure should follow a defined format, which typically can include information such as an overview or description, a unique vulnerability identifier, impact, severity, or CVSS score, resolution (remediation or mitigation), and supporting references or materials.", + "meta": { + "outcome": "The vulnerability is prevented, detected, and remediated/mitigated by providing timely, high-quality, effective information to constituents (or public).", + "purpose": "Provide information to constituents (or the public) about a new vulnerability, so that they can detect, remediate or mitigate, and prevent future exploitation of the vulnerability." + }, "related": [ { "dest-uuid": "b797cc28-547c-5347-add9-b69a48676e25", - "type": "used-by" + "type": "part-of" } ], "uuid": "6e847ac3-774a-5654-b09f-4a6ebcb91e47", "value": "Function: Vulnerability announcement/communication/dissemination" }, { - "description": "Purpose: Receive and respond to questions or reports from constituents about a vulnerability disclosure or document.\nDescription: Following the disclosure of a new vulnerability, CSIRTs can expect to receive follow-on communications in the form of questions from some constituents about a vulnerability document. The questions may indicate a need for clarification, revision, or amendment of the vulnerability disclosure mechanism, if warranted. Information from constituents may simply be an acknowledgement or receipt of the vulnerability document, or the constituent may report an issue or difficulty in deploying the suggested remediation/mitigation. If the vulnerability was determined to have been already exploited, constituents may be reporting newly discovered incidents as a result of the vulnerability disclosure. 
Such reports should feed into the functions of the CSIRT’s Incident Reporting service.\nOutcome: Any questions or requests for assistance are responded to in a timely manner following a vulnerability disclosure.", + "description": "Following the disclosure of a new vulnerability, CSIRTs can expect to receive follow-on communications in the form of questions from some constituents about a vulnerability document. The questions may indicate a need for clarification, revision, or amendment of the vulnerability disclosure mechanism, if warranted. Information from constituents may simply be an acknowledgement or receipt of the vulnerability document, or the constituent may report an issue or difficulty in deploying the suggested remediation/mitigation. If the vulnerability was determined to have been already exploited, constituents may be reporting newly discovered incidents as a result of the vulnerability disclosure. Such reports should feed into the functions of the CSIRT’s Incident Reporting service.", + "meta": { + "outcome": "Any questions or requests for assistance are responded to in a timely manner following a vulnerability disclosure. 7.6 Service: Vulnerability response8 Purpose: Actively take information about known vulnerabilities and act upon that information to prevent, detect, and remediate/mitigate those vulnerabilities. Description: The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies. Outcome: Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited. 
The following functions are considered to be part of the implementation of this service: Vulnerability detection / scanning\nVulnerability remediation This Vulnerability Response service and its related functions are usually performed by other specialized groups within an organization, typically not the CSIRT. This service is also unlikely to be provided by a Coordinating CSIRT.", + "purpose": "Receive and respond to questions or reports from constituents about a vulnerability disclosure or document." + }, "related": [ { "dest-uuid": "b797cc28-547c-5347-add9-b69a48676e25", - "type": "used-by" + "type": "part-of" } ], "uuid": "2228959a-1fc7-54a1-879c-fb17d02947a7", "value": "Function: Post-vulnerability disclosure feedback" }, { - "description": "Purpose: Actively engage in searching for the presence of known vulnerabilities in deployed systems.\nDescription: The goal of this function is to detect any previously unpatched or unmitigated vulnerabilities before they are exploited or impact the network or devices. This function may be initiated in response to an announcement about a new vulnerability, or it may be achieved as part of a periodically scheduled scan for known vulnerabilities. In order to provide vulnerability detection effectively, it is useful to have a systems inventory. Having such an inventory that can be queried for software version information can enable an organization to quickly assess the likely prevalence of a newly reported vulnerability in its infrastructure.\nThis function may receive input or be triggered from other services and functions.\nOutcome: Vulnerabilities are detected through formal processes or tools designed to identify.", + "description": "The goal of this function is to detect any previously unpatched or unmitigated vulnerabilities before they are exploited or impact the network or devices. 
This function may be initiated in response to an announcement about a new vulnerability, or it may be achieved as part of a periodically scheduled scan for known vulnerabilities. In order to provide vulnerability detection effectively, it is useful to have a systems inventory. Having such an inventory that can be queried for software version information can enable an organization to quickly assess the likely prevalence of a newly reported vulnerability in its infrastructure.", + "meta": { + "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT. 8 Service Area: Situational Awareness Situational Awareness comprises the ability to identify, process, comprehend, and communicate the critical elements of what is happening in and around the CSIRT’s area of responsibility that may affect the operation or mission of its constituency. Situational awareness includes being aware of the current state, and identifying or anticipating potential changes to that state. This service area includes determining how to gather relevant information from different areas, how to integrate that information, and how to disseminate it in a timely manner to help constituents make more informed decisions. Some organizations may establish a separate team to provide Situational Awareness, but for others, the CSIRT team provides this function based on its visibility, understanding of context, technical capabilities, access to assets, external connections, and mission to prevent incidents. 
Situational awareness is not solely focused on responding to incidents, it is a service that ensures that data, analysis, and actions are available to other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also ensures that information coming from those other services areas is properly integrated together and delivered back to appropriate constituents in a timely manner. The following services are offerings of this service area: Data acquisition\nAnalysis and synthesis\nCommunication 8.1 Service: Data acquisition Purpose: Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture. Description: Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information. 
Outcome: The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities The following functions are considered to be part of the implementation of this service: Policy aggregation, distillation, and guidance\nAsset mappings of assets to functions, roles, actions, and key risks\nCollection\nData processing and preparation", + "purpose": "Actively engage in searching for the presence of known vulnerabilities in deployed systems." + }, "related": [ { "dest-uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", - "type": "used-by" + "type": "part-of" } ], "uuid": "eab009bc-d429-503f-bdfb-61a067bbee62", "value": "Function: Vulnerability detection / scanning" }, { - "description": "Purpose: Remediate or mitigate vulnerabilities to prevent them from being exploited, typically through the timely application of vendor-provided patches or other solutions.\nDescription: Vulnerability remediation is intended to resolve or eliminate a vulnerability. For software vulnerabilities, this typically occurs through the deployment and installation of vendor-provided solutions in the form of software updates or patches. When approved patches are unavailable or cannot be deployed, an alternative mitigation or workaround may be applied as a countermeasure to prevent exploitation of the vulnerability. 
This function often follows a positive identification of a vulnerability as the result of the Vulnerability Detection/Scanning/Hunting function.\nOutcome: Exposure to the threat of a vulnerability being exploited is prevented or reduced.", + "description": "Vulnerability remediation is intended to resolve or eliminate a vulnerability. For software vulnerabilities, this typically occurs through the deployment and installation of vendor-provided solutions in the form of software updates or patches. When approved patches are unavailable or cannot be deployed, an alternative mitigation or workaround may be applied as a countermeasure to prevent exploitation of the vulnerability. This function often follows a positive identification of a vulnerability as the result of the Vulnerability Detection/Scanning/Hunting function.", + "meta": { + "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT. 8 Service Area: Situational Awareness Situational Awareness comprises the ability to identify, process, comprehend, and communicate the critical elements of what is happening in and around the CSIRT’s area of responsibility that may affect the operation or mission of its constituency. Situational awareness includes being aware of the current state, and identifying or anticipating potential changes to that state. This service area includes determining how to gather relevant information from different areas, how to integrate that information, and how to disseminate it in a timely manner to help constituents make more informed decisions. 
Some organizations may establish a separate team to provide Situational Awareness, but for others, the CSIRT team provides this function based on its visibility, understanding of context, technical capabilities, access to assets, external connections, and mission to prevent incidents. Situational awareness is not solely focused on responding to incidents, it is a service that ensures that data, analysis, and actions are available to other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also ensures that information coming from those other services areas is properly integrated together and delivered back to appropriate constituents in a timely manner. The following services are offerings of this service area: Data acquisition\nAnalysis and synthesis\nCommunication 8.1 Service: Data acquisition Purpose: Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture. Description: Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information. 
Outcome: The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities The following functions are considered to be part of the implementation of this service: Policy aggregation, distillation, and guidance\nAsset mappings of assets to functions, roles, actions, and key risks\nCollection\nData processing and preparation", + "purpose": "Remediate or mitigate vulnerabilities to prevent them from being exploited, typically through the timely application of vendor-provided patches or other solutions." + }, "related": [ { "dest-uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", - "type": "used-by" + "type": "part-of" } ], "uuid": "06f12023-6c0c-5997-9983-42d9c6473b1b", "value": "Function: Vulnerability remediation" }, { - "description": "Purpose: Establish the context with which the constituency and its assets should comply to know what should be occurring on the infrastructure.\nDescription: The collection, aggregation, and distillation of policy establishes the basis of acceptable normal activity. The end result is a context that establishes how the constituency and its infrastructure is supposed to be operating under acceptable conditions. For organizational CSIRTs, context includes understanding the organizations acceptable policies, plans, normal operating conditions, accepted risks, and tradeoffs. 
Understanding and context establish the basis against which observations can be evaluated.\nOutcome: The acceptable observations that are taking place in the constituency are understood. This understanding is focused upon changes or impacts to infrastructure and assets.", + "description": "The collection, aggregation, and distillation of policy establishes the basis of acceptable normal activity. The end result is a context that establishes how the constituency and its infrastructure is supposed to be operating under acceptable conditions. For organizational CSIRTs, context includes understanding the organizations acceptable policies, plans, normal operating conditions, accepted risks, and tradeoffs. Understanding and context establish the basis against which observations can be evaluated.", + "meta": { + "outcome": "The acceptable observations that are taking place in the constituency are understood. This understanding is focused upon changes or impacts to infrastructure and assets.", + "purpose": "Establish the context with which the constituency and its assets should comply to know what should be occurring on the infrastructure." + }, "related": [ { "dest-uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12", - "type": "used-by" + "type": "part-of" } ], "uuid": "0f6fbbcc-1bfc-5a32-94fc-ce5f46019005", "value": "Function: Policy aggregation, distillation, and guidance" }, { - "description": "Purpose: Provide knowledge of existing assets, ownership, baselines and expected activity supports analysis functions that identify abnormal situational observations.\nDescription: CSIRT teams need to understand the current cyber security state of a constituency, and have a good understanding of what is acceptable security. They may need to know:\nThis information helps establish prioritization of assets that are potentially at risk, which can provide context for incident management activities. 
The more precise the information available to CSIRT team, the easier it will be to infer security issues and do something about them. Precise information may mean the CSIRT having access to established security policies, current access controls, up-to-date hardware and software inventories, and detailed network diagrams.", + "description": "CSIRT teams need to understand the current cyber security state of a constituency, and have a good understanding of what is acceptable security. They may need to know: Legitimate users of internal and public-facing systems and devices\nAuthorized devices and what they are used for\nApproved processes and applications, where they are allowed, and how they serve the constituency This information helps establish prioritization of assets that are potentially at risk, which can provide context for incident management activities. The more precise the information available to CSIRT team, the easier it will be to infer security issues and do something about them. Precise information may mean the CSIRT having access to established security policies, current access controls, up-to-date hardware and software inventories, and detailed network diagrams.", + "meta": { + "outcome": "The following lists result from this function: A list of key functions and the assets that support them; some assets may support multiple functions\nA list of the roles which perform each function and their equivalent digital role on the asset\nA list of generally permissible actions by each role\nA list of the key risks facing the assets and the functions. These lists will evolve based upon situational changes.", + "purpose": "Provide knowledge of existing assets, ownership, baselines and expected activity supports analysis functions that identify abnormal situational observations." 
+ }, "related": [ { "dest-uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12", - "type": "used-by" + "type": "part-of" } ], "uuid": "7094091e-8c9f-539c-a943-78139840bf22", "value": "Function: Asset mapping to functions, roles, actions, and key risks" }, { - "description": "Purpose: Collect of information to support the Analysis and Interpretation service and/or other CSIRT services.\nDescription: Information and data collection activities extend beyond feeds providing automated information. Collection includes identifying useful sources such as information-relevant external activities including news from other constituencies, media sources, and other CSIRTs or security organizations, internal activities (e.g., organizational changes), technology developments, external events, political events, attack trends, defensive trends, conferences, available training, and more.\nThe data collection function supports other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also supports functions and activities within these services such as analysis, prediction, response, and risk mitigation. Newly collected information may reveal that an attack on a constituent is more likely than before. External events may expose information that identifies new risks to assets for a period of time or require heightened detection activities. Overall the information helps provide actionable information to aid in decision making and incident handling.", + "description": "Information and data collection activities extend beyond feeds providing automated information. Collection includes identifying useful sources such as information-relevant external activities including news from other constituencies, media sources, and other CSIRTs or security organizations, internal activities (e.g., organizational changes), technology developments, external events, political events, attack trends, defensive trends, conferences, available training, and more. 
The data collection function supports other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also supports functions and activities within these services such as analysis, prediction, response, and risk mitigation. Newly collected information may reveal that an attack on a constituent is more likely than before. External events may expose information that identifies new risks to assets for a period of time or require heightened detection activities. Overall the information helps provide actionable information to aid in decision making and incident handling.", + "meta": { + "outcome": "Data and datasets are collected and produced to provide an operational or environmental context that can be used by other services and functions, including analysis, to create a situational picture for the constituency, identify alerts, or plan for mitigating increased areas of risk to assets and supporting infrastructures.", + "purpose": "Collect of information to support the Analysis and Interpretation service and/or other CSIRT services." + }, "related": [ { "dest-uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12", - "type": "used-by" + "type": "part-of" } ], "uuid": "08183021-1832-52b3-88ff-f6d02497a362", "value": "Function: Collection" }, { - "description": "Purpose: Establish a reliable, consistent, and current set of data that can support CSIRT activities and the requirements of the analysis service.\nDescription: Data processing and preparation includes transformation, processing, normalization, and validation of a set of data. Sources of cybersecurity data need to be validated for accuracy often due to a high number of false positives. The relevant data also typically comes in different formats, and new data needs to be combined with historical data before a complete analysis can be performed. Some types of data (such as news articles) may need to be analyzed or processed as part of the preparation process. 
One example would be extracting relevant security information from a news article (e.g., names, dates, places, technical information, weaknesses, system names) and comparing it with internal data for potential impacts.\nSome analysis methods require data to be stored in the same format, or for files to have the same number of records. There are multiple processing steps that may be involved to prepare the data. Data augmentation (also called enrichment) is performed by including other available information related to a given piece of data from other internal and external sources. For example, teams may collect information related to internet protocol addresses (IP addresses) such as autonomous system identifiers, country codes, or geo-location data. For internal asset information, teams may enrich their asset inventory data with the name of the asset owner, their role, their permissions on other assets, their physical working location over time, and more.", + "description": "Data processing and preparation includes transformation, processing, normalization, and validation of a set of data. Sources of cybersecurity data need to be validated for accuracy often due to a high number of false positives. The relevant data also typically comes in different formats, and new data needs to be combined with historical data before a complete analysis can be performed. Some types of data (such as news articles) may need to be analyzed or processed as part of the preparation process. One example would be extracting relevant security information from a news article (e.g., names, dates, places, technical information, weaknesses, system names) and comparing it with internal data for potential impacts. Some analysis methods require data to be stored in the same format, or for files to have the same number of records. There are multiple processing steps that may be involved to prepare the data. 
Data augmentation (also called enrichment) is performed by including other available information related to a given piece of data from other internal and external sources. For example, teams may collect information related to internet protocol addresses (IP addresses) such as autonomous system identifiers, country codes, or geo-location data. For internal asset information, teams may enrich their asset inventory data with the name of the asset owner, their role, their permissions on other assets, their physical working location over time, and more.", + "meta": { + "outcome": "Data is available and ready to be used by other services or functions. 8.2 Service: Analysis and synthesis Purpose: Assess when the situation does not match with expectations (e.g., when specific assets may be about to experience a harmful event). Description: The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency. Outcome: A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. 
It may also include recommendations about certain decisions that a constituency is facing. Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told. The following functions are considered to be part of the implementation of this service: Projection and inference\nEvent detection (through alerting and/or hunting)\nSituational impact", + "purpose": "Establish a reliable, consistent, and current set of data that can support CSIRT activities and the requirements of the analysis service." + }, "related": [ { "dest-uuid": "b06d204e-4c27-55cb-8770-79e2259c8e12", - "type": "used-by" + "type": "part-of" } ], "uuid": "0e21609b-98b9-5f58-9be2-b7e627353c51", "value": "Function: Data processing and preparation" }, { - "description": "Purpose: Analyze the information collected during data acquisition with the intent of identifying current or predicting future situational pictures.\nDescription: The process of inferring the current state of a situation and making predictions about the possible likely near-term pictures based on the status and dynamics of the collected data. Sometimes the data may quickly show a security issue.\nOutcome: The situational picture is updated along with knowledge about when a situational picture will change and how it might change.", + "description": "The process of inferring the current state of a situation and making predictions about the possible likely near-term pictures based on the status and dynamics of the collected data. 
Sometimes the data may quickly show a security issue.", + "meta": { + "outcome": "The situational picture is updated along with knowledge about when a situational picture will change and how it might change.", + "purpose": "Analyze the information collected during data acquisition with the intent of identifying current or predicting future situational pictures." + }, "related": [ { "dest-uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4", - "type": "used-by" + "type": "part-of" } ], "uuid": "6e5f9ddc-2790-5a94-bf97-c42b02c13dd7", "value": "Function: Projection and inference" }, { - "description": "Purpose: Determine and confirm the details of the current situational picture for the constituency.\nDescription: The systematic and often directed searching for anomaly activity inside and outside of network boundaries based upon external and internal information and trends. To assist the constituency with analyzing its data from sensors and other sources to draw conclusions about its environment and situation. For example, if an anti-virus sensor sends an alert of a suspicious file, the team may analyze the system configuration, the sensor configuration, the file that was alerted, the user activity at the time, and more, to draw a conclusion about the severity of the observation. This function may receive significant input from the Security Event Management service area. The observations from sensors that are used to detect events may be shared among multiple services.\nCSIRT teams also need to determine the current situational picture based upon specific pieces of information about threats. 
This activity may sometimes be called “threat hunting.” Typically, threat hunting involves either preparing the environment to detect specific threat activity, or searching for specific threat activity that may already be present.", + "description": "The systematic and often directed searching for anomaly activity inside and outside of network boundaries based upon external and internal information and trends. To assist the constituency with analyzing its data from sensors and other sources to draw conclusions about its environment and situation. For example, if an anti-virus sensor sends an alert of a suspicious file, the team may analyze the system configuration, the sensor configuration, the file that was alerted, the user activity at the time, and more, to draw a conclusion about the severity of the observation. This function may receive significant input from the Security Event Management service area. The observations from sensors that are used to detect events may be shared among multiple services. CSIRT teams also need to determine the current situational picture based upon specific pieces of information about threats. This activity may sometimes be called “threat hunting.” Typically, threat hunting involves either preparing the environment to detect specific threat activity, or searching for specific threat activity that may already be present.", + "meta": { + "outcome": "A situational picture is updated based upon the detection of events in the constituency.", + "purpose": "Determine and confirm the details of the current situational picture for the constituency." 
+ }, "related": [ { "dest-uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4", - "type": "used-by" + "type": "part-of" } ], "uuid": "724ef355-21f4-5a11-92f5-c5ac725f6820", "value": "Function: Event detection (through alerting and/or hunting)" }, { - "description": "Purpose: Identify new insights during incidents that may help limit damage, mitigate future risk, or identify a newly created weakness.\nDescription: Performing analysis of specific evidence assists in identifying insights to support incident resolution. Sometimes, CSIRTs may focus their situational analysis to support a specific desired outcome such as incident resolution. Certain responses to an incident may affect a situational picture differently, and responders may ask for analysis (e.g., impact, cost, risk of failure) of choices. The decision-making needs of the constituency may change as their situational picture evolves, and the CSIRT team may initiate new analysis processes to assist them. This activity is related to the Incident Management Service Area. Incident Management functions are supported by Situational Awareness and the situational picture may change based upon Incident Management activities.\nOutcome: Situational awareness is enhanced for incident management functions based upon new observations. Updated situational picture based upon incident management activities.", + "description": "Performing analysis of specific evidence assists in identifying insights to support incident resolution. Sometimes, CSIRTs may focus their situational analysis to support a specific desired outcome such as incident resolution. Certain responses to an incident may affect a situational picture differently, and responders may ask for analysis (e.g., impact, cost, risk of failure) of choices. The decision-making needs of the constituency may change as their situational picture evolves, and the CSIRT team may initiate new analysis processes to assist them. 
This activity is related to the Incident Management Service Area. Incident Management functions are supported by Situational Awareness and the situational picture may change based upon Incident Management activities.", + "meta": { + "outcome": "Situational awareness is enhanced for incident management functions based upon new observations. Updated situational picture based upon incident management activities.", + "purpose": "Identify new insights during incidents that may help limit damage, mitigate future risk, or identify a newly created weakness." + }, "related": [ { "dest-uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4", - "type": "used-by" + "type": "part-of" } ], "uuid": "7b9ff2e5-e1f7-5421-985e-0b4024fd0bcc", "value": "Function: Information security incident management decision support" }, { - "description": "Purpose: Determine the expected potential impact of a given observation or possible observation to a situational picture.\nDescription: This function identifies the impact a projection or inference may have upon a current or near-term future situation. An impact may include raising or lowering certain risks such as data loss, system downtime, or effects on data confidentiality/availability/integrity.\nOutcome: An analysis is produced of the likely possible impact that an inference or projection may have upon a situation.", + "description": "This function identifies the impact a projection or inference may have upon a current or near-term future situation. An impact may include raising or lowering certain risks such as data loss, system downtime, or effects on data confidentiality/availability/integrity.", + "meta": { + "outcome": "An analysis is produced of the likely possible impact that an inference or projection may have upon a situation. 8.3 Service: Communication Purpose: Notify constituents or others in the security community about changes in risks to the situational picture. 
Description: The knowledge obtained from situational awareness must be communicated to the constituency. This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers. Outcome: Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture. The following functions are considered to be part of the implementation of this service: Internal and external communication\nReporting and recommendations\nImplementation \nDissemination / integration / information sharing\nManagement of information sharing", + "purpose": "Determine the expected potential impact of a given observation or possible observation to a situational picture." + }, "related": [ { "dest-uuid": "9d622922-93a1-5528-82f2-e75b181bc8e4", - "type": "used-by" + "type": "part-of" } ], "uuid": "1aefb16b-05a5-5183-9a98-a5c5536a2846", "value": "Function: Situational impact" }, { - "description": "Purpose: Inform constituents (and others) of the current situational picture and how it may be changing.\nDescription: Once the results of Analyze and Interpret are complete, they can be used to improve decision-making via both internal and external communication processes. Specific pieces of information are distributed based upon who needs to know them. Communication includes the method of delivery and the content that is being delivered. A CSIRT team might communicate new information and how it will change the situational picture. An example of this would be reporting the expected change a new malicious technique it has observed during an incident would have upon a constituent member. 
It may also include trend information such as the most useful sources of enrichment data and steps in which constituents can use it to improve their own situational awareness.\nOutcome: Constituents are better informed and are prepared to take actions or make decisions that will improve their security or situation.", + "description": "Once the results of Analyze and Interpret are complete, they can be used to improve decision-making via both internal and external communication processes. Specific pieces of information are distributed based upon who needs to know them. Communication includes the method of delivery and the content that is being delivered. A CSIRT team might communicate new information and how it will change the situational picture. An example of this would be reporting the expected change a new malicious technique it has observed during an incident would have upon a constituent member. It may also include trend information such as the most useful sources of enrichment data and steps in which constituents can use it to improve their own situational awareness.", + "meta": { + "outcome": "Constituents are better informed and are prepared to take actions or make decisions that will improve their security or situation.", + "purpose": "Inform constituents (and others) of the current situational picture and how it may be changing." + }, "related": [ { "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114", - "type": "used-by" + "type": "part-of" } ], "uuid": "df014610-1a6e-5d81-b183-0e6a4af4aa5d", "value": "Function: Internal and external communication" }, { - "description": "Purpose: Create results, artefacts, or findings that communicate critical information discovered or created during analysis to audiences in a manner and format that they will understand.\nDescription: Reports and recommendations should clearly indicate the choices and actions faced by constituents, and include analysis of the expected consequences of each choice or action. 
Communication of findings should include a list of evidence supporting the analysis and the recommendation (if a recommendation is made). The methods used to create the findings should be clearly explained to the audience so they can also judge the claims presented. The CSIRT team may create reports on a single event, a series of events, trends, patterns, possible events, or more to support the needs for their constituency to understand a situational picture.\nOutcome: The capability to provide accurate, timely, and complete reports on the situational picture, the evidence that supports the conclusions, and/or recommendations on possible courses of action and their potential effects to the constituency is improved.",
+ "description": "Reports and recommendations should clearly indicate the choices and actions faced by constituents, and include analysis of the expected consequences of each choice or action. Communication of findings should include a list of evidence supporting the analysis and the recommendation (if a recommendation is made). The methods used to create the findings should be clearly explained to the audience so they can also judge the claims presented. The CSIRT team may create reports on a single event, a series of events, trends, patterns, possible events, or more to support the needs for their constituency to understand a situational picture.",
+ "meta": {
+ "outcome": "The capability to provide accurate, timely, and complete reports on the situational picture, the evidence that supports the conclusions, and/or recommendations on possible courses of action and their potential effects to the constituency is improved.",
+ "purpose": "Create results, artefacts, or findings that communicate critical information discovered or created during analysis to audiences in a manner and format that they will understand."
+ },
 "related": [
 {
 "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "a3a2e61d-3586-5dac-950b-45180d57a060",
 "value": "Function: Reporting and recommendations"
 },
 {
- "description": "Purpose: Adapt the constituent environment based on communications to be more prepared for or react to changes in the situational picture.\nDescription: In some instances, a CSIRT team may also perform the recommended adjustments to parts of the security infrastructure, for example changing the firewall rules on a particular honey pot based upon situational analysis.\nOutcome: A course of action is performed or a change to the infrastructure is implemented by constituents based upon received communications containing analysis, projections, and/or recommendations.",
+ "description": "In some instances, a CSIRT team may also perform the recommended adjustments to parts of the security infrastructure, for example changing the firewall rules on a particular honey pot based upon situational analysis.",
+ "meta": {
+ "outcome": "A course of action is performed or a change to the infrastructure is implemented by constituents based upon received communications containing analysis, projections, and/or recommendations.",
+ "purpose": "Adapt the constituent environment based on communications to be more prepared for or react to changes in the situational picture."
+ },
 "related": [
 {
 "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "400175ae-104f-57bc-ae0a-b2bf0b7eabd5",
 "value": "Function: Implementation"
 },
 {
- "description": "Purpose: Assemble, normalize, and prepare information and then share it with constituents and others outside the constituency.\nDescription: This function may include the following sub-functions:\nOutcome: Situational Awareness Analysis outputs are used as inputs (both internally and among constituents) into in key decision processes e.g., threat hunting, incident analysis, resolution. Outputs are disseminated as part of handling or detecting incidents. Information and data coming from Situational Awareness can also become Best Practices, Reports, Training and Awareness Material through the Knowledge Transfer service area.",
+ "description": "This function may include the following sub-functions: using the results of the analysis service in internal and external planning and decision-making processes\nidentifying the right targets to receive the information\nmaking the analysis results available\nensuring the delivery is successful\ntracking and reporting on the sharing of information\nsending relevant information to the Knowledge Transfer service for further use and dissemination",
+ "meta": {
+ "outcome": "Situational Awareness Analysis outputs are used as inputs (both internally and among constituents) into in key decision processes e.g., threat hunting, incident analysis, resolution. Outputs are disseminated as part of handling or detecting incidents. Information and data coming from Situational Awareness can also become Best Practices, Reports, Training and Awareness Material through the Knowledge Transfer service area.",
+ "purpose": "Assemble, normalize, and prepare information and then share it with constituents and others outside the constituency."
+ },
 "related": [
 {
 "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "03b4f249-1dba-5257-a39c-d85720be4657",
 "value": "Function: Dissemination / integration / information sharing"
 },
 {
- "description": "Purpose: Ensure transfer of information is successful and useable.\nDescription: This function may include the following sub-functions:\nOutcome: Assurance is provided that the right information is being shared, and that once shared, it is received by partners, constituents, and other community members. Reports are provided on sharing activity.",
+ "description": "This function may include the following sub-functions: providing information to other groups.\nformatting information for transfer.\ntracking transfer process and its outcome.",
+ "meta": {
+ "outcome": "Assurance is provided that the right information is being shared, and that once shared, it is received by partners, constituents, and other community members. Reports are provided on sharing activity.",
+ "purpose": "Ensure transfer of information is successful and useable."
+ },
 "related": [
 {
 "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "320fe47b-f419-5f15-abfa-98dd8f98a397",
 "value": "Function: Management of information sharing"
 },
 {
- "description": "Purpose: Improve the quality, timeliness, accuracy, and relevance of the data being received from internal and external sources.\nDescription: This function involves providing and receiving feedback on information provided, received, and used by the constituency, other service providers or other stakeholders. Was the information received accurate, applicable, timely, strategic, new/novel, etc.? Was it helpful in resolving an investigation? Did it lead to a new insight? 
This may mean providing information also to other CSIRT (as an external source) on the usefulness of or changes to signatures, honeypot findings, IOCs, warnings, threat information, mitigations, etc. This activity may also be performed by the Knowledge Transfer service area. If so, the results should be communicated back to the Situational Awareness service area.\nOutcome: Observations and feedback is provided to internal and external sources in order to improve the accuracy, timeliness, quality, and usefulness of information received.",
+ "description": "This function involves providing and receiving feedback on information provided, received, and used by the constituency, other service providers or other stakeholders. Was the information received accurate, applicable, timely, strategic, new/novel, etc.? Was it helpful in resolving an investigation? Did it lead to a new insight? This may mean providing information also to other CSIRT (as an external source) on the usefulness of or changes to signatures, honeypot findings, IOCs, warnings, threat information, mitigations, etc. This activity may also be performed by the Knowledge Transfer service area. If so, the results should be communicated back to the Situational Awareness service area.",
+ "meta": {
+ "outcome": "Observations and feedback is provided to internal and external sources in order to improve the accuracy, timeliness, quality, and usefulness of information received. 9 Service Area: Knowledge Transfer Through the nature of their services CSIRTs, are in a unique position to collect relevant data, perform detailed analysis, and identify threats, trends, and risks, as well as to create best current operational practices to help organizations to detect, prevent, and respond to security incidents. Transferring this knowledge to their constituents is key to improving overall cybersecurity. 
The following services are considered as offerings of this particular service area: Awareness building\nTraining and education\nExercises\nTechnical and policy advisory 9.1 Service: Awareness building Purpose: Increase the overall security posture of the constituency and help its members to detect, prevent, and recover from incidents; ensure that constituents are better prepared and educated. Description: This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats. Outcome: The constituency is provided with the necessary awareness of: events, activities, and trends that may affect its ability to operate in a timely and secure manner\nsteps to take to detect, prevent and mitigate threats and malicious activity\nsecurity and operational best practices The following functions are considered to be part of the implementation of this service: Research and information aggregation\nReport and awareness materials development\nInformation dissemination\nOutreach",
+ "purpose": "Improve the quality, timeliness, accuracy, and relevance of the data being received from internal and external sources."
+ },
 "related": [
 {
 "dest-uuid": "ddfea37e-0234-5d9d-b6ca-981c7e0fa114",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "36be4fe3-7c44-5934-8457-9949eb8dfcd3",
 "value": "Function: Feedback"
 },
 {
- "description": "Purpose: Aggregate, collate, and prioritize information that can be disseminated to the constituency for the improvement of the security posture and prevention and mitigation of risks.\nDescription: This function involves researching and aggregating information relevant for building awareness materials and reports, including from outcomes of other services/functions, especially from the Security Event Management, Incident Management, and Situational Awareness service areas.\nOutcome: Information about relevant trends, ongoing incidents, and best practices, is aggregated and can be used to develop reports and awareness materials for varied audiences.",
+ "description": "This function involves researching and aggregating information relevant for building awareness materials and reports, including from outcomes of other services/functions, especially from the Security Event Management, Incident Management, and Situational Awareness service areas.",
+ "meta": {
+ "outcome": "Information about relevant trends, ongoing incidents, and best practices, is aggregated and can be used to develop reports and awareness materials for varied audiences.",
+ "purpose": "Aggregate, collate, and prioritize information that can be disseminated to the constituency for the improvement of the security posture and prevention and mitigation of risks."
+ },
 "related": [
 {
 "dest-uuid": "895987fb-db75-5840-8aac-363ac47f106f",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "23a450ef-d219-5ff0-b9b4-228bc883254c",
 "value": "Function: Research and information aggregation"
 },
 {
- "description": "Purpose: Use the information aggregated and researched as being relevant to produce materials in different media with the goal of reaching different audiences or delivering specific content in the best way possible.\nDescription: This function involves developing materials for diverse audiences (technical staff, management, end users, etc.) and in various formats, such as presentations, short videos, cartoons, booklets, technical analysis, trend reports, and annual reports.\nOutcome: CSIRT reports and awareness materials of adequate quality are developed to meet the needs of the constituency utilizing varied and effective delivery techniques and platforms.",
+ "description": "This function involves developing materials for diverse audiences (technical staff, management, end users, etc.) and in various formats, such as presentations, short videos, cartoons, booklets, technical analysis, trend reports, and annual reports.",
+ "meta": {
+ "outcome": "CSIRT reports and awareness materials of adequate quality are developed to meet the needs of the constituency utilizing varied and effective delivery techniques and platforms.",
+ "purpose": "Use the information aggregated and researched as being relevant to produce materials in different media with the goal of reaching different audiences or delivering specific content in the best way possible."
+ },
 "related": [
 {
 "dest-uuid": "895987fb-db75-5840-8aac-363ac47f106f",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "fa81e0ba-5c23-55c1-80af-83ad70db539c",
 "value": "Function: Reports and awareness materials development"
 },
 {
- "description": "Purpose: Disseminate security-related information to improve awareness and implementation of security practices.\nDescription: The function involves implementing a process of information dissemination that can help the CSIRT to best deliver its reports and awareness materials to its constituency based on the characteristics of different audiences and content.\nOutcome: Information dissemination framework is implemented to enables the CSIRT’s constituency to have access to timely and relevant information through different methods, including podcasts, blog posts, social media posts and videos, press releases, advertisements, campaigns, public reports, etc.",
+ "description": "The function involves implementing a process of information dissemination that can help the CSIRT to best deliver its reports and awareness materials to its constituency based on the characteristics of different audiences and content.",
+ "meta": {
+ "outcome": "Information dissemination framework is implemented to enables the CSIRT’s constituency to have access to timely and relevant information through different methods, including podcasts, blog posts, social media posts and videos, press releases, advertisements, campaigns, public reports, etc.",
+ "purpose": "Disseminate security-related information to improve awareness and implementation of security practices."
+ },
 "related": [
 {
 "dest-uuid": "895987fb-db75-5840-8aac-363ac47f106f",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "1f390acc-5b6e-5dfd-a76d-d771e8ca2f36",
 "value": "Function: Information dissemination"
 },
 {
- "description": "Purpose: Develop and maintain relationships with experts or organizations that may help or be part of the execution of the mission of the CSIRT.\nDescription: This function involves building partnerships, promoting cooperation, and engaging key stakeholders, internal or external to the constituency, with the goal of: disseminating awareness and best practices; helping the constituency and external stakeholders understand the services and benefits a CSIRT can provide; helping the CSIRT to better understand constituents’ needs; and enabling the realization of CSIRT’s mission. This may involve ensuring interoperability or fostering collaboration between or across organizations.\nOutcome: Active and consistent outreach activities are performed that may include, but are not limited to, meeting with key stakeholders, participating in sector meetings, presenting at conferences, and organizing conferences.",
+ "description": "This function involves building partnerships, promoting cooperation, and engaging key stakeholders, internal or external to the constituency, with the goal of: disseminating awareness and best practices; helping the constituency and external stakeholders understand the services and benefits a CSIRT can provide; helping the CSIRT to better understand constituents’ needs; and enabling the realization of CSIRT’s mission. This may involve ensuring interoperability or fostering collaboration between or across organizations.",
+ "meta": {
+ "outcome": "Active and consistent outreach activities are performed that may include, but are not limited to, meeting with key stakeholders, participating in sector meetings, presenting at conferences, and organizing conferences. 
9.2 Service: Training and education Purpose: Provide training and education to a CSIRT constituency (which may include organizational and CSIRT staff) on topics related to cybersecurity, information assurance and incident management. Description: A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can help maintain user awareness\nhelp the constituency understand the changing landscape and threats\nfacilitate information exchange between the CSIRT and its constituency\ntrain the constituency on tools, processes and procedures related to security and incident management. This can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities. Outcome: A consistent training and education program is provided that enables the CSIRTs’ constituency to appropriately acquire methods to detect, prevent or respond to threats\ntools and practices to help protect critical assets\nunderstanding about incident management processes and how to get assistance The following functions are considered to be part of the implementation of this service: Knowledge, skill, and ability requirements gathering \nEducational and training materials development\nContent delivery\nMentoring\nCSIRT staff professional development",
+ "purpose": "Develop and maintain relationships with experts or organizations that may help or be part of the execution of the mission of the CSIRT."
+ },
 "related": [
 {
 "dest-uuid": "895987fb-db75-5840-8aac-363ac47f106f",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "113ba1d6-e172-5282-8c83-b8c505510ea4",
 "value": "Function: Outreach"
 },
 {
- "description": "Purpose: Properly assess, identify, and document what the constituency needs are in terms of requisite KSAs, to develop appropriate training and education materials and improve its skill level.\nDescription: The function involves collecting knowledge, skill, and ability (KSA) needs and the competence of a constituency in regard to determining what training and education should be provided.\nOutcome: Constituency KSA needs are characterized and documented to be used as basis for developing relevant education and training materials.",
+ "description": "The function involves collecting knowledge, skill, and ability (KSA) needs and the competence of a constituency in regard to determining what training and education should be provided.",
+ "meta": {
+ "outcome": "Constituency KSA needs are characterized and documented to be used as basis for developing relevant education and training materials.",
+ "purpose": "Properly assess, identify, and document what the constituency needs are in terms of requisite KSAs, to develop appropriate training and education materials and improve its skill level."
+ },
 "related": [
 {
 "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "2892afcd-adab-5306-8cbd-90e807973385",
 "value": "Function: Knowledge, skill, and ability requirements gathering"
 },
 {
- "description": "Purpose: Develop, using the constituency’s KSA needs as a basis, educational, instructional, and training material that is appropriate to the delivery methods identified as the best to reach different audiences or deliver specific content.\nDescription: This function involves building or acquiring content of educational and training materials such as presentations, lectures, demonstrations, simulations, videos, books, booklets, etc.\nOutcome: CSIRT training and education materials utilizing varied and effective presentation techniques and platforms are developed that are of appropriate quality and that meet the needs of the constituency.",
+ "description": "This function involves building or acquiring content of educational and training materials such as presentations, lectures, demonstrations, simulations, videos, books, booklets, etc.",
+ "meta": {
+ "outcome": "CSIRT training and education materials utilizing varied and effective presentation techniques and platforms are developed that are of appropriate quality and that meet the needs of the constituency.",
+ "purpose": "Develop, using the constituency’s KSA needs as a basis, educational, instructional, and training material that is appropriate to the delivery methods identified as the best to reach different audiences or deliver specific content."
+ },
 "related": [
 {
 "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "cf478ca0-f677-5b9b-9998-b490c823ccce",
 "value": "Function: Educational and training materials development"
 },
 {
- "description": "Purpose: Develop a formal process for content delivery that can help the CSIRT to best deliver the content to its constituency, based on the characteristics of different audiences and content.\nDescription: This function involves the transfer of knowledge and content to “students.” This can occur via various methods, such as computer-based/online training (CBT/WBT), instructor-led, virtual, conferences, presentations, labs, capture the flag (CTF) competitions, books, online videos, etc.\nOutcome: A content delivery framework has been designed to help the constituency learn technical and soft skills and processes, using all alternative approaches, including books, booklets, online videos, presentations, hands-on labs, CTFs, CBT/WBT, in-person training, etc. This results in constituency members who understand the content delivered.",
+ "description": "This function involves the transfer of knowledge and content to “students.” This can occur via various methods, such as computer-based/online training (CBT/WBT), instructor-led, virtual, conferences, presentations, labs, capture the flag (CTF) competitions, books, online videos, etc.",
+ "meta": {
+ "outcome": "A content delivery framework has been designed to help the constituency learn technical and soft skills and processes, using all alternative approaches, including books, booklets, online videos, presentations, hands-on labs, CTFs, CBT/WBT, in-person training, etc. This results in constituency members who understand the content delivered.",
+ "purpose": "Develop a formal process for content delivery that can help the CSIRT to best deliver the content to its constituency, based on the characteristics of different audiences and content."
+ },
 "related": [
 {
 "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "470bc89e-0dc2-53c9-99cf-6c420eaaa78f",
 "value": "Function: Content delivery"
 },
 {
- "description": "Purpose: Develop a program for CSIRT staff, constituency members, or external trusted partners to learn from experienced staff through an established relationship.\nDescription: A Mentoring program can help provide a formal as well as informal mechanism for the mentor to share with the mentee about education and skill development, insights, and life and career experiences outside of the official reporting relationship and structure of the team. This can involve on-site visits, rotation (exchange), shadowing, and discussing rationale for specific decisions and actions.\nOutcome: Retention, loyalty, confidence, and overall ability to make sound decisions has been increased in the CSIRT team. Constituents have improved skill levels and a better relationship with its CSIRT. Improved capacity and capability of the constituency and the CSIRT team members, including the development of trusted relationships.",
+ "description": "A Mentoring program can help provide a formal as well as informal mechanism for the mentor to share with the mentee about education and skill development, insights, and life and career experiences outside of the official reporting relationship and structure of the team. This can involve on-site visits, rotation (exchange), shadowing, and discussing rationale for specific decisions and actions.",
+ "meta": {
+ "outcome": "Retention, loyalty, confidence, and overall ability to make sound decisions has been increased in the CSIRT team. Constituents have improved skill levels and a better relationship with its CSIRT. 
Improved capacity and capability of the constituency and the CSIRT team members, including the development of trusted relationships.",
+ "purpose": "Develop a program for CSIRT staff, constituency members, or external trusted partners to learn from experienced staff through an established relationship."
+ },
 "related": [
 {
 "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "17770bf4-d76d-5fb6-80a8-9382e6fe64a8",
 "value": "Function: Mentoring"
 },
 {
- "description": "Purpose: Help staff members successfully and appropriately plan and develop their careers.\nDescription: Once the appropriate skills have been identified, professional development is used by a CSIRT to promote a continuous process of securing new knowledge, skills, and abilities that relate to the security profession, unique job responsibilities, and the overall Team environment. This can include attending conferences, advanced training, and cross-training activities, among others.\nOutcome: Developed and trained staff are available with the requisite technical and soft skills and process understanding, and who are up to date based on the job roles and needs. CSIRT members are ready to address the daily operational challenges, supporting both the team and its customers.",
+ "description": "Once the appropriate skills have been identified, professional development is used by a CSIRT to promote a continuous process of securing new knowledge, skills, and abilities that relate to the security profession, unique job responsibilities, and the overall Team environment. This can include attending conferences, advanced training, and cross-training activities, among others.",
+ "meta": {
+ "outcome": "Developed and trained staff are available with the requisite technical and soft skills and process understanding, and who are up to date based on the job roles and needs. 
CSIRT members are ready to address the daily operational challenges, supporting both the team and its customers. 9.3 Service: Exercises Purpose: Conduct exercises to assess and improve the effectiveness and efficiency of cybersecurity services and functions. Description: Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to test policies and procedures: assess whether there are sufficient policies and procedures in place to effectively detect, respond and mitigate incidents. This is, generally, a paper/table-top exercise.\ntest operational readiness: assess whether the organization has an incident management capability that is able to detect, respond to and mitigate incidents in a timely and successful manner, as well as to test whether the right people are in place, directories are up-to-date, and if procedures are executed correctly. This service addresses both the needs of the organization and the needs of its constituents. More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives: Demonstrate: Illustrate cybersecurity services and functions, as well as vulnerabilities, threats, and risks, in order to raise awareness.\nTrain: Instruct staff on new tools, techniques, and procedures:\n\nExercise: Provide an opportunity for staff to use tools, techniques, and procedures they are expected to be knowledgeable about. 
Exercising is necessary for perishable skills and helps improve and maintain efficiency.\nAssess: Analyze and understand the level of effectiveness and efficiency of cybersecurity services and functions, as well as the level of staff preparedness.\nVerify: Determine whether a specified level of effectiveness and/or efficiency can be achieved for cybersecurity services and functions. Outcome: The effectiveness and efficiency of cybersecurity services and functions is improved and opportunities for further improvements are identified. Depending on the specific objective(s) of an exercise, cybersecurity may also be demonstrated to internal or external stakeholders, staff can be trained, and the efficiency and effectiveness of tools, services, and functions can be assessed and/or verified. Lessons for improving future exercises can also be identified and a report delivered to management or other key stakeholders. The following functions are considered to be part of the implementation of this service: Requirements analysis\nFormat and environment development\nScenario development\nExercises execution\nExercise outcome review",
+ "purpose": "Help staff members successfully and appropriately plan and develop their careers."
+ },
 "related": [
 {
 "dest-uuid": "373ea683-406a-589a-b031-d960b3ab2f01",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "2d1ae674-4a3c-5a68-8339-955d39a0dd0a",
 "value": "Function: CSIRT staff professional development"
 },
 {
- "description": "Purpose: Ensure an effective outcome of the exercise by concentrating on specific issues for the given scope and focus of the exercise.\nDescription: Determine the learning objectives and scope of the exercise. Define the specific services, capabilities, and topics to be covered by the exercise. 
Ensure exercise includes activities and topics that relate to required or desired skills needed by the participants, as well as the processes that should be tested.\nOutcome: A description of the purpose of the exercise is determined, along with an outline of the learning objectives to be met.",
+ "description": "Determine the learning objectives and scope of the exercise. Define the specific services, capabilities, and topics to be covered by the exercise. Ensure exercise includes activities and topics that relate to required or desired skills needed by the participants, as well as the processes that should be tested.",
+ "meta": {
+ "outcome": "A description of the purpose of the exercise is determined, along with an outline of the learning objectives to be met.",
+ "purpose": "Ensure an effective outcome of the exercise by concentrating on specific issues for the given scope and focus of the exercise."
+ },
 "related": [
 {
 "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "35fcac47-9aed-5ba2-9662-2824c49bf400",
 "value": "Function: Requirements analysis"
 },
 {
- "description": "Purpose: Specify and determine the internal and external resources and infrastructure needed to conduct the exercise.\nDescription: Define the format and platform needed to meet the objectives and deliver the expected outcomes of the exercise.\nOutcome: The type of exercise (table top, hands-on, simulation, etc.) is identified, as well as the internal and external resources needed to conduct the exercise.",
+ "description": "Define the format and platform needed to meet the objectives and deliver the expected outcomes of the exercise.",
+ "meta": {
+ "outcome": "The type of exercise (table top, hands-on, simulation, etc.) 
is identified, as well as the internal and external resources needed to conduct the exercise.", + "purpose": "Specify and determine the internal and external resources and infrastructure needed to conduct the exercise." + }, "related": [ { "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", - "type": "used-by" + "type": "part-of" } ], "uuid": "51ea374c-e93a-5d20-b0f0-a04770ca0505", "value": "Function: Format and environment development" }, { - "description": "Purpose: Provide an opportunity for the target audience to improve the efficiency and effectiveness of its services and functions, and its skills, knowledge, and abilities, through the handling of simulated cybersecurity events/incidents, including communications aspects.\nDescription: Development of exercise scenarios in support of stakeholder objectives. Deliverables also include instructions and guidance to the participants and exercise managers; these instructions include recommended actions for the participants detailing some/all scenario steps.\nOutcome: A main scenario with variants and various types of formalized injects is developed, along with tasks and role allocation to the exercise management team.", + "description": "Development of exercise scenarios in support of stakeholder objectives. Deliverables also include instructions and guidance to the participants and exercise managers; these instructions include recommended actions for the participants detailing some/all scenario steps.", + "meta": { + "outcome": "A main scenario with variants and various types of formalized injects is developed, along with tasks and role allocation to the exercise management team.", + "purpose": "Provide an opportunity for the target audience to improve the efficiency and effectiveness of its services and functions, and its skills, knowledge, and abilities, through the handling of simulated cybersecurity events/incidents, including communications aspects." 
+ }, "related": [ { "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", - "type": "used-by" + "type": "part-of" } ], "uuid": "8ca29e0d-5103-511d-81bc-b09f6a38327b", "value": "Function: Scenario development" }, { - "description": "Purpose: Conduct drills/exercises allowing a CSIRT team to increase its confidence in the validity of an organization’s CSIRT plan and its ability for execution.\nDescription: The function involves performing readiness testing of constituent “students” to test their ability to apply training and perform job or task functions. Can be in the form of real or virtual environments, simulations, field tests, table tops, mock scenarios, or a combination, with injects being provided in a structured manner. This will also help determine the level at which the team is operating, as well as if and where it has room for improvement.\nOutcome: A CSIRT has assessed its preparedness and readiness, ensuring the KSAs, key processes, and execution all work successfully together, or must be adapted/improved.", + "description": "The function involves performing readiness testing of constituent “students” to test their ability to apply training and perform job or task functions. Can be in the form of real or virtual environments, simulations, field tests, table tops, mock scenarios, or a combination, with injects being provided in a structured manner. This will also help determine the level at which the team is operating, as well as if and where it has room for improvement.", + "meta": { + "outcome": "A CSIRT has assessed its preparedness and readiness, ensuring the KSAs, key processes, and execution all work successfully together, or must be adapted/improved.", + "purpose": "Conduct drills/exercises allowing a CSIRT team to increase its confidence in the validity of an organization’s CSIRT plan and its ability for execution." 
+ }, "related": [ { "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", - "type": "used-by" + "type": "part-of" } ], "uuid": "72e0a7ef-76b6-5d3a-b500-7d59782dd35d", "value": "Function: Exercises execution" }, { - "description": "Purpose: Perform a formal and objective analysis of the exercise, based on factual observations.\nDescription: Develop an after-action report which includes lessons learned or findings/best practices from the exercise, and provide an assessment to the stakeholders/management.\nOutcome: Deliverables are created highlighting the success of the exercise, areas for improvement, general findings, and recommended actions to take in order to improve: the organization incident management capabilities, the CSIRT’s team processes, and the capabilities of individual constituents and of the stakeholder community as a whole, including communications capabilities and procedures.", + "description": "Develop an after-action report which includes lessons learned or findings/best practices from the exercise, and provide an assessment to the stakeholders/management.", + "meta": { + "outcome": "Deliverables are created highlighting the success of the exercise, areas for improvement, general findings, and recommended actions to take in order to improve: the organization incident management capabilities, the CSIRT’s team processes, and the capabilities of individual constituents and of the stakeholder community as a whole, including communications capabilities and procedures. 9.4 Service: Technical and policy advisory Purpose: Ensure the constituency’s policies and procedures include appropriate incident management considerations and, ultimately, enable the constituency to better manage risks and threats, as well as enabling the CSIRT to be more effective. 
Description: Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT. Outcome: A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate. The following functions are considered to be part of the implementation of this service: Risk management support\nBusiness continuity and disaster recovery planning support\nPolicy support\nTechnical advice", + "purpose": "Perform a formal and objective analysis of the exercise, based on factual observations." + }, "related": [ { "dest-uuid": "111c542b-54ae-5dda-91cc-81907c7cd6b9", - "type": "used-by" + "type": "part-of" } ], "uuid": "fe9a6ab7-7350-5189-bfba-d06ebe090bba", "value": "Function: Exercise outcome review" }, { - "description": "Purpose: Improve the identification of opportunities and threats, improve controls, improve loss prevention and incident management in conjunction with information security and other relevant functions.\nDescription: Support to activities related to assessing risk or compliance. This may include conducting an actual assessment or providing support to evaluate the results of an assessment.\nOutcome: The constituency is able to identify risks and threats and select relevant risk management options, including appropriate and effective incident management strategies, security controls, or threat mitigations.", + "description": "Support to activities related to assessing risk or compliance. 
This may include conducting an actual assessment or providing support to evaluate the results of an assessment.", + "meta": { + "outcome": "The constituency is able to identify risks and threats and select relevant risk management options, including appropriate and effective incident management strategies, security controls, or threat mitigations.", + "purpose": "Improve the identification of opportunities and threats, improve controls, improve loss prevention and incident management in conjunction with information security and other relevant functions." + }, "related": [ { "dest-uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf", - "type": "used-by" + "type": "part-of" } ], "uuid": "6af40391-f850-5420-917a-966b8bf58ef5", "value": "Function: Risk management support" }, { - "description": "Purpose: Act as a trusted advisor on business continuity and disaster recovery by providing impartial, fact-based advice, considering the environment in which the advice may be used and any resource constraints that apply.\nDescription: Support the constituency in the activities related to organizational resilience, based on risks identified.\nOutcome: The constituency is able to appropriately implement business continuity and disaster recovery plans that include and align with the incident management strategies.", + "description": "Support the constituency in the activities related to organizational resilience, based on risks identified.", + "meta": { + "outcome": "The constituency is able to appropriately implement business continuity and disaster recovery plans that include and align with the incident management strategies.", + "purpose": "Act as a trusted advisor on business continuity and disaster recovery by providing impartial, fact-based advice, considering the environment in which the advice may be used and any resource constraints that apply." 
+ }, "related": [ { "dest-uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf", - "type": "used-by" + "type": "part-of" } ], "uuid": "f3639b43-c283-51be-948c-29c6b6b16613", "value": "Function: Business continuity and disaster recovery planning support" }, { - "description": "Purpose: Act as a trusted advisor on the development and implementation of policies by providing impartial, fact-based advice, considering the environment in which the advice may be used and any resource constraints that apply.\nDescription: This function supports the constituency in the development, maintenance, institutionalization, and enforcement of policies, while ensuring they enable and support incident management activities. For internal CSIRTs, this typically includes support for information security and other operating policies. For coordinating and National CSIRTs, this might include support for public policies and new legislation.\nOutcome: The constituency is able to develop effective policies, institutionalize policies, and enable effective incident management strategies.", + "description": "This function supports the constituency in the development, maintenance, institutionalization, and enforcement of policies, while ensuring they enable and support incident management activities. For internal CSIRTs, this typically includes support for information security and other operating policies. For coordinating and National CSIRTs, this might include support for public policies and new legislation.", + "meta": { + "outcome": "The constituency is able to develop effective policies, institutionalize policies, and enable effective incident management strategies.", + "purpose": "Act as a trusted advisor on the development and implementation of policies by providing impartial, fact-based advice, considering the environment in which the advice may be used and any resource constraints that apply." 
+ }, "related": [ { "dest-uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf", - "type": "used-by" + "type": "part-of" } ], "uuid": "f2ee7038-d049-54c5-a023-5a529eee5e43", "value": "Function: Policy support" }, { - "description": "Purpose: Provide technical advice that can help the constituency to better manage risks and threats and implement current operational and security best practices, while enabling effective incident handling activities.\nDescription: This function provides support and recommendations for the improvement of cybersecurity related infrastructures, tools, and services for its constituency, with the goal of improving the security posture and incident management overall.\nThis might include advice on", + "description": "This function provides support and recommendations for the improvement of cybersecurity related infrastructures, tools, and services for its constituency, with the goal of improving the security posture and incident management overall. This might include advice on security considerations for acquisition, compliance verification, maintenance, and upgrades\ninternal and external audits of cybersecurity related infrastructures and tools\nsecure software development requirements and secure coding", + "meta": { + "outcome": "Support is provided to design, acquire, manage, operate and maintain the constituency’s infrastructure and systems and tools, as well as assist in building the capability, capacity, and maturity of incident management activities. ANNEX 1: Acknowledgments The following volunteers from the CSIRT communities contributed significantly to this version of the CSIRT Services Framework. 
They have been listed in alphabetical order by their last name, without title but with affiliation, role, and country: Vilius Benetis, NRD CIRT (LT)\nOlivier Caleff (Service Area Coordinator), openCSIRT Foundation (FR)\nCristine Hoepers (Service Area Coordinator), CERT.br (BR) \nAngela Horneman, CERT/CC, SEI, CMU (US) \nAllen Householder, CERT/CC, SEI, CMU (US) \nKlaus-Peter Kossakowski (Editor), Hamburg University of Applied Sciences (DE)\nArt Manion, CERT/CC, SEI, CMU (US)\nAmanda Mullens (Co-Service Area Coordinator), CISCO (US)\nSamuel Perl (Service Area Coordinator), CERT/CC, SEI, CMU (US)\nDaniel Roethlisberger (Service Area Coordinator), Swisscom (CH) \nSigitas Rokas, NRD CIRT (LT) \nMary Rossell, Intel (US)\nRobin M. Ruefle (Co-Service Area Coordinator), CERT/CC, SEI, CMU (US)\nDésirée Sacher, Finanz Informatik (DE) \nKrassimir T. Tzvetanov, Fastly (US) \nMark Zajicek (Co-Service Area Coordinator), CERT/CC, SEI, CMU (US)\n \nANNEX 2: Terms and Definitions This section defines certain terms used in the CSIRT Services Framework. Action- The description of how something is done at varying levels of detail.\n\n\nAdvisory9- An announcement or bulletin that serves to inform, advise, and warn about the vulnerability of a product. \n\n\nCapability- A measurable activity that may be performed as part of an organization’s roles and responsibilities. For the purposes of the FIRST services framework, the capabilities can either be defined as the broader services or as the requisite functions.\n\n\nCapacity- The number of simultaneous process-occurrences of a particular capability that an organization can execute before they achieve some form of resource exhaustion.\n\n\nCommon Vulnerability Exposures (CVE)10- A list of entries containing an identification number, a description, and at least one public reference for publicly known vulnerabilities. Serves as a standard identifier to reference vulnerabilities. 
\n\n\nCommon Vulnerability Scoring System (CVSS)11- A numerical score that reflects a vulnerability’s severity. \n\n\nCommon Weakness Enumeration (CWE)12- A formal list of software weakness types created to serve as a common language for describing software security weakness in architecture, design, or code; serve as a standard measuring stick for software security tools targeting these weaknesses; and provide a common baseline standard for weakness identification, mitigation, and prevention efforts. \n\n\nConstituency- A specific group of people and/or organizations that have access to a specific set of services offered by a CSIRT.\n\n\nContextual Data Source- A source of contextual data that gives context to data points, for example to an identity, an asset, or an information security event. Specific examples include user databases, asset inventories, IP repudiation services, or threat intelligence data.\n\n\nCoordinated vulnerability disclosure- A term used to denote a disclosure process that includes coordination. Source: ISO/IEC 29147:2018, Terms and definitions.\n\n\nCoordinator13- An optional participant who can assist vendors and finders in handling and disclosing vulnerability information. \n\n\nDetection Use Case- A specific condition to be detected by an Information Security Event Management service area. The terminology originates in software engineering, but is now widely used in detection engineering.\n\n\nEmbargo- A hold on the publication of vulnerability details until affected vendors are able to release security updates or mitigations and workarounds to protect customers.\n\n\nFinder14- An individual or organization that identifies a potential vulnerability in a product or online service. Please note that finders can be researchers, reporters, security companies, hackers, users, governments, or coordinators.\n\n\nFunction- An activity or set of activities aimed at fulfilling the purpose of a particular service. 
Other definitions include: a group of related actions15; to perform a specified action or activity, work, operate.16\n\n\nInformation Security Event- An observable event in an IT environment that is relevant to security; for example, a user logon or an IDS alert. Information security events typically produce some kind of evidence, such as an audit record or an entry in a log file, that can be collected and analyzed as part of the Information Security Event Management service area.\n\n\nInformation Security Incident17- Any adverse information security event (or set of information security events) which indicates a compromise of some aspect of user, system, organization, and/or network information security. The definition of an information security incident may vary between organizations, but at least the following categories are generally applicable:\n\nLoss of confidentiality of information\nCompromise of integrity of information\nDenial of service\nMisuse of service, systems or information\nDamage to systems\n\nAttacks, even if they failed because of proper protection, can be regarded as information security incident.\n\n\nKey Performance Indicator (KPI)18- A measurable value that demonstrates how effectively a company is achieving key business objectives. Organizations use KPIs at multiple levels to evaluate their success at reaching targets.\n\n\nMaturity- How effectively an organization executes a particular capability within the mission and authorities of the organization. It is a level of proficiency attained either in executing specific functions or in an aggregate of functions or services. 
The ability of an organization will be determined by the extent and quality of established policies and documentation and the ability to execute a set process.\n\n\nOpen Source- Works that are licensed in such a way that they may be freely redistributed and modified, where the source code is made available publicly, and is freely distributed and does not discriminate against any persons, groups, or fields of endeavor, and is technology-neutral. Open source software is often maintained by a community of individuals and entities who collaboratively create and maintain it.\n\n\nProduct19- A system implemented or developed for sale or to be offered for free.\n\n\nRemediation (or Remedy)20- A change made to a product or online service to remove or mitigate a vulnerability. A remediation typically takes the form of a binary file replacement, configuration change, or source code patch and recompile. Different terms used for “remediation” include patch, fix, update, hotfix, and upgrade. Mitigations are also called workarounds or countermeasures.\n\n\nResponsible Disclosure- A term which is used to refer to a process or model where a vulnerability is disclosed only after a period of time that allows a remediation (fix or patch) to be made available. This term is not necessarily the same as “coordinated vulnerability disclosure.”\n\n\nRisk21- The “effect of uncertainty on objectives.” In this definition, uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information.\n\n\nRisk Acceptance22- A risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs.\n\n\nRisk Register23- A document in which the results of risk analysis and risk response planning are recorded.\n\n\nService- A service is a set of recognizable, coherent functions towards a specific result. 
Such results might be expected or required by constituents or on behalf of or for the stakeholder of an entity. \n\n\nService Level Agreement (SLA)- A contract between a service provider (either internal or external) and the end user that defines the level of service expected from the service provider. \n\n\nStakeholders24- Individuals or groups that define and modify the service areas or services and ensure an appropriate service communication strategy and groups who can benefit from services offered. \n\n\nTasks- the list of actions that must be performed to complete a specific function.\n\n\nVendor25- A person or organization that developed the product or service or is responsible for maintaining it.\n\n\nVulnerability26- A weakness in software, hardware, or an online service that can be exploited. ANNEX 3: Supporting Resources Alberts, David S., et.al. Understanding information age warfare. In DOD Command and Control Research Program Publication Series. ADA395859. Booz Allen & Hamilton, McLean, VA. 2001.\nhttps://apps.dtic.mil/docs/citations/ADA395859 Barford P., et al. (2010) Cyber SA: Situational Awareness for Cyber Defense. In: Jajodia S., Liu P., Swarup V., Wang C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, 2010. Boston, MA. ISBN 978-1-4419-0140-8_1\nhttps://link.springer.com/chapter/10.1007/978-1-4419-0140-8_1 Boyd, John R. Destruction and Creation. Goal Systems International. September 3, 1976.\nhttp://www.goalsys.com/books/documents/DESTRUCTION_AND_CREATION.pdf Cartwright, James E. Joint Concept of Operations for Global Information Grid NetOps. United States Strategic Command. PDF August 10, 2005. Homeland Security Digital Library. August 10, 2005.\nhttps://www.hsdl.org/?view&did=685398 Committee on National Security Systems Instruction CNSSI 4009. Committee on National Security Systems Website. June 23, 2019 [accessed].\nhttps://www.cnss.gov/cnss/ Cybersecurity Situation Awareness. 
The MITRE Corporation Website. June 25, 2019 [accessed].\nhttps://www.mitre.org/capabilities/cybersecurity/situation-awareness Endsley, Mica R. Toward a theory of situation awareness in dynamic systems. Human factors Volume 37. Number 1. March 1995 Pages 32-64.\nhttps://journals.sagepub.com/doi/10.1518/001872095779049543 FIRST Product Security Incident Response Team (PSIRT) Services Framework, Version 1.0, 2018. North Carolina: First.org, 2018\nhttps://www.first.org/education/FIRST_PSIRT_Service_Framework_v1.0 FIRST Vulnerability Reporting and Data eXchange SIG (VRDX-SIG). 2013-2015. North Carolina: First.org, 2015\nhttps://www.first.org/global/sigs/vrdx/ Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure, Version 1.0, 2017. North Carolina: First.org, 2017\nhttps://www.first.org/global/sigs/vulnerability-coordination/multiparty/guidelines-v1.0 Hawk, Robert. Situational Awareness in Cyber Security. [blog post]. Hawk’s Posts: Security Essentials from Robert Hawk. June 11, 2015.\nhttps://www.alienvault.com/blogs/security-essentials/situational-awareness-in-cyber-security Householder, Allen D.; Wassermann, Garret; Manion, Art; King, Christopher. The CERT® Guide to Coordinated Vulnerability Disclosure. CMU/SEI-2017-SR-022. Software Engineering Institute, Carnegie Mellon University. 2017\nhttps://resources.sei.cmu.edu/library/asset-view.cfm?assetid=503330 Householder, Alan. Vulnerability Discovery for Emerging Networked Systems [blog post]. Vulnerability discovery techniques. November 20, 2014.\nhttps://insights.sei.cmu.edu/cert/2014/11/-vulnerability-discovery-for-emerging-networked-systems.html International Organization for Standardization. Information technology -- Security techniques -- Vulnerability disclosure. Second Edition. ISO/IEC 29147:2018. Geneva, Switzerland: ISO: IEC. 2018\nhttps://www.iso.org/standard/72311.html International Organization for Standardization. 
Information technology -- Security techniques -- Vulnerability handling processes. First Edition. ISO/IEC 30111:2013. Geneva, Switzerland: ISO: IEC. 2013\nhttps://www.iso.org/standard/53231.html Jajodia, Sushil, et al., (Eds.). Cyber Situational Awareness: Issues and Research. Part of the Advances in Information Security book series (ADIS, volume 46). 2010. ISBN 978-1-4419-0140-8\nhttps://link.springer.com/book/10.1007/978-1-4419-0140-8 Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001. ISBN: 9783831100590. Kossakowski; Klaus-Peter & Stikvoort, Don. A Trusted CSIRT Introducer in Europe. Amersfoort, Netherlands: M&I/Stelvio, February, 2000.\nhttp://www.ti.terena.nl/process/ti-v2.pdf Manion, Art & Householder, Alan. Vulnerability Analysis. CERT Coordination Center (CERT/CC). May 30, 2019.\nhttps://vuls.cert.org/ McGuinness, B. &, Foy, L. A subjective measure of SA: The crew awareness rating scale (cars). In Kaber, D.B.; Endsley, M.R.; p. 286-291. Proceedings of the First Human Performance, situation awareness and automation conference; user-centered design for the new millennium. Savannah, Georgia, October 2000. Salerno, John; Hinman, Michael & Boulware, Douglas. Situation awareness model applied to multiple domains. In Proceedings of the Defense and Security Conference, Orlando, FL, March 2005.\nhttps://www.spiedigitallibrary.org/conference-proceedings-of-spie/5813/0000/A-situation-awareness-model-applied-to-multiple-domains/10.1117/12.603735.full?SSO=1 Stone, Steve. Data to Decisions for Cyberspace Operations. The MITRE Corporation Website. January 2016\nhttps://www.mitre.org/publications/technical-papers/data-to-decisions-for-cyberspace-operations Tadda G.P., Salerno J.S. (2010) Overview of Cyber Situation Awareness. In: Jajodia S., Liu P., Swarup V., Wang C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, Boston, MA. 2010. 
ISBN 978-1-4419-0140-8\nhttps://link.springer.com/chapter/10.1007/978-1-4419-0140-8_2 West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response Teams (CSIRTs). CMU/SEI-98-HB-001. Software Engineering Institute, Carnegie Mellon University. 1998.\nhttp://www.sei.cmu.edu/publications/documents/98.reports/98hb001/98hb001abstract.html ANNEX 4: Overview of all CSIRT Services and related Functions https://www.first.org/standards/frameworks/csirts/ for CSIRT related materials ^\nCheck [Kossakowski 2001] for a discussion of internal support services and its relationship to other services ^\nA FIRST Special Interest Group (SIG) has been established to steer the “CSIRT Framework Development”. ^\nAlthough this services framework does not aim to define a SOC services framework, it is certainly expected that services from both Information Security Event and Incident Management areas will be useful and directly applicable while defining SOC services. ^\nAs is to be expected for all services related to the intake of information and data, there are many similarities. It is therefore common to combine such services from several service areas offered into one service/function. As this is not mandatory and there is no set combination of service areas, we have chosen to keep such services separate within the CSIRT Services Framework, although each team is free to choose the best organizational model for its own setup. ^\nNew vulnerability information received by email may be considered to be an activity of either the Vulnerability Discovery service, Public Source Vulnerability Discovery function, Vulnerability Report Intake service, or of the Vulnerability Report Receipt function, depending on the CSIRT’s internal processes or on how broadly the vulnerability information was distributed. 
^\nSee the Vulnerability Coordination and Vulnerability Disclosure service areas for related information on coordinated vulnerability disclosure (CVD). ^\nAlthough the function and sub-functions for detecting vulnerabilities are sometimes referred to as “vulnerability management,” this CSIRT Services Framework instead refers to these as part of this Vulnerability Response service, which is part of the larger service area named Vulnerability Management in this framework. ^\nISO/IEC 29147:2014 Information technology—Security techniques — Vulnerability disclosure- Terms/Definitions 3.1^\nhttps://cve.mitre.org/ ^\nhttps://www.first.org/cvss/ ^\nhttps://cwe.mitre.org/about/index.html ^\nISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes-Terms/Definitions 3.1^\nISO/IEC 29147:2014 Information technology—Security techniques — Vulnerability disclosure- Terms/Definitions 3.3^\nSource: https://www.merriam-webster.com/dictionary/function ^\nSource: https://www.dictionary.com/browse/function ^\nBased on RFC2350 by considering „information security“ instead of „IT security“, https://tools.ietf.org/html/rfc2350. 
^\nhttps://www.klipfolio.com/resources/articles/what-is-a-key-performance-indicator ^\nISO/IEC 29147:2014 Information technology—Security techniques—Vulnerability disclosure-Terms/Definitions 3.5 ^\nISO/IEC 29147:2014 Information technology—Security techniques—Vulnerability disclosure-Terms/Definitions 3.6 ^\nISO 31000:2009/ ISO Guide 73:2002 Risk management — Principles and guidelines- Terms/Definitions 2.1 ^\nThe Project Management Body of Knowledge (PMBOK) Guide and Standards ^\nThe Project Management Body of Knowledge (PMBOK) Guide and Standards ^\nArchitecture Content Framework ^\nISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes-Terms/Definitions 3.7 ^\nISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes-Terms/Definitions 3.8^",
+ "purpose": "Provide technical advice that can help the constituency to better manage risks and threats and implement current operational and security best practices, while enabling effective incident handling activities."
+ },
 "related": [
 {
 "dest-uuid": "23e3a936-6f5d-553a-be67-e1938f84bbcf",
- "type": "used-by"
+ "type": "part-of"
 }
 ],
 "uuid": "2ca32179-9eed-5e0b-9567-e8a6040fb863",
diff --git a/tools/gen_csf.py b/tools/gen_csf.py
index 13413aa..0be27b7 100644
--- a/tools/gen_csf.py
+++ b/tools/gen_csf.py
@@ -18,6 +18,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .
 
+import pdb
 import requests
 import json
 import os
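Review bot: `import pdb` is added at module level in tools/gen_csf.py although nothing in the visible hunks calls it; it reads like a debugging leftover and should be removed from the new side, `-import pdb`. A module-level debugger import in a generator that is re-run to regenerate the cluster is easy to forget and most linters will flag it as unused; if interactive debugging is needed during a session, a local `breakpoint()` call is easier to spot and remove afterwards.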
@@ -55,15 +56,57 @@ url = "https://www.first.org/standards/frameworks/csirts/csirt_services_framewor # Send a GET request to the webpage response = requests.get(url) -def extract_text(element): +def extract_nostrong_content(element): content = element.find_next_siblings('p', limit=3) - content_text = "" - for i, elm in enumerate(content): - if i !=0 : - content_text += "\n" + elm.text.strip() - else: - content_text += elm.text.strip() - return content_text + extracted = {} + + extracted["purpose"] = content[0].text.strip()[8:] + for sibling in content[0].find_next_siblings(): + if "Description:" in sibling.text: + break + extracted["purpose"] += f" {sibling.text.strip()}" + + + extracted["description"] = content[1].text.strip()[12:] + for sibling in content[1].find_next_siblings(): + if "Outcome:" in sibling.text: + break + extracted["description"] += f" {sibling.text.strip()}" + + extracted["outcome"] = content[2].text.strip()[8:] + for sibling in content[2].find_next_siblings(): + if sibling.name =="h4": + break + extracted["outcome"] += f" {sibling.text.strip()}" + + return extracted + +def extract_content(element): + content = {} + description_title = element.find_next("em", string=lambda text: "Description:" in text) + purpose_title = element.find_next("em", string=lambda text: "Purpose:" in text) + outcome_title = element.find_next("em", string=lambda text: "Outcome:" in text) + + + content["purpose"] = purpose_title.parent.parent.get_text(strip=True).replace("Purpose:", "").strip() + for sibling in purpose_title.parent.parent.find_next_siblings(): + if "Description:" in sibling.text: + break + content["purpose"] += f" {sibling.text.strip()}" + + content["description"] = description_title.parent.parent.get_text(strip=True).replace("Description:", "").strip() + for sibling in description_title.parent.parent.find_next_siblings(): + if "Outcome:" in sibling.text: + break + content["description"] += f" {sibling.text.strip()}" + + content["outcome"] = 
outcome_title.parent.parent.get_text(strip=True).replace("Outcome:", "").strip() + for sibling in outcome_title.parent.parent.find_next_siblings(): + if sibling.name =="h4": + break + content["outcome"] += f" {sibling.text.strip()}" + + return content def remove_heading(input_string): return re.sub(r'^\d+(\.\d+)*\s+', '', input_string) @@ -81,11 +124,19 @@ if response.status_code == 200: functions = section_header.find_next_siblings('h4') for service in services: + if "Monitoring and detection" in service.text: + content = extract_nostrong_content(service) + else: + content = extract_content(service) name = remove_heading(service.text.strip()) suuid = str(uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name)) cluster["values"].append( { - "description": extract_text(service), + "description": content["description"], + "meta": { + "purpose": content["purpose"], + "outcome": content["outcome"] + }, "uuid" : suuid, "value": name, "related": [] @@ -93,18 +144,23 @@ if response.status_code == 200: ) for function in functions: + content = extract_content(function) # get the parent service parent_service = function.find_previous('h3') relationship = { "dest-uuid": str(uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), remove_heading(parent_service.text.strip()))), - "type": "used-by" + "type": "part-of" } name = remove_heading(function.text.strip()) cluster["values"].append( { - "description": extract_text(function), + "description": content["description"], + "meta": { + "purpose": content["purpose"], + "outcome": content["outcome"] + }, "uuid" : str(uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name)), "value": name, "related": [relationship] From a31ee53715e56d1ed74133d6f6608a581b113200 Mon Sep 17 00:00:00 2001 
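Review bot: In `extract_content` the three `element.find_next("em", string=...)` results are dereferenced as `.parent.parent` without a `None` check, so a heading that is not followed by an `<em>` label fails with a bare `AttributeError` instead of naming the offending heading, and because `find_next` is not bounded to the current section, a section missing one label would otherwise silently take that label's text from the next section. The `string=lambda text: "Description:" in text` filters are, as far as I can tell, also invoked with `None` for tags that have no single string child, which raises `TypeError`; a guard such as `string=lambda text: text is not None and "Description:" in text` avoids that. `extract_nostrong_content` strips the labels with fixed offsets (`[8:]`, `[12:]`) while `extract_content` uses `.replace("Purpose:", "")`, so the two functions disagree on label handling and a slightly different label would silently truncate text in the first; `content[0].text.strip().replace("Purpose:", "", 1).strip()` keeps them consistent. The three copy-pasted sibling-walking loops in each function could also share one helper; the sketch below does that and adds the missing-label check.
```python
# … unchanged: extract_nostrong_content …

def _labelled_block(element, label):
    """Return the block carrying `label` after `element`, failing loudly if it is missing."""
    title = element.find_next("em", string=lambda text: text is not None and label in text)
    if title is None:
        raise ValueError(f"no {label!r} label found after heading {element.text.strip()!r}")
    return title.parent.parent


def _collect_until(start, stop):
    """Concatenate the text of start's following siblings until stop(sibling) is true."""
    text = ""
    for sibling in start.find_next_siblings():
        if stop(sibling):
            break
        text += f" {sibling.text.strip()}"
    return text


def extract_content(element):
    purpose = _labelled_block(element, "Purpose:")
    description = _labelled_block(element, "Description:")
    outcome = _labelled_block(element, "Outcome:")
    content = {}
    content["purpose"] = purpose.get_text(strip=True).replace("Purpose:", "").strip()
    content["purpose"] += _collect_until(purpose, lambda s: "Description:" in s.text)
    content["description"] = description.get_text(strip=True).replace("Description:", "").strip()
    content["description"] += _collect_until(description, lambda s: "Outcome:" in s.text)
    content["outcome"] = outcome.get_text(strip=True).replace("Outcome:", "").strip()
    content["outcome"] += _collect_until(outcome, lambda s: s.name == "h4")
    return content
```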
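Review bot: The `if "Monitoring and detection" in service.text:` branch picks a different parser by matching a heading substring, and nothing says why that one service needs `extract_nostrong_content`; a comment such as `# this service's Purpose/Description/Outcome labels are plain <p> text rather than <em>, so use the positional parser` would spare the next maintainer from re-deriving it, and the deliberately loose substring match deserves a word too. Functions (the `h4` headings handled in the following hunk `@@ -93,18 +144,23 @@`) always go through `extract_content`, so if the functions under that service share its label-free markup — I cannot tell from the hunk — `find_next` would return `None` there. Both hunks build the same `"meta": {"purpose": ..., "outcome": ...}` dict from `content`; a small helper taking `content` would keep the two entries in sync. The enclosing `if response.status_code == 200:` block starts before this hunk.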
From: Alexandre Dulaunoy Date: Fri, 23 Aug 2024 15:49:44 +0200 Subject: [PATCH 07/36] chg: [gen_csf] updated --- tools/gen_csf.py | 103 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 74 insertions(+), 29 deletions(-) diff --git a/tools/gen_csf.py b/tools/gen_csf.py index 0be27b7..fb3cc52 100644 --- a/tools/gen_csf.py +++ b/tools/gen_csf.py @@ -3,7 +3,7 @@ # # A simple convertor script to generate galaxies from the MITRE NICE framework # https://niccs.cisa.gov/workforce-development/nice-framework -# Copyright (C) 2024 Jean-Louis Huynen +# Copyright (C) 2024 Jean-Louis Huynen # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as @@ -35,7 +35,7 @@ galaxy = { "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide", "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", "version": 1, - "icon": 'user' + "icon": 'user', } cluster = { @@ -47,7 +47,7 @@ cluster = { "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", 'source': 'https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1', 'values': [], - 'version': 1 + 'version': 1, } # URL to download @@ -56,6 +56,7 @@ url = "https://www.first.org/standards/frameworks/csirts/csirt_services_framewor # Send a GET request to the webpage response = requests.get(url) + def extract_nostrong_content(element): content = element.find_next_siblings('p', limit=3) extracted = {} 
@@ -66,58 +67,71 @@ def extract_nostrong_content(element): break extracted["purpose"] += f" {sibling.text.strip()}" - extracted["description"] = content[1].text.strip()[12:] for sibling in content[1].find_next_siblings(): if "Outcome:" in sibling.text: - break + break extracted["description"] += f" {sibling.text.strip()}" extracted["outcome"] = content[2].text.strip()[8:] for sibling in content[2].find_next_siblings(): - if sibling.name =="h4": + if sibling.name == "h4": break extracted["outcome"] += f" {sibling.text.strip()}" return extracted + def extract_content(element): content = {} - description_title = element.find_next("em", string=lambda text: "Description:" in text) + description_title = element.find_next( + "em", string=lambda text: "Description:" in text + ) purpose_title = element.find_next("em", string=lambda text: "Purpose:" in text) outcome_title = element.find_next("em", string=lambda text: "Outcome:" in text) - - content["purpose"] = purpose_title.parent.parent.get_text(strip=True).replace("Purpose:", "").strip() + content["purpose"] = ( + purpose_title.parent.parent.get_text(strip=True).replace("Purpose:", "").strip() + ) for sibling in purpose_title.parent.parent.find_next_siblings(): if "Description:" in sibling.text: break content["purpose"] += f" {sibling.text.strip()}" - content["description"] = description_title.parent.parent.get_text(strip=True).replace("Description:", "").strip() + content["description"] = ( + description_title.parent.parent.get_text(strip=True) + .replace("Description:", "") + .strip() + ) for sibling in description_title.parent.parent.find_next_siblings(): if "Outcome:" in sibling.text: - break + break content["description"] += f" {sibling.text.strip()}" - content["outcome"] = outcome_title.parent.parent.get_text(strip=True).replace("Outcome:", "").strip() + content["outcome"] = ( + outcome_title.parent.parent.get_text(strip=True).replace("Outcome:", "").strip() + ) for sibling in 
outcome_title.parent.parent.find_next_siblings(): - if sibling.name =="h4": + if sibling.name == "h4": break content["outcome"] += f" {sibling.text.strip()}" return content + def remove_heading(input_string): return re.sub(r'^\d+(\.\d+)*\s+', '', input_string) + # Check if the request was successful if response.status_code == 200: # Parse the page content with BeautifulSoup soup = BeautifulSoup(response.content, 'html.parser') # Extract the section titled "4 CSIRT Services Framework Structure" - section_header = soup.find('h2', id="5-Service-Area-Information-Security-Event-Management") + section_header = soup.find( + 'h2', id="5-Service-Area-Information-Security-Event-Management" + ) if section_header: services = section_header.find_next_siblings('h3') @@ -129,17 +143,19 @@ if response.status_code == 200: else: content = extract_content(service) name = remove_heading(service.text.strip()) - suuid = str(uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name)) + suuid = str( + uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name) + ) cluster["values"].append( { "description": content["description"], "meta": { "purpose": content["purpose"], - "outcome": content["outcome"] + "outcome": content["outcome"], }, - "uuid" : suuid, + "uuid": suuid, "value": name, - "related": [] + "related": [], } ) @@ -148,8 +164,13 @@ if response.status_code == 200: # get the parent service parent_service = function.find_previous('h3') relationship = { - "dest-uuid": str(uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), remove_heading(parent_service.text.strip()))), - "type": "part-of" + "dest-uuid": str( + uuid.uuid5( + uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), + remove_heading(parent_service.text.strip()), + ) + ), + "type": "part-of", } name = remove_heading(function.text.strip()) 
@@ -159,21 +180,45 @@ if response.status_code == 200: "description": content["description"], "meta": { "purpose": content["purpose"], - "outcome": content["outcome"] + "outcome": content["outcome"], }, - "uuid" : str(uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name)), + "uuid": str( + uuid.uuid5( + uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name + ) + ), "value": name, - "related": [relationship] + "related": [relationship], } ) - - with open(os.path.join(os.path.dirname(__file__), '..', 'galaxies', f'first-csirt-services-framework.json'), 'w') as f: - json.dump(galaxy, f, indent=2, sort_keys=True, ensure_ascii=False) - f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things - with open(os.path.join(os.path.dirname(__file__), '..', 'clusters', f'first-csirt-services-framework.json'), 'w') as f: + with open( + os.path.join( + os.path.dirname(__file__), + '..', + 'galaxies', + f'first-csirt-services-framework.json', + ), + 'w', + ) as f: + json.dump(galaxy, f, indent=2, sort_keys=True, ensure_ascii=False) + f.write( + '\n' + ) # only needed for the beauty and to be compliant with jq_all_the_things + + with open( + os.path.join( + os.path.dirname(__file__), + '..', + 'clusters', + f'first-csirt-services-framework.json', + ), + 'w', + ) as f: json.dump(cluster, f, indent=2, sort_keys=True, ensure_ascii=False) - f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things + f.write( + '\n' + ) # only needed for the beauty and to be compliant with jq_all_the_things else: print("Couldn't find the section header.") From 2e6fe8ea16fd7f6bcfa639cfb37cfd927d84a53f Mon Sep 17 00:00:00 2001 
From: Delta-Sierra Date: Fri, 30 Aug 2024 09:45:34 +0200 Subject: [PATCH 08/36] alternate/modified script to generate first csirt services framework galaxy --- clusters/first-csirt-services-framework.json | 100 ++++---- tools/gen_csf_alt.py | 228 +++++++++++++++++++ 2 files changed, 278 insertions(+), 50 deletions(-) create mode 100644 tools/gen_csf_alt.py diff --git a/clusters/first-csirt-services-framework.json b/clusters/first-csirt-services-framework.json index b9104a3..3ce3c96 100644 --- a/clusters/first-csirt-services-framework.json +++ b/clusters/first-csirt-services-framework.json 
@@ -14,7 +14,7 @@ { "description": " Based on logs, NetFlow data, IDS alerts, sensor networks, external sources, or other available information security event data, apply a range of methods from simple logic or pattern matching rules to the application of statistical models or machine learning in order to identify potential information security incidents. This can involve a vast amount of data and typically, but not necessarily, requires specialized tools such as Security Information and Event Management (SIEM) or big data platforms to process. An important objective of continuous improvement is to minimize the amount of false alarms that need to be analyzed as part of the Analyzing service.", "meta": { - "outcome": " Potential information security incidents are identified for analysis as part of the Analyzing service. The following functions are considered to be part of the implementation of this service: Log and sensor management\nDetection use case management\nContextual data management", + "outcome": " Potential information security incidents are identified for analysis as part of the Analyzing service.", "purpose": " Implement automated, continuous processing of a wide variety of information security event sources and contextual data in order to identify potential information security incidents, such as attacks, intrusions, data breaches or security policy violations." }, "related": [], 
@@ -24,7 +24,7 @@ { "description": "The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues.", "meta": { - "outcome": "Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement. The following functions are considered to be part of the implementation of this service: Correlation\nQualification", + "outcome": "Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement.", "purpose": "Triage detected potential information security incidents and their qualification as information security incidents for escalation to the Information Security Incident Management service area or as false alarms." }, "related": [], 
@@ -32,9 +32,9 @@ "value": "Service: Event analysis" }, { - "description": "For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.5", + "description": "For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. 
To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.", "meta": { - "outcome": "The information security incident report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Information Security Incident Report Receipt\nInformation Security Incident Triage and Processing", + "outcome": "The information security incident report is received with professional and consistent intake of each report as well as its initial validation and classification.", "purpose": "Receive and process reports of potential information security incidents from constituents, from Information Security Event Management services or third parties." }, "related": [], 
@@ -44,7 +44,7 @@ { "description": "This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit. Detailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken. The CSIRT may use other information and its own analysis (see below for some options) or knowledge available from vendors and product security teams or security researchers to better understand what has happened and what steps to take to remedy losses or damage.", "meta": { - "outcome": "Knowledge is increased of the key details of an information security incident (e.g., description, impact, scope, attacks/exploits, and remedies). The following functions are considered to be part of the implementation of this service: Information security incident triage (prioritization and categorization)\nInformation collection\nDetailed analysis coordination\nInformation security incident root cause analysis\nCross-incident correlation", + "outcome": "Knowledge is increased of the key details of an information security incident (e.g., description, impact, scope, attacks/exploits, and remedies).", "purpose": "Analyze and gain an understanding of a confirmed information security incident." }, "related": [], 
@@ -54,7 +54,7 @@ { "description": "The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, applications codes, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply. Even without preserving a chain-of-custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments--with or without external accesses from standard wired or wireless networks (such as performing the forensics activities in a sealed or Faraday room), logging of activities, and compliance with procedures. As part of the handling of information security incidents, digital artefacts may be found on affected systems or malware distribution sites. Artefacts may be the remnants of an intruder attack, such as executables, scripts, files, images, configuration files, tools, tool outputs, logs, live or dormant pieces of code, etc. 
The analysis is carried out in order to find out some or all of the information listed below, which is not considered to be a complete list: The context required of the artefact to run and to perform its intended tasks, whether malicious or not\nHow the artefacts may have been utilized for the attack: uploaded, downloaded, copied, executed, or created within an organization’s environments or components\nWhich systems have been involved locally and remotely to support the distribution and actions\nWhat an intruder did once to access to the system, network, organization, or infrastructure was established: from passively collecting data, to actively scanning and transmitting data for exfiltration purposes, or collecting new action requests, updating itself or making a lateral movement inside a compromised (local) network\nWhat a user, user process, or user system did once the user account or user device was compromised\nWhat behavior characterizes the artefacts or compromised systems, either in standalone mode, in conjunction with artefacts or components, connected to a local network or the Internet, or in any combination\nHow the artefacts or compromised systems establish connectivity with the target (e.g., intrusion path, initial target, or detection evasion techniques);\nWhat communication architecture (peer-to-peer, command-and-control, both) has been utilized\nWhat were the actions of the threat actors, what is their network and systems footprint\nHow the intruders or artefacts evaded detection (even over long periods of time which may include reboot or reinitialization) This can be achieved through various types of activities including media or surface analysis\nreverse engineering\nruntime or dynamic analysis\ncomparative analysis Each activity provides additional information about the artefacts. 
Analysis methods include but are not limited to identification of type and characteristics of artefacts, comparison with known artefacts, observation of artefact execution in a runtime or a live environment, and disassembling and interpreting binary artefacts. In carrying out an analysis of the artefacts, an analyst attempts to reconstruct and determine what the intruder did, in order to detect the exploited vulnerability, assess damages, develop solutions to mitigate against the artefacts, and provide information to constituents and other researchers.", "meta": { - "outcome": "The nature of recovered digital artefacts and analyzed forensic evidence is understood along with the relationship to other artefacts, internal or external objects or components, attacks on frameworks, tools, and exploited vulnerabilities. Working assumptions or proof of what the threat actor did, and how the artefacts behaved. This knowledge is critical to assess losses, damages, business impacts, etc. and to develop containment and mitigation or recovery strategies. The tactics, techniques, and procedures used by attackers or intruders to compromise systems, users, networks, organizations and/or infrastructures is understood. This includes those tactics, techniques, and procedures used to propagate, exfiltrate, update, modify, or fake its behavior, data, auto-delete traces of its own activities, or carry out additional malicious activities. List of functions which are considered to be part of the implementation of this service: Media or surface analysis\nReverse engineering\nRuntime and/or dynamic analysis\nComparative analysis", + "outcome": "The nature of recovered digital artefacts and analyzed forensic evidence is understood along with the relationship to other artefacts, internal or external objects or components, attacks on frameworks, tools, and exploited vulnerabilities. Working assumptions or proof of what the threat actor did, and how the artefacts behaved. 
This knowledge is critical to assess losses, damages, business impacts, etc. and to develop containment and mitigation or recovery strategies. The tactics, techniques, and procedures used by attackers or intruders to compromise systems, users, networks, organizations and/or infrastructures is understood. This includes those tactics, techniques, and procedures used to propagate, exfiltrate, update, modify, or fake its behavior, data, auto-delete traces of its own activities, or carry out additional malicious activities.", "purpose": "Analyze and gain an understanding of artefacts related to a confirmed information security incident, taking into consideration the need to preserve forensic evidence." }, "related": [], 
@@ -64,7 +64,7 @@ { "description": "Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned over into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed or new information becomes available that requires further analysis and henceforth may also change the response strategy and plan.", "meta": { - "outcome": "The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. Data is restored in case of data loss, if possible. The following functions are considered to be part of the implementation of this service: Response plan established \nAd hoc measures and containment\nSystems restoration\nOther information security entities support In the case of a coordinating CSIRT, not all functions will be provided. While “supporting other information security entities” is an activity such teams provide, they sometimes also help with “establishing a response plan.”", + "outcome": "The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. Data is restored in case of data loss, if possible.", "purpose": "Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security." }, "related": [], 
@@ -74,7 +74,7 @@ { "description": "Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, this requires suitable escalation and reporting functions established before any information security incident can be handled effectively and efficiently. As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, track their responses and make sure that all parties carrying out activities report back to provide for accurate situational awareness until the information security incident is considered closed and requiring no further coordination. Stakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support.", "meta": { - "outcome": "The response is successfully coordinated based on well-informed entities that contribute to the response to an information security incident. 
The following functions are considered to be part of the implementation of this service: Communication\nNotification distribution\nRelevant information distribution\nActivities coordination \nReporting\nMedia communication", + "outcome": "The response is successfully coordinated based on well-informed entities that contribute to the response to an information security incident.", "purpose": "Ensure timely notifications and accurate information distribution; keep the information flow and track the status of activities of entities that are either tasked or requested to participate in responding to the information security incident; and make sure the response plan is carried out and deviations caused by both delays or new information are managed accordingly." }, "related": [], 
@@ -84,7 +84,7 @@
 {
 "description": "While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. But the response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As it is established in crisis management, a high-ranking role will take over the responsibility of a crisis, thereby changing the usual line of command for the duration of the emergency. As the systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations and provide valuable experience but also the established services and networks of points of contacts.",
 "meta": {
- "outcome": "The crisis management team can use the CSIRT’s resources to address the cyber security aspects of the current crisis. At the same time, the CSIRT’s communication resources can be utilized to reach out to constituents and external parties to ask for specific support actions or help. It can also be used to communicate in a trusted way towards constituents, using established communication means and trusted networks. The following functions are considered to be part of the implementation of this service: Information distribution to constituents\nInformation security status reporting\nStrategic decisions communication",
+ "outcome": "The crisis management team can use the CSIRT’s resources to address the cyber security aspects of the current crisis. At the same time, the CSIRT’s communication resources can be utilized to reach out to constituents and external parties to ask for specific support actions or help. 
It can also be used to communicate in a trusted way towards constituents, using established communication means and trusted networks.",
 "purpose": "Provide expertise and contacts to other security experts, CSIRTs, and CSIRT communities in order to help mitigate the crisis."
 },
 "related": [],
@@ -92,9 +92,9 @@
 "value": "Service: Crisis management support"
 },
 {
- "description": "Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists6), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.",
+ "description": "Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. 
Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.",
 "meta": {
- "outcome": "This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT. The following functions are considered to be part of the implementation of this service: Incident response vulnerability discovery \nPublic source vulnerability discovery \nVulnerability research These functions may be services (or functions) performed by others (e.g., researchers, vendors, PSIRTs, or third-party specialists) instead of the CSIRT.",
+ "outcome": "This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT.",
 "purpose": "Find, learn of, or search for new (previously unknown) vulnerabilities; vulnerabilities can be discovered by members of the vulnerability management service area or through other related CSIRT activities"
 },
 "related": [],
@@ -104,7 +104,7 @@
 {
 "description": "One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. Supporting guidance should include reporting guidelines, contact information, and any disclosure policies. To enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report.",
 "meta": {
- "outcome": "The vulnerability report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Vulnerability report receipt\nVulnerability report triage and processing",
+ "outcome": "The vulnerability report is received with professional and consistent intake of each report as well as its initial validation and classification.",
 "purpose": "Receive and process vulnerability information reported from constituents or third parties."
 },
 "related": [],
@@ -112,9 +112,9 @@
 "value": "Service: Vulnerability report intake"
 },
 {
- "description": "The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD)7 process.",
+ "description": "The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD) process.",
 "meta": {
- "outcome": "Knowledge of the key details of a vulnerability (e.g., description, impact, resolution) is increased.\nThe following functions are considered to be part of the implementation of this service: Vulnerability triage (validation and categorization)\nVulnerability root cause analysis\nVulnerability remediation development",
+ "outcome": "Knowledge of the key details of a vulnerability (e.g., description, impact, resolution) is increased.",
 "purpose": "Analyze and gain understanding of a confirmed vulnerability."
 },
 "related": [],
@@ -124,7 +124,7 @@
 {
 "description": "The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSRITs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.",
 "meta": {
- "outcome": "Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely. The following functions are considered to be part of the implementation of this service: Vulnerability notification/reporting\nVulnerability stakeholder coordination",
+ "outcome": "Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely.",
 "purpose": "Exchange information and coordinate the activities with participants involved in a coordinated vulnerability disclosure (CVD) process."
 },
 "related": [],
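Review bot: The unchanged `description` context line in this hunk reads `PSRITs`, which looks like a transcription typo for `PSIRTs` (the spelling used for product security teams elsewhere in this file); since the commit is already cleaning footnote markers and spillover out of these strings, it is worth fixing here too: `affected vendors, developers, PSIRTs, or other trusted experts`. As this is a data string rather than code, the fix has no effect beyond the displayed text.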
@@ -134,7 +134,7 @@
 {
 "description": "Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination.",
 "meta": {
- "outcome": "Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist. The following functions are considered to be part of the implementation of this service: Vulnerability disclosure policy and infrastructure maintenance\nVulnerability announcements/communication/dissemination\nPost-vulnerability disclosure feedback",
+ "outcome": "Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist.",
 "purpose": "Disseminate information about known vulnerabilities to constituents so that they can act upon that information to prevent, detect, and remediate/mitigate known vulnerabilities."
 },
 "related": [],
@@ -144,17 +144,17 @@
 {
 "description": "The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies.",
 "meta": {
- "outcome": "Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited. The following functions are considered to be part of the implementation of this service: Vulnerability detection / scanning\nVulnerability remediation This Vulnerability Response service and its related functions are usually performed by other specialized groups within an organization, typically not the CSIRT. This service is also unlikely to be provided by a Coordinating CSIRT.",
+ "outcome": "Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited.",
 "purpose": "Actively take information about known vulnerabilities and act upon that information to prevent, detect, and remediate/mitigate those vulnerabilities."
 },
 "related": [],
- "uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5",
- "value": "Service: Vulnerability response8"
+ "uuid": "8b6e3cc9-2f15-5502-9cbb-0a4c1aaf59d6",
+ "value": "Service: Vulnerability response"
 },
 {
 "description": "Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. 
This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information.",
 "meta": {
- "outcome": "The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities The following functions are considered to be part of the implementation of this service: Policy aggregation, distillation, and guidance\nAsset mappings of assets to functions, roles, actions, and key risks\nCollection\nData processing and preparation",
+ "outcome": "The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected 
future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities",
 "purpose": "Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture."
 },
 "related": [],
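Review bot: The cluster element's `uuid` is rotated together with the `value` rename from `Service: Vulnerability response8` to `Service: Vulnerability response`; the version nibble in both ids (`56af`, `5502`) suggests they are name-derived UUIDv5 values, so a cosmetic text fix silently changes the identifier that consumers tag with. Anyone who already referenced `7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5` loses the link, which is acceptable before a first release but should be stated in the commit message, and the derivation (namespace and input string) is worth documenting so later wording fixes do not rotate ids again — deriving uuids from a stable key such as the section number rather than the display text would avoid this class of churn. If the uuids are instead hand-assigned, a short note in the galaxy description saying so would resolve the same question for reviewers.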
@@ -164,7 +164,7 @@
 {
 "description": "The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency.",
 "meta": {
- "outcome": "A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told. The following functions are considered to be part of the implementation of this service: Projection and inference\nEvent detection (through alerting and/or hunting)\nSituational impact",
+ "outcome": "A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. 
Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told.",
 "purpose": "Assess when the situation does not match with expectations (e.g., when specific assets may be about to experience a harmful event)."
 },
 "related": [],
@@ -174,7 +174,7 @@
 {
 "description": "The knowledge obtained from situational awareness must be communicated to the constituency. This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers.",
 "meta": {
- "outcome": "Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture. The following functions are considered to be part of the implementation of this service: Internal and external communication\nReporting and recommendations\nImplementation \nDissemination / integration / information sharing\nManagement of information sharing",
+ "outcome": "Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture.",
 "purpose": "Notify constituents or others in the security community about changes in risks to the situational picture."
 },
 "related": [],
@@ -184,7 +184,7 @@
 {
 "description": "This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats.",
 "meta": {
- "outcome": "The constituency is provided with the necessary awareness of: events, activities, and trends that may affect its ability to operate in a timely and secure manner\nsteps to take to detect, prevent and mitigate threats and malicious activity\nsecurity and operational best practices The following functions are considered to be part of the implementation of this service: Research and information aggregation\nReport and awareness materials development\nInformation dissemination\nOutreach",
+ "outcome": "The constituency is provided with the necessary awareness of: events, activities, and trends that may affect its ability to operate in a timely and secure manner\nsteps to take to detect, prevent and mitigate threats and malicious activity\nsecurity and operational best practices",
 "purpose": "Increase the overall security posture of the constituency and help its members to detect, prevent, and recover from incidents; ensure that constituents are better prepared and educated."
 },
 "related": [],
@@ -194,7 +194,7 @@
 {
 "description": "A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can help maintain user awareness\nhelp the constituency understand the changing landscape and threats\nfacilitate information exchange between the CSIRT and its constituency\ntrain the constituency on tools, processes and procedures related to security and incident management. This can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities.",
 "meta": {
- "outcome": "A consistent training and education program is provided that enables the CSIRTs’ constituency to appropriately acquire methods to detect, prevent or respond to threats\ntools and practices to help protect critical assets\nunderstanding about incident management processes and how to get assistance The following functions are considered to be part of the implementation of this service: Knowledge, skill, and ability requirements gathering \nEducational and training materials development\nContent delivery\nMentoring\nCSIRT staff professional development",
+ "outcome": "A consistent training and education program is provided that enables the CSIRTs’ constituency to appropriately acquire methods to detect, prevent or respond to threats\ntools and practices to help protect critical assets\nunderstanding about incident management processes and how to get assistance",
 "purpose": "Provide training and education to a CSIRT constituency (which may include organizational and CSIRT staff) on topics related to cybersecurity, information assurance and incident management."
 },
 "related": [],
@@ -204,7 +204,7 @@
 {
 "description": "Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to test policies and procedures: assess whether there are sufficient policies and procedures in place to effectively detect, respond and mitigate incidents. This is, generally, a paper/table-top exercise.\ntest operational readiness: assess whether the organization has an incident management capability that is able to detect, respond to and mitigate incidents in a timely and successful manner, as well as to test whether the right people are in place, directories are up-to-date, and if procedures are executed correctly. This service addresses both the needs of the organization and the needs of its constituents. More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives: Demonstrate: Illustrate cybersecurity services and functions, as well as vulnerabilities, threats, and risks, in order to raise awareness.\nTrain: Instruct staff on new tools, techniques, and procedures:\n\nExercise: Provide an opportunity for staff to use tools, techniques, and procedures they are expected to be knowledgeable about. 
Exercising is necessary for perishable skills and helps improve and maintain efficiency.\nAssess: Analyze and understand the level of effectiveness and efficiency of cybersecurity services and functions, as well as the level of staff preparedness.\nVerify: Determine whether a specified level of effectiveness and/or efficiency can be achieved for cybersecurity services and functions.",
 "meta": {
- "outcome": "The effectiveness and efficiency of cybersecurity services and functions is improved and opportunities for further improvements are identified. Depending on the specific objective(s) of an exercise, cybersecurity may also be demonstrated to internal or external stakeholders, staff can be trained, and the efficiency and effectiveness of tools, services, and functions can be assessed and/or verified. Lessons for improving future exercises can also be identified and a report delivered to management or other key stakeholders. The following functions are considered to be part of the implementation of this service: Requirements analysis\nFormat and environment development\nScenario development\nExercises execution\nExercise outcome review",
+ "outcome": "The effectiveness and efficiency of cybersecurity services and functions is improved and opportunities for further improvements are identified. Depending on the specific objective(s) of an exercise, cybersecurity may also be demonstrated to internal or external stakeholders, staff can be trained, and the efficiency and effectiveness of tools, services, and functions can be assessed and/or verified. Lessons for improving future exercises can also be identified and a report delivered to management or other key stakeholders.",
 "purpose": "Conduct exercises to assess and improve the effectiveness and efficiency of cybersecurity services and functions."
 },
 "related": [],
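Review bot: The unchanged `description` context line in this hunk still carries a conversion artifact in the objectives list: `Train: Instruct staff on new tools, techniques, and procedures:\n\nExercise:` ends the "Train" item with a colon and a double `\n`, while every other item ends with a period and a single `\n`. Since this commit is the pass that strips such artifacts from the strings, normalising it to `procedures.\nExercise: Provide an opportunity` would keep the list consistent; the same bullet-to-`\n` flattening appears in the -194 description (`user awareness\nhelp the constituency`), where a separating `;` or `.` before each `\n` would make the items readable when the string is displayed on one line.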
@@ -214,7 +214,7 @@
 {
 "description": "Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT.",
 "meta": {
- "outcome": "A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate. The following functions are considered to be part of the implementation of this service: Risk management support\nBusiness continuity and disaster recovery planning support\nPolicy support\nTechnical advice",
+ "outcome": "A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate.",
 "purpose": "Ensure the constituency’s policies and procedures include appropriate incident management considerations and, ultimately, enable the constituency to better manage risks and threats, as well as enabling the CSIRT to be more effective."
 },
 "related": [],
@@ -254,7 +254,7 @@
 {
 "description": "The various contextual data sources that are involved in detection and enrichment need to be managed throughout their lifecycle. These can be live APIs to or exports from other IT systems such as a Configuration Management Database (CMDB), Identity and Access Management (IAM), or Threat Intel systems, or entirely separate data sets that need to be managed manually. The latter would be the case for indicator lists, watchlists and whitelists to suppress false positives.",
 "meta": {
- "outcome": "Up to date contextual data is available for both detection and enrichment. 5.2 Service: Event analysis Purpose: Triage detected potential information security incidents and their qualification as information security incidents for escalation to the Information Security Incident Management service area or as false alarms. Description: The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues. Outcome: Qualified and correlated information security incidents are available as input to the Information Security Incident Management service area and false positives are qualified for continuous improvement. 
The following functions are considered to be part of the implementation of this service: Correlation\nQualification",
+ "outcome": "Up to date contextual data is available for both detection and enrichment.",
 "purpose": "Manage of contextual data sources for detection and enrichment."
 },
 "related": [
@@ -284,7 +284,7 @@
 {
 "description": "Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.",
 "meta": {
- "outcome": "Qualified potential information security incidents are available for handling as part of the Information Security Incident Management service area. 6 Service Area: Information Security Incident Management This service area is at the heart of any CSIRT and consists of services that are vital in helping constituents during an attack or incident. CSIRTs must be prepared to help and support. Through this unique position and expertise, they are able to not only collect and evaluate information security incident reports, but also to analyze relevant data and perform detailed technical analysis of the incident itself and any artefacts used. From this analysis, mitigation and steps to recover from the incident can be recommended, and constituents will be supported in applying the recommendations. 
This also requires a coordination effort with external entities such as peer CSIRTs or security experts, vendors, or PSIRTs to address all aspects and reduce the number of successful attacks later on. The special expertise CSIRTs can provide is also critical in addressing (information security) crises. While in many instances a CSIRT will not handle the crisis management, it can support any such activity. Making its contacts available, for example, can greatly improve the application of required mitigation steps or better protection mechanisms. Applying the knowledge and the available infrastructure to support its constituency is key to improving overall information security incident management. The following services are considered as potential offerings of this service area: Information security incident report acceptance\nInformation security incidents analysis\nArtefact and forensic evidence analysis\nMitigation and recovery\nInformation security incident coordination\nCrisis management support 6.1 Service: Information security incident report acceptance Purpose: Receive and process reports of potential information security incidents from constituents, from Information Security Event Management services or third parties. Description: For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. 
Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.5 Outcome: The information security incident report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Information Security Incident Report Receipt\nInformation Security Incident Triage and Processing",
+ "outcome": "Qualified potential information security incidents are available for handling as part of the Information Security Incident Management service area.",
 "purpose": "Triage and qualify detected potential information security incidents in order to identify, categorize, and prioritize true positives."
 },
 "related": [
@@ -314,7 +314,7 @@ { "description": "Information Security Incident Reports are reviewed and triaged to obtain an initial understanding of the information security incident in question. It is of particular importance whether it has a real information security impact on the target and can result (or has already resulted) in damage to the confidentiality, availability, integrity, and/or authenticity of information assets or other assets. Depending on the amount of detail and quality of the information provided in the initial report, it may or not be obvious whether a real information security incident has occurred or if there is a different reason—such as misconfiguration or hardware failure. The next step will be determined on the basis of the preliminary assessment (e.g., process the report for further analysis; seek additional information from the reporter or other sources; decide that the report needs no further action or is a false alarm). It is possible that attacks may originate from within the constituency of a CSIRT, may target this constituency, or the constituency is affected by collateral effects only. If the CSIRT does not provide Information Security Management services for the identified targets, then the report should be forwarded securely to an external group for handling, such as the affected organization(s) or CSIRT(s). Unless there is a reason to decline an information security incident report or the report has been forwarded to another entity responsible for its handling, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling.", "meta": { - "outcome": "It can be determined if a reported matter is indeed an information security incident that needs to be handled by the CSIRT or passed on to a relevant entity. 
The following sub-functions are considered to be part of the implementation of this service: Processing reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means\nUpdating acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available\nMerging new information about already handled information security incidents to the available data to allow a consistent analysis and processing 6.2 Service: Information security incident analysis Purpose: Analyze and gain an understanding of a confirmed information security incident. Description: This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit. Detailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken. The CSIRT may use other information and its own analysis (see below for some options) or knowledge available from vendors and product security teams or security researchers to better understand what has happened and what steps to take to remedy losses or damage. Outcome: Knowledge is increased of the key details of an information security incident (e.g., description, impact, scope, attacks/exploits, and remedies). 
The following functions are considered to be part of the implementation of this service: Information security incident triage (prioritization and categorization)\nInformation collection\nDetailed analysis coordination\nInformation security incident root cause analysis\nCross-incident correlation", + "outcome": "It can be determined if a reported matter is indeed an information security incident that needs to be handled by the CSIRT or passed on to a relevant entity. The following sub-functions are considered to be part of the implementation of this service: Processing reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means\nUpdating acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available\nMerging new information about already handled information security incidents to the available data to allow a consistent analysis and processing", "purpose": "Initially review, categorize, prioritize, and process a reported information security incident." }, "related": [ 
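Review bot: The corrected `"outcome"` value on the `+` line is a hand edit to a file that the series' first commit (diffstat lists `tools/gen_csf.py` next to this cluster) presumably generates, so the next regeneration will re-append the following section's text ("6.2 Service: Information security incident analysis ...") unless the extractor itself is taught to stop at the next "Service:"/function heading. Consider fixing the cut-off in `tools/gen_csf.py` and regenerating, or recording that the cluster JSON is now hand-maintained, so the two do not drift apart. The same removed-tail pattern repeats in every other hunk of this file, which points at a single extraction bug rather than nine independent typos. The enclosing cluster object begins before this hunk and continues past it.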
@@ -389,7 +389,7 @@ { "description": "This function involves the correlation of available information about multiple information security incidents to determine interrelations, trends, or applicable mitigations from already closed information security incidents to improve the response to currently handled information security incidents.", "meta": { - "outcome": "The bigger picture is understood in terms of situational awareness based on a detailed knowledge about similarities and confirmed or suspected interrelationships of otherwise independent information security incidents. 6.3 Service: Artifact and forensic evidence analysis Purpose: Analyze and gain an understanding of artefacts related to a confirmed information security incident, taking into consideration the need to preserve forensic evidence. Description: The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, applications codes, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply. Even without preserving a chain-of-custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments--with or without external accesses from standard wired or wireless networks (such as performing the forensics activities in a sealed or Faraday room), logging of activities, and compliance with procedures. 
As part of the handling of information security incidents, digital artefacts may be found on affected systems or malware distribution sites. Artefacts may be the remnants of an intruder attack, such as executables, scripts, files, images, configuration files, tools, tool outputs, logs, live or dormant pieces of code, etc. The analysis is carried out in order to find out some or all of the information listed below, which is not considered to be a complete list: The context required of the artefact to run and to perform its intended tasks, whether malicious or not\nHow the artefacts may have been utilized for the attack: uploaded, downloaded, copied, executed, or created within an organization’s environments or components\nWhich systems have been involved locally and remotely to support the distribution and actions\nWhat an intruder did once to access to the system, network, organization, or infrastructure was established: from passively collecting data, to actively scanning and transmitting data for exfiltration purposes, or collecting new action requests, updating itself or making a lateral movement inside a compromised (local) network\nWhat a user, user process, or user system did once the user account or user device was compromised\nWhat behavior characterizes the artefacts or compromised systems, either in standalone mode, in conjunction with artefacts or components, connected to a local network or the Internet, or in any combination\nHow the artefacts or compromised systems establish connectivity with the target (e.g., intrusion path, initial target, or detection evasion techniques);\nWhat communication architecture (peer-to-peer, command-and-control, both) has been utilized\nWhat were the actions of the threat actors, what is their network and systems footprint\nHow the intruders or artefacts evaded detection (even over long periods of time which may include reboot or reinitialization) This can be achieved through various types of activities including media or 
surface analysis\nreverse engineering\nruntime or dynamic analysis\ncomparative analysis Each activity provides additional information about the artefacts. Analysis methods include but are not limited to identification of type and characteristics of artefacts, comparison with known artefacts, observation of artefact execution in a runtime or a live environment, and disassembling and interpreting binary artefacts. In carrying out an analysis of the artefacts, an analyst attempts to reconstruct and determine what the intruder did, in order to detect the exploited vulnerability, assess damages, develop solutions to mitigate against the artefacts, and provide information to constituents and other researchers. Outcome: The nature of recovered digital artefacts and analyzed forensic evidence is understood along with the relationship to other artefacts, internal or external objects or components, attacks on frameworks, tools, and exploited vulnerabilities. Working assumptions or proof of what the threat actor did, and how the artefacts behaved. This knowledge is critical to assess losses, damages, business impacts, etc. and to develop containment and mitigation or recovery strategies. The tactics, techniques, and procedures used by attackers or intruders to compromise systems, users, networks, organizations and/or infrastructures is understood. This includes those tactics, techniques, and procedures used to propagate, exfiltrate, update, modify, or fake its behavior, data, auto-delete traces of its own activities, or carry out additional malicious activities. 
List of functions which are considered to be part of the implementation of this service: Media or surface analysis\nReverse engineering\nRuntime and/or dynamic analysis\nComparative analysis", + "outcome": "The bigger picture is understood in terms of situational awareness based on a detailed knowledge about similarities and confirmed or suspected interrelationships of otherwise independent information security incidents.", "purpose": "Enable the usage of all available information to get the best understanding of the context and detect interrelationships that otherwise would not have been recognized or acted upon." }, "related": [ 
@@ -449,7 +449,7 @@ { "description": "This function involves exploring an artefact’s relationship to other artefacts. This may identify similarities in code or modus operandi, targets, intent, and authors. Such similarities can be used to derive the scope of an attack (e.g., is there a larger target, has similar code been used before). Comparative analysis techniques can include exact match comparisons or code similarity comparisons. Comparative analysis provides a broader view of how the artefact or similar versions of it were used and changed over time, helping to understand the evaluation of malware or other malicious types of artefacts.", "meta": { - "outcome": "Any commonalities or relationships to other artefacts are derived in order to identify trends or similarities that may provide additional insights or understanding of a digital artefact’s functionality, impact, and mitigation. The following sub-functions are considered to be part of the implementation of this function: Defining a baseline of characteristics and observed behaviors\nSearching for the same or similar characteristics in available repositories/knowledge bases\nUpdating available repositories/knowledge bases regarding newly observed or previously unknown symptoms, behaviors, and/or signatures which can be used to further categorize the researched artefact. 6.4 Service: Mitigation and recovery Purpose: Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security. Description: Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned over into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. 
This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed or new information becomes available that requires further analysis and henceforth may also change the response strategy and plan. Outcome: The information security incident is mitigated and the cyber security posture is improved. Integrity of systems impacted by the underlying attack or activities of the attacker is restored, as well as serviceability of the network and systems compromised. Data is restored in case of data loss, if possible. The following functions are considered to be part of the implementation of this service: Response plan established \nAd hoc measures and containment\nSystems restoration\nOther information security entities support In the case of a coordinating CSIRT, not all functions will be provided. While “supporting other information security entities” is an activity such teams provide, they sometimes also help with “establishing a response plan.”", + "outcome": "Any commonalities or relationships to other artefacts are derived in order to identify trends or similarities that may provide additional insights or understanding of a digital artefact’s functionality, impact, and mitigation. The following sub-functions are considered to be part of the implementation of this function: Defining a baseline of characteristics and observed behaviors\nSearching for the same or similar characteristics in available repositories/knowledge bases\nUpdating available repositories/knowledge bases regarding newly observed or previously unknown symptoms, behaviors, and/or signatures which can be used to further categorize the researched artefact.", "purpose": "Perform an analysis focused on identifying common functionality or intent, including family analysis of catalogued artefacts." }, "related": [ 
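Review bot: The new `"outcome"` string still embeds a `\n`-separated list ("The following sub-functions are considered ...: Defining a baseline ...\nSearching ...\nUpdating ...") inside what is otherwise a single sentence, so any consumer wanting the sub-functions has to re-parse prose. If the galaxy cluster schema allows an extra meta key, a JSON array such as `"sub-functions": ["Defining a baseline of characteristics and observed behaviors", ...]` would keep `outcome` as the one sentence the FIRST text gives it and make the list machine-readable; I have not checked the schema, so confirm before adding a key. The same embedded lists remain in the `-314`, `-719` and `-764` hunks of this file.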
@@ -509,7 +509,7 @@ { "description": "A CSIRT may provide direct (onsite) assistance to help the constituents to recover from losses and to remove vulnerabilities. This might be a direct extension of offering analysis services on-site (see above). On the other hand, a CSIRT might choose to support the staff of the constituents responding to the information security incident with more detailed explanations, recommendations, etc.", "meta": { - "outcome": "Response of the constituents is improved and recovery is faster. By adding to the available body of knowledge the future effectiveness and efficiency of related activities may be strengthened. In addition, it helps to support those entities inside the constituency that are lacking detailed technical knowledge to carry out the necessary action to respond. 6.5 Service: Information security incident coordination Purpose: Ensure timely notifications and accurate information distribution; keep the information flow and track the status of activities of entities that are either tasked or requested to participate in responding to the information security incident; and make sure the response plan is carried out and deviations caused by both delays or new information are managed accordingly. Description: Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, this requires suitable escalation and reporting functions established before any information security incident can be handled effectively and efficiently. 
As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, track their responses and make sure that all parties carrying out activities report back to provide for accurate situational awareness until the information security incident is considered closed and requiring no further coordination. Stakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support. Outcome: The response is successfully coordinated based on well-informed entities that contribute to the response to an information security incident. The following functions are considered to be part of the implementation of this service: Communication\nNotification distribution\nRelevant information distribution\nActivities coordination \nReporting\nMedia communication", + "outcome": "Response of the constituents is improved and recovery is faster. By adding to the available body of knowledge the future effectiveness and efficiency of related activities may be strengthened. In addition, it helps to support those entities inside the constituency that are lacking detailed technical knowledge to carry out the necessary action to respond.", "purpose": "Enable the constituents to perform the required management and technical activities in order to successfully mitigate an information security incident and recover from it." }, "related": [ 
@@ -599,7 +599,7 @@ { "description": "Communicating with the media is unavailable in many cases. While CSIRTs usually try to avoid such contact, it is important to realize that the media can help to mitigate specific types of ongoing and large-scale attacks causing information security incidents. For this it is necessary to explain what is causing the information security incidents and explain the impact on users and/or organizations. In some cases, a CSIRT might choose to provide this information already in a manner suitable for release to the public, but this certainly requires specific skills inside the CSIRT not readily available in most. In any case, if a CSIRT communicates with the media, it must take great care to simplify the technical issues as much as possible and leave out all confidential information.", "meta": { - "outcome": "Factual information providing a clear summary of the ongoing information security incident is developed including steps to be taken by potential victims or outlining the chosen response strategy to recover from the information security incident. 6.6 Service: Crisis management support Purpose: Provide expertise and contacts to other security experts, CSIRTs, and CSIRT communities in order to help mitigate the crisis. Description: While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. But the response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As it is established in crisis management, a high-ranking role will take over the responsibility of a crisis, thereby changing the usual line of command for the duration of the emergency. 
As the systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations and provide valuable experience but also the established services and networks of points of contacts. Outcome: The crisis management team can use the CSIRT’s resources to address the cyber security aspects of the current crisis. At the same time, the CSIRT’s communication resources can be utilized to reach out to constituents and external parties to ask for specific support actions or help. It can also be used to communicate in a trusted way towards constituents, using established communication means and trusted networks. The following functions are considered to be part of the implementation of this service: Information distribution to constituents\nInformation security status reporting\nStrategic decisions communication", + "outcome": "Factual information providing a clear summary of the ongoing information security incident is developed including steps to be taken by potential victims or outlining the chosen response strategy to recover from the information security incident.", "purpose": "Engage with the (public) media to be able to provide accurate and easy-to-understand factual information about ongoing events to avoid the spread of rumors and misleading information." }, "related": [ 
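Review bot: The unchanged `"description"` context line in this hunk reads "Communicating with the media is unavailable in many cases", which contradicts the sentence that follows ("CSIRTs usually try to avoid such contact") and looks like a transcription of "unavoidable". Since the text is meant to mirror the FIRST v2.1 document, confirm the wording against the source and, if it is an extraction error, correct it where the JSON is produced rather than only here, so the fix survives regeneration. The hunk only touches `outcome`, so this would be a separate follow-up.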
@@ -644,7 +644,7 @@ { "description": "Informing other entities in a timely manner about the impact caused by the crisis on currently open information security incidents provides a clear understanding of what support can also be provided by the CSIRT during the duration of the crisis, and makes sure that entities understand what to expect. It also makes sure that other parties stop their support or interaction with the CSIRT as they might believe that the crisis is taking over. As the crisis management team may decide to postpone the response to an actual information security incident due to a crisis, such decisions need to be communicated to all entities currently informed and participating. This is to avoid misunderstandings and further issues that may also lead to a loss of trust in the CSIRT and/or host organization.", "meta": { - "outcome": "Information of the crisis impact on the CSIRT operation is distributed to constituents and other entities involved with responding to open information security incidents. The expectations of the CSIRT towards such entities are clearly described and ensure that the information needs of the CSIRT are clearly communicated. 7 Service Area: Vulnerability Management The Vulnerability Management Service Area includes services related to the discovery, analysis, and handling of new or reported security vulnerabilities in information systems. The Vulnerability Management Service Area also includes services related to the detection of and response to known vulnerabilities in order to prevent them from being exploited. Therefore, this service area encompasses services related to both new and known vulnerabilities. 
Although the term “vulnerability management” is sometimes used to refer to the process of simply preventing known vulnerabilities from being exploited (e.g., “scan and patch”), in this CSIRT Services Framework, those activities are considered as functions and sub-functions under a service called Vulnerability Response, which is just one possible service that a CSIRT might provide. For many CSIRTs, those vulnerability response functions are the responsibility of other roles that scan for and remediate security vulnerabilities. The following services are considered offerings of this service area: Vulnerability discovery / research\nVulnerability report intake\nVulnerability analysis\nVulnerability coordination\nVulnerability disclosure\nVulnerability response Few CSIRTs will provide all of these services, but instead will provide only those services in their realm of responsibility. For example, a CSIRT may limit its services to learning of a new vulnerability from public sources (Vulnerability Discovery/Research) or from third parties (Vulnerability Report Intake) and then issue a security advisory to its constituents (Vulnerability Disclosure) when needed, without necessarily participating in any coordination efforts with product vendors or others who develop a solution (Vulnerability Coordination), or being involved in directly deploying a fix (Vulnerability Response). 7.1 Service: Vulnerability discovery / research Purpose: Find, learn of, or search for new (previously unknown) vulnerabilities; vulnerabilities can be discovered by members of the vulnerability management service area or through other related CSIRT activities Description: Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. 
Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists6), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability. Outcome: This service results in an increased discovery of potential vulnerabilities that were not reported directly to the CSIRT. The following functions are considered to be part of the implementation of this service: Incident response vulnerability discovery \nPublic source vulnerability discovery \nVulnerability research These functions may be services (or functions) performed by others (e.g., researchers, vendors, PSIRTs, or third-party specialists) instead of the CSIRT.", + "outcome": "Information of the crisis impact on the CSIRT operation is distributed to constituents and other entities involved with responding to open information security incidents. The expectations of the CSIRT towards such entities are clearly described and ensure that the information needs of the CSIRT are clearly communicated.", "purpose": "Inform other entities in a timely manner about the impact caused by the crisis on currently open information security incidents." }, "related": [ 
@@ -689,7 +689,7 @@ { "description": "This function includes the discovery of new vulnerabilities as a result of specific CSIRT activities, such as the testing of systems or software using fuzz testing (fuzzing), or through the reverse engineering of malware. This function may also receive input from the service(s) of the Information Security Incident Management service area or the Situational Awareness service area that would initiate this function to look for suspected vulnerabilities. The discovery of a new vulnerability as a result of this vulnerability research function may become input to the Incident Response service, Vulnerability Detection function (see sub-functions for Vulnerability Scanning and Vulnerability Penetration Testing).", "meta": { - "outcome": "New vulnerabilities are identified through research. 7.2 Service: Vulnerability report intake Purpose: Receive and process vulnerability information reported from constituents or third parties. Description: One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. Supporting guidance should include reporting guidelines, contact information, and any disclosure policies. To enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. 
Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report. Outcome: The vulnerability report is received with professional and consistent intake of each report as well as its initial validation and classification. The following functions are considered to be part of the implementation of this service: Vulnerability report receipt\nVulnerability report triage and processing", + "outcome": "New vulnerabilities are identified through research.", "purpose": "Discover or search for new vulnerabilities as a result of deliberate activities or research." }, "related": [ 
@@ -719,7 +719,7 @@ { "description": "Vulnerability Reports are reviewed and triaged to obtain an initial understanding of the vulnerability in question and determine what to do next (e.g., process the vulnerability for further analysis, seek additional information from the reporter or other sources, decide that the vulnerability needs no further action). Depending on the amount of detail and quality of the information provided in the vulnerability report, it may or not be obvious whether a new vulnerability exists. Unless there is a reason to decline a vulnerability report, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling. If the CSIRT does not provide a Vulnerability Analysis service, then the report should be securely forwarded to an external group for handling, such as the affected vendor(s), PSIRT(s), or a vulnerability coordinator.", "meta": { - "outcome": "Available information is identified to determine what to do next. The following sub-functions are considered to be part of the implementation of this service: Process reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means.\nUpdate acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available.\nMerge new information about a vulnerability already being handled with the available data to allow consistent analysis and processing. 7.3 Service: Vulnerability analysis Purpose: Analyze and gain understanding of a confirmed vulnerability. 
Description: The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD)7 process. Outcome: Knowledge of the key details of a vulnerability (e.g., description, impact, resolution) is increased.\nThe following functions are considered to be part of the implementation of this service: Vulnerability triage (validation and categorization)\nVulnerability root cause analysis\nVulnerability remediation development", + "outcome": "Available information is identified to determine what to do next. The following sub-functions are considered to be part of the implementation of this service: Process reports and submitted data including artefacts or materials in isolation to protect the integrity of the working environment and avoid successful attacks on the CSIRT by such means.\nUpdate acknowledgement of reports by providing some feedback on further steps based on categorization or prioritization results available.\nMerge new information about a vulnerability already being handled with the available data to allow consistent analysis and processing.", "purpose": "Initially review, categorize, prioritize, and process a vulnerability report." }, "related": [ 
@@ -764,7 +764,7 @@ { "description": "This function will ideally identify a remediation or a fix for a vulnerability. If a vendor patch or fix is not available in a timely manner, a temporary solution or workaround, called a mitigation, may be recommended, such as disabling the affected software or making configuration changes, to minimize the potential negative effects of the vulnerability. Note that the actual application or deployment of a remediation (patch) or mitigation (workaround) is a function of a separate service, called Vulnerability Response in this framework. As part of the Vulnerability Analysis service and Remediation Development, this function may optionally include other sub-functions or activities, such as validating the changing of a procedure or design, reviewing remediation by a third party, or identifying any new vulnerabilities introduced in the remediation steps. Vulnerabilities that are not remediated or mitigated should be documented as acceptable risks. This function will often receive information or input from the affected product’s vendor(s), sometimes as part of the initial report or announcement handled by other services or functions.", "meta": { - "outcome": "A plan is established to change (patch) the software code, implement a workaround, or to improve processes, infrastructures, and/or designs to close the specific attack vector and to prevent the vulnerability from being exploited.\nThe following sub-functions are considered to be part of this function: Vulnerability remediation/patch development\nVulnerability mitigation development This function is typically performed by other entities (e.g., product vendors, PSIRTs). 7.4 Service: Vulnerability coordination Purpose: Exchange information and coordinate the activities with participants involved in a coordinated vulnerability disclosure (CVD) process. 
Description: The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSRITs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability. Outcome: Information sharing with CVD participants who can assist in providing information to remediate/mitigate the vulnerability is effective and timely. The following functions are considered to be part of the implementation of this service: Vulnerability notification/reporting\nVulnerability stakeholder coordination", + "outcome": "A plan is established to change (patch) the software code, implement a workaround, or to improve processes, infrastructures, and/or designs to close the specific attack vector and to prevent the vulnerability from being exploited.\nThe following sub-functions are considered to be part of this function: Vulnerability remediation/patch development\nVulnerability mitigation development This function is typically performed by other entities (e.g., product vendors, PSIRTs).", "purpose": "Develop the steps necessary to fix (remediate) the underlying vulnerability or mitigate (reduce) the effects of the vulnerability from being exploited." }, "related": [ 
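Review bot: The new `outcome` still runs the last list item straight into the trailing sentence, `Vulnerability mitigation development This function is typically performed by other entities (e.g., product vendors, PSIRTs).`, while the other items in the same string are separated with `\n`; the removed line had the same join, so the commit keeps it. A `\n` before `This function` would make the list parse consistently with the rest of the file: `Vulnerability mitigation development\nThis function is typically performed by other entities (e.g., product vendors, PSIRTs).`. The same missing separator appears after `Vulnerability mitigation` in the new `outcome` of the hunks at -854 and -869.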
@@ -794,7 +794,7 @@ { "description": "Coordinate the exchange of information among the finders/researchers, vendors, PSIRTS, and any other participants in the coordinate vulnerability disclosure (CVD) efforts to analyze and fix the vulnerability and prepare for the disclosure of the vulnerability. This coordination should also include agreement by participants on the timing and synchronization of the disclosure.", "meta": { - "outcome": "Vulnerability information is more effectively, timely, and responsibly shared among participants who can develop or announce a remediation/mitigation solution. The following sub-functions are considered to be part of this function: Vulnerability publication development 7.5 Service: Vulnerability disclosure Purpose: Disseminate information about known vulnerabilities to constituents so that they can act upon that information to prevent, detect, and remediate/mitigate known vulnerabilities. Description: Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination. Outcome: Informed constituents can avoid the potential exploitation of known vulnerabilities prior to exploitation and can detect and mitigate vulnerabilities that already exist. The following functions are considered to be part of the implementation of this service: Vulnerability disclosure policy and infrastructure maintenance\nVulnerability announcements/communication/dissemination\nPost-vulnerability disclosure feedback", + "outcome": "Vulnerability information is more effectively, timely, and responsibly shared among participants who can develop or announce a remediation/mitigation solution. 
The following sub-functions are considered to be part of this function: Vulnerability publication development", "purpose": "Conduct follow-on coordination and sharing of information among the various stakeholders and participants involved in coordinated vulnerability disclosure (CVD) efforts." }, "related": [ 
@@ -839,7 +839,7 @@ { "description": "Following the disclosure of a new vulnerability, CSIRTs can expect to receive follow-on communications in the form of questions from some constituents about a vulnerability document. The questions may indicate a need for clarification, revision, or amendment of the vulnerability disclosure mechanism, if warranted. Information from constituents may simply be an acknowledgement or receipt of the vulnerability document, or the constituent may report an issue or difficulty in deploying the suggested remediation/mitigation. If the vulnerability was determined to have been already exploited, constituents may be reporting newly discovered incidents as a result of the vulnerability disclosure. Such reports should feed into the functions of the CSIRT’s Incident Reporting service.", "meta": { - "outcome": "Any questions or requests for assistance are responded to in a timely manner following a vulnerability disclosure. 7.6 Service: Vulnerability response8 Purpose: Actively take information about known vulnerabilities and act upon that information to prevent, detect, and remediate/mitigate those vulnerabilities. Description: The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies. Outcome: Information was acted upon in order to detect the presence of a vulnerability, remediate/mitigate a disclosed vulnerability, and prevent the vulnerability from being exploited. 
The following functions are considered to be part of the implementation of this service: Vulnerability detection / scanning\nVulnerability remediation This Vulnerability Response service and its related functions are usually performed by other specialized groups within an organization, typically not the CSIRT. This service is also unlikely to be provided by a Coordinating CSIRT.", + "outcome": "Any questions or requests for assistance are responded to in a timely manner following a vulnerability disclosure.", "purpose": "Receive and respond to questions or reports from constituents about a vulnerability disclosure or document." }, "related": [ 
@@ -854,12 +854,12 @@ { "description": "The goal of this function is to detect any previously unpatched or unmitigated vulnerabilities before they are exploited or impact the network or devices. This function may be initiated in response to an announcement about a new vulnerability, or it may be achieved as part of a periodically scheduled scan for known vulnerabilities. In order to provide vulnerability detection effectively, it is useful to have a systems inventory. Having such an inventory that can be queried for software version information can enable an organization to quickly assess the likely prevalence of a newly reported vulnerability in its infrastructure.", "meta": { - "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT. 8 Service Area: Situational Awareness Situational Awareness comprises the ability to identify, process, comprehend, and communicate the critical elements of what is happening in and around the CSIRT’s area of responsibility that may affect the operation or mission of its constituency. Situational awareness includes being aware of the current state, and identifying or anticipating potential changes to that state. This service area includes determining how to gather relevant information from different areas, how to integrate that information, and how to disseminate it in a timely manner to help constituents make more informed decisions. Some organizations may establish a separate team to provide Situational Awareness, but for others, the CSIRT team provides this function based on its visibility, understanding of context, technical capabilities, access to assets, external connections, and mission to prevent incidents. 
Situational awareness is not solely focused on responding to incidents, it is a service that ensures that data, analysis, and actions are available to other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also ensures that information coming from those other services areas is properly integrated together and delivered back to appropriate constituents in a timely manner. The following services are offerings of this service area: Data acquisition\nAnalysis and synthesis\nCommunication 8.1 Service: Data acquisition Purpose: Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture. Description: Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information. 
Outcome: The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities The following functions are considered to be part of the implementation of this service: Policy aggregation, distillation, and guidance\nAsset mappings of assets to functions, roles, actions, and key risks\nCollection\nData processing and preparation", + "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT.", "purpose": "Actively engage in searching for the presence of known vulnerabilities in deployed systems." }, "related": [ { - "dest-uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", + "dest-uuid": "8b6e3cc9-2f15-5502-9cbb-0a4c1aaf59d6", "type": "part-of" } ], 
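Review bot: The new `outcome` of this Vulnerability detection/scanning entry is identical to the one in the next hunk at -869 (Vulnerability remediation) and names `Vulnerability remediation (patch management)` and `Vulnerability mitigation` as its sub-functions, although this entry's `description` and `purpose` are about searching for known vulnerabilities, not fixing them; the removed line carried the same duplication, so the commit trims the overflow but leaves the wrong outcome in place. The detection/scanning entry should get the outcome the framework gives that function (one about the presence of vulnerabilities being detected in deployed systems) rather than a copy of the remediation one; I have not verified the exact wording against the source document, so it should be taken from there. The `dest-uuid` change to `8b6e3cc9-2f15-5502-9cbb-0a4c1aaf59d6` is mirrored in the -869 hunk, so both functions still point at one parent, but both the old and the new value are version-5 (name-based) UUIDs, which suggests the parent's name input changed; since downstream consumers key on these identifiers, it is worth confirming the derivation input is stable before the values spread.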
@@ -869,12 +869,12 @@ { "description": "Vulnerability remediation is intended to resolve or eliminate a vulnerability. For software vulnerabilities, this typically occurs through the deployment and installation of vendor-provided solutions in the form of software updates or patches. When approved patches are unavailable or cannot be deployed, an alternative mitigation or workaround may be applied as a countermeasure to prevent exploitation of the vulnerability. This function often follows a positive identification of a vulnerability as the result of the Vulnerability Detection/Scanning/Hunting function.", "meta": { - "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT. 8 Service Area: Situational Awareness Situational Awareness comprises the ability to identify, process, comprehend, and communicate the critical elements of what is happening in and around the CSIRT’s area of responsibility that may affect the operation or mission of its constituency. Situational awareness includes being aware of the current state, and identifying or anticipating potential changes to that state. This service area includes determining how to gather relevant information from different areas, how to integrate that information, and how to disseminate it in a timely manner to help constituents make more informed decisions. Some organizations may establish a separate team to provide Situational Awareness, but for others, the CSIRT team provides this function based on its visibility, understanding of context, technical capabilities, access to assets, external connections, and mission to prevent incidents. 
Situational awareness is not solely focused on responding to incidents, it is a service that ensures that data, analysis, and actions are available to other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also ensures that information coming from those other services areas is properly integrated together and delivered back to appropriate constituents in a timely manner. The following services are offerings of this service area: Data acquisition\nAnalysis and synthesis\nCommunication 8.1 Service: Data acquisition Purpose: Collect data that will help increase visibility as to what internal and external activities are occurring that may affect the constituency’s security posture. Description: Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevent, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information. 
Outcome: The following artefacts result from this service: a set of data collection requirements that identifies situational awareness needs, and then maps those requirements to the types of information to be collected in order to meet those objectives\ninformation about the current and expected future status of constituency assets and activities\ninformation about external events or trends that provides insight into the constituency’s surroundings and current environment, including new technologies, methods, practices, risks, and threats \nproperly formatted information readied for analysis and detection activities The following functions are considered to be part of the implementation of this service: Policy aggregation, distillation, and guidance\nAsset mappings of assets to functions, roles, actions, and key risks\nCollection\nData processing and preparation", + "outcome": "Exposure to the threat of a vulnerability being exploited is prevented or reduced. The following sub-functions are considered to be part of this function: Vulnerability remediation (patch management)\nVulnerability mitigation This function is typically performed by others (e.g., IT, SOC, system owners), not the CSIRT.", "purpose": "Remediate or mitigate vulnerabilities to prevent them from being exploited, typically through the timely application of vendor-provided patches or other solutions." }, "related": [ { - "dest-uuid": "7bed8224-c2b4-56af-bd69-1fb1f8e1a0b5", + "dest-uuid": "8b6e3cc9-2f15-5502-9cbb-0a4c1aaf59d6", "type": "part-of" } ], 
@@ -929,7 +929,7 @@ { "description": "Data processing and preparation includes transformation, processing, normalization, and validation of a set of data. Sources of cybersecurity data need to be validated for accuracy often due to a high number of false positives. The relevant data also typically comes in different formats, and new data needs to be combined with historical data before a complete analysis can be performed. Some types of data (such as news articles) may need to be analyzed or processed as part of the preparation process. One example would be extracting relevant security information from a news article (e.g., names, dates, places, technical information, weaknesses, system names) and comparing it with internal data for potential impacts. Some analysis methods require data to be stored in the same format, or for files to have the same number of records. There are multiple processing steps that may be involved to prepare the data. Data augmentation (also called enrichment) is performed by including other available information related to a given piece of data from other internal and external sources. For example, teams may collect information related to internet protocol addresses (IP addresses) such as autonomous system identifiers, country codes, or geo-location data. For internal asset information, teams may enrich their asset inventory data with the name of the asset owner, their role, their permissions on other assets, their physical working location over time, and more.", "meta": { - "outcome": "Data is available and ready to be used by other services or functions. 8.2 Service: Analysis and synthesis Purpose: Assess when the situation does not match with expectations (e.g., when specific assets may be about to experience a harmful event). 
Description: The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency. Outcome: A set of conclusions about the probable historical, current, and/or likely future events within a constituency is produced. It may also include recommendations about certain decisions that a constituency is facing. Analysis should be supported by evidence such as observation data collected from sensors and other sources and the interpretation of that evidence by analysts through a variety of methods. The analysis may also include constituents that need to be told about the results, and what they need to be told. The following functions are considered to be part of the implementation of this service: Projection and inference\nEvent detection (through alerting and/or hunting)\nSituational impact", + "outcome": "Data is available and ready to be used by other services or functions.", "purpose": "Establish a reliable, consistent, and current set of data that can support CSIRT activities and the requirements of the analysis service." }, "related": [ 
@@ -989,7 +989,7 @@ { "description": "This function identifies the impact a projection or inference may have upon a current or near-term future situation. An impact may include raising or lowering certain risks such as data loss, system downtime, or effects on data confidentiality/availability/integrity.", "meta": { - "outcome": "An analysis is produced of the likely possible impact that an inference or projection may have upon a situation. 8.3 Service: Communication Purpose: Notify constituents or others in the security community about changes in risks to the situational picture. Description: The knowledge obtained from situational awareness must be communicated to the constituency. This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers. Outcome: Accurate, actionable, and timely situational information is delivered to constituency so they can better understand their past and improve their current and future situational picture. The following functions are considered to be part of the implementation of this service: Internal and external communication\nReporting and recommendations\nImplementation \nDissemination / integration / information sharing\nManagement of information sharing", + "outcome": "An analysis is produced of the likely possible impact that an inference or projection may have upon a situation.", "purpose": "Determine the expected potential impact of a given observation or possible observation to a situational picture." }, "related": [ 
@@ -1079,7 +1079,7 @@ { "description": "This function involves providing and receiving feedback on information provided, received, and used by the constituency, other service providers or other stakeholders. Was the information received accurate, applicable, timely, strategic, new/novel, etc.? Was it helpful in resolving an investigation? Did it lead to a new insight? This may mean providing information also to other CSIRT (as an external source) on the usefulness of or changes to signatures, honeypot findings, IOCs, warnings, threat information, mitigations, etc. This activity may also be performed by the Knowledge Transfer service area. If so, the results should be communicated back to the Situational Awareness service area.", "meta": { - "outcome": "Observations and feedback is provided to internal and external sources in order to improve the accuracy, timeliness, quality, and usefulness of information received. 9 Service Area: Knowledge Transfer Through the nature of their services CSIRTs, are in a unique position to collect relevant data, perform detailed analysis, and identify threats, trends, and risks, as well as to create best current operational practices to help organizations to detect, prevent, and respond to security incidents. Transferring this knowledge to their constituents is key to improving overall cybersecurity. The following services are considered as offerings of this particular service area: Awareness building\nTraining and education\nExercises\nTechnical and policy advisory 9.1 Service: Awareness building Purpose: Increase the overall security posture of the constituency and help its members to detect, prevent, and recover from incidents; ensure that constituents are better prepared and educated. Description: This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats. 
Outcome: The constituency is provided with the necessary awareness of: events, activities, and trends that may affect its ability to operate in a timely and secure manner\nsteps to take to detect, prevent and mitigate threats and malicious activity\nsecurity and operational best practices The following functions are considered to be part of the implementation of this service: Research and information aggregation\nReport and awareness materials development\nInformation dissemination\nOutreach", + "outcome": "Observations and feedback is provided to internal and external sources in order to improve the accuracy, timeliness, quality, and usefulness of information received.", "purpose": "Improve the quality, timeliness, accuracy, and relevance of the data being received from internal and external sources." }, "related": [ 
@@ -1139,7 +1139,7 @@ { "description": "This function involves building partnerships, promoting cooperation, and engaging key stakeholders, internal or external to the constituency, with the goal of: disseminating awareness and best practices; helping the constituency and external stakeholders understand the services and benefits a CSIRT can provide; helping the CSIRT to better understand constituents’ needs; and enabling the realization of CSIRT’s mission. This may involve ensuring interoperability or fostering collaboration between or across organizations.", "meta": { - "outcome": "Active and consistent outreach activities are performed that may include, but are not limited to, meeting with key stakeholders, participating in sector meetings, presenting at conferences, and organizing conferences. 9.2 Service: Training and education Purpose: Provide training and education to a CSIRT constituency (which may include organizational and CSIRT staff) on topics related to cybersecurity, information assurance and incident management. Description: A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can help maintain user awareness\nhelp the constituency understand the changing landscape and threats\nfacilitate information exchange between the CSIRT and its constituency\ntrain the constituency on tools, processes and procedures related to security and incident management. This can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities. 
Outcome: A consistent training and education program is provided that enables the CSIRTs’ constituency to appropriately acquire methods to detect, prevent or respond to threats\ntools and practices to help protect critical assets\nunderstanding about incident management processes and how to get assistance The following functions are considered to be part of the implementation of this service: Knowledge, skill, and ability requirements gathering \nEducational and training materials development\nContent delivery\nMentoring\nCSIRT staff professional development", + "outcome": "Active and consistent outreach activities are performed that may include, but are not limited to, meeting with key stakeholders, participating in sector meetings, presenting at conferences, and organizing conferences.", "purpose": "Develop and maintain relationships with experts or organizations that may help or be part of the execution of the mission of the CSIRT." }, "related": [ 
@@ -1214,7 +1214,7 @@ { "description": "Once the appropriate skills have been identified, professional development is used by a CSIRT to promote a continuous process of securing new knowledge, skills, and abilities that relate to the security profession, unique job responsibilities, and the overall Team environment. This can include attending conferences, advanced training, and cross-training activities, among others.", "meta": { - "outcome": "Developed and trained staff are available with the requisite technical and soft skills and process understanding, and who are up to date based on the job roles and needs. CSIRT members are ready to address the daily operational challenges, supporting both the team and its customers. 9.3 Service: Exercises Purpose: Conduct exercises to assess and improve the effectiveness and efficiency of cybersecurity services and functions. Description: Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to test policies and procedures: assess whether there are sufficient policies and procedures in place to effectively detect, respond and mitigate incidents. This is, generally, a paper/table-top exercise.\ntest operational readiness: assess whether the organization has an incident management capability that is able to detect, respond to and mitigate incidents in a timely and successful manner, as well as to test whether the right people are in place, directories are up-to-date, and if procedures are executed correctly. This service addresses both the needs of the organization and the needs of its constituents. 
More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives: Demonstrate: Illustrate cybersecurity services and functions, as well as vulnerabilities, threats, and risks, in order to raise awareness.\nTrain: Instruct staff on new tools, techniques, and procedures:\n\nExercise: Provide an opportunity for staff to use tools, techniques, and procedures they are expected to be knowledgeable about. Exercising is necessary for perishable skills and helps improve and maintain efficiency.\nAssess: Analyze and understand the level of effectiveness and efficiency of cybersecurity services and functions, as well as the level of staff preparedness.\nVerify: Determine whether a specified level of effectiveness and/or efficiency can be achieved for cybersecurity services and functions. Outcome: The effectiveness and efficiency of cybersecurity services and functions is improved and opportunities for further improvements are identified. Depending on the specific objective(s) of an exercise, cybersecurity may also be demonstrated to internal or external stakeholders, staff can be trained, and the efficiency and effectiveness of tools, services, and functions can be assessed and/or verified. Lessons for improving future exercises can also be identified and a report delivered to management or other key stakeholders. The following functions are considered to be part of the implementation of this service: Requirements analysis\nFormat and environment development\nScenario development\nExercises execution\nExercise outcome review", + "outcome": "Developed and trained staff are available with the requisite technical and soft skills and process understanding, and who are up to date based on the job roles and needs. 
CSIRT members are ready to address the daily operational challenges, supporting both the team and its customers.", "purpose": "Help staff members successfully and appropriately plan and develop their careers." }, "related": [ 
@@ -1289,7 +1289,7 @@ { "description": "Develop an after-action report which includes lessons learned or findings/best practices from the exercise, and provide an assessment to the stakeholders/management.", "meta": { - "outcome": "Deliverables are created highlighting the success of the exercise, areas for improvement, general findings, and recommended actions to take in order to improve: the organization incident management capabilities, the CSIRT’s team processes, and the capabilities of individual constituents and of the stakeholder community as a whole, including communications capabilities and procedures. 9.4 Service: Technical and policy advisory Purpose: Ensure the constituency’s policies and procedures include appropriate incident management considerations and, ultimately, enable the constituency to better manage risks and threats, as well as enabling the CSIRT to be more effective. Description: Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT. Outcome: A constituency is enabled to make organizational decisions based on operational security best practices that incorporate business continuity and disaster recovery best practices, while also understanding the need of including incident management teams, as trusted advisors, in business decisions where appropriate. 
The following functions are considered to be part of the implementation of this service: Risk management support\nBusiness continuity and disaster recovery planning support\nPolicy support\nTechnical advice", + "outcome": "Deliverables are created highlighting the success of the exercise, areas for improvement, general findings, and recommended actions to take in order to improve: the organization incident management capabilities, the CSIRT’s team processes, and the capabilities of individual constituents and of the stakeholder community as a whole, including communications capabilities and procedures.", "purpose": "Perform a formal and objective analysis of the exercise, based on factual observations." }, "related": [ 
@@ -1349,7 +1349,7 @@ { "description": "This function provides support and recommendations for the improvement of cybersecurity related infrastructures, tools, and services for its constituency, with the goal of improving the security posture and incident management overall. This might include advice on security considerations for acquisition, compliance verification, maintenance, and upgrades\ninternal and external audits of cybersecurity related infrastructures and tools\nsecure software development requirements and secure coding", "meta": { - "outcome": "Support is provided to design, acquire, manage, operate and maintain the constituency’s infrastructure and systems and tools, as well as assist in building the capability, capacity, and maturity of incident management activities. ANNEX 1: Acknowledgments The following volunteers from the CSIRT communities contributed significantly to this version of the CSIRT Services Framework. They have been listed in alphabetical order by their last name, without title but with affiliation, role, and country: Vilius Benetis, NRD CIRT (LT)\nOlivier Caleff (Service Area Coordinator), openCSIRT Foundation (FR)\nCristine Hoepers (Service Area Coordinator), CERT.br (BR) \nAngela Horneman, CERT/CC, SEI, CMU (US) \nAllen Householder, CERT/CC, SEI, CMU (US) \nKlaus-Peter Kossakowski (Editor), Hamburg University of Applied Sciences (DE)\nArt Manion, CERT/CC, SEI, CMU (US)\nAmanda Mullens (Co-Service Area Coordinator), CISCO (US)\nSamuel Perl (Service Area Coordinator), CERT/CC, SEI, CMU (US)\nDaniel Roethlisberger (Service Area Coordinator), Swisscom (CH) \nSigitas Rokas, NRD CIRT (LT) \nMary Rossell, Intel (US)\nRobin M. Ruefle (Co-Service Area Coordinator), CERT/CC, SEI, CMU (US)\nDésirée Sacher, Finanz Informatik (DE) \nKrassimir T. Tzvetanov, Fastly (US) \nMark Zajicek (Co-Service Area Coordinator), CERT/CC, SEI, CMU (US)\n \nANNEX 2: Terms and Definitions This section defines certain terms used in the CSIRT Services Framework. 
Action- The description of how something is done at varying levels of detail.\n\n\nAdvisory9- An announcement or bulletin that serves to inform, advise, and warn about the vulnerability of a product. \n\n\nCapability- A measurable activity that may be performed as part of an organization’s roles and responsibilities. For the purposes of the FIRST services framework, the capabilities can either be defined as the broader services or as the requisite functions.\n\n\nCapacity- The number of simultaneous process-occurrences of a particular capability that an organization can execute before they achieve some form of resource exhaustion.\n\n\nCommon Vulnerability Exposures (CVE)10- A list of entries containing an identification number, a description, and at least one public reference for publicly known vulnerabilities. Serves as a standard identifier to reference vulnerabilities. \n\n\nCommon Vulnerability Scoring System (CVSS)11- A numerical score that reflects a vulnerability’s severity. \n\n\nCommon Weakness Enumeration (CWE)12- A formal list of software weakness types created to serve as a common language for describing software security weakness in architecture, design, or code; serve as a standard measuring stick for software security tools targeting these weaknesses; and provide a common baseline standard for weakness identification, mitigation, and prevention efforts. \n\n\nConstituency- A specific group of people and/or organizations that have access to a specific set of services offered by a CSIRT.\n\n\nContextual Data Source- A source of contextual data that gives context to data points, for example to an identity, an asset, or an information security event. Specific examples include user databases, asset inventories, IP repudiation services, or threat intelligence data.\n\n\nCoordinated vulnerability disclosure- A term used to denote a disclosure process that includes coordination. 
Source: ISO/IEC 29147:2018, Terms and definitions.\n\n\nCoordinator13- An optional participant who can assist vendors and finders in handling and disclosing vulnerability information. \n\n\nDetection Use Case- A specific condition to be detected by an Information Security Event Management service area. The terminology originates in software engineering, but is now widely used in detection engineering.\n\n\nEmbargo- A hold on the publication of vulnerability details until affected vendors are able to release security updates or mitigations and workarounds to protect customers.\n\n\nFinder14- An individual or organization that identifies a potential vulnerability in a product or online service. Please note that finders can be researchers, reporters, security companies, hackers, users, governments, or coordinators.\n\n\nFunction- An activity or set of activities aimed at fulfilling the purpose of a particular service. Other definitions include: a group of related actions15; to perform a specified action or activity, work, operate.16\n\n\nInformation Security Event- An observable event in an IT environment that is relevant to security; for example, a user logon or an IDS alert. Information security events typically produce some kind of evidence, such as an audit record or an entry in a log file, that can be collected and analyzed as part of the Information Security Event Management service area.\n\n\nInformation Security Incident17- Any adverse information security event (or set of information security events) which indicates a compromise of some aspect of user, system, organization, and/or network information security. 
The definition of an information security incident may vary between organizations, but at least the following categories are generally applicable:\n\nLoss of confidentiality of information\nCompromise of integrity of information\nDenial of service\nMisuse of service, systems or information\nDamage to systems\n\nAttacks, even if they failed because of proper protection, can be regarded as information security incident.\n\n\nKey Performance Indicator (KPI)18- A measurable value that demonstrates how effectively a company is achieving key business objectives. Organizations use KPIs at multiple levels to evaluate their success at reaching targets.\n\n\nMaturity- How effectively an organization executes a particular capability within the mission and authorities of the organization. It is a level of proficiency attained either in executing specific functions or in an aggregate of functions or services. The ability of an organization will be determined by the extent and quality of established policies and documentation and the ability to execute a set process.\n\n\nOpen Source- Works that are licensed in such a way that they may be freely redistributed and modified, where the source code is made available publicly, and is freely distributed and does not discriminate against any persons, groups, or fields of endeavor, and is technology-neutral. Open source software is often maintained by a community of individuals and entities who collaboratively create and maintain it.\n\n\nProduct19- A system implemented or developed for sale or to be offered for free.\n\n\nRemediation (or Remedy)20- A change made to a product or online service to remove or mitigate a vulnerability. A remediation typically takes the form of a binary file replacement, configuration change, or source code patch and recompile. Different terms used for “remediation” include patch, fix, update, hotfix, and upgrade. 
Mitigations are also called workarounds or countermeasures.\n\n\nResponsible Disclosure- A term which is used to refer to a process or model where a vulnerability is disclosed only after a period of time that allows a remediation (fix or patch) to be made available. This term is not necessarily the same as “coordinated vulnerability disclosure.”\n\n\nRisk21- The “effect of uncertainty on objectives.” In this definition, uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information.\n\n\nRisk Acceptance22- A risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs.\n\n\nRisk Register23- A document in which the results of risk analysis and risk response planning are recorded.\n\n\nService- A service is a set of recognizable, coherent functions towards a specific result. Such results might be expected or required by constituents or on behalf of or for the stakeholder of an entity. \n\n\nService Level Agreement (SLA)- A contract between a service provider (either internal or external) and the end user that defines the level of service expected from the service provider. \n\n\nStakeholders24- Individuals or groups that define and modify the service areas or services and ensure an appropriate service communication strategy and groups who can benefit from services offered. \n\n\nTasks- the list of actions that must be performed to complete a specific function.\n\n\nVendor25- A person or organization that developed the product or service or is responsible for maintaining it.\n\n\nVulnerability26- A weakness in software, hardware, or an online service that can be exploited. ANNEX 3: Supporting Resources Alberts, David S., et.al. Understanding information age warfare. In DOD Command and Control Research Program Publication Series. ADA395859. Booz Allen & Hamilton, McLean, VA. 2001.\nhttps://apps.dtic.mil/docs/citations/ADA395859 Barford P., et al. 
(2010) Cyber SA: Situational Awareness for Cyber Defense. In: Jajodia S., Liu P., Swarup V., Wang C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, 2010. Boston, MA. ISBN 978-1-4419-0140-8_1\nhttps://link.springer.com/chapter/10.1007/978-1-4419-0140-8_1 Boyd, John R. Destruction and Creation. Goal Systems International. September 3, 1976.\nhttp://www.goalsys.com/books/documents/DESTRUCTION_AND_CREATION.pdf Cartwright, James E. Joint Concept of Operations for Global Information Grid NetOps. United States Strategic Command. PDF August 10, 2005. Homeland Security Digital Library. August 10, 2005.\nhttps://www.hsdl.org/?view&did=685398 Committee on National Security Systems Instruction CNSSI 4009. Committee on National Security Systems Website. June 23, 2019 [accessed].\nhttps://www.cnss.gov/cnss/ Cybersecurity Situation Awareness. The MITRE Corporation Website. June 25, 2019 [accessed].\nhttps://www.mitre.org/capabilities/cybersecurity/situation-awareness Endsley, Mica R. Toward a theory of situation awareness in dynamic systems. Human factors Volume 37. Number 1. March 1995 Pages 32-64.\nhttps://journals.sagepub.com/doi/10.1518/001872095779049543 FIRST Product Security Incident Response Team (PSIRT) Services Framework, Version 1.0, 2018. North Carolina: First.org, 2018\nhttps://www.first.org/education/FIRST_PSIRT_Service_Framework_v1.0 FIRST Vulnerability Reporting and Data eXchange SIG (VRDX-SIG). 2013-2015. North Carolina: First.org, 2015\nhttps://www.first.org/global/sigs/vrdx/ Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure, Version 1.0, 2017. North Carolina: First.org, 2017\nhttps://www.first.org/global/sigs/vulnerability-coordination/multiparty/guidelines-v1.0 Hawk, Robert. Situational Awareness in Cyber Security. [blog post]. Hawk’s Posts: Security Essentials from Robert Hawk. 
June 11, 2015.\nhttps://www.alienvault.com/blogs/security-essentials/situational-awareness-in-cyber-security Householder, Allen D.; Wassermann, Garret; Manion, Art; King, Christopher. The CERT® Guide to Coordinated Vulnerability Disclosure. CMU/SEI-2017-SR-022. Software Engineering Institute, Carnegie Mellon University. 2017\nhttps://resources.sei.cmu.edu/library/asset-view.cfm?assetid=503330 Householder, Alan. Vulnerability Discovery for Emerging Networked Systems [blog post]. Vulnerability discovery techniques. November 20, 2014.\nhttps://insights.sei.cmu.edu/cert/2014/11/-vulnerability-discovery-for-emerging-networked-systems.html International Organization for Standardization. Information technology -- Security techniques -- Vulnerability disclosure. Second Edition. ISO/IEC 29147:2018. Geneva, Switzerland: ISO: IEC. 2018\nhttps://www.iso.org/standard/72311.html International Organization for Standardization. Information technology -- Security techniques -- Vulnerability handling processes. First Edition. ISO/IEC 30111:2013. Geneva, Switzerland: ISO: IEC. 2013\nhttps://www.iso.org/standard/53231.html Jajodia, Sushil, et al., (Eds.). Cyber Situational Awareness: Issues and Research. Part of the Advances in Information Security book series (ADIS, volume 46). 2010. ISBN 978-1-4419-0140-8\nhttps://link.springer.com/book/10.1007/978-1-4419-0140-8 Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001. ISBN: 9783831100590. Kossakowski; Klaus-Peter & Stikvoort, Don. A Trusted CSIRT Introducer in Europe. Amersfoort, Netherlands: M&I/Stelvio, February, 2000.\nhttp://www.ti.terena.nl/process/ti-v2.pdf Manion, Art & Householder, Alan. Vulnerability Analysis. CERT Coordination Center (CERT/CC). May 30, 2019.\nhttps://vuls.cert.org/ McGuinness, B. &, Foy, L. A subjective measure of SA: The crew awareness rating scale (cars). In Kaber, D.B.; Endsley, M.R.; p. 286-291. 
Proceedings of the First Human Performance, situation awareness and automation conference; user-centered design for the new millennium. Savannah, Georgia, October 2000. Salerno, John; Hinman, Michael & Boulware, Douglas. Situation awareness model applied to multiple domains. In Proceedings of the Defense and Security Conference, Orlando, FL, March 2005.\nhttps://www.spiedigitallibrary.org/conference-proceedings-of-spie/5813/0000/A-situation-awareness-model-applied-to-multiple-domains/10.1117/12.603735.full?SSO=1 Stone, Steve. Data to Decisions for Cyberspace Operations. The MITRE Corporation Website. January 2016\nhttps://www.mitre.org/publications/technical-papers/data-to-decisions-for-cyberspace-operations Tadda G.P., Salerno J.S. (2010) Overview of Cyber Situation Awareness. In: Jajodia S., Liu P., Swarup V., Wang C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, Boston, MA. 2010. ISBN 978-1-4419-0140-8\nhttps://link.springer.com/chapter/10.1007/978-1-4419-0140-8_2 West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response Teams (CSIRTs). CMU/SEI-98-HB-001. Software Engineering Institute, Carnegie Mellon University. 1998.\nhttp://www.sei.cmu.edu/publications/documents/98.reports/98hb001/98hb001abstract.html ANNEX 4: Overview of all CSIRT Services and related Functions https://www.first.org/standards/frameworks/csirts/ for CSIRT related materials ^\nCheck [Kossakowski 2001] for a discussion of internal support services and its relationship to other services ^\nA FIRST Special Interest Group (SIG) has been established to steer the “CSIRT Framework Development”. ^\nAlthough this services framework does not aim to define a SOC services framework, it is certainly expected that services from both Information Security Event and Incident Management areas will be useful and directly applicable while defining SOC services. 
^\nAs is to be expected for all services related to the intake of information and data, there are many similarities. It is therefore common to combine such services from several service areas offered into one service/function. As this is not mandatory and there is no set combination of service areas, we have chosen to keep such services separate within the CSIRT Services Framework, although each team is free to choose the best organizational model for its own setup. ^\nNew vulnerability information received by email may be considered to be an activity of either the Vulnerability Discovery service, Public Source Vulnerability Discovery function, Vulnerability Report Intake service, or of the Vulnerability Report Receipt function, depending on the CSIRT’s internal processes or on how broadly the vulnerability information was distributed. ^\nSee the Vulnerability Coordination and Vulnerability Disclosure service areas for related information on coordinated vulnerability disclosure (CVD). ^\nAlthough the function and sub-functions for detecting vulnerabilities are sometimes referred to as “vulnerability management,” this CSIRT Services Framework instead refers to these as part of this Vulnerability Response service, which is part of the larger service area named Vulnerability Management in this framework. 
^\nISO/IEC 29147:2014 Information technology—Security techniques — Vulnerability disclosure- Terms/Definitions 3.1^\nhttps://cve.mitre.org/ ^\nhttps://www.first.org/cvss/ ^\nhttps://cwe.mitre.org/about/index.html ^\nISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes-Terms/Definitions 3.1^\nISO/IEC 29147:2014 Information technology—Security techniques — Vulnerability disclosure- Terms/Definitions 3.3^\nSource: https://www.merriam-webster.com/dictionary/function ^\nSource: https://www.dictionary.com/browse/function ^\nBased on RFC2350 by considering „information security“ instead of „IT security“, https://tools.ietf.org/html/rfc2350. ^\nhttps://www.klipfolio.com/resources/articles/what-is-a-key-performance-indicator ^\nISO/IEC 29147:2014 Information technology—Security techniques—Vulnerability disclosure-Terms/Definitions 3.5 ^\nISO/IEC 29147:2014 Information technology—Security techniques—Vulnerability disclosure-Terms/Definitions 3.6 ^\nISO 31000:2009/ ISO Guide 73:2002 Risk management — Principles and guidelines- Terms/Definitions 2.1 ^\nThe Project Management Body of Knowledge (PMBOK) Guide and Standards ^\nThe Project Management Body of Knowledge (PMBOK) Guide and Standards ^\nArchitecture Content Framework ^\nISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes-Terms/Definitions 3.7 ^\nISO/IEC 30111:2013 Information technology—Security techniques—Vulnerability handling processes-Terms/Definitions 3.8^", + "outcome": "Support is provided to design, acquire, manage, operate and maintain the constituency’s infrastructure and systems and tools, as well as assist in building the capability, capacity, and maturity of incident management activities.", "purpose": "Provide technical advice that can help the constituency to better manage risks and threats and implement current operational and security best practices, while enabling effective incident handling activities." 
}, "related": [ diff --git a/tools/gen_csf_alt.py b/tools/gen_csf_alt.py new file mode 100644 index 0000000..4eeb54c --- /dev/null +++ b/tools/gen_csf_alt.py 
@@ -0,0 +1,228 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# A simple convertor script to generate galaxies from the MITRE NICE framework +# https://niccs.cisa.gov/workforce-development/nice-framework +# Copyright (C) 2024 Jean-Louis Huynen +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +import pdb +import requests +import json +import os +import uuid +import re +from bs4 import BeautifulSoup + +# uuidv4 generated to be concatenated in v5: 43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0 + +galaxy = { + "namespace": "first", + "type": "first-csirt-services-framework", + "name": "FIRST CSIRT Services Framework", + "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide", + "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", + "version": 1, + "icon": 'user', +} + +cluster = { + 'authors': ["FIRST", "CIRCL", "Jean-Louis Huynen"], + 'category': 'csirt', + "type": "first-csirt-services-framework", + "name": "FIRST CSIRT Services Framework", + "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services 
and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide", + "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", + 'source': 'https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1', + 'values': [], + 'version': 1, +} + +# URL to download +url = "https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#5-Service-Area-Information-Security-Event-Management" + +# Send a GET request to the webpage +response = requests.get(url) + +def extract_nostrong_content(element): + content = element.find_next_siblings('p', limit=3) + extracted = {} + + extracted["purpose"] = content[0].text.strip()[8:] + for sibling in content[0].find_next_siblings(): + if "Description:" in sibling.text: + break + extracted["purpose"] += f" {sibling.text.strip()}" + + extracted["description"] = content[1].text.strip()[12:] + for sibling in content[1].find_next_siblings(): + if "Outcome:" in sibling.text: + break + extracted["description"] += f" {sibling.text.strip()}" + + extracted["outcome"] = content[2].text.strip()[8:] + for sibling in content[2].find_next_siblings(): + if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]): + break + extracted["outcome"] += f" {sibling.text.strip()}" + return extracted + +def extract_content(element): + content = {} + description_title = element.find_next( + "em", string=lambda text: "Description:" in text + ) + purpose_title = element.find_next("em", string=lambda text: "Purpose:" in text) + outcome_title = element.find_next("em", string=lambda text: "Outcome:" in text) + + content["purpose"] = ( + purpose_title.parent.parent.get_text(strip=True).replace("Purpose:", "").strip() + ) + for sibling in purpose_title.parent.parent.find_next_siblings(): + if "Description:" in sibling.text: + break + content["purpose"] += f" {sibling.text.strip()}" + + 
content["description"] = ( + description_title.parent.parent.get_text(strip=True) + .replace("Description:", "") + .strip() + ) + + for sibling in description_title.parent.parent.find_next_siblings(): + if "Outcome:" in sibling.text: + break + content["description"] += f" {sibling.text.strip()}" + + content["outcome"] = ( + outcome_title.parent.parent.get_text(strip=True).replace("Outcome:", "").strip() + ) + for sibling in outcome_title.parent.parent.find_next_siblings(): + if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]): + break + content["outcome"] += f" {sibling.text.strip()}" + content["outcome"] = content["outcome"].split("The following functions")[0].strip() + return content + + +def remove_heading(input_string): + return re.sub(r'^\d+(\.\d+)*\s+', '', input_string) + +# Check if the request was successful +if response.status_code == 200: + # Parse the page content with BeautifulSoup + soup = BeautifulSoup(response.content, 'html.parser') + + # Removing all links + for a in soup.find_all('a', href=True): + if a['href'].startswith('#'): + a.decompose() + + # Extract the section titled "4 CSIRT Services Framework Structure" + section_header = soup.find( + 'h2', id="5-Service-Area-Information-Security-Event-Management" + ) + if section_header: + + services = section_header.find_next_siblings('h3') + functions = section_header.find_next_siblings('h4') + + for service in services: + if "Monitoring and detection" in service.text: + content = extract_nostrong_content(service) + else: + content = extract_content(service) + name = remove_heading(service.text.strip()) + suuid = str( + uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name) + ) + cluster["values"].append( + { + "description": content["description"], + "meta": { + "purpose": content["purpose"], + "outcome": content["outcome"], + }, + "uuid": suuid, + "value": name, + "related": [], + } + ) + + for 
function in functions: + content = extract_content(function) + # get the parent service + parent_service = function.find_previous('h3') + relationship = { + "dest-uuid": str( + uuid.uuid5( + uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), + remove_heading(parent_service.text.strip()), + ) + ), + "type": "part-of", + } + + name = remove_heading(function.text.strip()) + + cluster["values"].append( + { + "description": content["description"], + "meta": { + "purpose": content["purpose"], + "outcome": content["outcome"], + }, + "uuid": str( + uuid.uuid5( + uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name + ) + ), + "value": name, + "related": [relationship], + } + ) + + with open( + os.path.join( + os.path.dirname(__file__), + '..', + 'galaxies', + f'first-csirt-services-framework.json', + ), + 'w', + ) as f: + json.dump(galaxy, f, indent=2, sort_keys=True, ensure_ascii=False) + f.write( + '\n' + ) # only needed for the beauty and to be compliant with jq_all_the_things + + with open( + os.path.join( + os.path.dirname(__file__), + '..', + 'clusters', + f'first-csirt-services-framework.json', + ), + 'w', + ) as f: + json.dump(cluster, f, indent=2, sort_keys=True, ensure_ascii=False) + f.write( + '\n' + ) # only needed for the beauty and to be compliant with jq_all_the_things + + else: + print("Couldn't find the section header.") +else: + print(f"Failed to download the webpage. Status code: {response.status_code}") From 7258dd683ca7f777a8ac71a8547cedb8454afa6b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 2 Sep 2024 10:16:50 +0200 Subject: [PATCH 09/36] chg: [sigma] updated to the latest version --- clusters/sigma-rules.json | 4168 +++++++++++++++++++++---------------- 1 file changed, 2348 insertions(+), 1820 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index 987e20b..17d0966 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json 
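Review bot: The module header of tools/gen_csf_alt.py still says the script generates galaxies from the MITRE NICE framework and links niccs.cisa.gov, which does not match what the code below does (it scrapes the FIRST CSIRT Services Framework page into `galaxy` and `cluster`); replace those two comment lines with `# A simple converter script to generate a galaxy/cluster from the FIRST CSIRT Services Framework` and `# https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1`. The top-level `requests.get(url)` has no timeout, so an unresponsive server hangs the generator indefinitely; `response = requests.get(url, timeout=30)` is the usual fix, and `import pdb` is an unused debugging import that should be dropped. The namespace UUID `43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0` is repeated three times as a literal inside `uuid.UUID(...)` calls; hoisting it once into `NAMESPACE = uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0")` keeps the uuid5 derivation for services and functions from drifting apart. The two `f'first-csirt-services-framework.json'` strings contain no placeholders and can be plain string literals. The hunk has lost its indentation in this view, so the exact nesting of the extraction loops and the `with open(...)` writes is inferred rather than read.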
@@ -23,10 +23,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ @@ -59,8 +59,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" ], "tags": [ 
@@ -149,10 +149,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://www.sans.org/cyber-security-summit/archives", - "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", + "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ @@ -189,8 +189,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -223,8 +223,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", + "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" ], "tags": [ 
@@ -258,10 +258,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ @@ -395,8 +395,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/aedebug.html", "https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", + "https://persistence-info.github.io/Data/aedebug.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" ], "tags": [ 
@@ -466,10 +466,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", - "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", + "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", + "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], @@ -564,8 +564,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" ], "tags": [ 
@@ -682,8 +682,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml" ], "tags": [ @@ -751,8 +751,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf", "https://twitter.com/standa_t/status/1808868985678803222", + "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml" ], "tags": [ 
@@ -786,8 +786,8 @@ "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", - "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", + "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], "tags": [ @@ -820,9 +820,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ 
@@ -899,8 +899,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/1", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], "tags": [ @@ -1032,8 +1032,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" ], "tags": [ @@ -1101,8 +1101,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ 
@@ -1202,10 +1202,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", - "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", + "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", + "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ @@ -1271,8 +1271,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" ], "tags": [ @@ -1305,8 +1305,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", "https://persistence-info.github.io/Data/naturallanguage6.html", + "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" ], "tags": [ 
@@ -1439,8 +1439,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", + "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml" ], "tags": [ @@ -1627,8 +1627,8 @@ "logsource.product": "windows", "refs": [ "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml" ], "tags": [ @@ -1661,8 +1661,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://twitter.com/inversecos/status/1494174785621819397", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml" ], 
@@ -1737,9 +1737,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", + "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], "tags": [ @@ -1773,8 +1773,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" ], "tags": [ @@ -1891,8 +1891,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], 
@@ -1940,8 +1940,8 @@ "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/ifilters.html", - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://github.com/gtworek/PSBits/tree/master/IFilter", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://twitter.com/0gtweet/status/1468548924600459267", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], @@ -1966,9 +1966,9 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", - "https://twitter.com/M_haggis/status/1699056847154725107", - "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", + "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", + "https://twitter.com/M_haggis/status/1699056847154725107", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ 
@@ -2057,9 +2057,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1626648985824788480", "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", + "https://twitter.com/nas_bench/status/1626648985824788480", "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], @@ -2249,8 +2249,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ 
@@ -2285,15 +2285,15 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" 
@@ -2336,8 +2336,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", + "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml" ], "tags": [ @@ -2393,8 +2393,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ @@ -2451,8 +2451,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", + "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml" ], "tags": [ 
@@ -2552,8 +2552,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://youtu.be/zSihR3lTf7g", "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", + "https://youtu.be/zSihR3lTf7g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ 
@@ -2643,15 +2643,15 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", + "https://blog.sekoia.io/darkgate-internals/", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://blog.sekoia.io/darkgate-internals/", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", 
"https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
@@ -2773,6 +2773,39 @@
 "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85",
 "value": "New TimeProviders Registered With Uncommon DLL Name"
 },
+ {
+ "description": "Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a \"Dev Drive\".\n",
+ "meta": {
+ "author": "@kostastsale, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023-11-05",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "registry_set_devdrv_disallow_antivirus_filter.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1720419490519752955",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "31e124fb-5dc4-42a0-83b3-44a69c77b271",
+ "value": "Antivirus Filter Driver Disallowed On Dev Drive - Registry"
+ },
 {
 "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
 "meta": {
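Review bot: The new entry's `description` ends in an escaped newline (`...inspect a \"Dev Drive\".\n`), whereas the neighbouring entries' descriptions do not (the following context line reads `"description": "Detects modification of autostart extensibility point (ASEP) in registry.",`), so the generator presumably copies the YAML block-scalar description verbatim; stripping trailing whitespace before serialising would keep the field uniform across the cluster. The rest of the entry matches the surrounding shape: one `related` element whose `dest-uuid` corresponds to the single `attack.t1562.001` tag, the `falsepositive` value carried as a list, and the SigmaHQ rule URL appended last in `refs`. The `refs` array here holds only one external reference, a social-media post, so readers of this cluster have no durable primary source for the detection; that is inherited from the upstream rule rather than introduced by this commit.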
@@ -2788,8 +2821,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -2822,8 +2855,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/", + "https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml" ], "tags": [ 
@@ -2857,13 +2890,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ 
@@ -2897,8 +2930,8 @@ "logsource.product": "windows", "refs": [ "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" ], "tags": [ @@ -2934,8 +2967,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ @@ -2991,9 +3024,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ 
@@ -3016,9 +3049,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", "https://unit42.paloaltonetworks.com/ransomware-families/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], "tags": [ @@ -3051,8 +3084,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13", + "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml" ], "tags": [ 
@@ -3078,8 +3111,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ @@ -3148,8 +3181,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ @@ -3185,8 +3218,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ 
@@ -3252,8 +3285,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" ], "tags": [ @@ -3276,10 +3309,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", - "https://github.com/elastic/detection-rules/issues/1371", "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://github.com/elastic/detection-rules/issues/1371", "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -3445,8 +3478,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ 
@@ -3552,8 +3585,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://twitter.com/inversecos/status/1494174785621819397", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml" ], @@ -3654,12 +3687,12 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], 
@@ -3728,8 +3761,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" ], "tags": [ 
@@ -3840,6 +3873,30 @@
 "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685",
 "value": "Potential Persistence Via Visual Studio Tools for Office"
 },
+ {
+ "description": "Detects changes to the \"HVCIDisallowedImages\" registry value to potentially add a driver to the list, in order to prevent it from loading.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)",
+ "creation_date": "2023-12-05",
+ "falsepositive": [
+ "Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended"
+ ],
+ "filename": "registry_set_hvci_disallowed_images.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://x.com/yarden_shafir/status/1822667605175324787",
+ "https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion"
+ ]
+ },
+ "uuid": "555155a2-03bf-4fe7-af74-d176b3fdbe16",
+ "value": "Driver Added To Disallowed Images In HVCI - Registry"
+ },
 {
 "description": "Detects changes to registry keys related to \"Trusted Location\" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.",
 "meta": {
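Review bot: The added entry's `description` ends in a literal `\n` (`...prevent it from loading.\n`), while the neighbouring entries in the same hunk have no trailing newline; the entry added in the `@@ -5924,6 +5981,39 @@` hunk carries the same trailing `\n`. This looks like the terminating newline of a YAML block scalar surviving the export, so trimming trailing whitespace where the Sigma `description` is copied into the cluster would keep the field consistent (the exporter itself is not part of this diff, so this is inferred). Two smaller points on the same entry: the false-positive text reads `make sure its intended` (should be `it's`), and the rule carries only the tactic tag `attack.defense-evasion`, so no `related` ATT&CK link is emitted for it, unlike the later entry whose `attack.t1562.001` tag produces one; if the upstream rule has a technique tag, it is worth checking why it did not reach this file. If this cluster is generated from the Sigma repository, both should be fixed upstream rather than hand-edited here, or they will be lost on the next regeneration.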
@@ -3954,10 +4011,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps", - "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1", + "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware", + "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml" ], "tags": [ @@ -4015,8 +4072,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -4082,8 +4139,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/SIP", "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", + "https://github.com/gtworek/PSBits/tree/master/SIP", "https://persistence-info.github.io/Data/codesigning.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" ], 
@@ -4118,8 +4175,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/autodialdll.html", "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", + "https://persistence-info.github.io/Data/autodialdll.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" ], "tags": [ @@ -4712,8 +4769,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md", "https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/", + "https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml" ], "tags": [ @@ -4780,8 +4837,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", + "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], 
@@ -4872,8 +4929,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://forensafe.com/blogs/typedpaths.html", "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" ], "tags": [ @@ -5063,8 +5120,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", + "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml" ], "tags": [ @@ -5165,9 +5222,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", - "https://twitter.com/VakninHai/status/1517027824984547329", "https://twitter.com/pabraeken/status/998627081360695297", + "https://twitter.com/VakninHai/status/1517027824984547329", + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ @@ -5241,8 +5298,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://twitter.com/malmoeb/status/1560536653709598721", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" ], "tags": [ 
@@ -5265,11 +5322,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", + "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], "tags": [ @@ -5435,8 +5492,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml" ], "tags": [ 
@@ -5504,8 +5561,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ @@ -5573,10 +5630,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/userinitmprlogonscript.html", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://persistence-info.github.io/Data/userinitmprlogonscript.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ 
@@ -5611,8 +5668,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ @@ -5686,9 +5743,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=1785", "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials", + "https://adsecurity.org/?p=1785", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml" ], "tags": [ @@ -5723,8 +5780,8 @@ "refs": [ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", + "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" ], "tags": [ 
@@ -5924,6 +5981,39 @@
 "uuid": "28036918-04d3-423d-91c0-55ecf99fb892",
 "value": "NET NGenAssemblyUsageLog Registry Key Tamper"
 },
+ {
+ "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), @Kostastsale",
+ "creation_date": "2024-08-23",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_office_disable_python_security_warnings.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "17e53739-a1fc-4a62-b1b9-87711c2d5e44",
+ "value": "Python Function Execution Security Warning Disabled In Excel - Registry"
+ },
 {
 "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".",
 "meta": {
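Review bot: The added entry pairs `"level": "high"` with a `falsepositive` list of just `"Unknown"`, which gives an analyst nothing to triage against when the alert fires. The HVCI entry added earlier in this diff shows the better shape: it names the legitimate case and what to verify (`Investigate the driver being added ...`). Presumably an administratively applied Office policy could set `PythonFunctionWarnings` as well — that is inferred, not visible here — so the upstream rule's false-positive note is the place to record whether such a benign source exists and how to distinguish it. As with the other new entry, this originates in the Sigma rule if the file is generated, so it should be changed there.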
@@ -5937,8 +6027,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://twitter.com/0gtweet/status/1674399582162153472", + "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml" ], "tags": [ @@ -6005,8 +6095,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", "https://persistence-info.github.io/Data/wer_debugger.html", + "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml" ], "tags": [ @@ -6104,8 +6194,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml" ], "tags": [ 
@@ -6270,9 +6360,9 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ + "http://woshub.com/how-to-clear-rdp-connections-history/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", - "http://woshub.com/how-to-clear-rdp-connections-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ @@ -6313,10 +6403,10 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", - "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://learn.microsoft.com/en-us/windows/win32/shell/launch", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", + "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], 
@@ -6350,8 +6440,8 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://seclists.org/fulldisclosure/2020/Mar/45", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://seclists.org/fulldisclosure/2020/Mar/45", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" ], "tags": [ @@ -6495,9 +6585,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -6566,9 +6656,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", "https://twitter.com/inversecos/status/1494174785621819397", "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", + "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" ], "tags": [ 
@@ -6601,11 +6691,11 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ + "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://nvd.nist.gov/vuln/detail/cve-2021-34527", "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://nvd.nist.gov/vuln/detail/cve-2021-1675", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", - "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", - "https://nvd.nist.gov/vuln/detail/cve-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -6676,9 +6766,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", - "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", - "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", + "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -6720,8 +6810,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/pabraeken/status/990717080805789697", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" ], "tags": [ 
@@ -7196,8 +7286,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157", "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" ], "tags": [ @@ -7475,8 +7565,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://twitter.com/SBousseaden/status/1183745981189427200", + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" ], "tags": [ @@ -7686,11 +7776,11 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", - "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" ], "tags": [ 
@@ -7790,8 +7880,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/amsi.html", "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", + "https://persistence-info.github.io/Data/amsi.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml" ], "tags": [ @@ -7814,8 +7904,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml" ], "tags": [ @@ -8207,8 +8297,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", "https://reqrypt.org/windivert-doc.html", + "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml" ], "tags": [ 
@@ -8318,8 +8408,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml" @@ -8354,8 +8444,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://twitter.com/notwhickey/status/1333900137232523264", "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", + "https://twitter.com/notwhickey/status/1333900137232523264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml" ], "tags": [ @@ -8388,8 +8478,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://twitter.com/neonprimetime/status/1436376497980428318", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://twitter.com/neonprimetime/status/1436376497980428318", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml" ], 
@@ -8491,9 +8581,9 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", - "https://cydefops.com/devtunnels-unleashed", "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", + "https://cydefops.com/devtunnels-unleashed", + "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml" ], "tags": [ @@ -8691,9 +8781,9 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ + "https://cydefops.com/vscode-data-exfiltration", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", - "https://cydefops.com/vscode-data-exfiltration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml" ], "tags": [ @@ -8727,8 +8817,8 @@ "logsource.product": "windows", "refs": [ "https://malware.guide/browser-hijacker/remove-onelaunch-virus/", - "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/", "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf", + "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml" ], "tags": [ @@ -8761,8 +8851,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml" ], "tags": [ 
@@ -8804,11 +8894,11 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://redcanary.com/blog/misbehaving-rats/", + "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" ], "tags": [ 
@@ -8841,18 +8931,18 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.us-cert.gov/ncas/alerts/TA17-117A", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://github.com/RiccardoAncarani/LiquidSnake", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml" ], "tags": [ 
@@ -8887,8 +8977,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml"
 ],
 "tags": [
@@ -8966,9 +9056,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Azure/SimuLand",
- "https://o365blog.com/post/adfs/",
 "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
+ "https://o365blog.com/post/adfs/",
+ "https://github.com/Azure/SimuLand",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml"
 ],
 "tags": [
@@ -9001,8 +9091,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml"
 ],
 "tags": [
@@ -9113,8 +9203,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hackvens/CoercedPotato",
 "https://blog.hackvens.fr/articles/CoercedPotato.html",
+ "https://github.com/hackvens/CoercedPotato",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml"
 ],
 "tags": [
@@ -9148,8 +9238,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
 "https://github.com/zcgonvh/EfsPotato",
+ "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml"
 ],
 "tags": [
@@ -9249,9 +9339,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
 "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
 "https://github.com/SigmaHQ/sigma/issues/253",
- "https://twitter.com/d4rksystem/status/1357010969264873472",
 "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml"
 ],
@@ -9286,8 +9376,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml"
 ],
 "tags": [
@@ -9320,8 +9410,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml"
 ],
 "tags": [
@@ -9388,8 +9478,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml"
 ],
 "tags": [
@@ -9446,8 +9536,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml"
 ],
 "tags": [
@@ -9594,8 +9684,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
 "https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml"
 ],
 "tags": [
@@ -9676,9 +9766,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/KeeThief",
 "https://github.com/denandz/KeeFarce",
 "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/GhostPack/KeeThief",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
 ],
 "tags": [
@@ -9787,8 +9877,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1090588499517079552",
 "https://github.com/mdsecactivebreach/CACTUSTORCH",
+ "https://twitter.com/SBousseaden/status/1090588499517079552",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml"
 ],
 "tags": [
@@ -9846,8 +9936,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
 "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
+ "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml"
 ],
 "tags": [
@@ -10681,8 +10771,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
 ],
 "tags": [
@@ -10715,9 +10805,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://en.wikipedia.org/wiki/IExpress",
- "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
 "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
+ "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
+ "https://en.wikipedia.org/wiki/IExpress",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml"
 ],
 "tags": [
@@ -10901,9 +10991,9 @@
 "refs": [
 "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
 "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -11051,8 +11141,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
 "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
+ "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml"
 ],
 "tags": [
@@ -11243,8 +11333,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
 "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders",
+ "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml"
 ],
 "tags": [
@@ -11277,10 +11367,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yaxser/Backstab",
+ "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
 "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
- "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
+ "https://github.com/Yaxser/Backstab",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml"
 ],
 "tags": [
@@ -11414,8 +11504,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml"
 ],
 "tags": [
@@ -11448,8 +11538,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml"
 ],
 "tags": [
@@ -11542,10 +11632,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
 "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
 "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
 ],
 "tags": [
@@ -11667,8 +11757,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
 "https://persistence-info.github.io/Data/wpbbin.html",
+ "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml"
 ],
 "tags": [
@@ -11749,8 +11839,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/rbmaslen/status/1321859647091970051",
 "https://twitter.com/tifkin_/status/1321916444557365248",
+ "https://twitter.com/rbmaslen/status/1321859647091970051",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml"
 ],
 "tags": [
@@ -12040,8 +12130,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2398",
 "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
+ "https://adsecurity.org/?p=2398",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml"
 ],
 "tags": [
@@ -12338,10 +12428,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
- "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
 "http://addbalance.com/word/startup.htm",
+ "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
 "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
+ "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml"
 ],
 "tags": [
@@ -12374,8 +12464,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/",
 "https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32",
+ "https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml"
 ],
 "tags": [
@@ -12415,8 +12505,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://cobalt.io/blog/kerberoast-attack-techniques",
 "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/",
+ "https://cobalt.io/blog/kerberoast-attack-techniques",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml"
 ],
 "tags": [
@@ -12473,26 +12563,26 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/Kevin-Robertson/Powermad",
 "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/AlsidOfficial/WSUSpendu/",
 "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/besimorhino/powercat",
 "https://github.com/adrecon/ADRecon",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/CsEnox/EventViewer-UACBypass",
 "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/samratashok/nishang",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/adrecon/AzureADRecon",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
 "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
 ],
 "tags": [
@@ -12591,8 +12681,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://aboutdfir.com/the-key-to-identify-psexec/",
 "https://twitter.com/davisrichardg/status/1616518800584704028",
+ "https://aboutdfir.com/the-key-to-identify-psexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml"
 ],
 "tags": [
@@ -12646,11 +12736,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://www.google.com/search?q=procdump+lsass",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
 "https://github.com/helpsystems/nanodump",
 "https://github.com/CCob/MirrorDump",
- "https://www.google.com/search?q=procdump+lsass",
- "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml"
 ],
 "tags": [
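Review bot: `"https://www.google.com/search?q=procdump+lsass"` in the lsass_default_dump_file_names `refs` is a search-engine query rather than a reference: its results change over time and by locale, it cannot be archived or cited, and any consumer that dereferences `refs` lands on a different page each time. The value is presumably carried over from the upstream Sigma rule's `references`, so the generator could drop or flag entries whose host is a search engine, or the upstream rule could be fixed to cite the specific write-up the query was meant to locate. `"https://www.google.com/search?q=%22reg.exe+save%22+sam"` and `"https://github.com/search?q=CVE-2021-36934"` in the file_event_win_sam_dump hunk near the end of this chunk have the same problem.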
@@ -12751,10 +12841,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
 "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
 ],
 "tags": [
@@ -13009,8 +13099,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "PT ESC rule and personal experience",
 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md",
+ "PT ESC rule and personal experience",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml"
 ],
 "tags": [
@@ -13043,9 +13133,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
 "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
 "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
- "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
 ],
 "tags": [
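Review bot: `"PT ESC rule and personal experience"` in the file_event_win_webshell_creation_detect `refs` is free-text provenance sitting in an array that otherwise holds URLs, so a consumer that treats `refs` as links will either reject the entry or render a dead link. If the generator cannot move such text to a separate field, it could at least keep in `refs` only entries that parse as URLs (e.g. a scheme-prefixed `http://`/`https://` check) and append the rest to `description`. `"Internal Research"` in the file_event_win_perflogs_susp_files hunk near the end of this chunk has the same problem.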
@@ -13136,8 +13226,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/powershellprofile.html",
 "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://persistence-info.github.io/Data/powershellprofile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
 ],
 "tags": [
@@ -13173,8 +13263,8 @@
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
- "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
 "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
+ "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
 ],
 "tags": [
@@ -13307,8 +13397,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
 ],
 "tags": [
@@ -13538,10 +13628,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
 "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence",
 "https://liberty-shell.com/sec/2020/02/25/shim-persistence/",
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml"
 ],
 "tags": [
@@ -13707,8 +13797,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
 ],
@@ -13775,8 +13865,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/last-byte/PersistenceSniper",
 "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
+ "https://github.com/last-byte/PersistenceSniper",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml"
 ],
 "tags": [
@@ -13799,11 +13889,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://twitter.com/malwrhunterteam/status/1235135745611960321",
 "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
 ],
 "tags": [
@@ -13836,10 +13926,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://pentestlab.blog/tag/ntds-dit/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://pentestlab.blog/tag/ntds-dit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml"
 ],
 "tags": [
@@ -13981,8 +14071,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://asec.ahnlab.com/en/58878/",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/",
+ "https://asec.ahnlab.com/en/58878/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml"
 ],
 "tags": [
@@ -14043,8 +14133,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
 "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
+ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml"
 ],
 "tags": [
@@ -14221,9 +14311,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
 "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
 "https://twitter.com/Sam0x90/status/1552011547974696960",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
 ],
 "tags": [
@@ -14280,8 +14370,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
 ],
 "tags": [
@@ -14381,9 +14471,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/fox-it/LDAPFragger",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://github.com/fox-it/LDAPFragger",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml"
 ],
 "tags": [
@@ -14476,11 +14566,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pfiatde/status/1681977680688738305",
 "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
- "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
 "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
+ "https://twitter.com/pfiatde/status/1681977680688738305",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml"
 ],
 "tags": [
@@ -14513,8 +14603,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.joesandbox.com/analysis/465533/0/html",
 "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://www.joesandbox.com/analysis/465533/0/html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
 ],
 "tags": [
@@ -14597,11 +14687,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://twitter.com/malwrhunterteam/status/1235135745611960321",
 "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
 ],
 "tags": [
@@ -14634,8 +14724,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
 "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
 ],
 "tags": [
@@ -14694,12 +14784,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/detecting-onenote-abuse", - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://twitter.com/MaD_c4t/status/1623414582382567424", "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ @@ -15047,12 +15137,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", - "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ 
@@ -15095,8 +15185,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml" ], "tags": [ @@ -15162,9 +15252,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], "tags": [ @@ -15197,11 +15287,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/HuskyHacks/ShadowSteal", "https://github.com/search?q=CVE-2021-36934", - "https://github.com/FireFart/hivenightmare", - "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://github.com/HuskyHacks/ShadowSteal", "https://github.com/cube0x0/CVE-2021-36934", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://github.com/FireFart/hivenightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ 
@@ -15302,8 +15392,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml" ], "tags": [ @@ -15405,8 +15495,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml" ], "tags": [ @@ -15439,8 +15529,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", "https://www.passcape.com/windows_password_recovery_dpapi_credhist", + "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credhist.yml" ], "tags": [ @@ -15673,8 +15763,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "Internal Research", "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml" ], "tags": [ 
@@ -15878,8 +15968,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ @@ -15945,9 +16035,9 @@ "logsource.category": "file_executable_detected", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/IExpress", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml" ], "tags": [ 
@@ -16105,9 +16195,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", - "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -16392,9 +16482,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -16428,8 +16518,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/splinter_code/status/1483815103279603714", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.elastic.co/security-labs/operation-bleeding-bear", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], 
@@ -16468,6 +16558,32 @@ "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84", "value": "PUA - AdvancedRun Execution" }, + { + "description": "Detects the execution \"AccCheckConsole\" a command-line tool for verifying the accessibility implementation of an application's UI.\nOne of the tests that this checker can run are called \"verification routine\", which tests for things like Consistency, Navigation, etc.\nThe tool allows a user to provide a DLL that can contain a custom \"verification routine\". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the \"AccCheckConsole\" utility.\n", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022-01-06", + "falsepositive": [ + "Legitimate use of the UI Accessibility Checker" + ], + "filename": "proc_creation_win_acccheckconsole_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", + "https://twitter.com/bohops/status/1477717351017680899?s=12", + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml" + ], + "tags": [ + "attack.execution", + "detection.threat-hunting" + ] + }, + "uuid": "0f6da907-5854-4be6-859a-e9958747b0aa", + "value": "Potential DLL Injection Via AccCheckConsole" + }, { "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", "meta": { 
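Review bot: The new entry's description drops a word in its first sentence: `Detects the execution \"AccCheckConsole\" a command-line tool ...` should read `Detects the execution of \"AccCheckConsole\", a command-line tool ...`. The text appears to be copied verbatim from the SigmaHQ rule linked last in `refs`, so the fix belongs upstream in `proc_creation_win_acccheckconsole_execution.yml`; patching it here would be undone by the next regeneration of the cluster.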
@@ -16548,8 +16664,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/_JohnHammond/status/1531672601067675648", - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ @@ -16615,9 +16731,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", - "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/GhostPack/Rubeus", + "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], "tags": [ 
@@ -16667,12 +16783,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", - "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", - "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", - "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", + "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", + "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", + "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", + "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" ], "tags": [ 
@@ -16705,13 +16821,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ @@ -16744,9 +16860,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" ], "tags": [ 
@@ -16788,8 +16904,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" ], "tags": [ @@ -16823,9 +16939,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://ss64.com/bash/rar.html", "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://ss64.com/bash/rar.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], "tags": [ @@ -16858,8 +16974,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", + "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml" ], "tags": [ 
@@ -17117,10 +17233,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/IExpress", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", + "https://en.wikipedia.org/wiki/IExpress", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" ], "tags": [ @@ -17186,9 +17302,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], 
@@ -17305,8 +17421,8 @@ "logsource.product": "windows", "refs": [ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -17376,8 +17492,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" ], "tags": [ @@ -17445,8 +17561,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.pingcastle.com/documentation/scanner/", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://www.pingcastle.com/documentation/scanner/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml" ], "tags": [ 
@@ -17488,8 +17604,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Turla has used fsutil fsinfo drives to list connected drives.", "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", + "Turla has used fsutil fsinfo drives to list connected drives.", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" ], "tags": [ @@ -17522,8 +17638,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound", "https://github.com/BloodHoundAD/BloodHound", + "https://github.com/BloodHoundAD/SharpHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" ], "tags": [ @@ -17647,8 +17763,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" ], 
@@ -17871,13 +17987,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/zcgonvh/NTDSDumpEx", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://pentestlab.blog/tag/ntds-dit/", - "https://github.com/zcgonvh/NTDSDumpEx", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -17943,8 +18059,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ 
@@ -18055,8 +18171,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://dtm.uk/wuauclt/", "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", + "https://dtm.uk/wuauclt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml" ], "tags": [ @@ -18388,9 +18504,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ 
@@ -18499,10 +18615,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", + "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ @@ -18612,10 +18728,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", + "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ 
@@ -18682,9 +18798,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", + "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ @@ -19115,8 +19231,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", + "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml" ], "tags": [ @@ -19157,8 +19273,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml" ], "tags": [ 
@@ -19191,9 +19307,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ @@ -19217,8 +19333,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml" ], "tags": [ @@ -19251,10 +19367,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vysecurity/status/885545634958385153", "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", - "https://twitter.com/Hexacorn/status/885553465417756673", + "https://twitter.com/vysecurity/status/885545634958385153", "https://twitter.com/Hexacorn/status/885570278637678592", + "https://twitter.com/Hexacorn/status/885553465417756673", "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], 
@@ -19308,6 +19424,29 @@ "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "value": "File Download And Execution Via IEExec.EXE" }, + { + "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", + "meta": { + "author": "@Kostastsale, @TheDFIRReport", + "creation_date": "2022-12-05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_emoji_usage_in_cli_1.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml" + ], + "tags": [ + "attack.defense-evasion" + ] + }, + "uuid": "4a30ac0c-b9d6-4e01-b71a-5f851bbf4259", + "value": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1" + }, { "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", "meta": { @@ -19321,8 +19460,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ 
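Review bot: The `refs` array of the new emoji entry holds the free-text item `"Internal Research"` next to URLs (the same mixed content appears in other hunks, e.g. `"Internal Research"` and `"Turla has used fsutil fsinfo drives to list connected drives."`), so a consumer that treats `refs` as a list of links will fail or emit a dead reference. Together with `"level": "high"` and `"falsepositive": ["Unknown"]`, this entry gives a consumer nothing to verify the detection against before acting on a high-severity match on any command line containing an emoji. If the generator cannot move non-URL strings out of `refs` into a separate field, the description should at least carry the caveat, e.g. `... this could be a sign of potential defense evasion activity. No public reference; based on internal research.`, preferably added upstream in the Sigma rule since this text is copied from it.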
@@ -19343,7 +19482,7 @@ "value": "Sdclt Child Processes" }, { - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "description": "Detects the execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract \".cab\" files using the \"/extract\" argument from potentially suspicious paths.\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022-08-05", @@ -19364,7 +19503,7 @@ ] }, "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "value": "Wusa.EXE Extracting Cab Files From Suspicious Paths" + "value": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths" }, { "description": "Detects execution of \"rundll32.exe\" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.", @@ -19553,9 +19692,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.viettelcybersecurity.com/saml-show-stopper/", - "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", + "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", + "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" ], "tags": [ 
@@ -19647,8 +19786,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ 
@@ -19668,6 +19807,49 @@ "uuid": "204b17ae-4007-471b-917b-b917b315c5db", "value": "Greedy File Deletion Using Del" }, + { + "description": "Detects the execution of a specific OneLiner to download and execute powershell modules in memory.", + "meta": { + "author": "@Kostastsale, @TheDFIRReport", + "creation_date": "2022-05-09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_download_cradle_obfuscated.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1059.001", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "44e24481-6202-4c62-9127-5a0ae8e3fe3d", + "value": "Obfuscated PowerShell OneLiner Execution" + }, { "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", "meta": { 
@@ -19735,6 +19917,39 @@ "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", "value": "UAC Bypass Using NTFS Reparse Point - Process" }, + { + "description": "Detects the initial execution of \"cmd.exe\" which spawns \"explorer.exe\" with the appropriate command line arguments for opening the \"My Computer\" folder.\n", + "meta": { + "author": "@Kostastsale", + "creation_date": "2022-12-22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ss64.com/nt/shell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1135" + ] + }, + "related": [ + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c3d76afc-93df-461e-8e67-9b2bad3f2ac4", + "value": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell" + }, { "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", "meta": { @@ -19822,8 +20037,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" ], "tags": [ 
@@ -19931,8 +20146,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/svchost/", "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", + "https://pentestlab.blog/tag/svchost/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml" ], "tags": [ @@ -20020,6 +20235,39 @@ "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet" }, + { + "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\n", + "meta": { + "author": "@Kostastsale", + "creation_date": "2023-08-22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_registry_office_disable_python_security_warnings.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "023c654f-8f16-44d9-bb2b-00ff36a62af9", + "value": "Python Function Execution Security Warning Disabled In Excel" + }, { "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", "meta": { 
@@ -20066,8 +20314,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "https://linux.die.net/man/1/bash", + "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], @@ -20169,9 +20417,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", - "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], "tags": [ @@ -20329,9 +20577,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml" ], 
@@ -20529,9 +20777,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ @@ -20640,9 +20888,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", - "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ @@ -20675,11 +20923,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/egre55/status/1087685529016193025", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], "tags": [ 
@@ -20746,10 +20994,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", + "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml" ], "tags": [ @@ -20851,9 +21099,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", - "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", + "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", + "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ 
@@ -21069,9 +21317,9 @@ "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ @@ -21095,8 +21343,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -21218,8 +21466,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml" ], "tags": [ 
@@ -21286,8 +21534,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1550836225652686848", "https://persistence-info.github.io/Data/windowsterminalprofile.html", + "https://twitter.com/nas_bench/status/1550836225652686848", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ @@ -21345,8 +21593,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": [ @@ -21479,8 +21727,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", "https://github.com/dsnezhkov/TruffleSnout", + "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], 
@@ -21548,10 +21796,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", + "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", - "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", - "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml" ], "tags": [ @@ -21584,8 +21832,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml" ], "tags": [ 
@@ -21821,6 +22069,43 @@ "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", "value": "New User Created Via Net.EXE" }, + { + "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs.", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022-12-29", + "falsepositive": [ + "Legitimate usage for administration purposes" + ], + "filename": "proc_creation_win_ssh_proxy_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://man.openbsd.org/ssh_config#ProxyCommand", + "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", + "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://man.openbsd.org/ssh_config#LocalCommand", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598", + "value": "Program Executed Using Proxy/Local Command Via SSH.EXE" + }, { "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", "meta": { 
@@ -21834,9 +22119,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], @@ -21881,8 +22166,8 @@ "logsource.product": "windows", "refs": [ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ 
@@ -21978,40 +22263,6 @@ "uuid": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "value": "HackTool - KrbRelay Execution" }, - { - "description": "Detects execution of of Dxcap.exe", - "meta": { - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2019-10-26", - "falsepositive": [ - "Legitimate execution of dxcap.exe by legitimate user" - ], - "filename": "proc_creation_win_lolbin_susp_dxcap.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/harr0ey/status/992008180904419328", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" - ], - "tags": [ - "attack.defense-evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "60f16a96-db70-42eb-8f76-16763e333590", - "value": "Application Whitelisting Bypass via Dxcap.exe" - }, { "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", "meta": { @@ -22146,7 +22397,7 @@ { "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", "meta": { - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior", "creation_date": "2021-12-26", "falsepositive": [ "Unknown" 
@@ -22156,9 +22407,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", + "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], "tags": [ @@ -22259,8 +22510,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", "https://twitter.com/med0x2e/status/1520402518685200384", + "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml" ], "tags": [ 
@@ -22471,8 +22722,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml" ], "tags": [ @@ -22514,10 +22765,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://redcanary.com/blog/msix-installers/", - "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", + "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], "tags": [ 
@@ -22551,8 +22802,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml" ], @@ -22586,8 +22837,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks", "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/", + "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml" ], "tags": [ @@ -22687,8 +22938,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml" ], "tags": [ 
@@ -22734,10 +22985,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ @@ -22944,9 +23195,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", + "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml" ], "tags": [ 
@@ -23013,13 +23264,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", - "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://positive.security/blog/ms-officecmd-rce", - "https://taggart-tech.com/quasar-electron/", + "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://github.com/mttaggart/quasar", + "https://taggart-tech.com/quasar-electron/", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ @@ -23143,8 +23394,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/threat-detection/process-masquerading/", "https://tria.ge/240731-jh4crsycnb/behavioral2", + "https://redcanary.com/blog/threat-detection/process-masquerading/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml" ], "tags": [ @@ -23177,8 +23428,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://twitter.com/Oddvarmoe/status/1641712700605513729", + "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml" ], "tags": [ 
@@ -23189,9 +23440,9 @@ "value": "Computer Password Change Via Ksetup.EXE" }, { - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior", "creation_date": "2022-09-01", "falsepositive": [ "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" @@ -23201,8 +23452,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", 
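Review bot: The updated `author` value carries a stray space before a comma, `"Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior"`, whereas the author change in the hunk at `@@ -22146,7 +22397,7 @@` is cleanly separated. If this mirrors the upstream rule's author field, the fix belongs there; otherwise the generator could normalise the separator when it joins author names, e.g. split on commas and strip each part before re-joining with `", "`.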
@@ -23225,6 +23476,45 @@ "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "value": "Suspicious Windows Service Tampering" }, + { + "description": "Detects the execution of the BCP utility in order to export data from the database.\nAttackers were seen saving their malware to a database column or table and then later extracting it via \"bcp.exe\" into a file.\n", + "meta": { + "author": "Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2024-08-20", + "falsepositive": [ + "Legitimate data export operations." + ], + "filename": "proc_creation_win_bcp_export_data.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://asec.ahnlab.com/en/78944/", + "https://docs.microsoft.com/en-us/sql/tools/bcp-utility", + "https://asec.ahnlab.com/en/61000/", + "https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/", + "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii", + "https://www.huntress.com/blog/attacking-mssql-servers", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml" + ], + "tags": [ + "attack.execution", + "attack.t1048" + ] + }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c615d676-f655-46b9-b913-78729021e5d7", + "value": "Data Export From MSSQL Table Via BCP.EXE" + }, { "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) child process", "meta": { 
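Review bot: The tags on the new BCP entry pair `"attack.execution"` with `"attack.t1048"`, but T1048 (Exfiltration Over Alternative Protocol) sits under the Exfiltration tactic, so the tactic tag and the technique tag disagree; the `related` entry pointing at `a19e86f8-1c0a-4fea-8407-23b73d615776`, which I read as the T1048 attack-pattern, is consistent with the technique rather than the tactic. If the upstream rule carries the same tag pair, the correction belongs there; otherwise the generator should derive the tactic tag from the technique instead of copying it. I would expect `"attack.exfiltration"` in place of `"attack.execution"` unless the intent is specifically to tag execution of bcp.exe.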
@@ -23238,9 +23528,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/wermgr.exe", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" ], "tags": [ @@ -23283,9 +23573,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ 
@@ -23656,8 +23946,8 @@ "refs": [ "https://tria.ge/240521-ynezpagf56/behavioral1", "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/", - "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091", "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/", + "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml" ], "tags": [ @@ -23725,11 +24015,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1355171195654709249", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/cglyer/status/1355171195654709249", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ 
@@ -23762,8 +24052,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml" ], "tags": [ @@ -23904,9 +24194,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", - "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", + "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml" ], "tags": [ @@ -23941,8 +24231,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml" ], "tags": [ 
@@ -24044,8 +24334,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" ], "tags": [ @@ -24153,8 +24443,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ @@ -24221,8 +24511,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", + "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml" ], "tags": [ 
@@ -24255,13 +24545,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vletoux/pingcastle", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", - "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", + "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://github.com/vletoux/pingcastle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml" ], "tags": [ 
@@ -24329,11 +24619,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ @@ -24410,11 +24700,11 @@ "logsource.product": "windows", "refs": [ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/Hackndo/lsassy", "https://github.com/helpsystems/nanodump", "https://github.com/CCob/MirrorDump", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://github.com/Hackndo/lsassy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" ], "tags": [ 
@@ -24447,8 +24737,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://twitter.com/Oddvarmoe/status/985518877076541440", + "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ @@ -24624,8 +24914,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" ], "tags": [ @@ -24691,8 +24981,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml" ], 
@@ -24769,9 +25059,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml" ], "tags": [ @@ -24837,10 +25127,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "https://twitter.com/Max_Mal_/status/1633863678909874176", - "Internal Research", + "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "https://twitter.com/_JohnHammond/status/1588155401752788994", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" ], "tags": [ @@ -24906,8 +25196,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" ], "tags": [ 
@@ -24930,8 +25220,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml" ], "tags": [ @@ -25030,9 +25320,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", - "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ 
@@ -25065,9 +25355,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], "tags": [ @@ -25135,9 +25425,9 @@ "logsource.product": "windows", "refs": [ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", - "https://github.com/defaultnamehere/cookie_crimes/", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", + "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ 
@@ -25223,40 +25513,6 @@
 "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349",
 "value": "PowerShell Get-Process LSASS"
 },
- {
- "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022-08-19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_lolbin_sigverif.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
- "https://twitter.com/0gtweet/status/1457676633809330184",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml"
- ],
- "tags": [
- "attack.defense-evasion",
- "attack.t1216"
- ]
- },
- "related": [
- {
- "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04",
- "value": "Suspicious Sigverif Execution"
- },
 {
 "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.",
 "meta": {
@@ -25270,8 +25526,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml"
 ],
@@ -25305,8 +25561,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://twitter.com/0gtweet/status/1674399582162153472", + "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml" ], "tags": [ @@ -25373,9 +25629,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml" ], "tags": [ 
@@ -25385,6 +25641,39 @@
 "uuid": "9cc85849-3b02-4cb5-b371-3a1ff54f2218",
 "value": "File Download From IP URL Via Curl.EXE"
 },
+ {
+ "description": "Detects the execution of malicious OneNote documents that contain embedded scripts.\nWhen a user clicks on a OneNote attachment and then on the malicious link inside the \".one\" file, it exports and executes the malicious embedded script from specific directories.\n",
+ "meta": {
+ "author": "@kostastsale",
+ "creation_date": "2023-02-02",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_office_onenote_embedded_script_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://bazaar.abuse.ch/browse/tag/one/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "84b1706c-932a-44c4-ae28-892b28a25b94",
+ "value": "OneNote.EXE Execution of Malicious Embedded Scripts"
+ },
 {
 "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary",
 "meta": {
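Review bot: The ATT&CK mapping on the new OneNote entry does not describe the behaviour in its description: `"attack.t1218.001"` and the `related` dest-uuid `a6937325-…` appear to resolve to the Compiled HTML File (hh.exe) sub-technique, whereas the text describes a user opening a `.one` attachment and clicking an embedded link that exports and runs a script. User Execution: Malicious File (T1204.002), optionally with Phishing: Spearphishing Attachment (T1566.001), would be the closer technique; since the refs point at the upstream SigmaHQ rule this presumably needs to change in the rule's `tags:` and be regenerated, and the `related` block should then resolve to the matching technique uuid. The only non-Sigma ref is a bazaar.abuse.ch tag search, which is a sample feed rather than an analysis, so adding a write-up of the OneNote delivery chain would give analysts something to check the "specific directories" claim against.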
@@ -25434,8 +25723,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Winget/", - "https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml" ], "tags": [ @@ -25789,8 +26078,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://twitter.com/0gtweet/status/1674399582162153472", + "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml" ], "tags": [ @@ -25824,9 +26113,9 @@ "logsource.product": "windows", "refs": [ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://twitter.com/SBousseaden/status/1211636381086339073", + "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ 
@@ -25911,12 +26200,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/blog/raspberry-robin/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://redcanary.com/blog/raspberry-robin/", - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ @@ -25982,9 +26271,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.gpg4win.de/documentation.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml" ], "tags": [ 
@@ -26007,10 +26296,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", + "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml" ], "tags": [ @@ -26043,8 +26332,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml" ], "tags": [ 
@@ -26097,6 +26386,42 @@
 "uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d",
 "value": "WmiPrvSE Spawned A Process"
 },
+ {
+ "description": "Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.\nWindows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.\n",
+ "meta": {
+ "author": "@Kostastsale, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022-10-07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1",
+ "https://github.com/nettitude/SharpWSUS",
+ "https://labs.nettitude.com/blog/introducing-sharpwsus/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.lateral-movement",
+ "attack.t1210"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b0ce780f-10bd-496d-9067-066d23dc3aa5",
+ "value": "HackTool - SharpWSUS/WSUSpendu Execution"
+ },
 {
 "description": "Detects the execution of rundll32 with a command line that doesn't contain a common extension",
 "meta": {
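Review bot: `"attack.t1210"` (Exploitation of Remote Services) is a poor fit for the new SharpWSUS/WSUSpendu entry, because the description itself says the tools move laterally by using WSUS as configured rather than by exploiting a vulnerability; Software Deployment Tools (T1072) is the technique that covers pushing code through a legitimate update/deployment channel, so the upstream rule's `tags:` and the `related` dest-uuid `9db0cf3a-…` should presumably move to it. The `hktl_` filename and the tool-name title suggest the rule keys on the tools' image or original filename, in which case a renamed or recompiled build is not caught; that limitation is worth a sentence in the description so consumers do not treat a quiet rule as evidence of absence. The falsepositive entry `"Unknown"` could also state the obvious benign case, e.g. `"Legitimate WSUS administration or red team exercises"`, since WSUSpendu is a PowerShell script that admins may run for assessment purposes.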
@@ -26404,8 +26729,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml" ], "tags": [ @@ -26514,8 +26839,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" ], "tags": [ @@ -26548,8 +26873,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", + "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml" ], "tags": [ 
@@ -26674,11 +26999,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", - "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml" ], "tags": [ @@ -26771,10 +27096,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/antonioCoco/RogueWinRM", + "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ 
@@ -26807,8 +27132,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ @@ -27045,8 +27370,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://twitter.com/mrd0x/status/1478116126005641220", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml" ], "tags": [ @@ -27079,8 +27404,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://twitter.com/mrd0x/status/1463526834918854661", + "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml" ], "tags": [ 
@@ -27188,12 +27513,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.joeware.net/freetools/tools/adfind/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://www.joeware.net/freetools/tools/adfind/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ @@ -27324,8 +27649,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml" ], "tags": [ 
@@ -27392,10 +27717,10 @@ "logsource.product": "windows", "refs": [ "https://www.intrinsec.com/akira_ransomware/", - "https://github.com/cloudflare/cloudflared/releases", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", - "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", + "https://github.com/cloudflare/cloudflared/releases", + "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml" ], "tags": [ @@ -27428,8 +27753,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1534915321856917506", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", + "https://twitter.com/nas_bench/status/1534915321856917506", "https://twitter.com/nas_bench/status/1534916659676422152", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml" ], @@ -27506,9 +27831,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.gpg4win.de/documentation.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" ], "tags": [ 
@@ -27633,8 +27958,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml" ], "tags": [ @@ -27667,9 +27992,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], "tags": [ @@ -27703,8 +28028,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", + "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" ], "tags": [ 
@@ -27851,9 +28176,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" ], "tags": [ @@ -28054,8 +28379,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://anydesk.com/en/changelog/windows", "https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/", + "https://anydesk.com/en/changelog/windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml" ], "tags": [ @@ -28080,8 +28405,8 @@ "logsource.product": "windows", "refs": [ "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", - "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html", "https://reaqta.com/2017/11/short-journey-darkvnc/", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml" ], "tags": [ 
@@ -28139,8 +28464,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/sharpmove/", "https://github.com/0xthirteen/SharpMove/", + "https://pentestlab.blog/tag/sharpmove/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml" ], "tags": [ @@ -28220,10 +28545,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", - "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", + "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -28313,8 +28638,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/sensepost/impersonate", + "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml" ], "tags": [ 
@@ -28343,50 +28668,6 @@ "uuid": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", "value": "HackTool - Impersonate Execution" }, - { - "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", - "meta": { - "author": "Nik Seetharaman, frack113", - "creation_date": "2019-01-16", - "falsepositive": [ - "Legitimate MWC use (unlikely in modern enterprise environments)" - ], - "filename": "proc_creation_win_lolbin_workflow_compiler.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", - "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml" - ], - "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1127", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", - "value": "Microsoft Workflow Compiler Execution" - }, { "description": "Detects calls to \"SyncInvoke\" that is part of the \"CL_Invocation.ps1\" script to proxy execution using \"System.Diagnostics.Process\"", "meta": { 
@@ -28400,8 +28681,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/948061991012327424", "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml" ], "tags": [ @@ -28479,43 +28760,6 @@ "uuid": "67bc0e75-c0a9-4cfc-8754-84a505b63c04", "value": "Potentially Suspicious Child Process Of ClickOnce Application" }, - { - "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022-12-29", - "falsepositive": [ - "Legitimate usage for administration purposes" - ], - "filename": "proc_creation_win_lolbin_ssh.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", - "https://man.openbsd.org/ssh_config#ProxyCommand", - "https://man.openbsd.org/ssh_config#LocalCommand", - "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" - ], - "tags": [ - "attack.defense-evasion", - "attack.t1202" - ] - }, - "related": [ - { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598", - "value": "Lolbin Ssh.exe Use As Proxy" - }, { "description": "Use of the commandline to shutdown or reboot windows", "meta": { 
@@ -28563,13 +28807,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], "tags": [ @@ -28602,8 +28846,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", + "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml" ], "tags": [ 
@@ -28803,8 +29047,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1460815932402679809", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/", + "https://twitter.com/mrd0x/status/1460815932402679809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml" ], "tags": [ @@ -28872,9 +29116,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://ss64.com/nt/dsacls.html", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -28941,8 +29185,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" ], "tags": [ 
@@ -28976,10 +29220,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://twitter.com/EricaZelic/status/1614075109827874817", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ @@ -29028,9 +29272,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], "tags": [ 
@@ -29132,14 +29376,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ 
@@ -29243,29 +29487,6 @@ "uuid": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", "value": "Renamed CreateDump Utility Execution" }, - { - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022-08-04", - "falsepositive": [ - "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" - ], - "filename": "proc_creation_win_wusa_cab_files_extraction.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", - "value": "Wusa Extracting Cab Files" - }, { "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", "meta": { @@ -29279,9 +29500,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/1420053502554951689", - "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + "https://twitter.com/Hexacorn/status/1420053502554951689", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" ], "tags": [ 
@@ -29359,8 +29580,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" ], "tags": [ @@ -29393,10 +29614,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", - "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ 
@@ -29495,8 +29716,8 @@ "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ @@ -29553,8 +29774,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" ], @@ -29588,9 +29809,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], "tags": [ 
@@ -29648,9 +29869,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", + "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], "tags": [ @@ -29692,9 +29913,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ 
@@ -29727,9 +29948,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://twitter.com/RedDrip7/status/1506480588827467785", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", + "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], "tags": [ @@ -29762,8 +29983,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/999090532839313408", "https://twitter.com/pabraeken/status/995837734379032576", + "https://twitter.com/pabraeken/status/999090532839313408", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], @@ -29873,9 +30094,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ 
@@ -29976,17 +30197,17 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" ], "tags": [ @@ -30036,8 +30257,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml" ], "tags": [ @@ -30174,6 +30395,29 @@ "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", "value": "Suspicious Msbuild Execution By Uncommon Parent Process" }, + { + "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", + "meta": { + "author": "@Kostastsale, @TheDFIRReport", + "creation_date": "2022-12-05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_emoji_usage_in_cli_2.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml" + ], + "tags": [ + "attack.defense-evasion" + ] + }, + "uuid": "c98f2a0d-e1b8-4f76-90d3-359caf88d6b9", + "value": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2" + }, { "description": "Detects execution of Microsoft bash launcher with the \"-c\" flag.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.\n", "meta": { 
@@ -30220,8 +30464,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml" ], "tags": [ @@ -30278,9 +30522,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://redcanary.com/threat-detection-report/", "https://www.cobaltstrike.com/help-windows-executable", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" ], "tags": [ @@ -30314,9 +30558,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" ], "tags": [ 
@@ -30359,8 +30603,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml" ], "tags": [ @@ -30393,8 +30637,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", "https://unicode-explorer.com/c/202E", + "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", "https://redcanary.com/blog/right-to-left-override/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" ], @@ -30428,8 +30672,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/felixw3000/status/853354851128025088", "https://twitter.com/rikvduijn/status/853251879320662017", + "https://twitter.com/felixw3000/status/853354851128025088", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml" ], "tags": [ 
@@ -30495,8 +30739,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", + "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml" ], "tags": [ @@ -30630,9 +30874,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491", "https://twitter.com/tccontre18/status/1480950986650832903", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" ], "tags": [ 
@@ -30665,13 +30909,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", - "https://www.softperfect.com/products/networkscanner/", "https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/", - "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf", - "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", + "https://www.softperfect.com/products/networkscanner/", "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/", + "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", + "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml" ], "tags": [ @@ -30813,8 +31057,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], 
@@ -30968,8 +31212,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml"
],
"tags": [
@@ -30989,39 +31233,6 @@
"uuid": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae",
"value": "Service Reconnaissance Via Wmic.EXE"
},
- {
- "description": "Extexport.exe loads dll and is execute from other folder the original path",
- "meta": {
- "author": "frack113",
- "creation_date": "2021-11-26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_lolbin_extexport.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Extexport/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml"
- ],
- "tags": [
- "attack.defense-evasion",
- "attack.t1218"
- ]
- },
- "related": [
- {
- "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a",
- "value": "Suspicious Extexport Execution"
- },
{
"description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)",
"meta": {
@@ -31212,9 +31423,9 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://twitter.com/ForensicITGuy/status/1334734244120309760", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ @@ -31264,9 +31475,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ 
@@ -31299,9 +31510,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/lateral-movement-winrm-wmi/", - "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", "https://twitter.com/bohops/status/994405551751815170", + "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", + "https://redcanary.com/blog/lateral-movement-winrm-wmi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" ], "tags": [ @@ -31368,10 +31579,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", - "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", + "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ 
@@ -31471,8 +31682,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2288", "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", + "https://adsecurity.org/?p=2288", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" ], "tags": [ @@ -31569,8 +31780,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", + "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ @@ -31664,8 +31875,8 @@ "logsource.product": "windows", "refs": [ "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml" ], "tags": [ 
@@ -31783,9 +31994,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", + "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" ], "tags": [ @@ -31818,10 +32029,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2481", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://youtu.be/5mqid-7zp8k?t=2481", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], "tags": [ @@ -31946,9 +32157,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], 
@@ -31992,8 +32203,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182389676876980224", "https://twitter.com/cglyer/status/1182391019633029120", + "https://twitter.com/cglyer/status/1182389676876980224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ @@ -32049,12 +32260,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], "tags": [ @@ -32132,9 +32343,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/DissectMalware/status/998797808907046913", "https://www.phpied.com/make-your-javascript-a-windows-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", + "https://twitter.com/DissectMalware/status/998797808907046913", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml" ], "tags": [ 
@@ -32167,8 +32378,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml" ], "tags": [ 
@@ -32340,6 +32551,40 @@
"uuid": "883835a7-df45-43e4-bf1d-4268768afda4",
"value": "Regedit as Trusted Installer"
},
+ {
+ "description": "Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.\n",
+ "meta": {
+ "author": "@kostastsale",
+ "creation_date": "2024-01-26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_hktl_soaphound_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/FalconForceTeam/SOAPHound",
+ "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e92a4287-e072-4a40-9739-370c106bb750",
+ "value": "HackTool - SOAPHound Execution"
+ },
{
"description": "Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the \"ActivateMicrosoftApp\" Excel DCOM object.\n",
"meta": {
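Review bot: The new SOAPHound value's `description` ends in a literal `\n` (`…sensitive AD information.\n`), which neighbouring values such as "Regedit as Trusted Installer" do not have; it looks like the trailing newline of the upstream rule's YAML block scalar is carried straight into the cluster JSON. That stray newline is rendered in MISP's cluster view and makes descriptions inconsistent to match or diff across values. Since this file is generated, the fix presumably belongs in the generator (strip the description before emitting it) rather than in a hand edit of the JSON — the generator is not in this chunk, so that needs confirming. The Excel DCOM value that follows carries the same trailing `\n`, so the fix should be applied to every description, not just this entry.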
@@ -32353,9 +32598,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", "https://github.com/grayhatkiller/SharpExShell", "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", - "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml" ], "tags": [ @@ -32388,9 +32633,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], "tags": [ @@ -32623,10 +32868,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://twitter.com/nas_bench/status/1535322450858233858", "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://twitter.com/bohops/status/1276357235954909188?s=12", - "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" ], "tags": [ 
@@ -32659,9 +32904,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml" ], "tags": [ @@ -32703,10 +32948,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -32797,8 +33042,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], 
@@ -32833,14 +33078,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ 
@@ -32905,8 +33150,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://github.com/hfiref0x/UACME", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], @@ -32964,8 +33209,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" ], "tags": [ @@ -33021,9 +33266,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://www.scythe.io/library/threat-emulation-qakbot", "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml" ], "tags": [ 
@@ -33079,9 +33324,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf", - "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" ], "tags": [ @@ -33185,8 +33430,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/pabraeken/status/990717080805789697", "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml" ], @@ -33220,8 +33465,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/sensepost/ruler", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", + "https://github.com/sensepost/ruler", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], 
@@ -33263,9 +33508,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.echotrail.io/insights/search/regsvr32.exe", "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", "https://redcanary.com/blog/intelligence-insights-april-2022/", - "https://www.echotrail.io/insights/search/regsvr32.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml" ], "tags": [ @@ -33422,8 +33667,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml" ], @@ -33525,10 +33770,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", - "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://twitter.com/mrd0x/status/1511415432888131586", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", + "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" ], "tags": [ 
@@ -33570,8 +33815,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
"https://www.uptycs.com/blog/lolbins-are-no-laughing-matter",
+ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml"
],
"tags": [
@@ -33604,8 +33849,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
],
@@ -33629,7 +33874,7 @@
{
"description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)",
"meta": {
- "author": "Nextron Systems",
+ "author": "Nextron Systems, @Kostastsale",
"creation_date": "2022-06-01",
"falsepositive": [
"Unknown"
@@ -33639,10 +33884,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
- "https://twitter.com/nao_sec/status/1530196847679401984",
"https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
],
"tags": [
@@ -33683,8 +33929,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
"https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
+ "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml"
],
"tags": [
@@ -33726,8 +33972,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], @@ -33784,9 +34030,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://www.exploit-db.com/exploits/37525", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", - "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], "tags": [ 
@@ -33886,10 +34132,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf", "https://github.com/AlessandroZ/LaZagne/tree/master", - "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml" ], @@ -34047,8 +34293,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", + "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml" ], "tags": [ @@ -34115,8 +34361,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/netsh.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", + "https://ss64.com/nt/netsh.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml" ], "tags": [ 
@@ -34151,8 +34397,8 @@ "refs": [ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", - "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], "tags": [ 
@@ -34172,6 +34418,41 @@
 "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002",
 "value": "Suspicious Ping/Del Command Combination"
 },
+ {
+ "description": "Detects changes to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.\n",
+ "meta": {
+ "author": "@Kostastsale, @TheDFIRReport",
+ "creation_date": "2022-05-14",
+ "falsepositive": [
+ "System administrator activities"
+ ],
+ "filename": "proc_creation_win_registry_special_accounts_hide_user.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/",
+ "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
+ "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml"
+ ],
+ "tags": [
+ "attack.t1564.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9ec9fb1b-e059-4489-9642-f270c207923d",
+ "value": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine"
+ },
 {
 "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files",
 "meta": {
@@ -34219,8 +34500,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
 "https://ss64.com/nt/mklink.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"
 ],
 "tags": [
@@ -34299,10 +34580,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
 ],
 "tags": [
@@ -34445,12 +34726,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml"
 ],
 "tags": [
@@ -34525,8 +34806,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securityxploded.com/",
 "https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
+ "https://securityxploded.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml"
 ],
 "tags": [
@@ -34559,10 +34840,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/defaultnamehere/cookie_crimes/",
- "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
 "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
 "https://github.com/wunderwuzzi23/firefox-cookiemonster",
+ "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
+ "https://github.com/defaultnamehere/cookie_crimes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml"
 ],
 "tags": [
@@ -34798,9 +35079,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nmap.org/ncat/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://www.revshells.com/",
+ "https://nmap.org/ncat/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
 ],
 "tags": [
@@ -34900,8 +35181,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"
 ],
 "tags": [
@@ -35118,11 +35399,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://twitter.com/cyberwar_15/status/1187287262054076416",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
 "https://blog.alyac.co.kr/1901",
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
 "tags": [
@@ -35166,17 +35447,18 @@
 "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2021-09-24",
 "falsepositive": [
- "Unknown"
+ "Unlikely"
 ],
 "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
- "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
 "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
 "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
+ "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
 ],
 "tags": [
@@ -35242,8 +35524,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+ "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml"
 ],
 "tags": [
@@ -35276,9 +35558,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
 ],
 "tags": [
@@ -35368,9 +35650,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt",
- "https://twitter.com/n1nj4sec/status/1421190238081277959",
 "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
+ "https://twitter.com/n1nj4sec/status/1421190238081277959",
+ "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"
 ],
 "tags": [
@@ -35394,8 +35676,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
+ "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml"
 ],
 "tags": [
@@ -35437,8 +35719,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
 ],
 "tags": [
@@ -35655,8 +35937,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
- "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml"
 ],
 "tags": [
@@ -35689,11 +35971,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1433344116071583746",
- "https://twitter.com/eral4m/status/1479106975967240209",
- "https://twitter.com/Hexacorn/status/885258886428725250",
 "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
 "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://twitter.com/eral4m/status/1479106975967240209",
 "https://twitter.com/eral4m/status/1479080793003671557",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
 ],
@@ -35793,8 +36075,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
 "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
+ "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
 "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"
 ],
@@ -35828,8 +36110,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
 "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml"
 ],
 "tags": [
@@ -35922,11 +36204,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
 "tags": [
@@ -36134,9 +36416,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml"
 ],
 "tags": [
@@ -36227,8 +36509,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
- "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
+ "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml"
 ],
 "tags": [
@@ -36401,7 +36683,7 @@
 "value": "Invoke-Obfuscation VAR+ Launcher"
 },
 {
- "description": "Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.\n",
+ "description": "Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.\nAttackers could instantiate an instance of \"wusa.exe\" in order to bypass User Account Control (UAC). They can duplicate the access token from \"wusa.exe\" to gain elevated privileges.\n",
 "meta": {
 "author": "X__Junior (Nextron Systems)",
 "creation_date": "2023-11-26",
@@ -36677,11 +36959,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://twitter.com/0gtweet/status/1628720819537936386",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
 ],
 "tags": [
@@ -36716,9 +36998,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
 "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
 ],
 "tags": [
@@ -36874,10 +37156,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
- "https://www.intrinsec.com/akira_ransomware/",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://github.com/cloudflare/cloudflared",
+ "https://www.intrinsec.com/akira_ransomware/",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml"
 ],
 "tags": [
@@ -36910,8 +37192,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
 "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml"
 ],
 "tags": [
@@ -36958,8 +37240,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
 ],
 "tags": [
@@ -36992,8 +37274,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lab52.io/blog/winter-vivern-all-summer/",
 "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
+ "https://lab52.io/blog/winter-vivern-all-summer/",
 "https://hatching.io/blog/powershell-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
 ],
@@ -37094,10 +37376,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
 "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
 ],
 "tags": [
@@ -37215,9 +37497,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
 ],
 "tags": [
@@ -37284,8 +37566,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
- "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
 "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
+ "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
 ],
 "tags": [
@@ -37334,9 +37616,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "https://twitter.com/nas_bench/status/1534957360032120833",
 "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml"
 ],
 "tags": [
@@ -37452,8 +37734,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Kevin-Robertson/Inveigh",
 "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://github.com/Kevin-Robertson/Inveigh",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml"
 ],
 "tags": [
@@ -37622,8 +37904,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
 "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml"
 ],
 "tags": [
@@ -37742,9 +38024,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/oulusoyum/status/1191329746069655553",
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
 "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
 ],
 "tags": [
@@ -37987,6 +38269,40 @@
 "uuid": "05ebafc8-7aa2-4bcd-a269-2aec93f9e842",
 "value": "Add New Download Source To Winget"
 },
+ {
+ "description": "Detects uncommon child processes spawning from \"sigverif.exe\", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022-08-19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_sigverif_uncommon_child_process.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1457676633809330184",
+ "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04",
+ "value": "Uncommon Sigverif.EXE Child Process"
+ },
 {
 "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script",
 "meta": {
@@ -38066,9 +38382,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
 "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://nodejs.org/api/cli.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
 ],
@@ -38102,9 +38418,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml"
 ],
 "tags": [
@@ -38128,8 +38444,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml"
 ],
 "tags": [
@@ -38198,8 +38514,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=ro2QuZTIMBM",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.youtube.com/watch?v=ro2QuZTIMBM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml"
 ],
 "tags": [
@@ -38255,24 +38571,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/samratashok/nishang",
- "https://adsecurity.org/?p=2921",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/adrecon/ADRecon",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
"https://github.com/besimorhino/powercat",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -38407,50 +38723,6 @@
 "uuid": "bed2a484-9348-4143-8a8a-b801c979301c",
 "value": "Webshell Detection With Command Line Keywords"
 },
- {
- "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands",
- "meta": {
- "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2020-10-05",
- "falsepositive": [
- "Automation and orchestration scripts may use this method to execute scripts etc.",
- "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)"
- ],
- "filename": "proc_creation_win_wsl_lolbin_execution.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
- "https://twitter.com/nas_bench/status/1535431474429808642",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1202"
- ]
- },
- "related": [
- {
- "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b",
- "value": "Arbitrary Command Execution Using WSL"
- },
 {
 "description": "Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.\n",
 "meta": {
@@ -38498,9 +38770,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html", "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml" ], "tags": [ @@ -38601,8 +38873,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", + "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml" ], "tags": [ @@ -38743,9 +39015,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ 
@@ -38888,10 +39160,10 @@ "logsource.product": "windows", "refs": [ "https://www.intrinsec.com/akira_ransomware/", - "https://github.com/cloudflare/cloudflared/releases", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", - "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", + "https://github.com/cloudflare/cloudflared/releases", + "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml" ], "tags": [ @@ -39074,8 +39346,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990758590020452353", "https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", + "https://twitter.com/pabraeken/status/990758590020452353", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], @@ -39167,8 +39439,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" ], 
@@ -39269,8 +39541,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://twitter.com/mrd0x/status/1463526834918854661", + "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml" ], "tags": [ @@ -39304,10 +39576,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ 
@@ -39340,8 +39612,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml" ], @@ -39376,8 +39648,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml" ], "tags": [ @@ -39433,12 +39705,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.localpotato.com/", + "https://github.com/ohpe/juicy-potato", "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://pentestlab.blog/2017/04/13/hot-potato/", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", - "https://github.com/ohpe/juicy-potato", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://www.localpotato.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ 
@@ -39541,9 +39813,9 @@ "refs": [ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], @@ -39686,8 +39958,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", "https://www.pdq.com/pdq-deploy/", + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml" ], "tags": [ @@ -39721,8 +39993,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md", "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", + "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml" ], "tags": [ 
@@ -39800,8 +40072,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/samratashok/ADModule", - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], "tags": [ @@ -39814,7 +40086,7 @@ "value": "Potential Active Directory Enumeration Using AD Module - ProcCreation" }, { - "description": "Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships", + "description": "Detects the execution of Windows binaries from within a WSL instance.\nThis could be used to masquerade parent-child relationships\n", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023-02-14", 
@@ -39895,13 +40167,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - "https://ngrok.com/docs", - "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://twitter.com/xorJosh/status/1598646907802451969", "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + "https://ngrok.com/docs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ @@ -39967,9 +40239,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://twitter.com/_st0pp3r_/status/1583914515996897281", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], "tags": [ 
@@ -40037,8 +40309,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml" ], "tags": [ @@ -40142,8 +40415,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", + "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ @@ -40220,8 +40493,8 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", - "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", + "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], "tags": [ 
@@ -40491,12 +40764,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/egre55/status/1087685529016193025", - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], "tags": [ @@ -40531,8 +40804,8 @@ "refs": [ "https://github.com/hfiref0x/UACME", "https://twitter.com/hFireF0X/status/897640081053364225", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], "tags": [ 
@@ -40577,8 +40850,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml" ], "tags": [ @@ -40620,8 +40893,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/danielbohannon/Invoke-DOSfuscation", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", + "https://github.com/danielbohannon/Invoke-DOSfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" ], "tags": [ 
@@ -40655,15 +40928,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/Neo23x0/Raccine#the-process", "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://blog.talosintelligence.com/2017/05/wannacry.html", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://github.com/Neo23x0/Raccine#the-process", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://blog.talosintelligence.com/2017/05/wannacry.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ @@ -40890,8 +41163,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://www.radmin.fr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" ], "tags": [ 
@@ -40925,9 +41198,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ @@ -40960,10 +41233,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", - "https://adsecurity.org/?p=2604", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", + "https://adsecurity.org/?p=2604", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ 
@@ -40997,8 +41270,8 @@ "logsource.product": "windows", "refs": [ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -41104,8 +41377,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" ], "tags": [ 
@@ -41229,12 +41502,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], "tags": [ @@ -41267,9 +41540,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], 
@@ -41303,9 +41576,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.poweradmin.com/paexec/", - "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml" ], "tags": [ @@ -41363,9 +41636,9 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", - "https://twitter.com/M_haggis/status/1699056847154725107", - "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", + "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", + "https://twitter.com/M_haggis/status/1699056847154725107", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -41389,8 +41662,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/mshta.exe", "https://en.wikipedia.org/wiki/HTML_Application", + "https://www.echotrail.io/insights/search/mshta.exe", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], 
@@ -41425,8 +41698,8 @@ "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", - "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/fireeye/DueDLLigence", + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ @@ -41501,8 +41774,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1618021838407495681", "https://twitter.com/nas_bench/status/1618021415852335105", + "https://twitter.com/nas_bench/status/1618021838407495681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml" ], "tags": [ @@ -41544,9 +41817,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", + "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], 
@@ -41613,14 +41886,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" 
@@ -41678,10 +41951,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", - "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", - "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", + "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "https://twitter.com/mattifestation/status/1326228491302563846", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], 
@@ -41733,15 +42006,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", "https://www.group-ib.com/blog/apt41-world-tour-2021/", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", - "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", + "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", + "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" ], "tags": [ 
@@ -41944,9 +42217,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], @@ -41982,8 +42255,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensafe.com/blogs/typedpaths.html", "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml" ], "tags": [ @@ -42006,9 +42279,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", - "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", + "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" ], "tags": [ 
@@ -42042,9 +42315,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], @@ -42154,13 +42427,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.cobaltstrike.com/help-opsec", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", - "https://twitter.com/CyberRaiju/status/1251492025678983169", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool", "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://www.cobaltstrike.com/help-opsec", + "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ 
@@ -42249,8 +42522,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], @@ -42317,8 +42590,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml" ], "tags": [ @@ -42431,9 +42704,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/wermgr.exe", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" ], "tags": [ 
@@ -42456,8 +42729,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -42597,8 +42870,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", + "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" ], "tags": [ @@ -42655,8 +42928,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", + "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ 
@@ -42815,11 +43088,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pfiatde/status/1681977680688738305", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", - "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", + "https://twitter.com/pfiatde/status/1681977680688738305", + "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -42852,8 +43125,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml" ], "tags": [ 
@@ -42919,8 +43192,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml" ], "tags": [ @@ -43055,9 +43328,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://twitter.com/ReaQta/status/1222548288731217921", + "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ @@ -43248,8 +43521,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml" ], "tags": [ 
@@ -43273,8 +43546,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml" ], "tags": [ @@ -43416,8 +43689,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -43502,8 +43775,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ 
@@ -43644,8 +43917,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml" ], "tags": [ @@ -43669,8 +43942,8 @@ "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ @@ -44039,9 +44312,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://kb.acronis.com/content/60892", "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", - "https://kb.acronis.com/content/60892", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" ], "tags": [ 
@@ -44106,8 +44379,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" ], "tags": [ @@ -44140,8 +44413,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://www.echotrail.io/insights/search/defaultpack.exe", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml" ], "tags": [ @@ -44176,8 +44449,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], "tags": [ @@ -44210,8 +44483,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://twitter.com/0gtweet/status/1477925112561209344", + "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml" ], "tags": [ 
@@ -44235,8 +44508,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", - "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" ], "tags": [ @@ -44437,8 +44710,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml" ], "tags": [ @@ -44471,8 +44744,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", 
@@ -44525,9 +44798,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], @@ -44710,13 +44983,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Wietze/status/1542107456507203586", - "https://twitter.com/shantanukhande/status/1229348874298388484", - "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://twitter.com/Hexacorn/status/1224848930795552769", "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://twitter.com/Wietze/status/1542107456507203586", + "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ 
@@ -44759,9 +45032,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], "tags": [ @@ -44794,8 +45067,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml" ], "tags": [ 
@@ -44829,9 +45102,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ @@ -44864,9 +45137,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://ss64.com/ps/foreach-object.html", "https://ss64.com/nt/for.html", + "https://ss64.com/ps/foreach-object.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], "tags": [ @@ -44908,9 +45181,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491", "https://twitter.com/tccontre18/status/1480950986650832903", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml" ], "tags": [ 
@@ -45197,8 +45470,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml" ], "tags": [ @@ -45254,8 +45527,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", + "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" ], "tags": [ @@ -45289,9 +45562,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.poweradmin.com/paexec/", - "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml" ], "tags": [ 
@@ -45360,11 +45633,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", + "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", - "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ @@ -45508,8 +45781,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", + "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ 
@@ -45542,11 +45815,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], "tags": [ @@ -45579,10 +45852,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", - "https://atomicredteam.io/defense-evasion/T1220/", - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://twitter.com/mattifestation/status/986280382042595328", + "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://atomicredteam.io/defense-evasion/T1220/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], "tags": [ 
@@ -45641,8 +45914,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://abuse.io/lockergoga.txt", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], "tags": [ @@ -45805,13 +46078,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vletoux/pingcastle", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", - "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", + "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://github.com/vletoux/pingcastle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml" ], "tags": [ 
@@ -45844,8 +46117,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" ], "tags": [ @@ -46022,8 +46295,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/skelsec/pypykatz", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml" ], "tags": [ @@ -46132,8 +46405,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nmap.org/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://nmap.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" ], "tags": [ 
@@ -46167,10 +46440,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/980659399495741441", - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ 
@@ -46291,6 +46564,40 @@
 "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a",
 "value": "Disabled Volume Snapshots"
 },
+ {
+ "description": "Detects the execution of \"DXCap.EXE\" with the \"-c\" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.\n",
+ "meta": {
+ "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2019-10-26",
+ "falsepositive": [
+ "Legitimate execution of dxcap.exe by legitimate user"
+ ],
+ "filename": "proc_creation_win_dxcap_arbitrary_binary_execution.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
+ "https://twitter.com/harr0ey/status/992008180904419328",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "60f16a96-db70-42eb-8f76-16763e333590",
+ "value": "New Capture Session Launched Via DXCap.EXE"
+ },
 {
 "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.",
 "meta": {
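Review bot: The new DXCap entry's `description` ends in a literal `\n` (`...bypass application whitelisting.\n`), which no neighbouring entry in this file carries — the regini entry directly below it, and every description in the reordered hunks, ends at the final period. This reads as the converter passing a YAML block scalar's trailing newline through unchanged, and it will surface as a stray blank line wherever a MISP consumer renders the galaxy; since the file is generated, the fix belongs in the conversion script (strip the description before emitting it, then regenerate) rather than a hand edit here — I cannot see that script in this chunk, so the exact field access is a guess. One caveat for anyone relying on the entry: the detection logic (the `-c` flag match) lives in the Sigma rule named in `filename`, not in this metadata, so the whitelisting-bypass claim and the `attack.t1218` mapping should be validated against that rule, and nothing here indicates whether renamed copies of dxcap.exe are covered.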
@@ -46304,8 +46611,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], @@ -46339,8 +46646,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ @@ -46390,8 +46697,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://twitter.com/WindowsDocs/status/1620078135080325122", + "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml" ], "tags": [ 
@@ -46481,12 +46788,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/egre55/status/1087685529016193025", - "https://twitter.com/_JohnHammond/status/1708910264261980634", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://twitter.com/_JohnHammond/status/1708910264261980634", + "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], "tags": [ @@ -46561,11 +46868,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://twitter.com/christophetd/status/1164506034720952320", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", - "https://twitter.com/christophetd/status/1164506034720952320", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ 
@@ -46698,8 +47005,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" ], @@ -46723,8 +47030,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], @@ -46811,8 +47118,8 @@ "logsource.product": "windows", "refs": [ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" ], "tags": [ 
@@ -46894,8 +47201,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml" ], "tags": [ @@ -47002,8 +47309,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", "https://twitter.com/bohops/status/1635288066909966338", + "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml" ], "tags": [ @@ -47144,8 +47451,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml" ], "tags": [ @@ -47178,8 +47485,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", + "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml" ], "tags": [ 
@@ -47246,12 +47553,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", - "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", - "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://positive.security/blog/ms-officecmd-rce", + "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", + "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml" ], "tags": [ @@ -47316,8 +47623,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml" ], "tags": [ @@ -47394,8 +47701,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", + "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" ], "tags": [ 
@@ -47428,8 +47735,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ @@ -47562,11 +47869,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://twitter.com/max_mal_/status/1542461200797163522", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ @@ -47599,9 +47906,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/bryon_/status/975835709587075072", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", "https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", - "https://twitter.com/bryon_/status/975835709587075072", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml" ], "tags": [ 
@@ -47692,9 +47999,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software", - "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details", "https://boinc.berkeley.edu/", + "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details", + "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml" ], "tags": [ @@ -47769,8 +48076,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], @@ -47794,9 +48101,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" ], "tags": [ 
@@ -47829,8 +48136,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/muddywater/88059/", "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", + "https://securelist.com/muddywater/88059/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" ], "tags": [ @@ -47863,8 +48170,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml" ], "tags": [ @@ -48028,10 +48335,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", - "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ 
@@ -48110,8 +48417,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" ], "tags": [ @@ -48144,8 +48451,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml" ], "tags": [ @@ -48168,8 +48475,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" ], "tags": [ @@ -48384,9 +48691,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://twitter.com/mrd0x/status/1511415432888131586", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml" ], "tags": [ 
@@ -48460,8 +48767,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml" ], "tags": [ @@ -48604,10 +48911,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://twitter.com/0gtweet/status/1583356502340870144", "https://lolbas-project.github.io/lolbas/Binaries/Setres/", - "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml" ], "tags": [ 
@@ -48648,10 +48955,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ 
@@ -48684,14 +48991,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -48806,8 +49113,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://asec.ahnlab.com/en/39828/", "https://twitter.com/GelosSnake/status/934900723426439170", + "https://asec.ahnlab.com/en/39828/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml" ], "tags": [ 
@@ -48841,8 +49148,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" ], "tags": [ @@ -48910,9 +49217,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" ], "tags": [ @@ -48947,10 +49254,10 @@ "logsource.product": "windows", "refs": [ "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" ], "tags": [ 
@@ -48992,9 +49299,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://vms.drweb.fr/virus/?i=24144899", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], @@ -49029,8 +49336,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", - "https://attack.mitre.org/software/S0404/", "https://twitter.com/vxunderground/status/1423336151860002816", + "https://attack.mitre.org/software/S0404/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml" ], "tags": [ @@ -49298,8 +49605,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1537896324837781506", "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", + "https://twitter.com/nas_bench/status/1537896324837781506", "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" 
@@ -49334,8 +49641,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://asec.ahnlab.com/en/38156/", "https://github.com/fatedier/frp", + "https://asec.ahnlab.com/en/38156/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml" ], "tags": [ @@ -49368,9 +49675,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt", "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt", "Internal Research", - "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml" ], "tags": [ @@ -49492,8 +49799,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml" ], "tags": [ 
@@ -49559,9 +49866,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", - "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery", + "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", + "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml" ], "tags": [ @@ -49662,8 +49969,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], 
@@ -49706,8 +50013,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml" ], "tags": [ @@ -49823,9 +50130,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/fr0s7_/status/1712780207105404948", - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://twitter.com/fr0s7_/status/1712780207105404948", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" ], "tags": [ 
@@ -49946,6 +50253,29 @@ "uuid": "86588b36-c6d3-465f-9cee-8f9093e07798", "value": "Scheduled Task Executing Payload from Registry" }, + { + "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", + "meta": { + "author": "@Kostastsale, @TheDFIRReport", + "creation_date": "2022-12-05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_emoji_usage_in_cli_3.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml" + ], + "tags": [ + "attack.defense-evasion" + ] + }, + "uuid": "f9578658-9e71-4711-b634-3f9b50cd3c06", + "value": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3" + }, { "description": "An adversary might use WMI to discover information about the system, such as the volume name, size,\nfree space, and other disk information. This can be done using the `wmic` command-line utility and has been\nobserved being used by threat actors such as Volt Typhoon.\n", "meta": { @@ -50038,8 +50368,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.poweradmin.com/paexec/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ 
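Review bot: The new emoji entry places the plain string `"Internal Research"` in `refs` next to URLs, so the array now mixes free text with links; the Pikabot hunk at L659 carries the same value. Any consumer that dereferences or validates `refs` as URLs will trip on it, so either drop non-URL references at generation time or move them to a separate key — the hunk does not show which keys the cluster schema permits. The entry also pairs `"level": "high"` with `"falsepositive": ["Unknown"]`; that comes from the upstream Sigma rule rather than this commit, but it is worth knowing when tuning on this detection.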
@@ -50106,8 +50436,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" ], @@ -50353,8 +50683,8 @@ "logsource.product": "windows", "refs": [ "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml" ], "tags": [ @@ -50497,9 +50827,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", "https://github.com/electron/rcedit", - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], "tags": [ 
@@ -50590,13 +50920,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", + "https://www.joeware.net/freetools/tools/adfind/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://www.joeware.net/freetools/tools/adfind/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ @@ -50654,8 +50984,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sourceforge.net/projects/mouselock/", "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", + "https://sourceforge.net/projects/mouselock/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml" ], "tags": [ 
@@ -50689,8 +51019,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://twitter.com/0gtweet/status/1564968845726580736",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
 ],
@@ -50808,12 +51138,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml"
 ],
 "tags": [
@@ -50888,8 +51218,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"
 ],
 "tags": [
@@ -50990,9 +51320,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
 "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
 "https://twitter.com/_felamos/status/1204705548668555264",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml"
 ],
 "tags": [
@@ -51025,9 +51355,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml"
 ],
 "tags": [
@@ -51085,9 +51415,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
- "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
- "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
 "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
+ "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
 ],
 "tags": [
@@ -51341,8 +51671,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
 "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
 ],
@@ -51511,9 +51841,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "https://web.archive.org/web/20231210115125/http://www.xuetr.com/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
 ],
 "tags": [
@@ -51612,8 +51942,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.autohotkey.com/download/",
 "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
+ "https://www.autohotkey.com/download/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml"
 ],
 "tags": [
@@ -51669,9 +51999,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
- "https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
 "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
+ "https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+ "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml"
 ],
 "tags": [
@@ -51745,8 +52075,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process",
 "https://www.sans.org/blog/wmic-for-incident-response/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml"
 ],
 "tags": [
@@ -51780,9 +52110,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
- "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/",
 "https://github.com/outflanknl/NetshHelperBeacon",
+ "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"
 ],
 "tags": [
@@ -52097,8 +52427,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/vysecurity/status/974806438316072960",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://twitter.com/vysecurity/status/873181705024266241",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
 ],
@@ -52301,8 +52631,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
 "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
+ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
 ],
 "tags": [
@@ -52443,9 +52773,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
 "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
 ],
 "tags": [
@@ -52478,9 +52808,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -52536,8 +52866,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
 ],
 "tags": [
@@ -52775,9 +53105,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
 "https://unit42.paloaltonetworks.com/chromeloader-malware/",
 "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml"
 ],
 "tags": [
@@ -52941,31 +53271,6 @@
 "uuid": "517490a7-115a-48c6-8862-1a481504d5a8",
 "value": "Potential Shim Database Persistence via Sdbinst.EXE"
 },
- {
- "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022-01-06",
- "falsepositive": [
- "Legitimate use of the UI Accessibility Checker"
- ],
- "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
- "https://twitter.com/bohops/status/1477717351017680899?s=12",
- "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
- ],
- "tags": [
- "attack.execution"
- ]
- },
- "uuid": "0f6da907-5854-4be6-859a-e9958747b0aa",
- "value": "Suspicious LOLBIN AccCheckConsole"
- },
 {
 "description": "Detects audio capture via PowerShell Cmdlet.",
 "meta": {
@@ -52979,9 +53284,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
 "https://github.com/frgnca/AudioDeviceCmdlets",
+ "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
 ],
 "tags": [
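Review bot: The first hunk here (@@ -52941,31) drops the "Suspicious LOLBIN AccCheckConsole" cluster value outright, so any event or report already tagged with its uuid `0f6da907-5854-4be6-859a-e9958747b0aa` will stop resolving against this galaxy once the new version is imported. Upstream Sigma presumably deprecated or renamed the rule, but a galaxy uuid is a stable reference and should outlive the rule: keep the value in the file and mark it deprecated rather than deleting it — the ATT&CK-derived clusters in this repository carry a `"revoked": true` marker on the value for exactly this case, and the generator could emit the same when a previously exported rule disappears upstream. The second hunk (@@ -52979) is a refs reorder only.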
@@ -53014,8 +53319,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
 "https://github.com/tevora-threat/SharpView/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
 "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
 ],
@@ -53226,8 +53531,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
 "https://twitter.com/Oddvarmoe/status/1270633613449723905",
+ "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml"
 ],
 "tags": [
@@ -53407,8 +53712,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml"
 ],
 "tags": [
@@ -53519,9 +53824,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
 ],
 "tags": [
@@ -53541,6 +53846,29 @@
 "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5",
 "value": "Msiexec Quiet Installation"
 },
+ {
+ "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.",
+ "meta": {
+ "author": "@Kostastsale, @TheDFIRReport",
+ "creation_date": "2022-12-05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_emoji_usage_in_cli_4.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion"
+ ]
+ },
+ "uuid": "225274c4-8dd1-40db-9e09-71dff4f6fb3c",
+ "value": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4"
+ },
 {
 "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".",
 "meta": {
@@ -53554,8 +53882,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://twitter.com/0gtweet/status/1674399582162153472",
+ "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml"
 ],
 "tags": [
@@ -53588,8 +53916,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
 "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml"
 ],
 "tags": [
@@ -53623,9 +53951,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode",
- "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior",
- "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
 "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html",
+ "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml"
 ],
 "tags": [
@@ -53658,9 +53986,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://twitter.com/countuponsec/status/910977826853068800",
 "https://twitter.com/countuponsec/status/910969424215232518",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
 ],
 "tags": [
@@ -53694,8 +54022,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/splinter_code/status/1483815103279603714",
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
 ],
@@ -53765,8 +54093,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/tag/svchost/",
 "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
+ "https://pentestlab.blog/tag/svchost/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml"
 ],
 "tags": [
@@ -53871,8 +54199,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1206692239839289344",
 "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
+ "https://twitter.com/0gtweet/status/1206692239839289344",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
 ],
 "tags": [
@@ -54047,9 +54375,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
- "https://www.joeware.net/freetools/tools/adfind/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.joeware.net/freetools/tools/adfind/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"
 ],
 "tags": [
@@ -54117,8 +54445,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml"
 ],
 "tags": [
@@ -54141,13 +54469,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
 "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
 "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml"
 ],
 "tags": [
@@ -54182,11 +54510,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
 "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
 "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
- "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://twitter.com/gN3mes1s/status/1206874118282448897",
- "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml"
 ],
 "tags": [
@@ -54287,9 +54615,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.poweradmin.com/paexec/",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.poweradmin.com/paexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml"
 ],
 "tags": [
@@ -54523,8 +54851,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
 "https://github.com/LOLBAS-Project/LOLBAS/pull/151",
+ "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
 "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml"
 ],
@@ -54601,8 +54929,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/cmd.html",
 "https://twitter.com/cyb3rops/status/1562072617552678912",
+ "https://ss64.com/nt/cmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml"
 ],
 "tags": [
@@ -54635,8 +54963,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Moriarty_Meng/status/984380793383370752",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
+ "https://twitter.com/Moriarty_Meng/status/984380793383370752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml"
 ],
 "tags": [
@@ -54770,8 +55098,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"
 ],
@@ -54972,9 +55300,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
 "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml"
 ],
 "tags": [
@@ -55007,10 +55335,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
 "https://zero2auto.com/2020/05/19/netwalker-re/",
- "https://redcanary.com/blog/yellow-cockatoo/",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
+ "https://redcanary.com/blog/yellow-cockatoo/",
+ "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml"
 ],
 "tags": [
@@ -55102,9 +55430,9 @@
 "logsource.category": "wmi_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml"
 ],
 "tags": [
@@ -55137,9 +55465,9 @@
 "logsource.category": "wmi_event",
 "logsource.product": "windows",
 "refs": [
+ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
 "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
 ],
 "tags": [
@@ -55240,8 +55568,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml"
 ],
 "tags": [
@@ -55283,9 +55611,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://cydefops.com/vscode-data-exfiltration",
 "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
- "https://cydefops.com/vscode-data-exfiltration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml"
 ],
 "tags": [
@@ -55318,9 +55646,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
- "https://cydefops.com/devtunnels-unleashed",
 "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
+ "https://cydefops.com/devtunnels-unleashed",
+ "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml"
 ],
 "tags": [
@@ -55353,8 +55681,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/russian-targeting-gov-business",
 "https://megatools.megous.com/",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml"
 ],
 "tags": [
@@ -55464,8 +55792,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mttaggart/OffensiveNotion",
 "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332",
+ "https://github.com/mttaggart/OffensiveNotion",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml"
 ],
 "tags": [
@@ -55574,11 +55902,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
+ "https://youtu.be/n2dFlSaBBKo",
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
 "https://github.com/looCiprian/GC2-sheet",
 "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
- "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
- "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
- "https://youtu.be/n2dFlSaBBKo",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml"
 ],
 "tags": [
@@ -55712,9 +56040,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://portmap.io/",
- "https://github.com/rapid7/metasploit-framework/issues/11337",
 "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2",
+ "https://github.com/rapid7/metasploit-framework/issues/11337",
+ "https://portmap.io/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml"
 ],
 "tags": [
@@ -55791,8 +56119,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://corelight.com/blog/detecting-cve-2021-42292",
 "https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide",
+ "https://corelight.com/blog/detecting-cve-2021-42292",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml"
 ],
 "tags": [
@@ -55859,9 +56187,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml"
 ],
 "tags": [
@@ -55928,8 +56256,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
 "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
+ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml"
 ],
 "tags": [
@@ -56062,11 +56390,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://twitter.com/M_haggis/status/900741347035889665",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
 "https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml"
 ],
 "tags": [
@@ -56168,9 +56496,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/",
 "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
 "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/",
+ "https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml"
 ],
 "tags": [
@@ -56203,10 +56531,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html",
+ "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d",
 "https://tria.ge/240301-rk34sagf5x/behavioral2",
 "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
- "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d",
- "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml"
 ],
 "tags": [
@@ -56262,10 +56590,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://ngrok.com/blog-post/new-ngrok-domains",
 "https://ngrok.com/",
 "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
 "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
- "https://ngrok.com/blog-post/new-ngrok-domains",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml"
 ],
 "tags": [
@@ -56285,6 +56613,40 @@
 "uuid": "18249279-932f-45e2-b37a-8925f2597670",
 "value": "Process Initiated Network Connection To Ngrok Domain"
 },
+ {
+ "description": "Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.\n",
+ "meta": {
+ "author": "@kostastsale",
+ "creation_date": "2024-01-26",
+ "falsepositive": [
+ "ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives."
+ ],
+ "filename": "net_connection_win_adws_unusual_connection.yml",
+ "level": "medium",
+ "logsource.category": "network_connection",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md",
+ "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b3ad3c0f-c949-47a1-a30e-b0491ccae876",
+ "value": "Uncommon Connection to Active Directory Web Services"
+ },
 {
 "description": "Detects initiated network connections to crypto mining pools",
 "meta": {
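Review bot: The new entry's `description` ends in a literal `\n` ("…associated with ADWS management.\n"), which looks like the trailing newline of a YAML block scalar carried over unchanged; the Kerberoasting entry added further down has the same trailing `\n`, and the wordpad entry visible in the dead-drop-resolver hunk shows it is systematic. A trailing newline inside a JSON string renders as a stray blank line in any UI that displays the galaxy, and it makes string comparison against the upstream rule text fail for no good reason. Stripping trailing whitespace from the description before serialising, so the value reads `"Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management."`, is a one-line fix in whatever produces this file; I am inferring the YAML origin from the shape of the text, since the generator is not in this patch.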
@@ -56298,9 +56660,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://www.poolwatch.io/coin/monero",
 "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt",
 "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files",
- "https://www.poolwatch.io/coin/monero",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml"
 ],
 "tags": [
@@ -56409,8 +56771,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
 "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
 "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml"
@@ -56487,8 +56849,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
 "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
+ "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -56682,9 +57044,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
 "https://twitter.com/forensicitguy/status/1513538712986079238",
 "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/",
- "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
 ],
 "tags": [
@@ -56717,10 +57079,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
- "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
 "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
 "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml"
 ],
 "tags": [
@@ -56857,9 +57219,9 @@
 "refs": [
 "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
 "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/",
- "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
 "https://github.com/kleiton0x00/RedditC2",
 "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
+ "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
 "https://twitter.com/kleiton0x7e/status/1600567316810551296",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml"
 ],
@@ -56886,7 +57248,7 @@
 }
 ],
 "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7",
- "value": "Potential Dead Drop Resolvers"
+ "value": "New Connection Initiated To Potential Dead Drop Resolver Domain"
 },
 {
 "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n",
@@ -57158,9 +57520,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
 ],
@@ -57263,9 +57625,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml"
 ],
@@ -57300,8 +57662,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
 "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
 ],
@@ -57534,9 +57896,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170",
- "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/",
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule",
+ "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/",
+ "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml"
 ],
 "tags": [
@@ -57777,8 +58139,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
 "https://twitter.com/duzvik/status/1269671601852813320",
+ "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
 ],
 "tags": [
@@ -57954,8 +58316,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -58154,9 +58516,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
 "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
+ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml"
 ],
 "tags": [
@@ -58189,8 +58551,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
 "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
 ],
 "tags": [
@@ -58385,9 +58747,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1490608838701166596",
 "https://www.x86matthew.com/view_post?id=create_svc_rpc",
 "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
+ "https://twitter.com/SBousseaden/status/1490608838701166596",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
 ],
 "tags": [
@@ -58420,8 +58782,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1101431884540710913",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625",
+ "https://twitter.com/SBousseaden/status/1101431884540710913",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
 ],
 "tags": [
@@ -58457,8 +58819,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml"
 ],
 "tags": [
@@ -58633,10 +58995,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
 ],
 "tags": [
@@ -58659,8 +59021,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
+ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
@@ -58870,9 +59232,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
 "tags": [
@@ -59006,9 +59368,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
- "https://github.com/topotam/PetitPotam",
 "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
+ "https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
 ],
 "tags": [
@@ -59095,6 +59457,40 @@
 "uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1",
 "value": "LSASS Access From Non System Account"
 },
+ {
+ "description": "This rule will collect the data needed to start looking into possible kerberoasting activity.\nFurther analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.\nYou can then set a threshold for the number of requests and time between the requests to turn this into an alert.\n",
+ "meta": {
+ "author": "@kostastsale",
+ "creation_date": "2022-01-21",
+ "falsepositive": [
+ "Legacy applications."
+ ],
+ "filename": "win_security_kerberoasting_activity.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://adsecurity.org/?p=3513",
+ "https://www.trustedsec.com/blog/art_of_kerberoast/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml"
+ ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1558.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d04ae2b8-ad54-4de0-bd87-4bc1da66aa59",
+ "value": "Kerberoasting Activity - Initial Query"
+ },
 {
 "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.",
 "meta": {
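Review bot: The new entry carries `"level": "medium"` while its own description says the rule only collects data and needs a request-count threshold over a 5-second window before it "turns into an alert", so any consumer that maps `level` straight to alert severity will treat every matching ticket request as a medium finding. If the upstream rule exposes a lifecycle/status field, carrying it into `meta` alongside `level` would let consumers tell a hunting query from a production detection; the `value` suffix "Initial Query" is the only hint today. Separately, `"logsource.category": "No established category"` is a sentinel string standing in for an absent field (the rule appears to be keyed on the `security` log rather than a category); omitting the key, or using one consistent `null`, would let consumers filter by category without special-casing that string, and the same sentinel appears in the other `builtin/security` entries of this file.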
@@ -59108,14 +59504,14 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
 "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
 "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://twitter.com/_xpn_/status/1268712093928378368",
 "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
@@ -59200,8 +59596,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.secureworks.com/blog/ransomware-as-a-distraction",
 "https://twitter.com/menasec1/status/1106899890377052160",
+ "https://www.secureworks.com/blog/ransomware-as-a-distraction",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
 ],
 "tags": [
@@ -59276,8 +59672,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=3466",
 "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
+ "https://adsecurity.org/?p=3466",
 "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
 ],
@@ -59419,9 +59815,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://www.sans.org/webcasts/119395",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -59473,8 +59869,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
 ],
 "tags": [
@@ -59507,10 +59903,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
- "https://twitter.com/MsftSecIntel/status/1257324139515269121",
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
 "tags": [
@@ -59685,8 +60081,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
@@ -59746,9 +60142,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
- "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
 "https://twitter.com/SBousseaden/status/1581300963650187264?",
+ "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
+ "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
 ],
 "tags": [
@@ -59815,8 +60211,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2053",
 "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
+ "https://adsecurity.org/?p=2053",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml"
 ],
 "tags": [
@@ -59952,9 +60348,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation",
- "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp",
 "https://x.com/_st0pp3r_/status/1742203752361128162?s=20",
 "https://github.com/deepinstinct/NoFilter",
+ "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml"
 ],
 "tags": [
@@ -60113,8 +60509,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
- "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml"
 ],
 "tags": [
@@ -60148,9 +60544,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
 "https://twitter.com/Flangvik/status/1283054508084473861",
 "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+ "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
 "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
 ],
@@ -60259,9 +60655,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
 "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
+ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml"
 ],
 "tags": [
@@ -60294,8 +60690,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
 ],
@@ -60684,9 +61080,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/fox-it/LDAPFragger",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://github.com/fox-it/LDAPFragger",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
 ],
 "tags": [
@@ -61060,10 +61456,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
 ],
 "tags": [
@@ -61097,8 +61493,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml"
 ],
 "tags": [
@@ -61534,8 +61930,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661",
+ "https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_password_policy_enumerated.yml"
 ],
 "tags": [
@@ -61749,8 +62145,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673",
+ "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
 ],
 "tags": [
@@ -61784,10 +62180,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/sensepost/ruler",
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
 "https://github.com/sensepost/ruler/issues/47",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
 "tags": [
@@ -61961,8 +62357,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
 ],
 "tags": [
@@ -62107,8 +62503,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
 "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
+ "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml"
 ],
 "tags": [
@@ -62277,8 +62673,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
 "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
+ "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml"
 ],
 "tags": [
@@ -62412,8 +62808,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
 "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml"
 ],
 "tags": [
@@ -62592,8 +62988,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
 "https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml"
 ],
 "tags": [
@@ -62626,11 +63022,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
 ],
 "tags": [
@@ -62663,8 +63059,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
 "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
+ "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml"
 ],
 "tags": [
@@ -62783,11 +63179,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -62820,11 +63216,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -62857,8 +63253,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/amjcyber/EDRNoiseMaker",
 "https://github.com/netero1010/EDRSilencer",
+ "https://github.com/amjcyber/EDRNoiseMaker",
 "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml"
 ],
@@ -62892,9 +63288,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml"
 ],
 "tags": [
@@ -62917,9 +63313,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml"
 ],
 "tags": [
@@ -62942,9 +63338,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml"
 ],
 "tags": [
@@ -62967,9 +63363,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml"
 ],
 "tags": [
@@ -62992,9 +63388,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml"
 ],
 "tags": [
@@ -63017,9 +63413,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml"
 ],
 "tags": [
@@ -63042,9 +63438,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml"
 ],
 "tags": [
@@ -63077,9 +63473,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml"
 ],
 "tags": [
@@ -63103,9 +63499,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/SBousseaden/status/1483810148602814466",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
 ],
 "tags": [
@@ -63128,9 +63524,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://twitter.com/wdormann/status/1590434950335320065",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml"
 ],
 "tags": [
@@ -63726,9 +64122,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
- "https://github.com/afwu/PrintNightmare",
 "https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/afwu/PrintNightmare",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml"
 ],
 "tags": [
@@ -64009,8 +64405,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
+ "https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
 ],
 "tags": [
@@ -64066,9 +64462,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml"
 ],
 "tags": [
@@ -64167,8 +64563,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
 "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml"
 ],
@@ -64202,8 +64598,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
 "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
+ "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
 "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
 ],
@@ -64305,8 +64701,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies",
 "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
+ "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml"
 ],
 "tags": [
@@ -64340,9 +64736,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
+ "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
 "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
 "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml"
 ],
 "tags": [
@@ -64417,9 +64813,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml"
 ],
 "tags": [
@@ -64494,8 +64890,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
 "https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml"
 ],
 "tags": [
@@ -64528,8 +64924,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
 "https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml"
 ],
 "tags": [
@@ -64552,9 +64948,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://www.youtube.com/watch?v=ebmW42YYveI",
 "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://twitter.com/FlemmingRiis/status/1217147415482060800",
 "https://twitter.com/VM_vivisector/status/1217190929330655232",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
@@ -64635,8 +65031,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml"
 ],
 "tags": [
@@ -64659,8 +65055,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml"
 ],
 "tags": [
@@ -64706,9 +65102,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
+ "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -64731,8 +65127,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml"
 ],
 "tags": [
@@ -64953,8 +65349,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
 "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml"
 ],
 "tags": [
@@ -65053,11 +65449,12 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
 "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
 "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
 "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
- "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://ipurple.team/2024/07/15/sharphound-detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -65106,8 +65503,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
 "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
+ "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
 ],
 "tags": [
@@ -65572,9 +65969,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60",
 "https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296",
 "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/",
+ "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml"
 ],
 "tags": [
@@ -65903,8 +66300,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml"
 ],
 "tags": [
@@ -66077,9 +66474,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://www.sans.org/webcasts/119395",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -66658,8 +67055,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
 ],
 "tags": [
@@ -66864,8 +67261,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
 "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml"
 ],
 "tags": [
@@ -66949,8 +67346,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml"
 ],
 "tags": [
@@ -67026,9 +67423,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1347958161609809921", - "https://twitter.com/jonasLyk/status/1347900440000811010", "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", + "https://twitter.com/jonasLyk/status/1347900440000811010", + "https://twitter.com/wdormann/status/1347958161609809921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], "tags": [ @@ -67094,8 +67491,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Ekultek/BlueKeep", "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/Ekultek/BlueKeep", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ @@ -67129,9 +67526,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" ], "tags": [ 
@@ -67164,9 +67561,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -67279,8 +67676,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml" ], "tags": [ @@ -67347,8 +67744,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml" ], "tags": [ 
@@ -67383,8 +67780,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml" ], "tags": [ @@ -67535,11 +67932,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://winaero.com/enable-openssh-server-windows-10/", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", - "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://winaero.com/enable-openssh-server-windows-10/", + "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ 
@@ -67652,6 +68049,29 @@
 "uuid": "0d18728b-f5bf-4381-9dcf-915539fff6c2",
 "value": "Suspicious Cobalt Strike DNS Beaconing - DNS Client"
 },
+ {
+ "description": "Detects DNS queries for subdomains related to \"Put.io\" sharing website.",
+ "meta": {
+ "author": "Omar Khaled (@beacon_exe)",
+ "creation_date": "2024-08-23",
+ "falsepositive": [
+ "Legitimate DNS queries and usage of Put.io"
+ ],
+ "filename": "win_dns_client_put_io.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_put_io.yml"
+ ],
+ "tags": [
+ "attack.command-and-control"
+ ]
+ },
+ "uuid": "8b69fd42-9dad-4674-abef-7fdef43ef92a",
+ "value": "DNS Query To Put.io - DNS Client"
+ },
 {
 "description": "Detects DNS resolution of an .onion address related to Tor routing networks",
 "meta": {
@@ -67844,9 +68264,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
 ],
 "tags": [
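Review bot: The new "DNS Query To Put.io - DNS Client" entry carries only the tactic tag `attack.command-and-control` and no technique-level tag, so the galaxy has nothing to relate this cluster to a specific ATT&CK technique; if the upstream `win_dns_client_put_io.yml` carries one (T1102 web service or T1071.004 DNS would be the natural candidates) the generator should have emitted it here, and if it does not, it is worth adding upstream first. The sole reference is one Medusa-ransomware OPSEC write-up, while Put.io is a legitimate consumer file-sharing service, so a `medium` level on any DNS query to its subdomains will be noisy wherever users rely on it; the `falsepositive` text could say so, e.g. `"Legitimate DNS queries and usage of Put.io - expected wherever the service is in normal use; baseline by host or user before alerting"`. Note that this cluster entry does not contain the rule's detection logic, so the exact subdomain pattern being matched has to be checked in the linked rule rather than inferred from the description.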
@@ -67893,10 +68313,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], "tags": [ @@ -67919,10 +68339,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], "tags": [ 
@@ -67945,10 +68365,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
 ],
 "tags": [
@@ -67959,7 +68379,7 @@
 "value": "Suspicious AppX Package Locations"
 },
 {
- "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain",
+ "description": "Detects an appx package added to the pipeline of the \"to be processed\" packages which was downloaded from a suspicious domain.\n",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2023-01-11",
@@ -67971,10 +68391,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
 ],
 "tags": [
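Review bot: The rewritten description for the `win_appxdeployment_server_susp_domains` entry ends with an embedded `\n` (`"...from a suspicious domain.\n"`), which none of the neighbouring descriptions carry and which looks like the trailing newline of a YAML block scalar in the upstream rule being copied verbatim by the generator. That stray newline will surface in the MISP UI and break any exact-string comparison against the description, so the conversion script should normalise it, e.g. `description = rule.get("description", "").strip()` (or `.rstrip("\n")` if internal line breaks are meant to be kept), so that every entry is treated the same way. The generator is not part of this hunk, so I cannot confirm where the string is assembled.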
@@ -68224,8 +68644,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ @@ -68268,11 +68688,11 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", - "https://hijacklibs.net/", "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://hijacklibs.net/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -68524,9 +68944,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/mattifestation/status/1196390321783025666", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml" ], "tags": [ 
@@ -68766,12 +69186,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -68815,10 +69235,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml" ], "tags": [ 
@@ -68926,10 +69346,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://thewover.github.io/Introducing-Donut/", - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://github.com/tyranid/DotNetToJScript", "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://thewover.github.io/Introducing-Donut/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -68963,8 +69383,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/", "https://www.qurium.org/alerts/targeted-malware-against-crph/", + "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml" ], "tags": [ @@ -69225,8 +69645,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", + "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ 
@@ -69270,10 +69690,10 @@ "logsource.product": "windows", "refs": [ "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/", - "https://twitter.com/Max_Mal_/status/1775222576639291859", "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/", - "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html", "https://twitter.com/DTCERT/status/1712785426895839339", + "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html", + "https://twitter.com/Max_Mal_/status/1775222576639291859", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml" ], "tags": [ @@ -69315,10 +69735,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/bohops/WSMan-WinRM", - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", + "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ @@ -69436,8 +69856,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://twitter.com/WhichbufferArda/status/1658829954182774784", + "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://securelist.com/apt-luminousmoth/103332/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], 
@@ -69629,7 +70049,7 @@
 "value": "Third Party Software DLL Sideloading"
 },
 {
- "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.",
+ "description": "Detect usage of the \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.",
 "meta": {
 "author": "frack113",
 "creation_date": "2022-12-31",
@@ -69839,8 +70259,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/",
 "https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/",
+ "https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml"
 ],
 "tags": [
@@ -70018,8 +70438,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/ly4k/SpoolFool",
 "https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/ly4k/SpoolFool",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
 ],
 "tags": [
@@ -70099,9 +70519,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
 "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true",
 "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql",
+ "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml"
 ],
 "tags": [
@@ -70228,9 +70648,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/StopMalvertisin/status/1648604148848549888", "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://www.roboform.com/", + "https://twitter.com/StopMalvertisin/status/1648604148848549888", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], "tags": [ @@ -70314,10 +70734,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", + "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://github.com/S12cybersecurity/RDPCredentialStealer", - "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", - "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" ], "tags": [ @@ -70494,8 +70914,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248", + "https://twitter.com/rbmaslen/status/1321859647091970051", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml" ], "tags": [ 
@@ -70825,10 +71245,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml" ], "tags": [ @@ -70956,8 +71376,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml" ], "tags": [ @@ -71311,8 +71731,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", + "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" ], "tags": [ 
@@ -71607,9 +72027,9 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://nmap.org/ncat/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/besimorhino/powercat", + "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ @@ -71743,8 +72163,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/bohops/WSMan-WinRM", - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -72365,8 +72785,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", "https://adsecurity.org/?p=2604", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ 
@@ -72400,10 +72820,10 @@ "logsource.product": "windows", "refs": [ "http://woshub.com/manage-windows-firewall-powershell/", - "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -72572,8 +72992,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/samratashok/ADModule", - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], "tags": [ 
@@ -72674,8 +73094,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ @@ -72775,8 +73195,8 @@ "logsource.product": "windows", "refs": [ "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml" ], "tags": [ @@ -72899,8 +73319,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" ], "tags": [ 
@@ -73031,24 +73451,24 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/samratashok/nishang", - "https://adsecurity.org/?p=2921", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/adrecon/ADRecon", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/adrecon/AzureADRecon", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/adrecon/ADRecon", + "https://adsecurity.org/?p=2921", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", 
"https://github.com/besimorhino/powercat", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -73138,8 +73558,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" ], "tags": [ 
@@ -73347,8 +73767,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", + "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ @@ -73604,8 +74024,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ @@ -73705,9 +74125,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", - "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/GhostPack/Rubeus", + "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" ], "tags": [ 
@@ -74035,8 +74455,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -74069,8 +74489,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml" ], "tags": [ @@ -74193,8 +74613,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", "https://github.com/Arno0x/DNSExfiltrator", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ 
@@ -74227,8 +74647,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -74294,8 +74714,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://t.co/ezOTGy1a1G", "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://t.co/ezOTGy1a1G", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" ], "tags": [ @@ -74483,8 +74903,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" ], "tags": [ 
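Review bot: The `posh_ps_prompt_credentials` refs in the `@@ -74294` hunk keep the shortened `https://t.co/ezOTGy1a1G` link, which goes through a third-party redirector, so an analyst cannot see where it leads and it may expire or be repointed. This is copied from the upstream Sigma rule, so the fix belongs upstream, but the generator could expand known shortener hosts or drop them when the resolved URL (here presumably the adjacent twitter.com status) is already present. The same hunk group also carries a plain-`http://` Talos reference that could be upgraded to `https://` at the source.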
@@ -74517,10 +74937,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2481", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://youtu.be/5mqid-7zp8k?t=2481", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -74618,8 +75038,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" ], "tags": [ 
@@ -74768,8 +75188,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md", + "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", "https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml" ], @@ -74838,9 +75258,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ @@ -74873,8 +75293,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" ], "tags": [ 
@@ -75063,10 +75483,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", - "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", - "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -75211,8 +75631,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ 
@@ -75331,9 +75751,9 @@ "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2277", - "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", + "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -75399,8 +75819,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], 
@@ -75534,9 +75954,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", + "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], "tags": [ @@ -75577,8 +75997,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.offensive-security.com/metasploit-unleashed/timestomp/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://www.offensive-security.com/metasploit-unleashed/timestomp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" ], "tags": [ @@ -75611,8 +76031,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://attack.mitre.org/datasources/DS0005/", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ 
@@ -75678,11 +76098,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", - "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" ], "tags": [ @@ -75775,8 +76195,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", + "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml" ], "tags": [ 
@@ -75799,9 +76219,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", - "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ @@ -75877,8 +76297,8 @@ "logsource.product": "windows", "refs": [ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -76069,8 +76489,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/NathanMcNulty/status/1569497348841287681", "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", + "https://twitter.com/NathanMcNulty/status/1569497348841287681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" ], "tags": [ 
@@ -76179,8 +76599,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://twitter.com/WindowsDocs/status/1620078135080325122", + "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml" ], "tags": [ @@ -76204,8 +76624,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1537919885031772161", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://twitter.com/nas_bench/status/1537919885031772161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" ], "tags": [ @@ -76381,8 +76801,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ 
@@ -76415,9 +76835,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/oroneequalsone/status/1568432028361830402", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://twitter.com/oroneequalsone/status/1568432028361830402", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ @@ -76519,8 +76939,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], @@ -76611,8 +77031,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" ], "tags": [ 
@@ -76779,8 +77199,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://techgenix.com/malicious-powershell-scripts-evade-detection/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ @@ -76855,8 +77275,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -77115,9 +77535,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", + "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ 
@@ -77291,8 +77711,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" ], "tags": [ @@ -77325,9 +77745,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ 
@@ -77393,10 +77813,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", - "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://twitter.com/ScumBots/status/1610626724257046529", + "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", + "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -77639,8 +78059,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4", "https://www.ietf.org/rfc/rfc2821.txt", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], "tags": [ 
@@ -77933,8 +78353,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/samratashok/ADModule", - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ @@ -78110,8 +78530,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb", "https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code", + "https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml" ], "tags": [ @@ -78209,8 +78629,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/8", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ 
@@ -78276,23 +78696,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/samratashok/nishang", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/besimorhino/powercat", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/AlsidOfficial/WSUSpendu/", + 
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -78325,8 +78745,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ 
@@ -78435,24 +78855,24 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/samratashok/nishang", - "https://adsecurity.org/?p=2921", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/adrecon/ADRecon", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/adrecon/AzureADRecon", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/adrecon/ADRecon", + "https://adsecurity.org/?p=2921", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", 
"https://github.com/besimorhino/powercat", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -78542,8 +78962,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" ], "tags": [ @@ -79063,8 +79483,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://twitter.com/cyb3rops/status/1659175181695287297", + "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml" ], "tags": [ @@ -79108,7 +79528,7 @@ } ], "uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", - "value": "Unusual File Download From File Sharing Websites" + "value": "Unusual File Download From File Sharing Websites - File Stream" }, { "description": "Detects the creation of a named file stream with the imphash of a well-known hack tool", 
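Review bot: In the `@@ -79108` hunk the `value` of cluster `ae02ed70-11aa-4a22-b397-c0d0e8f6ea99` is renamed to `Unusual File Download From File Sharing Websites - File Stream` while the uuid is kept, which is the right way to rename a galaxy entry since consumers key on the uuid; the suffix presumably disambiguates it from a same-titled rule in another log source. If the generator does not already assert that `value` and `uuid` are unique across the cluster, adding that check would catch such collisions before they reach the JSON rather than relying on the upstream title change.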
@@ -79124,16 +79544,16 @@ "logsource.product": "windows", "refs": [ "https://www.tarasco.org/security/pwdump_7/", - "https://github.com/outflanknl/Dumpert", - "https://github.com/ohpe/juicy-potato", - "https://github.com/topotam/PetitPotam", - "https://github.com/gentilkiwi/mimikatz", - "https://github.com/xuanxuan0/DripLoader", - "https://github.com/fortra/nanodump", - "https://github.com/hfiref0x/UACME", - "https://github.com/antonioCoco/RoguePotato", - "https://github.com/wavestone-cdt/EDRSandblast", "https://github.com/codewhitesec/HandleKatz", + "https://github.com/antonioCoco/RoguePotato", + "https://github.com/outflanknl/Dumpert", + "https://github.com/gentilkiwi/mimikatz", + "https://github.com/ohpe/juicy-potato", + "https://github.com/fortra/nanodump", + "https://github.com/wavestone-cdt/EDRSandblast", + "https://github.com/hfiref0x/UACME", + "https://github.com/topotam/PetitPotam", + "https://github.com/xuanxuan0/DripLoader", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml" ], "tags": [ @@ -79249,8 +79669,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" ], "tags": [ @@ -79305,7 +79725,7 @@ } ], "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464", - "value": "Suspicious File Download From File Sharing Websites" + "value": "Suspicious File Download From File Sharing Websites - File Stream" }, { "description": "Detects the download of suspicious file type from URLs with IP", 
@@ -79320,8 +79740,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
 "https://labs.withsecure.com/publications/detecting-onenote-abuse",
+ "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml"
 ],
 "tags": [
@@ -79355,8 +79775,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
- "https://github.com/codewhitesec/SysmonEnte/",
 "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
+ "https://github.com/codewhitesec/SysmonEnte/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml"
 ],
 "tags": [
@@ -79434,8 +79854,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/skelsec/pypykatz",
 "https://twitter.com/bh4b3sh/status/1303674603819081728",
+ "https://github.com/skelsec/pypykatz",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml"
 ],
 "tags": [
@@ -79470,8 +79890,8 @@ "logsource.product": "windows", "refs": [ "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", - "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], @@ -79539,8 +79959,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", + "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml" ], "tags": [ @@ -79678,9 +80098,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://twitter.com/SBousseaden/status/1541920424635912196", "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", - "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml" ], "tags": [ 
@@ -79713,8 +80133,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml" ], "tags": [ @@ -79951,8 +80371,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ @@ -80018,8 +80438,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1460597833917251595", - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml" ], "tags": [ 
@@ -80055,8 +80475,8 @@ "refs": [ "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml" ], @@ -80091,8 +80511,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/spawn", "https://github.com/boku7/injectAmsiBypass", + "https://github.com/boku7/spawn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ @@ -80406,10 +80826,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", - "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://threatpost.com/microsoft-petitpotam-poc/168163/", "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ 
@@ -80449,8 +80869,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/Maka8ka/NGLite", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", + "https://github.com/Maka8ka/NGLite", "https://github.com/nknorg/nkn-sdk-go", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], @@ -80696,12 +81116,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", - "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://github.com/corelight/CVE-2021-1675", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", + "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -80889,8 +81309,8 @@ "logsource.product": "zeek", "refs": [ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ 
@@ -81017,9 +81437,9 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ - "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm", "https://blog.router-switch.com/2013/11/show-running-config/", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html", + "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml" ], "tags": [ @@ -81838,10 +82258,10 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://core.telegram.org/bots/faq", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://core.telegram.org/bots/faq", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -81970,9 +82390,9 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], "tags": [ 
@@ -82063,10 +82483,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", + "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml" ], @@ -82101,9 +82521,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4", "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", - "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml" ], 
@@ -82179,10 +82599,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://www.spamhaus.org/statistics/tlds/", + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ @@ -82343,14 +82763,14 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", - "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", - "https://twitter.com/crep1x/status/1635034100213112833", - "https://perishablepress.com/blacklist/ua-2013.txt", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://twitter.com/crep1x/status/1635034100213112833", "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", + "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://perishablepress.com/blacklist/ua-2013.txt", + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ 
@@ -82383,8 +82803,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", + "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml" ], "tags": [ @@ -82417,8 +82837,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop", + "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml" ], "tags": [ @@ -82520,9 +82940,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://blog.talosintelligence.com/ipfs-abuse/", "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", - "https://blog.talosintelligence.com/ipfs-abuse/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml" ], "tags": [ 
@@ -82605,9 +83025,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", - "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -82877,8 +83297,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ @@ -83054,8 +83474,8 @@ "logsource.product": "No established product", "refs": [ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ 
@@ -83097,8 +83517,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", + "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml" ], "tags": [ @@ -83240,11 +83660,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", - "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", - "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ @@ -83313,8 +83733,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit", "https://github.com/pimps/JNDI-Exploit-Kit", + "https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml" ], "tags": [ 
@@ -83383,8 +83803,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], @@ -83453,9 +83873,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", - "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -83489,8 +83909,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" ], "tags": [ 
@@ -83525,11 +83945,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://brightsec.com/blog/sql-injection-payloads/", "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", + "https://brightsec.com/blog/sql-injection-payloads/", "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", "https://github.com/payloadbox/sql-injection-payload-list", + "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], "tags": [ @@ -83631,8 +84051,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://www.exploit-db.com/exploits/19525", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], @@ -83699,8 +84119,8 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ - "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml" ], "tags": [ 
@@ -83766,8 +84186,8 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ - "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://rules.sonarsource.com/java/RSPEC-2755", + "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" ], @@ -83869,8 +84289,8 @@ "logsource.category": "application", "logsource.product": "spring", "refs": [ - "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" ], "tags": [ @@ -83936,10 +84356,10 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ - "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", - "http://edgeguides.rubyonrails.org/security.html", - "http://guides.rubyonrails.org/action_controller_overview.html", "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", + "http://edgeguides.rubyonrails.org/security.html", + "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", + "http://guides.rubyonrails.org/action_controller_overview.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ 
@@ -83973,8 +84393,8 @@ "logsource.category": "application", "logsource.product": "velocity", "refs": [ - "https://antgarsil.github.io/posts/velocity/", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://antgarsil.github.io/posts/velocity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml" ], "tags": [ @@ -84861,8 +85281,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml" ], "tags": [ @@ -84918,8 +85338,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml" ], "tags": [ @@ -84975,8 +85395,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://security.padok.fr/en/blog/kubernetes-webhook-attackers", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://security.padok.fr/en/blog/kubernetes-webhook-attackers", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml" ], "tags": [ 
@@ -85026,8 +85446,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml" ], "tags": [ @@ -85051,8 +85471,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml" ], "tags": [ @@ -85149,8 +85569,8 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ - "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/", + "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml" ], "tags": [ 
@@ -85214,10 +85634,10 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ - "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer", "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html", + "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml" ], "tags": [ @@ -85281,8 +85701,8 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ - "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/", "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch", + "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml" ], "tags": [ 
@@ -85338,10 +85758,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ @@ -85364,10 +85784,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ 
@@ -85433,10 +85853,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -85477,10 +85897,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ 
@@ -85521,9 +85941,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], @@ -85557,12 +85977,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ 
@@ -85585,10 +86005,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ @@ -85630,8 +86050,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], 
@@ -85665,9 +86085,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], @@ -85701,10 +86121,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ 
@@ -85727,10 +86147,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ @@ -85763,10 +86183,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ 
@@ -85789,10 +86209,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ @@ -85816,9 +86236,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ 
@@ -85841,10 +86261,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ @@ -85946,8 +86366,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md", "https://www.loobins.io/binaries/xattr/", + "https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" ], "tags": [ 
@@ -85980,10 +86400,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", - "https://objective-see.org/blog/blog_0x6D.html", "https://ss64.com/osx/csrutil.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", + "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", + "https://objective-see.org/blog/blog_0x6D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml" ], "tags": [ @@ -86158,8 +86578,8 @@ "logsource.product": "macos", "refs": [ "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", - "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml" ], 
@@ -86193,9 +86613,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], "tags": [ @@ -86252,8 +86672,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://www.loobins.io/binaries/tmutil/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml" ], "tags": [ @@ -86286,9 +86706,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/MythicAgents/typhon/", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", + "https://github.com/MythicAgents/typhon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ 
@@ -86348,9 +86768,9 @@ "refs": [ "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md", - "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", "https://www.loobins.io/binaries/launchctl/", + "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml" ], "tags": [ @@ -86400,9 +86820,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://ss64.com/mac/hdiutil.html", "https://www.loobins.io/binaries/hdiutil/", - "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml" ], "tags": [ @@ -86494,9 +86914,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://ss64.com/osx/sw_vers.html", "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", - "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml" ], "tags": [ 
@@ -86529,9 +86949,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/MythicAgents/typhon/", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", + "https://github.com/MythicAgents/typhon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ @@ -86554,8 +86974,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/dscl.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos", + "https://ss64.com/osx/dscl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml" ], "tags": [ @@ -86589,9 +87009,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/dsenableroot.html", - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", + "https://ss64.com/osx/dsenableroot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ 
@@ -86707,9 +87127,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], "tags": [ @@ -86732,9 +87152,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://ss64.com/mac/hdiutil.html", "https://www.loobins.io/binaries/hdiutil/", - "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml" ], "tags": [ 
@@ -86862,6 +87282,39 @@ "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", "value": "File Time Attribute Change" }, + { + "description": "Detects enumeration of local network configuration", + "meta": { + "author": "remotephone, oscd.community", + "creation_date": "2020-10-06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_susp_system_network_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ] + }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "58800443-f9fc-4d55-ae0c-98a3966dfb97", + "value": "System Network Discovery - macOS" + }, { "description": "Detects the execution of \"sysctl\" with specific arguments that have been used by threat actors and malware. It provides system hardware information.\nThis process is primarily used to detect and avoid virtualization and analysis environments.\n", "meta": { 
@@ -86875,13 +87328,13 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://objective-see.org/blog/blog_0x1E.html", + "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", + "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", "https://www.loobins.io/binaries/sysctl/#", "https://evasions.checkpoint.com/techniques/macos.html", - "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", - "https://objective-see.org/blog/blog_0x1E.html", - "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", - "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml" ], "tags": [ @@ -87059,8 +87512,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/applescript/", "https://objective-see.org/blog/blog_0x4B.html", + "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" ], "tags": [ 
@@ -87184,8 +87637,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://redcanary.com/blog/applescript/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" ], "tags": [ @@ -87251,10 +87704,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", - "https://objective-see.org/blog/blog_0x6D.html", "https://ss64.com/osx/csrutil.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", + "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", + "https://objective-see.org/blog/blog_0x6D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml" ], "tags": [ @@ -87320,8 +87773,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", + "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" ], "tags": [ 
@@ -87457,8 +87910,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml", "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml" ], "tags": [ @@ -87537,39 +87990,6 @@ "uuid": "09a910bf-f71f-4737-9c40-88880ba5913d", "value": "Potential Base64 Decoded From Images" }, - { - "description": "Detects enumeration of local network configuration", - "meta": { - "author": "remotephone, oscd.community", - "creation_date": "2020-10-06", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_system_network_discovery.yml", - "level": "informational", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1016" - ] - }, - "related": [ - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "58800443-f9fc-4d55-ae0c-98a3966dfb97", - "value": "System Network Discovery - macOS" - }, { "description": "Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware", "meta": { 
@@ -87625,8 +88045,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ @@ -87733,9 +88153,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.loobins.io/binaries/nscurl/", "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd", "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl", + "https://www.loobins.io/binaries/nscurl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml" ], "tags": [ 
@@ -87903,12 +88323,12 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", - "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af", - "https://objective-see.org/blog/blog_0x62.html", "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://ss64.com/mac/system_profiler.html", + "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af", + "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://objective-see.org/blog/blog_0x62.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml" ], "tags": [ 
@@ -87970,6 +88390,66 @@ "uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", "value": "System Network Connections Discovery - MacOs" }, + { + "description": "Detects the execution of the \"chflags\" utility with the \"hidden\" flag, in order to hide files on MacOS.\nWhen a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.\n", + "meta": { + "author": "Omar Khaled (@beacon_exe)", + "creation_date": "2024-08-21", + "falsepositive": [ + "Legitimate usage of chflags by administrators and users." + ], + "filename": "proc_creation_macos_chflags_hidden_flag.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://ss64.com/mac/chflags.html", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "attack.t1564.004", + "attack.t1552.001", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe", + "value": "Hidden Flag Set On File/Directory Via Chflags - MacOS" + }, { "description": "Detects deletion of local audit logs", "meta": { @@ -88016,8 +88496,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://www.loobins.io/binaries/tmutil/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml" ], "tags": [ @@ -88225,8 +88705,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://www.loobins.io/binaries/tmutil/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml" ], "tags": [ @@ -88259,8 +88739,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.manpagez.com/man/8/PlistBuddy/", "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "https://www.manpagez.com/man/8/PlistBuddy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml" ], "tags": [ 
@@ -88489,10 +88969,10 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", - "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise", + "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ 
@@ -88560,10 +89040,10 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository", "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership", - "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration", "https://docs.github.com/en/migrations", + "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository", + "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_repo_or_org_transferred.yml" ], "tags": [ @@ -88744,8 +89224,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml" ], "tags": [ 
@@ -88797,8 +89277,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation", + "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml" ], "tags": [ @@ -88853,8 +89333,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ @@ -88877,8 +89357,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml" ], "tags": [ @@ -88911,8 +89391,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ 
@@ -88945,8 +89425,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://dataconomy.com/2023/10/23/okta-data-breach/", "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/", + "https://dataconomy.com/2023/10/23/okta-data-breach/", "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml" ], @@ -88993,9 +89473,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], "tags": [ @@ -89028,8 +89508,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ @@ -89052,8 +89532,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ 
@@ -89076,8 +89556,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml" ], "tags": [ @@ -89110,9 +89590,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": [ @@ -89135,8 +89615,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -89159,8 +89639,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ 
@@ -89183,8 +89663,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -89217,8 +89697,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -89241,8 +89721,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml" ], "tags": [ @@ -89275,9 +89755,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml" ], "tags": [ 
@@ -89310,8 +89790,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ @@ -89334,8 +89814,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ @@ -89360,8 +89840,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -89384,8 +89864,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ 
@@ -89420,8 +89900,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml" ], "tags": [ @@ -89454,8 +89934,8 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ - "https://help.duo.com/s/article/6327?language=en_US", "https://duo.com/docs/adminapi#logs", + "https://help.duo.com/s/article/6327?language=en_US", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml" ], "tags": [ @@ -89699,8 +90179,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ @@ -89860,8 +90340,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml" ], "tags": [ 
@@ -89920,9 +90400,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", + "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" ], "tags": [ @@ -90072,9 +90552,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -90199,8 +90679,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/pull/1214", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", + "https://github.com/elastic/detection-rules/pull/1214", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml" ], "tags": [ 
@@ -90250,8 +90730,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html", + "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml" ], @@ -90460,9 +90940,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html", - "https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things", "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/", + "https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml" ], "tags": [ 
@@ -90546,9 +91026,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", - "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", + "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" ], "tags": [ @@ -90737,13 +91217,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ 
@@ -90942,8 +91422,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/NetSPI/aws_consoler", "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/", + "https://github.com/NetSPI/aws_consoler", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml" ], "tags": [ @@ -91158,8 +91638,8 @@ "logsource.product": "gcp", "refs": [ "https://cloud.google.com/access-context-manager/docs/audit-logging", - "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", + "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml" ], "tags": [ @@ -91386,11 +91866,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", - "https://github.com/elastic/detection-rules/pull/1267", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://github.com/elastic/detection-rules/pull/1267", "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" ], "tags": [ 
@@ -91509,8 +91989,8 @@ "logsource.product": "gcp", "refs": [ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml" ], "tags": [ @@ -91557,9 +92037,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml" ], "tags": [ @@ -91582,8 +92062,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://support.google.com/a/answer/9261439", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings", + "https://support.google.com/a/answer/9261439", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml" ], "tags": [ 
@@ -91651,8 +92131,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml" ], "tags": [ @@ -91785,8 +92265,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html", + "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml" ], "tags": [ @@ -92126,8 +92606,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html", "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html", + "https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml" ], "tags": [ 
@@ -92251,11 +92731,11 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://www.sygnia.co/golden-saml-advisory", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://o365blog.com/post/aadbackdoor/", - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://www.sygnia.co/golden-saml-advisory", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml" ], "tags": [ @@ -92288,8 +92768,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://o365blog.com/post/aadbackdoor/", "https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/", + "https://o365blog.com/post/aadbackdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml" ], "tags": [ 
@@ -92838,6 +93318,30 @@
 "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c",
 "value": "User Removed From Group With CA Policy Modification Access"
 },
+ {
+ "description": "Detects changes to the \"StrongAuthenticationRequirement\" value, where the state is set to \"0\" or \"Disabled\".\nThreat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.\n",
+ "meta": {
+ "author": "Harjot Singh (@cyb3rjy0t)",
+ "creation_date": "2024-08-21",
+ "falsepositive": [
+ "Legitimate authorized activity."
+ ],
+ "filename": "azure_user_account_mfa_disable.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml"
+ ],
+ "tags": [
+ "attack.credential-access",
+ "attack.persistence"
+ ]
+ },
+ "uuid": "b18454c8-0be3-41f7-86bc-9c614611b839",
+ "value": "Multi Factor Authentication Disabled For User Account"
+ },
 {
 "description": "Monitor and alert for users added to device admin roles.",
 "meta": {
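Review bot: The new entry records `logsource.product` but not the Sigma `logsource.service`, so the only hint that this detection needs Entra ID audit-log events rather than sign-in logs is the `audit_logs` path segment inside the SigmaHQ ref; if the generator can emit `logsource.service` next to `logsource.product`, consumers would know which telemetry to collect. The description also reads `Also see in SIM Swap attacks.` where `Also seen in SIM swap attacks.` is meant; since this file is regenerated from the upstream rule, that wording should be corrected in SigmaHQ and regenerated rather than hand-edited here. One caveat worth carrying into the description, hedged because it comes from the property name rather than anything in this hunk: `StrongAuthenticationRequirement` presumably tracks the legacy per-user MFA setting, so a tenant that enforces MFA only through Conditional Access would not produce this event when MFA is weakened.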
@@ -93395,6 +93899,30 @@
 "uuid": "74298991-9fc4-460e-a92e-511aa60baec1",
 "value": "Added Owner To Application"
 },
+ {
+ "description": "Detects changes and updates to the user risk and MFA registration policy.\nAttackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.\n",
+ "meta": {
+ "author": "Harjot Singh (@cyb3rjy0t)",
+ "creation_date": "2024-08-13",
+ "falsepositive": [
+ "Known updates by administrators."
+ ],
+ "filename": "azure_update_risk_and_mfa_registration_policy.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy",
+ "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "d4c7758e-9417-4f2e-9109-6125d66dabef",
+ "value": "User Risk and MFA Registration Policy Updated"
+ },
 {
 "description": "Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.",
 "meta": {
@@ -93443,9 +93971,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487",
 "https://twitter.com/NathanMcNulty/status/1785051227568632263",
 "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/",
+ "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml"
 ],
 "tags": [
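Review bot: The tags on the new entry carry only `attack.persistence`, while its description says the policy changes are used to `Bypass MFA` and weaken security thresholds; the other MFA entry added by this same regeneration (`azure_user_account_mfa_disable.yml`) tags both `attack.credential-access` and `attack.persistence`, so the two should probably agree, and the fix belongs in the upstream rule's tags so that the next regeneration keeps it. The description also has an upstream typo, `Attackers can modified the policies`, which should read `Attackers can modify the policies`. Separately, `"logsource.category": "No established category"` is a sentinel string standing in for an absent value; omitting the key when the rule defines no category (or emitting `null`) would let consumers test for the field instead of comparing against a magic string, though that is a generator-level choice that affects every entry, not just this hunk.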
@@ -94084,8 +94612,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022", "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", + "https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml" ], "tags": [ @@ -94991,8 +95519,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml" ], "tags": [ @@ -95028,8 +95556,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml" ], "tags": [ 
@@ -95272,8 +95800,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml" ], "tags": [ @@ -95306,8 +95834,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml" ], "tags": [ @@ -95414,9 +95942,9 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" ], "tags": [ 
@@ -95588,8 +96116,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address", + "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml" ], "tags": [ @@ -95685,11 +96213,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" ], "tags": [ 
@@ -95738,11 +96266,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ @@ -95765,11 +96293,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ 
@@ -96354,11 +96882,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml"
 ],
 "tags": [
@@ -96466,11 +96994,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml"
 ],
 "tags": [
@@ -96618,11 +97146,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml"
 ],
 "tags": [
@@ -96656,11 +97184,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml"
 ],
 "tags": [
@@ -96940,9 +97468,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml"
 ],
@@ -96978,8 +97506,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
 "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml"
 ],
 "tags": [
@@ -97256,9 +97784,9 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
 ],
 "tags": "No established tags"
@@ -97279,10 +97807,10 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
 ],
 "tags": [
@@ -97305,9 +97833,9 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
 ],
 "tags": [
@@ -97375,9 +97903,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
+ "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
 "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
 "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
 ],
 "tags": [
@@ -97467,12 +97995,12 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
- "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
- "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
 "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
+ "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
+ "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
 ],
 "tags": [
@@ -97538,16 +98066,16 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
- "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
 "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
 "https://github.com/tennc/webshell",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
+ "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
 ],
 "tags": [
@@ -97580,10 +98108,10 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
 "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
- "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
 "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
+ "https://www.nextron-systems.com/?s=antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
 ],
 "tags": [
@@ -97716,10 +98244,10 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"
 ],
 "tags": [
@@ -97776,10 +98304,10 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml"
 ],
 "tags": [
@@ -97902,8 +98430,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "Self Experience",
 "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
+ "Self Experience",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml"
 ],
 "tags": [
@@ -97978,10 +98506,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/8/pam_tty_audit",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+ "https://linux.die.net/man/8/pam_tty_audit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
 ],
 "tags": [
@@ -98156,10 +98684,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
- "https://man7.org/linux/man-pages/man8/getcap.8.html",
- "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
 "https://mn3m.info/posts/suid-vs-capabilities/",
+ "https://man7.org/linux/man-pages/man8/getcap.8.html",
+ "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
+ "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
 ],
 "tags": [
@@ -98367,8 +98895,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
 "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
 ],
 "tags": [
@@ -98434,8 +98962,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
 "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
 ],
 "tags": [
@@ -98468,8 +98996,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml"
 ],
 "tags": [
@@ -98554,8 +99082,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
 "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
 ],
 "tags": [
@@ -98630,8 +99158,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/wget/",
 "https://linux.die.net/man/1/wget",
+ "https://gtfobins.github.io/gtfobins/wget/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml"
 ],
 "tags": [
@@ -98730,8 +99258,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/1/arecord",
 "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
+ "https://linux.die.net/man/1/arecord",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml"
 ],
 "tags": [
@@ -98764,10 +99292,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
- "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
- "https://linux.die.net/man/1/chage",
 "https://man7.org/linux/man-pages/man1/passwd.1.html",
+ "https://linux.die.net/man/1/chage",
+ "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
 ],
 "tags": [
@@ -98866,8 +99394,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://blog.aquasec.com/container-security-tnt-container-attack",
 "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
+ "https://blog.aquasec.com/container-security-tnt-container-attack",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml"
 ],
 "tags": [
@@ -98900,8 +99428,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
 "https://imagemagick.org/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
 "https://linux.die.net/man/1/import",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
 ],
@@ -98935,8 +99463,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
 "https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
 ],
@@ -99004,9 +99532,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
- "https://objective-see.org/blog/blog_0x68.html",
 "https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack",
+ "https://objective-see.org/blog/blog_0x68.html",
+ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml"
 ],
 "tags": [
@@ -99434,9 +99962,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://man7.org/linux/man-pages/man8/kmod.8.html",
 "https://linux.die.net/man/8/insmod",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
 ],
 "tags": [
@@ -99571,8 +100099,8 @@
 "refs": [
 "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content",
 "https://regex101.com/r/RugQYK/1",
- "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
 "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence",
+ "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml"
 ],
 "tags": [
@@ -99638,8 +100166,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
 "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
+ "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml"
 ],
 "tags": [
@@ -99720,8 +100248,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
 "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
+ "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml"
 ],
 "tags": [
@@ -100026,8 +100554,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1548/001/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
+ "https://attack.mitre.org/techniques/T1548/001/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
 ],
 "tags": [
@@ -100060,10 +100588,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml"
 ],
 "tags": [
@@ -100129,8 +100657,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml"
 ],
 "tags": [
@@ -100181,9 +100709,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/Tib3rius/AutoRecon",
 "https://github.com/projectdiscovery/naabu",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md",
- "https://github.com/Tib3rius/AutoRecon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml"
 ],
 "tags": [
@@ -100250,8 +100778,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
+ "https://github.com/sleventyeleven/linuxprivchecker/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml"
 ],
 "tags": [
@@ -100408,10 +100936,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml"
 ],
 "tags": [
@@ -100469,8 +100997,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://bpftrace.org/",
 "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
+ "https://bpftrace.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
 ],
 "tags": [
@@ -100673,9 +101201,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
 "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
 "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
- "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml"
 ],
 "tags": [
@@ -100750,8 +101278,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
 "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml"
 ],
 "tags": [
@@ -100792,10 +101320,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml"
 ],
 "tags": [
@@ -100819,8 +101347,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/diego-treitos/linux-smart-enumeration",
- "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
+ "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
 ],
 "tags": [
@@ -100877,10 +101405,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml"
 ],
 "tags": [
@@ -100914,9 +101442,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
 "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
 "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
- "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml"
 ],
 "tags": [
@@ -100975,8 +101503,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://twitter.com/matthieugarin/status/1183970598210412546",
+ "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
 ],
@@ -101019,9 +101547,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
 "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
- "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml"
 ],
 "tags": [
@@ -101088,8 +101616,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml"
 ],
 "tags": [
@@ -101190,10 +101718,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
- "https://linux.die.net/man/8/groupdel",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linux.die.net/man/8/groupdel",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
 "tags": [
@@ -101249,10 +101777,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
- "https://linux.die.net/man/8/userdel",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linux.die.net/man/8/userdel",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ],
 "tags": [
@@ -101285,10 +101813,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], "tags": [ @@ -101379,8 +101907,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", + "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" ], 
@@ -101422,15 +101950,15 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/Ne0nd0g/merlin", "https://github.com/pathtofile/bad-bpf", - "https://github.com/Pennyw0rth/NetExec/", "https://github.com/HavocFramework/Havoc", - "https://github.com/t3l3machus/Villain", - "https://github.com/1N3/Sn1per", - "https://github.com/carlospolop/PEASS-ng", - "https://github.com/Gui774ume/ebpfkit", "https://github.com/t3l3machus/hoaxshell", + "https://github.com/t3l3machus/Villain", + "https://github.com/Pennyw0rth/NetExec/", + "https://github.com/Gui774ume/ebpfkit", + "https://github.com/carlospolop/PEASS-ng", + "https://github.com/1N3/Sn1per", + "https://github.com/Ne0nd0g/merlin", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml" ], "tags": [ @@ -101530,8 +102058,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], 
@@ -101623,8 +102151,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml" ], "tags": [ @@ -101859,11 +102387,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://curl.se/docs/manpage.html", - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://twitter.com/d1r4c/status/1279042657508081664", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -102027,9 +102555,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.computerhope.com/unix/unohup.htm", "https://en.wikipedia.org/wiki/Nohup", "https://gtfobins.github.io/gtfobins/nohup/", - "https://www.computerhope.com/unix/unohup.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": [ 
@@ -102095,8 +102623,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", + "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml" ], "tags": [ @@ -102162,8 +102690,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" ], "tags": [ @@ -102257,11 +102785,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", - "https://www.revshells.com/", - "https://www.infosecademy.com/netcat-reverse-shells/", "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.infosecademy.com/netcat-reverse-shells/", + "https://www.revshells.com/", + "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ 
@@ -102393,8 +102921,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/arget13/DDexec", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", + "https://github.com/arget13/DDexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" ], "tags": [ @@ -102493,9 +103021,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/rvim/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/vimdiff/", + "https://gtfobins.github.io/gtfobins/rvim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" ], "tags": [ @@ -102528,10 +103056,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], "tags": [ 
@@ -102587,9 +103115,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", "https://bpftrace.org/", - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" ], "tags": [ @@ -102646,10 +103174,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], "tags": [ @@ -102682,9 +103210,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", - "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], "tags": [ 
@@ -102750,8 +103278,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" ], "tags": [ @@ -102784,10 +103312,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", "https://linuxhint.com/uninstall_yum_package/", - "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://linuxhint.com/uninstall-debian-packages/", + "https://sysdig.com/blog/mitre-defense-evasion-falco", + "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], "tags": [ @@ -103071,8 +103599,8 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" ], "tags": [ 
@@ -103205,11 +103733,11 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html", - "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team", - "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections", - "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", + "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", + "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html", + "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections", + "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml" ], "tags": [ 
@@ -103425,10 +103953,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", - "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", - "https://artkond.com/2017/03/23/pivoting-guide/", "http://pastebin.com/FtygZ1cg", + "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", + "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -103661,8 +104189,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], 
@@ -103853,8 +104381,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://access.redhat.com/security/cve/cve-2019-14287", "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], @@ -104029,8 +104557,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", + "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ @@ -104117,5 +104645,5 @@ "value": "Modifying Crontab" } ], - "version": 20240820 + "version": 20240902 } From 1640effc6aec3c4d2d32571cb1f9b640dd44f251 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 2 Sep 2024 10:30:47 +0200 Subject: [PATCH 10/36] chg: [ransomware] updated --- clusters/ransomware.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 602c7a3..3ca0ead 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -29447,7 +29447,8 @@ "meta": { "links": [ "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion", - "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/b/" + "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/b/", + "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/blogs.html" ], "refs": [ "https://www.ransomlook.io/group/pyrx" 
@@ -29628,5 +29629,5 @@ "value": "helldown" } ], - "version": 131 + "version": 132 } From d0b2e3e45621ad33b68abe1ec307bcd04bca1b0c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 2 Sep 2024 10:41:59 +0200 Subject: [PATCH 11/36] chg: [tidal] updated --- clusters/tidal-campaigns.json | 645 ++++- clusters/tidal-groups.json | 1651 ++++++++++++- clusters/tidal-references.json | 2597 +++++++++++++------- clusters/tidal-software.json | 4174 +++++++++++++++++++++++++++++--- 4 files changed, 7689 insertions(+), 1378 deletions(-) diff --git a/clusters/tidal-campaigns.json b/clusters/tidal-campaigns.json index 6375c9e..996d30a 100644 --- a/clusters/tidal-campaigns.json +++ b/clusters/tidal-campaigns.json @@ -15,7 +15,10 @@ "campaign_attack_id": "C0028", "first_seen": "2015-12-01T05:00:00Z", "last_seen": "2016-01-01T05:00:00Z", - "source": "MITRE" + "source": "MITRE", + "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" + ] }, "related": [], "uuid": "96e367d0-a744-5b63-85ec-595f505248a3", @@ -27,7 +30,10 @@ "campaign_attack_id": "C0025", "first_seen": "2016-12-01T05:00:00Z", "last_seen": "2016-12-01T05:00:00Z", - "source": "MITRE" + "source": "MITRE", + "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" + ] }, "related": [], "uuid": "06197e03-e1c1-56af-ba98-5071f98f91f1", @@ -39,7 +45,10 @@ "campaign_attack_id": "C0034", "first_seen": "2022-06-01T04:00:00Z", "last_seen": "2022-10-01T04:00:00Z", - "source": "MITRE" + "source": "MITRE", + "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" + ] }, "related": [], "uuid": "a79e06d1-df08-5c72-9180-2c373274f889", 
@@ -103,6 +112,110 @@ "uuid": "d25f0485-fdf3-4b85-b2ec-53e98e215d0b", "value": "2023 Zoho ManageEngine APT Exploits" }, + { + "description": "AMBERSQUID is a \"cloud-native\" financially motivated threat operation that specifically leverages AWS services. Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]", + "meta": { + "campaign_attack_id": "C5031", + "first_seen": "2022-05-01T00:00:00Z", + "last_seen": "2023-03-31T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2e5f6e4a-4579-46f7-9997-6923180815dd", + "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "cf42d51a-8002-4f04-a930-21c15115769f", + "value": "AMBERSQUID" + }, + { + "description": "In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.\n\nAndariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. 
The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023 and referenced public threat reporting published from March 2021 through May 2024.[[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]", + "meta": { + "campaign_attack_id": "C5048", + "first_seen": "2021-03-01T00:00:00Z", + "last_seen": "2024-05-30T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "4f4744b0-8401-423c-9ed0-3cb2985d9fd3", + "ddfaecd0-bd3e-41ac-85c7-ca2156684343", + "0dbed83d-af67-4ce0-a1ee-16f1165fdc0f", + "6422a882-7606-4aa3-b994-f917f53c2ada", + "c1b123d2-ce58-4345-8482-d1da27b3c053", + "f166e59e-9877-4102-a39b-fae38df4b790", + "6a82d685-3f77-498d-91c3-a759292ec2da", + "a32a757a-9d6b-43ca-ac4b-5f695dd0f110", + "ac70560d-c3e7-4b40-a4d6-a3287e3d952b", + "75f62312-a7ee-4534-8c8a-e3b7366a3a4b", + "887d1cfe-d0c5-431c-8dce-0e1b9a2505aa", + "96eec53f-355c-406c-87ba-18c3be4c69a1", + "54fafdbe-1ea0-4f48-99ad-757c8fe50df2", + "35b334ec-4169-4898-ab90-487eea7feb69", + "4ac4e1b9-2192-47ac-a4d1-3a31aa0f2140", + "936a56f5-a4f1-42d8-83b7-c44399ead661", + "0d19ceed-28f6-4258-b365-f6e6f296121d", + "037cc75c-9683-49db-aaa8-c8142763bb87", + "ff71ed89-8355-4abc-9da4-eb4768a38c9c", + "6fade0a3-0c26-4a11-b81e-25d20e38bdd3", + "3b54d8a5-580f-43bf-a12d-8e011f953bad", + "0f6e72e1-ba8f-4d1d-920d-d8945a4fee59", + "7bbc5366-897a-4505-bc68-3a18e3d4cf44", + "4cd85398-c33a-4374-9a76-2bbf297cca63", + "5ec8231e-70e9-4675-b922-368bcb9e914a", + "21c64d34-e52a-42ba-a8c7-85aa82dc0b3f", + "cd9ab9e7-248f-4097-b120-a42834ce0f89", + 
"91ddbeac-b587-4978-a80d-543a5d96cb77", + "b8448700-7ed0-48b8-85f5-ed23e0d9ab97", + "12b074b9-6748-4ad7-880f-836cb80587e1", + "45f92502-0775-4fc6-8fcd-97b325ea49a9", + "cddb4563-fe90-4c72-be81-6256d175a698", + "69f278d7-194f-42d0-8f83-11de9f861264", + "f0c58aa3-5d21-4ade-95a0-b775dde7e8a3", + "5f9b1c23-81f8-4aa3-8d97-235302e77eec", + "d842c7ff-e3d3-4534-9ed7-283752f4bbe2", + "ecd84106-2a5b-4d25-854e-b8d1f57f6b75", + "7e6ef160-8e4f-4132-bdc4-9991f01c472e", + "532b7819-d407-41e9-9733-0d716b69eb17", + "e401022a-36ac-486d-8503-dd531410a927", + "173e1480-8d9b-49c5-854d-594dde9740d6", + "7551097a-dfdd-426f-aaa2-a2916dd9b873", + "c475ad68-3fdc-4725-8abc-784c56125e96", + "08809fa0-61b6-4394-b103-1c4d19a5be16", + "4ac8dcde-2665-4066-9ad9-b5572d5f0d28", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ] + }, + "related": [], + "uuid": "458dc371-5dc2-4e6c-8157-3a872dd29726", + "value": "Andariel Espionage Activity" + }, + { + "description": "Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. 
Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).[[Esentire 5 8 2024](/references/67c3a7ed-e2e2-4566-aca7-61e766f177bf)]", + "meta": { + "campaign_attack_id": "C5038", + "first_seen": "2024-04-01T00:00:00Z", + "last_seen": "2024-04-30T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "2b869157-0b66-42fc-8ead-171160412660", + "value": "April 2024 FIN7 Malvertising Campaign" + }, { "description": "In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.[[U.S. 
CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]", "meta": { 
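Review bot: The new `Andariel Espionage Activity` entry sets `first_seen` 2021-03-01 and `last_seen` 2024-05-30 although its own description states that the advisory does not clearly identify when the activity was observed and that the span comes from the public reporting it cites (March 2021 through May 2024); a consumer treating these fields as observed-activity bounds would be misled. The three added descriptions also link to `/references/<uuid>`, a path relative to the Tidal application that does not resolve from a MISP galaxy, and the `tags` arrays are bare UUIDs with no lookup in this file; the diffstat shows `clusters/tidal-references.json` is updated in the same patch, so the reference UUIDs can presumably be resolved against it, but nothing in this cluster says so. Since this file appears to be imported from Tidal rather than hand-edited, the fixes belong in the import step: omit or annotate `first_seen`/`last_seen` when the source marks them as derived from reporting dates, and rewrite the relative reference links to something resolvable or document how to resolve them.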
@@ -178,6 +291,54 @@ "uuid": "80ae546a-70e5-4427-be1d-e74efc428ffd", "value": "APT29 TeamCity Exploits" }, + { + "description": "On July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.\n\nThe advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.[[U.S. 
CISA APT40 July 8 2024](/references/3bf90a48-caf6-4b9d-adc2-3d1176f49ffc)]", + "meta": { + "campaign_attack_id": "C5047", + "first_seen": "2022-04-01T00:00:00Z", + "last_seen": "2022-09-30T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "758c3085-2f79-40a8-ab95-f8a684737927", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "375983b3-6e87-4281-99e2-1561519dd17b", + "3ed2343c-a29c-42e2-8259-410381164c6a", + "a46c422c-5dad-49fc-a4ac-169a075a4d9a", + "2eeef0b4-08b5-4d25-84f7-25d41fe6305b", + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "7e6ef160-8e4f-4132-bdc4-9991f01c472e", + "b20e7912-6a8d-46e3-8e13-9a3fc4813852" + ] + }, + "related": [], + "uuid": "3db5682a-0b99-4653-b487-bd0d30292a19", + "value": "APT40 Recent Tradecraft" + }, + { + "description": "In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. 
The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]", + "meta": { + "campaign_attack_id": "C5049", + "first_seen": "2023-03-21T00:00:00Z", + "last_seen": "2024-07-16T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "ea6266fd-50a7-4223-ade3-e60c3467f540", + "value": "APT41 2023-2024 Persistence & Exfiltration Activity" + }, { "description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)] The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]", "meta": { 
@@ -201,6 +362,102 @@
 "uuid": "ccc6401a-b79f-424b-8617-3c2d55475584",
 "value": "ArcaneDoor"
 },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.[[Www.invictus-ir.com 1 11 2024](/references/5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9)]",
+ "meta": {
+ "campaign_attack_id": "C5035",
+ "first_seen": "2024-01-01T00:00:00Z",
+ "last_seen": "2024-01-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2e5f6e4a-4579-46f7-9997-6923180815dd",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "9779935d-e316-4482-bec8-3d0704a26dc0",
+ "value": "AWS Data Theft & Ransom Attack"
+ },
+ {
+ "description": "Security researchers observed adversary activity that involved deployment of hundreds of AWS ECS Fargate clusters used to run XMRig cryptomining software. 
Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.[[Datadog ECS January 19 2024](/references/7e4e44a7-b079-41af-b41d-176ba7e99563)]",
+ "meta": {
+ "campaign_attack_id": "C5032",
+ "first_seen": "2023-12-01T00:00:00Z",
+ "last_seen": "2024-01-19T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2e5f6e4a-4579-46f7-9997-6923180815dd",
+ "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "a94a5919-953e-4607-aaa4-dfccf6d938b5",
+ "value": "AWS Fargate Cryptojacking Activity"
+ },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.[[Unit 42 12 8 2022](/references/e7a4a0cf-ffa2-48cc-9b21-a2333592c773)]",
+ "meta": {
+ "campaign_attack_id": "C5033",
+ "first_seen": "2022-05-20T00:00:00Z",
+ "last_seen": "2022-05-20T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2e5f6e4a-4579-46f7-9997-6923180815dd",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "64bddb9e-8bb4-481e-851a-0ddd7ba34615",
+ "value": "AWS Lambda Credential Theft & Phishing Attack"
+ },
+ {
+ "description": "Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. 
The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.[[Rapid7 Blog 5 10 2024](/references/ba749fe0-1ac7-4767-85df-97e6351c37f9)][[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]",
+ "meta": {
+ "campaign_attack_id": "C5037",
+ "first_seen": "2024-04-15T00:00:00Z",
+ "last_seen": "2024-05-15T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "b6ce227e-7240-4591-a8b9-641822c1f9f4",
+ "value": "Black Basta Operator Social Engineering Campaign"
+ },
+ {
+ "description": "This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. 
Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.",
+ "meta": {
+ "campaign_attack_id": "C5029",
+ "first_seen": "2023-03-01T00:00:00Z",
+ "last_seen": "2024-02-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "84615fe0-c2a5-4e07-8957-78ebc29b4635",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "0e3a0fa7-78eb-4820-9881-d62b04fe6f92",
+ "value": "Bumblebee Distribution Campaigns 2023-24"
+ },
 {
 "description": "[C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researcher assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) began by at least late 2020, and was still ongoing as of mid-2022.[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]",
 "meta": {
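Review bot: The AWS Data Theft & Ransom Attack object (C5035) has `first_seen` and `last_seen` both set to `"2024-01-01T00:00:00Z"`, which reads like a default rather than an observed activity window; the cited report is dated 11 January 2024, and a zero-length campaign beginning at midnight on New Year's Day is unlikely to be a genuine observation. Consumers that sort campaigns or build timelines from these fields will render it as a one-day event. Unless the cluster schema requires the two keys, omitting them when the source gives no dates would be more honest than a placeholder, and the same check applies to the Lambda object (C5033), whose two dates are also identical, and to the DangerDev object in the @@ -385 hunk, which starts on the same `2024-01-01`.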
@@ -350,6 +607,24 @@
 "uuid": "f20c935b-e0c5-4941-b710-73cf06dd2b4a",
 "value": "Clop MOVEit Transfer Vulnerability Exploitation"
 },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
+ "meta": {
+ "campaign_attack_id": "C5026",
+ "first_seen": "2023-11-14T00:00:00Z",
+ "last_seen": "2023-11-24T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4",
+ "value": "Cloudflare Thanksgiving 2023 security incident"
+ },
 {
 "description": "[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]",
 "meta": {
@@ -370,6 +645,7 @@
 "last_seen": "2024-02-01T05:00:00Z",
 "source": "MITRE",
 "tags": [
+ "fe984a01-910d-4e39-9c49-179aa03f75ab",
 "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
 "758c3085-2f79-40a8-ab95-f8a684737927",
 "af5e9be5-b86e-47af-91dd-966a5e34a186",
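Review bot: The description of the Cloudflare Thanksgiving 2023 object (C5026) is boilerplate — `This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity.` — and never says what the activity was; only the `value` carries that information and `related` is `[]`, so a reader of the cluster has nothing else to go on. A one-sentence summary of the incident with its source citation, in the style of the other new entries in this commit, would make the object self-describing. The same placeholder text is used for C5025 (HPE Midnight Blizzard Office 365 Email Exfiltration) in the @@ -447 hunk and for C5027 (Microsoft Midnight Blizzard Breach) in the @@ -567 hunk.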
@@ -385,6 +661,24 @@
 "uuid": "4e605e33-57fe-5bb2-b0ad-ec146aac041b",
 "value": "Cutting Edge"
 },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an \"accidentally exposed long term access key belonging to an IAM user\". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining acitivty, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.[[Www.invictus-ir.com 1 31 2024](/references/803a084a-0468-4c43-9843-a0b5652acdba)]",
+ "meta": {
+ "campaign_attack_id": "C5034",
+ "first_seen": "2024-01-01T00:00:00Z",
+ "last_seen": "2024-01-31T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2e5f6e4a-4579-46f7-9997-6923180815dd",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "8ee9d9f1-9906-4f0d-a4a7-0e6ed1aa4069",
+ "value": "DangerDev AWS Attack"
+ },
 {
 "description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]",
 "meta": {
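Review bot: The DangerDev AWS Attack description (C5034) misspells `acitivty`; the phrase should read `carry out limited cryptomining activity`. The same kind of typo appears in later hunks: `Tukery` for `Turkey` in the Molerats description (@@ -567 hunk) and `vacany` for `vacancy` in the Operation In(ter)ception description (@@ -652 hunk). The text appears to be imported from Tidal Cyber, so the correction may belong upstream or in the generator, but these strings are what analysts search on and are worth fixing wherever the import is maintained.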
@@ -412,6 +706,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
 "2743d495-7728-4a75-9e5f-b64854039792",
 "ecd84106-2a5b-4d25-854e-b8d1f57f6b75",
 "a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530",
@@ -447,6 +742,41 @@
 "uuid": "94587edf-0292-445b-8c66-b16629597f1e",
 "value": "FunnyDream"
 },
+ {
+ "description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]",
+ "meta": {
+ "campaign_attack_id": "C5042",
+ "first_seen": "2023-08-01T00:00:00Z",
+ "last_seen": "2024-06-24T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c"
+ ]
+ },
+ "related": [],
+ "uuid": "1610257c-e2fc-4b05-bd63-5c2cbfb2342e",
+ "value": "Healthcare Social Engineering & Payment Diversion Activity"
+ },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. 
Further background & contextual details can be found in the References tab below.",
+ "meta": {
+ "campaign_attack_id": "C5025",
+ "first_seen": "2023-05-01T00:00:00Z",
+ "last_seen": "2023-12-12T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "d1244338-85dd-4650-989a-9df8020860b9",
+ "value": "HPE Midnight Blizzard Office 365 Email Exfiltration"
+ },
 {
 "description": "In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]\n\n**Related Vulnerabilities**: CVE-2021-44228[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]",
 "meta": {
@@ -486,6 +816,9 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "3ed2343c-a29c-42e2-8259-410381164c6a",
+ "375983b3-6e87-4281-99e2-1561519dd17b",
+ "64d3f7d8-30b7-4b03-bee2-a6029672216c",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "7e7b0c67-bb85-4996-a289-da0e792d7172",
 "15787198-6c8b-4f79-bf50-258d55072fee",
@@ -505,7 +838,7 @@
 "value": "Iranian IRGC Data Extortion Operations"
 },
 {
- "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background & contextual details can be found in the References tab below.",
+ "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Cutting Edge\" (Campaign). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nThis object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to joint Cybersecurity Advisory AA24-060B, which detailed recent exploits of vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure VPN and gateway appliances by unspecified threat actors. Further background & contextual details can be found in the References tab below.",
 "meta": {
 "campaign_attack_id": "C5017",
 "first_seen": "2023-12-01T00:00:00Z",
@@ -527,7 +860,24 @@
 },
 "related": [],
 "uuid": "c2544d1d-3c99-4601-86fe-8b62020aaffc",
- "value": "Ivanti Gateway Vulnerability Exploits"
+ "value": "Ivanti Gateway Vulnerability Exploits (Deprecated)"
+ },
+ {
+ "description": "JOKERSPY (aka REF9134) was an intrusion involving a Python-based backdoor, which was used to deploy a malicious macOS-based enumeration tool called Swiftbelt and other open-source tools.[[elastic.co 6 21 2023](/references/42c40ec8-f46a-48fa-bd97-818e3d3d320e)]",
+ "meta": {
+ "campaign_attack_id": "C5036",
+ "first_seen": "2023-05-31T00:00:00Z",
+ "last_seen": "2023-06-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "c44d9a29-3025-40b3-8c12-45390597cc0f",
+ "value": "JOKERSPY Intrusion"
 },
 {
 "description": "In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller (\"ADC\") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]\n\nAfter achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. 
The web shell enabled subsequent information discovery on the victim's Active Directory (\"AD\"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segementation controls for the ADC appliance blocked this attempted activity.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is \"consistent with previous operations by China-nexus actors\".[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]\n\n**Related Vulnerabilities**: CVE-2023-3519[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]", 
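Review bot: The renamed Ivanti object (`"Ivanti Gateway Vulnerability Exploits (Deprecated)"`) points readers to MITRE's "Cutting Edge" campaign only in prose, while its `related` array — visible as context at the top of this hunk — stays `[]`. The Cutting Edge cluster is present in this same file with uuid `4e605e33-57fe-5bb2-b0ad-ec146aac041b` (context in the @@ -385 hunk), so the supersession can be made machine-readable with `"related": [{"dest-uuid": "4e605e33-57fe-5bb2-b0ad-ec146aac041b", "type": "similar"}]`, letting tooling that follows galaxy relationships land on the maintained object rather than the deprecated one. The enclosing object starts before the hunk.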
@@ -567,6 +917,75 @@
 "uuid": "f4225d6a-8734-401f-aa2a-1a73c23b16e6",
 "value": "LockBit Affiliate Citrix Bleed Exploits"
 },
+ {
+ "description": "The DFIR Report researchers reported about activity taking place in May 2023, which saw an adversary, attributed to FIN11 and Lace Tempest, achieve initial access into a victim environment via a spearphishing email, leading to the download of Truebot malware. Several other tools and malware were then subsequently used to move laterally, discover and collect victim information, exfiltrate it, and ultimately deploy a wiper. These included: FlawedGrace, Cobalt Strike, Impacket, various native utilities, and MBR Killer. In total, the activity lasted for 29 hours.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]",
+ "meta": {
+ "campaign_attack_id": "C5021",
+ "first_seen": "2023-05-01T00:00:00Z",
+ "last_seen": "2023-05-31T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "f74885c3-c39b-4db4-ab4f-2990929450a2",
+ "value": "May 2023 Exfiltration & Wiper Activity (Truebot + FlawedGrace + MBR Killer)"
+ },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. 
Further background & contextual details can be found in the References tab below.",
+ "meta": {
+ "campaign_attack_id": "C5027",
+ "first_seen": "2023-11-30T00:00:00Z",
+ "last_seen": "2024-01-12T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "4c01ad48-6a09-462a-abf4-24ba0a4cea56",
+ "value": "Microsoft Midnight Blizzard Breach"
+ },
+ {
+ "description": "Researchers observed a campaign that took place in the latter half of 2021, apparently directed at individuals representing financial and political figures in Palestine and Tukery, that used malicious, macro-based Microsoft Office files to compromise victim systems with the aim of installing a .NET-based backdoor tool. Researchers attributed the activity to the Molerats APT group.[[Zscaler Molerats Campaign](/references/3b39e73e-229f-4ff4-bec3-d83e6364a66e)]",
+ "meta": {
+ "campaign_attack_id": "C5022",
+ "first_seen": "2021-07-01T00:00:00Z",
+ "last_seen": "2021-12-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "f1922702-2c16-496e-9d21-f32fc9c6daee",
+ "value": "Molerats 2021 Backdoor Delivery Campaign"
+ },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. 
Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]",
+ "meta": {
+ "campaign_attack_id": "C5039",
+ "first_seen": "2023-08-01T00:00:00Z",
+ "last_seen": "2024-05-28T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "6e63729b-6483-4a87-923c-2de179a32f17",
+ "value": "Moonstone Sleet Operations"
+ },
 {
 "description": "[Night Dragon](https://app.tidalcyber.com/campaigns/85f136b3-d5a3-4c4c-a37c-40e4418dc989) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[[McAfee Night Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]",
 "meta": {
@@ -579,6 +998,24 @@
 "uuid": "85f136b3-d5a3-4c4c-a37c-40e4418dc989",
 "value": "Night Dragon"
 },
+ {
+ "description": "According to details published by Okta Security, threat actors gained unauthorized access to Okta’s customer support management system from September 28 to October 17, 2023. Initial access to the system was believed to have been achieved after an employee signed into a personal cloud account on their Okta-managed laptop and saved the legitimate credentials for an Okta service account into that cloud profile. Okta Security believes the personal cloud account was most likely compromised (through unspecified means), exposing the Okta service account credentials.\n\nAfter gaining access to the Okta customer support management system using the valid service account credentials, the threat actor accessed HTTP Archive (HAR) files provided by Okta customers, which can contain cookies and session tokens. Okta indicated that the threat actor used session tokens compromised during the incident to hijack the legitimate Okta sessions of at least five customers. The threat actor is also believed to have run and downloaded a report that contained the names and email addresses of all Okta customer support system users. 
Considering that customers’ names and email addresses were downloaded, Okta Security indicated that they assessed there is an increased risk of phishing and social engineering attacks directed at those users following the incident.[[Okta HAR Files Incident Notice](/references/14855034-494e-477d-8c91-fc534fd7790d)][[Okta HAR Files RCA](/references/742d095c-9bd1-4f4a-8bc6-16db6d15a9f4)][[Okta HAR Files Incident Update](/references/5e09ab9c-8cb2-49f5-b65f-fd5447e71ef4)]",
+ "meta": {
+ "campaign_attack_id": "C5023",
+ "first_seen": "2023-09-28T00:00:00Z",
+ "last_seen": "2023-10-17T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "a11d1575-5487-41cd-83b5-1601aa9d5487",
+ "value": "Okta Customer Support Security Incident"
+ },
 {
 "description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]",
 "meta": {
@@ -586,7 +1023,11 @@
 "first_seen": "2022-03-01T00:00:00Z",
 "last_seen": "2022-04-01T00:00:00Z",
 "owner": "TidalCyberIan",
- "source": "Tidal Cyber"
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
 },
 "related": [],
 "uuid": "0496e076-1813-4f51-86e6-8f551983e8f8",
@@ -652,6 +1093,23 @@
 "uuid": "f741ed36-2d52-40ae-bbdc-70722f4071c7",
 "value": "Operation Honeybee"
 },
+ {
+ "description": "Operation In(ter)ception refers to a series of threat activities attributed to Lazarus Group dating back to at least late 2019. Operation In(ter)ception campaigns are considered a sub-component of broader Lazarus Group espionage activities known as Operation Dream Job. Operation In(ter)ception attacks typically feature social engineering lures containing fake job vacany announcements for cryptocurrency companies. They are designed to ultimately infect targets with macOS malware.[[SentinelOne 9 26 2022](/references/973a110c-f1cd-46cd-b92b-5c7d8e7492b1)]",
+ "meta": {
+ "campaign_attack_id": "C5040",
+ "first_seen": "2019-12-01T00:00:00Z",
+ "last_seen": "2022-09-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "9637ff1e-803e-47f7-b808-f4d1ef6fd500",
+ "value": "Operation In(ter)ception"
+ },
 {
 "description": "[Operation Sharpshooter](https://app.tidalcyber.com/campaigns/57e858c8-fd0b-4382-a178-0165d03aa8a9) was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. 
Security researchers noted the campaign shared many similarities with previous [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) operations, including fake job recruitment lures and shared malware code.[[McAfee Sharpshooter December 2018](https://app.tidalcyber.com/references/96b6d012-8620-4ef5-bf9a-5f88e465a495)][[Bleeping Computer Op Sharpshooter March 2019](https://app.tidalcyber.com/references/84430646-6568-4288-8710-2827692a8862)][[Threatpost New Op Sharpshooter Data March 2019](https://app.tidalcyber.com/references/2361b5b1-3a01-4d77-99c6-261f444a498e)] ",
 "meta": {
@@ -725,6 +1183,100 @@
 "uuid": "71f6d3b1-c45e-421c-99cb-3b695647cf0b",
 "value": "Pikabot Distribution Campaigns 2023"
 },
+ {
+ "description": "Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)][[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]",
+ "meta": {
+ "campaign_attack_id": "C5045",
+ "first_seen": "2024-03-01T00:00:00Z",
+ "last_seen": "2024-06-07T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "9864ed5a-0633-4c04-85f1-728d3ff37e82",
+ "value": "PowerShell User Execution Social Engineering Campaign (TA571, ClearFake, ClickFix)"
+ },
+ {
+ "description": "A collections of TTPs associated with a phishing-based campaign that resulted in QakBot deployments. 
The campaign comes about four months after the reported disruption of QakBot distribution networks in an international law enforcement operation.[[K7 QakBot Returns January 4 2024](/references/5cb5e645-b77b-4bd1-a742-c8f53f234713)]",
+ "meta": {
+ "campaign_attack_id": "C5024",
+ "first_seen": "2023-12-11T00:00:00Z",
+ "last_seen": "2024-01-04T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "e809d252-12cc-494d-94f5-954c49eb87ce",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "6292123a-3d7e-4e8e-8ff0-daa7868433b7",
+ "value": "QakBot January 2024 Campaign"
+ },
+ {
+ "description": "Independent investigators reported details about a response to a compromise involving Quantum ransomware. The date of the attack was not disclosed, but the incident was reported in April 2022. IcedID was used to gain an initial foothold, Cobalt Strike and RDP were leveraged for lateral movement, and WMI and PsExec were used to deploy the ransomware payload. 
The incident was described as \"one of the fastest ransomware cases\" the investigators had handled, with domain-wide encryption occurring within four hours of initial access.[[The DFIR Report April 25 2022](/references/2e28c754-911a-4f08-a7bd-4580f5283571)]",
+ "meta": {
+ "campaign_attack_id": "C5043",
+ "first_seen": "2022-04-01T00:00:00Z",
+ "last_seen": "2022-04-25T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "a9bef150-04e6-41f2-9f94-069f9912f5e3",
+ "value": "Quantum Ransomware Compromise"
+ },
+ {
+ "description": "Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. 
This object reflects the MITRE ATT&CK® Techniques associated with this activity.[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).",
+ "meta": {
+ "campaign_attack_id": "C5041",
+ "first_seen": "2023-08-13T00:00:00Z",
+ "last_seen": "2024-06-13T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "43f29c00-437f-43f3-8d69-052a06f1a2eb",
+ "value": "Scattered Spider TTP Evolution - SaaS Targeting"
+ },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to recently reported attacks that featured exploits of recently disclosed vulnerabilities in the ConnectWise ScreenConnect utility (CVE-2024-1709 and CVE-2024-1708, aka \"SlashAndGrab\"). 
Several of the observed attacks saw the ingress of various malicious tools, including suspected ransomware.\n\nFurther background & contextual details can be found in the References tab below.", + "meta": { + "campaign_attack_id": "C5028", + "first_seen": "2024-02-19T00:00:00Z", + "last_seen": "2024-02-23T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", + "d431939f-2dc0-410b-83f7-86c458125444", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "e727eaa6-ef41-4965-b93a-8ad0c51d0236", + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "365150b8-94ed-4d43-895e-fb07d0a8a7cd", + "value": "ScreenConnect Vulnerability Exploit Attacks" + }, { "description": "The [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) was a sophisticated supply chain cyber operation conducted by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered in mid-December 2020. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. 
Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)][[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)][[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)][[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)][[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)][[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)][[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)][[Microsoft Internal Solorigate Investigation Blog](https://app.tidalcyber.com/references/66cade99-0040-464c-98a6-bba57719f0a4)] \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)][[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)][[Mandiant UNC2452 APT29 April 2022](https://app.tidalcyber.com/references/5276508c-6792-56be-b757-e4b495ef6c37)] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on 
[APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) activity on their systems.[[USG Joint Statement SolarWinds January 2021](https://app.tidalcyber.com/references/336a6549-a95d-5763-bbaf-5ef0d3141800)] ",
 "meta": {
@@ -733,6 +1285,7 @@
 "last_seen": "2021-01-01T06:00:00Z",
 "source": "MITRE",
 "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
 "f2ae2283-f94d-4f8f-bbde-43f2bed66c55"
 ]
 },
@@ -740,17 +1293,95 @@ "uuid": "8bde8146-0656-5800-82e6-e24e008e4f4a", "value": "SolarWinds Compromise" }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.", + "meta": { + "campaign_attack_id": "C5030", + "first_seen": "2024-02-26T00:00:00Z", + "last_seen": "2024-02-27T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "55fe6e08-96df-41a0-bfa9-555c6b4ce623", + "value": "TA577 NTLM Credential Theft Attacks" + }, { "description": "[Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b) was a campaign employed by [TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6) which leveraged the [Triton](https://app.tidalcyber.com/software/) malware framework against a petrochemical organization.[[Triton-EENews-2017](https://app.tidalcyber.com/references/5cc54d85-ee53-579d-a8fb-9b54b3540dc0)] The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.[[FireEye TRITON 2018](https://app.tidalcyber.com/references/bfa5886a-a7f4-40d1-98d0-c3358abcf265)] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[[FireEye TRITON 2017](https://app.tidalcyber.com/references/597a4d8b-ffb2-4551-86db-b319f5a5b707)]\n", "meta": { "campaign_attack_id": "C0030", "first_seen": "2017-06-01T04:00:00Z", "last_seen": "2017-08-01T04:00:00Z", - "source": "MITRE" + "source": "MITRE", + "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" + ] }, "related": [], "uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b", 
"value": "Triton Safety Instrumented System Attack" + }, + { + "description": "Researchers observed suspected \"China-nexus\" actor Velvet Ant exploiting CVE-2024-20399 in Cisco Nexus network switch devices in order to upload and execute \"previously unknown custom malware\" on the devices' operating systems. Researchers first observed \"zero-day\" exploit activity in the wild at an undisclosed point \"during the past year\", and after they shared the findings, Cisco acknowledged the vulnerability in an advisory published on July 1, 2024.\n\nThe vulnerability's overall risk is mitigated by the fact that it requires valid administrator-level credentials and network access to the target switch for successful exploitation. However, researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\". This exploit campaign was discovered as part of a larger investigation into Velvet Ant, which was previously observed targeting F5 load balancer devices for persistence.[[The Hacker News Velvet Ant Cisco July 2 2024](/references/e3949201-c949-4126-9e02-34bfad4713c0)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]", + "meta": { + "campaign_attack_id": "C5046", + "first_seen": "2023-07-01T00:00:00Z", + "last_seen": "2024-07-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "72bc70fa-3979-4d3b-a0e9-b9ebebcf2a38", + "a98d7a43-f227-478e-81de-e7299639a355", + "a159c91c-5258-49ea-af7d-e803008d97d3", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "bcf6bb5b-443f-4adb-ab6b-f864ea27614d", + "value": "Velvet Ant Cisco Network Switches Exploit Activity (CVE-2024-20399)" + }, + { + "description": "This object reflects the tools & TTPs associated with a campaign attributed to Velvet Ant, a 
suspected \"China-nexus\" state-sponsored threat group. Researchers believe the actor managed to maintain extremely prolonged access to a victim network – residing and remaining active there for around three years – notably by abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as an internal command and control mechanism. Researchers assess the intrusion was carried out for espionage purposes.[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[BleepingComputer Velvet Ant June 17 2024](/references/70235e47-f8bb-4d16-9933-9f4923f08f5d)]", + "meta": { + "campaign_attack_id": "C5044", + "first_seen": "2020-12-01T00:00:00Z", + "last_seen": "2023-12-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "a159c91c-5258-49ea-af7d-e803008d97d3", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "b78565ce-8eec-49ad-b762-8d2107fa9ce7", + "value": "Velvet Ant F5 BIG-IP Espionage Activity" + }, + { + "description": "A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initiallly saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]", + "meta": { + "campaign_attack_id": "C5020", + "first_seen": "2020-10-01T00:00:00Z", + "last_seen": "2022-04-13T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "ebec1bf0-e06c-48b2-adeb-fc0669306bc8", + "39357cc1-dbb1-49e4-9fe0-ff24032b94d5", + "e7681e16-9106-4d0a-a915-9958989161a3", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "396e073e-76d7-4fcf-97b4-9343d0a0b819", + "value": "Zloader & Ursnif Affiliate Campaign 2020-22" } ], "version": 1 
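Review bot: `"version": 1` at the end of this hunk is left as an unchanged context line although four new campaign values (TA577, two Velvet Ant campaigns, Zloader) are added and the Triton entry is modified; if this cluster is consumed through the usual MISP galaxy update path, which only re-imports a cluster whose version is higher than the stored one, the new entries will not reach existing instances until the version is bumped. The TA577 entry's description is generic boilerplate ("related to the specified threat activity") and never mentions NTLM credential theft, so the `value` is the only place the activity is named; a one-sentence summary of the reported activity with its reference would make the object self-describing. The Velvet Ant Cisco entry's `"first_seen": "2023-07-01T00:00:00Z"` is not supported by its own description, which says the exploit timing was undisclosed, so it reads as an estimate and should be marked as one. Minor: `initiallly` in the Zloader description.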
diff --git a/clusters/tidal-groups.json b/clusters/tidal-groups.json
index 5aeb492..b3b4666 100644
--- a/clusters/tidal-groups.json
+++ b/clusters/tidal-groups.json
@@ -9,6 +9,37 @@ "type": "groups", "uuid": "877cdc4b-3392-4353-a7d4-2e46d40e5936", "values": [ + { + "description": "This object represents the behaviors associated with operators of 8Base ransomware, who may or may not operate as a cohesive unit. Behaviors associated with samples of 8Base ransomware are represented in the \"8Base Ransomware\" Software object.\n \nThe 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[[VMWare 8Base June 28 2023](/references/573e9520-6181-4535-9ed3-2338688a8e9f)][[Acronis 8Base July 17 2023](/references/c9822477-1578-4068-9882-41e4d6eaee3f)]", + "meta": { + "group_attack_id": "G5030", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Automotive", + "Construction", + "Financial Services", + "Healthcare", + "Hospitality Leisure", + "Manufacturing", + "Non Profit", + "Technology" + ] + }, + "related": [], + "uuid": "00b45c13-d165-44d0-ad6b-99787d2a7ce3", + "value": "8Base Ransomware Actors" + }, { "description": "[admin@338](https://app.tidalcyber.com/groups/8567136b-f84a-45ed-8cce-46324c7da60e) is a China-based cyber threat group. 
It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://app.tidalcyber.com/software/1d87a695-7989-49ae-ac1a-b6601db565c3), as well as some non-public backdoors. [[FireEye admin@338](https://app.tidalcyber.com/references/f3470275-9652-440e-914d-ad4fc5165413)]", "meta": { @@ -23,7 +54,12 @@ "Financial Services" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b", + "type": "similar" + } + ], "uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "value": "admin@338" }, 
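Review bot: The 8Base description separates its two paragraphs with `\n \n` (a stray space between the newlines) where the other new descriptions in this diff use `\n\n`; the space is harmless to the parser but may render as a whitespace-only line in markdown views, so `\n\n` would be the consistent choice. The text also asserts code overlap with Phobos and note similarity with RansomHouse while `"related": []` stays empty; if the cluster has entries for those operations, a `similar` relation would make the assessment queryable rather than prose-only.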
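Review bot: The `similar` relation added for admin@338 points at a bare `dest-uuid` with nothing in the hunk that ties it to a named cluster value, and the same pattern repeats in the APT1, APT16, APT17, APT18, APT19, APT28, APT29, APT30, APT32, APT33, APT37, APT38, APT39, APT41, Axiom, BlackOasis, BlackTech, BRONZE BUTLER, Carbanak, Cleaver and Cobalt Group hunks. A single mistyped UUID would produce a silently dangling relation, so unless the repository's validation already resolves every `dest-uuid` against the target cluster, a check that each one exists (and, ideally, that the reverse relation is present on the other side) is worth adding before these land. Many galaxy clusters express confidence on such links with an estimative-language tag in the relation's `tags`; if that is the convention here, these entries are missing it.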
@@ -100,7 +136,7 @@ "value": "Akira" }, { - "description": "This Group object reflects the tools & TTPs used by threat actors known to deploy Akira, a ransomware family that researchers believe has been used since at least March 2023.[[TrendMicro Akira October 5 2023](/references/8f45fb21-c6ad-4b97-b459-da96eb643069)] Researchers assess that the Akira operation relates to and possibly derives from the Conti ransomware operation (by way of the Royal ransomware operation).[[GitHub ransomware_map](/references/d995f4b2-3262-4c37-855a-61aef7d7b8a8)]\n\nTTPs associated with the Akria ransomware binary itself can be found in the separate \"Akira Ransomware\" Software object.", + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Akira\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nThis Group object reflects the tools & TTPs used by threat actors known to deploy Akira, a ransomware family that researchers believe has been used since at least March 2023.[[TrendMicro Akira October 5 2023](/references/8f45fb21-c6ad-4b97-b459-da96eb643069)] Researchers assess that the Akira operation relates to and possibly derives from the Conti ransomware operation (by way of the Royal ransomware operation).[[GitHub ransomware_map](/references/d995f4b2-3262-4c37-855a-61aef7d7b8a8)]\n\nTTPs associated with the Akria ransomware binary itself can be found in the separate \"Akira Ransomware\" Software object.", "meta": { "group_attack_id": "G5021", "observed_countries": [ 
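Review bot: The rewritten description still carries the pre-existing `Akria` misspelling in its last paragraph ("TTPs associated with the Akria ransomware binary"), and since the whole line is being replaced anyway this is the moment to fix it. The deprecation pointer to the MITRE-authored "Akira" object exists only as prose; this same commit adds `similar` relations elsewhere, so a `related` entry carrying that object's uuid (not shown in the hunk) would make the successor machine-readable instead of a free-text hint. The enclosing object continues outside this hunk.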
@@ -155,7 +191,7 @@ }, "related": [], "uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", - "value": "Akira Ransomware Actors" + "value": "Akira Ransomware Actors (Deprecated)" }, { "description": "[Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[[FSI Andariel Campaign Rifle July 2017](https://app.tidalcyber.com/references/bde61ee9-16f9-4bd9-a847-5cc9df21335c)][[IssueMakersLab Andariel GoldenAxe May 2017](https://app.tidalcyber.com/references/10a21964-d31f-40af-bf32-5ccd7d8c99a2)][[AhnLab Andariel Subgroup of Lazarus June 2018](https://app.tidalcyber.com/references/bbc66e9f-98f9-4e34-b568-2833ea536f2e)][[TrendMicro New Andariel Tactics July 2018](https://app.tidalcyber.com/references/b667eb44-8c2f-4319-bc93-f03610214b8b)][[CrowdStrike Silent Chollima Adversary September 2021](https://app.tidalcyber.com/references/835283b5-af3b-4baf-805e-da8ebbe8b5d2)]\n\n[Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) is considered a sub-set of [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08), and has been attributed to North Korea's Reconnaissance General Bureau.[[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)]\n\nNorth Korean group definitions are known to have significant 
overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.", 
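Review bot: Renaming the `value` to "Akira Ransomware Actors (Deprecated)" changes the cluster's tag name, which MISP derives from the value, so events already tagged with the old name will presumably stop resolving to this cluster unless the update path remaps tags by uuid — worth confirming before merging. Keeping the value stable and carrying the deprecation in the description (as the previous hunk already does) or in a dedicated meta field avoids that breakage; if the rename is intended, the commit message should call out the tag change so operators can migrate existing tags. The enclosing object starts outside this hunk.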
@@ -166,37 +202,105 @@ "BR", "CA", "CN", + "FR", "DE", "IN", "IL", "JP", "KR", + "NG", "NO", "PH", "RO", "RU", "SE", + "GB", "US", "VN" ], "observed_motivations": [ "Cyber Espionage", - "Destruction" + "Destruction", + "Financial Gain" ], "source": "MITRE", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "4f4744b0-8401-423c-9ed0-3cb2985d9fd3", + "ddfaecd0-bd3e-41ac-85c7-ca2156684343", + "0dbed83d-af67-4ce0-a1ee-16f1165fdc0f", + "6422a882-7606-4aa3-b994-f917f53c2ada", + "c1b123d2-ce58-4345-8482-d1da27b3c053", + "f166e59e-9877-4102-a39b-fae38df4b790", + "6a82d685-3f77-498d-91c3-a759292ec2da", + "a32a757a-9d6b-43ca-ac4b-5f695dd0f110", + "ac70560d-c3e7-4b40-a4d6-a3287e3d952b", + "75f62312-a7ee-4534-8c8a-e3b7366a3a4b", + "887d1cfe-d0c5-431c-8dce-0e1b9a2505aa", + "96eec53f-355c-406c-87ba-18c3be4c69a1", + "54fafdbe-1ea0-4f48-99ad-757c8fe50df2", + "35b334ec-4169-4898-ab90-487eea7feb69", + "4ac4e1b9-2192-47ac-a4d1-3a31aa0f2140", + "936a56f5-a4f1-42d8-83b7-c44399ead661", + "0d19ceed-28f6-4258-b365-f6e6f296121d", + "037cc75c-9683-49db-aaa8-c8142763bb87", + "ff71ed89-8355-4abc-9da4-eb4768a38c9c", + "6fade0a3-0c26-4a11-b81e-25d20e38bdd3", + "3b54d8a5-580f-43bf-a12d-8e011f953bad", + "0f6e72e1-ba8f-4d1d-920d-d8945a4fee59", + "7bbc5366-897a-4505-bc68-3a18e3d4cf44", + "4cd85398-c33a-4374-9a76-2bbf297cca63", + "5ec8231e-70e9-4675-b922-368bcb9e914a", + "21c64d34-e52a-42ba-a8c7-85aa82dc0b3f", + "cd9ab9e7-248f-4097-b120-a42834ce0f89", + "91ddbeac-b587-4978-a80d-543a5d96cb77", + "b8448700-7ed0-48b8-85f5-ed23e0d9ab97", + "12b074b9-6748-4ad7-880f-836cb80587e1", + "45f92502-0775-4fc6-8fcd-97b325ea49a9", + "cddb4563-fe90-4c72-be81-6256d175a698", + "69f278d7-194f-42d0-8f83-11de9f861264", + "f0c58aa3-5d21-4ade-95a0-b775dde7e8a3", + "5f9b1c23-81f8-4aa3-8d97-235302e77eec", + 
"d842c7ff-e3d3-4534-9ed7-283752f4bbe2", + "ecd84106-2a5b-4d25-854e-b8d1f57f6b75", + "7e6ef160-8e4f-4132-bdc4-9991f01c472e", + "532b7819-d407-41e9-9733-0d716b69eb17", + "e401022a-36ac-486d-8503-dd531410a927", + "173e1480-8d9b-49c5-854d-594dde9740d6", + "7551097a-dfdd-426f-aaa2-a2916dd9b873", + "c475ad68-3fdc-4725-8abc-784c56125e96", + "08809fa0-61b6-4394-b103-1c4d19a5be16", + "4ac8dcde-2665-4066-9ad9-b5572d5f0d28", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], "target_categories": [ "Aerospace", "Agriculture", "Casinos Gambling", + "Chemical", "Defense", + "Education", "Energy", "Financial Services", "Government", "Healthcare", + "Insurance", + "Legal", "Media", + "Nuclear", "Pharmaceuticals", + "Retail", "Technology", - "Travel Services" + "Telecommunications", + "Transportation", + "Travel Services", + "Utilities" ] }, "related": [], @@ -237,6 +341,7 @@ "LV", "NL", "SE", + "UA", "AE", "US" ], @@ -314,7 +419,12 @@ "Transportation" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be", + "type": "similar" + } + ], "uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "value": "APT1" }, @@ -356,7 +466,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1f73e14f-b882-4032-a565-26dc653b0daf", + "type": "similar" + } + ], "uuid": "06a05175-0812-44f5-a529-30eba07d1762", "value": "APT16" }, @@ -388,7 +503,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "type": "similar" + } + ], "uuid": "5f083251-f5dc-459a-abfc-47a1aa7f5094", "value": "APT17" }, @@ -406,7 +526,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c", + "type": "similar" + } + ], "uuid": "a0c31021-b281-4c41-9855-436768299fe7", "value": "APT18" }, 
@@ -432,7 +557,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4", + "type": "similar" + } + ], "uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "value": "APT19" }, @@ -545,6 +675,7 @@ ], "source": "MITRE", "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", "6070668f-1cbd-4878-8066-c636d1d8659c", "d8f7e071-fbfd-46f8-b431-e241bb1513ac", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", @@ -574,7 +705,12 @@ "Utilities" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", + "type": "similar" + } + ], "uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "value": "APT28" }, @@ -664,7 +800,12 @@ "Video Games" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", + "type": "similar" + } + ], "uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "value": "APT29" }, @@ -723,7 +864,12 @@ "Media" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", + "type": "similar" + } + ], "uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "value": "APT30" }, @@ -761,7 +907,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7", + "type": "similar" + } + ], "uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "value": "APT32" }, @@ -783,12 +934,21 @@ "Cyber Espionage" ], "source": "MITRE", + "tags": [ + "c9c73000-30a5-4a16-8c8b-79169f9c24aa", + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" + ], "target_categories": [ "Aerospace", "Energy" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10", + "type": "similar" + } + ], "uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "value": "APT33" }, @@ -823,7 +983,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163", + "type": "similar" + } + ], "uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "value": "APT37" }, 
@@ -889,7 +1054,12 @@ "Media" ] }, - "related": [], + "related": [ + { + "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", + "type": "similar" + } + ], "uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "value": "APT38" }, @@ -916,7 +1086,12 @@ "Travel Services" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", + "type": "similar" + } + ], "uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "value": "APT39" }, @@ -952,6 +1127,7 @@ "SA", "SG", "ZA", + "ES", "SE", "CH", "TW", @@ -968,6 +1144,7 @@ ], "source": "MITRE", "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", "f2ae2283-f94d-4f8f-bbde-43f2bed66c55", "a98d7a43-f227-478e-81de-e7299639a355" ], 
@@ -976,21 +1153,77 @@ "Automotive", "Education", "Energy", + "Entertainment", "Financial Services", "Healthcare", "High Tech", "Media", "Pharmaceuticals", "Retail", + "Technology", "Telecommunications", + "Transportation", "Travel Services", "Video Games" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", + "type": "similar" + } + ], "uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "value": "APT41" }, + { + "description": "APT42 is an Iranian state-sponsored espionage group believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO). APT42 primarily focuses on collecting information on and surveilling its targets, mainly individuals and organizations with strategic significance to Iran's government. The group's operations are characterized by targeted spear-phishing attacks and surveillance activity. Mandiant researchers acknowledged overlaps between APT42 and APT35, which both likely operate on behalf of the IRGC, but noted that the groups display \"substantial differences\" in targeting patterns and TTPs.[[Mandiant Crooked Charms August 12 2022](/references/53bab956-be5b-4d8d-b553-9926bc5d9fee)]", + "meta": { + "country": "IR", + "group_attack_id": "G5051", + "observed_countries": [ + "AU", + "BG", + "DE", + "IR", + "IL", + "IT", + "MY", + "NO", + "UA", + "AE", + "GB", + "US" + ], + "observed_motivations": [ + "Cyber Espionage" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Defense", + "Education", + "Energy", + "Financial Services", + "Government", + "Healthcare", + "Human Rights", + "Legal", + "Manufacturing", + "Media", + "NGOs", + "Pharmaceuticals" + ] + }, + "related": [], + "uuid": "ce126445-6984-45bb-9737-35448f06f27b", + "value": "APT42" + }, { "description": 
"[APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[[NSA APT5 Citrix Threat Hunting December 2022](https://app.tidalcyber.com/references/916e2137-46e6-53c2-a917-5b5b5c4bae3a)][[Microsoft East Asia Threats September 2023](https://app.tidalcyber.com/references/31f2c61e-cefe-5df7-9c2b-780bf03c88ec)][[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)][[Mandiant Pulse Secure Update May 2021](https://app.tidalcyber.com/references/5620adaf-c2a7-5f0f-ae70-554ce720426e)][[FireEye Southeast Asia Threat Landscape March 2015](https://app.tidalcyber.com/references/59658f8b-af24-5df5-8f7d-cb6b9cf7579e)][[Mandiant Advanced Persistent Threats](https://app.tidalcyber.com/references/2d16615b-09fc-5925-8f59-6d20f334d236)] ", "meta": { @@ -1094,7 +1327,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "type": "similar" + } + ], "uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "value": "Axiom" }, @@ -1152,6 +1390,9 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "3ed2343c-a29c-42e2-8259-410381164c6a", + "89c5b94b-ecf4-4d53-9b74-3465086d4565", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "d713747c-2d53-487e-9dac-259230f04460", 
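Review bot: The new APT42 object ships with `"related": []` even though its description asserts overlap with APT35 and places both under the IRGC; a `similar` relation to the cluster's APT35 entry (uuid not shown in this hunk) would make that overlap queryable, in line with the `similar` links this commit adds to APT41 and the other MITRE-sourced groups. If MITRE already tracks APT42 under its own group object, this Tidal-authored entry is likely to follow the same deprecation path as "Akira Ransomware Actors" elsewhere in this diff, so linking it from the start would reduce later churn. The APT5 context at the end of this hunk continues outside it.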
@@ -1185,6 +1426,9 @@ "description": "[BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)][[Forcepoint BITTER Pakistan Oct 2016](https://app.tidalcyber.com/references/9fc54fb0-b7d9-49dc-b6dd-ab4cb2cd34fa)]", "meta": { "group_attack_id": "G1002", + "observed_motivations": [ + "Cyber Espionage" + ], "source": "MITRE" }, "related": [], @@ -1245,6 +1489,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "89c5b94b-ecf4-4d53-9b74-3465086d4565", "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -1327,6 +1572,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "c475ad68-3fdc-4725-8abc-784c56125e96", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "e499005b-adba-45bb-85e3-07043fd9edf9", "8b1cb0dc-dd3e-44ba-828c-55c040e93b93", 
@@ -1393,10 +1639,68 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "8fbd195f-5e03-4e85-8ca5-4f1dff300bec", + "type": "similar" + } + ], "uuid": "428dc121-a593-4981-9127-f958ae0a0fdd", "value": "BlackOasis" }, + { + "description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy BlackSuit, a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[[HC3 Analyst Note BlackSuit Ransomware November 2023](/references/d956f0c6-d90e-49e8-a64c-a46bfc177cc6)] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\nATT&CK Techniques associated with the BlackSuit ransomware binary are tracked in a separate \"BlackSuit Ransomware\" Software object.", + "meta": { + "group_attack_id": "G5048", + "observed_countries": [ + "AU", + "BR", + "CA", + "CN", + "DE", + "IL", + "IT", + "JM", + "JP", + "KR", + "NL", + "NG", + "ZA", + "GB", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "a2e000da-8181-4327-bacd-32013dbd3654", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "target_categories": [ + "Automotive", + "Construction", + "Education", + "Financial Services", + "Government", + "Healthcare", + "Hospitality Leisure", + "Mining", + "Non Profit", + "Pharmaceuticals", + "Technology", + "Telecommunications", + "Transportation" + ] + }, + "related": [], + "uuid": 
"1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "value": "BlackSuit Ransomware Actors" + }, { "description": "[BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[[TrendMicro BlackTech June 2017](https://app.tidalcyber.com/references/abb9cb19-d30e-4048-b106-eb29a6dad7fc)][[Symantec Palmerworm Sep 2020](https://app.tidalcyber.com/references/84ecd475-8d3f-4e7c-afa8-2dff6078bed5)][[Reuters Taiwan BlackTech August 2020](https://app.tidalcyber.com/references/77293f88-e336-4786-b042-7f0080bbff32)]", "meta": { @@ -1427,7 +1731,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e", + "type": "similar" + } + ], "uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "value": "BlackTech" }, 
@@ -1471,10 +1780,63 @@
 "Manufacturing"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8",
+ "type": "similar"
+ }
+ ],
 "uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
 "value": "BRONZE BUTLER"
 },
+ {
+ "description": "This Group object reflects the tools & TTPs observed in use by threat actors known to deploy CACTUS, a ransomware that researchers believe has been used since at least March 2023.[[Kroll CACTUS Ransomware May 10 2023](/references/f50de2f6-465f-4cae-a79c-cc135ebfee4f)] Specific pre- and post-exploit behaviors may vary among intrusions carried out by distinct actors or actor clusters. TTPs associated with the CACTUS ransomware binary itself can be found in the separate dedicated Software object.",
+ "meta": {
+ "group_attack_id": "G5035",
+ "observed_countries": [
+ "AU",
+ "BE",
+ "CA",
+ "DK",
+ "FR",
+ "DE",
+ "IT",
+ "MX",
+ "RO",
+ "ES",
+ "SE",
+ "GB",
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "3b615816-3403-46a4-bd7e-f7a723fc56da",
+ "a2e000da-8181-4327-bacd-32013dbd3654",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Automotive",
+ "Construction",
+ "Healthcare",
+ "Hospitality Leisure",
+ "Media",
+ "Mining",
+ "Retail",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38",
+ "value": "CACTUS Ransomware Actors"
+ },
 {
 "description": "[Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de) is a cybercriminal group that has used [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) malware to target financial institutions since at least 2013. 
[Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de) may be linked to groups tracked separately as [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) and [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) that have also used [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) malware.[[Kaspersky Carbanak](https://app.tidalcyber.com/references/2f7e77db-fe39-4004-9945-3c8943708494)][[FireEye FIN7 April 2017](https://app.tidalcyber.com/references/6ee27fdb-1753-4fdf-af72-3295b072ff10)][[Europol Cobalt Mar 2018](https://app.tidalcyber.com/references/f9d1f2ab-9e75-48ce-bcdf-b7119687feef)][[Secureworks GOLD NIAGARA Threat Profile](https://app.tidalcyber.com/references/b11276cb-f6dd-4e91-90cd-9c287fb3e6b1)][[Secureworks GOLD KINGSWOOD Threat Profile](https://app.tidalcyber.com/references/36035bbb-1609-4461-be27-ef4a920b814c)]",
 "meta": {
@@ -1515,7 +1877,12 @@
 "Financial Services"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
+ "type": "similar"
+ }
+ ],
 "uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
 "value": "Carbanak"
 },
@@ -1585,7 +1952,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
+ "type": "similar"
+ }
+ ],
 "uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07",
 "value": "Cleaver"
 },
@@ -1621,7 +1993,12 @@
 "Financial Services"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
+ "type": "similar"
+ }
+ ],
 "uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
 "value": "Cobalt Group"
 },
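Review bot: The Carbanak hunk here maps the group to `dest-uuid` `00220228-a5a4-4032-a30d-826bb55aa3fb`, and the FIN7 hunk later in this patch (`@@ -2291,7 +2880,12 @@`) points to exactly the same destination, so two distinct group objects are both declared "similar" to one target cluster. That may be intentional if the destination object aggregates the Carbanak/FIN7 cluster, which the Carbanak description itself hints at, but it is worth confirming against the destination before merging, since a `similar` edge to a single object from two groups will show both as equivalent in any graph built from these relationships. If the overlap is deliberate, a comment in the generator that produced these mappings would spare the next reader the same check.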
@@ -1669,10 +2046,36 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae",
+ "type": "similar"
+ }
+ ],
 "uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b",
 "value": "CopyKittens"
 },
+ {
+ "description": "A Group object to represent actors that deploy Cuba Ransomware in victim environments.[[U.S. CISA Cuba Ransomware October 2022](/references/d6ed5172-a319-45b0-b1cb-d270a2a48fa3)]",
+ "meta": {
+ "group_attack_id": "G5026",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "5216ac81-da4c-4b87-86ce-b90a651f1048",
+ "value": "Cuba Ransomware Actors"
+ },
 {
 "description": "[CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://app.tidalcyber.com/groups/ab15a328-c41e-5701-993f-3cab29ac4544) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.[[Microsoft Iranian Threat Actor Trends November 2021](https://app.tidalcyber.com/references/78d39ee7-1cd5-5cb8-844a-1c3649e367a1)]",
 "meta": {
@@ -1683,6 +2086,40 @@
 "uuid": "ab15a328-c41e-5701-993f-3cab29ac4544",
 "value": "CURIUM"
 },
+ {
+ "description": "The Cyber Army of Russia is a threat group that appears to carry out cyber attacks in line with Russian strategic interests. The group has claimed many distributed denial of service (DDoS) attacks against a variety of targets perceived as opposed to Russian interests. More recently, it has claimed disruptive industrial software-based attacks against water utilities in the United States, France, and Poland. Researchers link the Cyber Army of Russia to APT44 / Sandworm Team, although it remains unclear what level of direct support, if any, is provided by the latter group.[[Wired Cyber Army of Russia April 17 2024](/references/53583baf-4e09-4d19-9348-6110206b88be)][[Mandiant APT44 April 17 2024](/references/a64f689e-2bb4-4253-86cd-545e7f633a7e)]",
+ "meta": {
+ "country": "RU",
+ "group_attack_id": "G5038",
+ "observed_countries": [
+ "FR",
+ "PL",
+ "UA",
+ "US"
+ ],
+ "observed_motivations": [
+ "Destruction"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Aerospace",
+ "Government",
+ "Media",
+ "Nuclear",
+ "Utilities",
+ "Water"
+ ]
+ },
+ "related": [],
+ "uuid": "411e005e-95a4-4805-8296-0accf902d08d",
+ "value": "Cyber Army of Russia"
+ },
 {
 "description": "CyberAv3ngers is a cyber actor group that has claimed responsibility for numerous disruption-focused attacks against critical infrastructure organizations, including an oil refinery and electric utility in Israel and water/wastewater utilities in the United States. According to a joint advisory released by U.S. 
& Israeli cybersecurity authorities in December 2023, CyberAv3ngers (aka Cyber Av3ngers or Cyber Avengers) is a “cyber persona” of advanced persistent threat actors affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). The advisory detailed how suspected CyberAv3ngers actors compromised programmable logic controller (PLC) devices that were exposed to the internet and used the vendor's default passwords and ports, leaving defacement images and possibly rendering the devices inoperable. The defacement messages suggested that the group or affiliates might carry out attacks against other technological equipment produced in or associated with Israel.[[U.S. CISA IRGC-Affiliated PLC Activity December 2023](/references/51a18523-5276-4a67-8644-2bc6997d043c)]",
 "meta": {
@@ -1698,18 +2135,49 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647",
 "841ce707-a678-4bcf-86ff-7feeacd37e55",
 "15787198-6c8b-4f79-bf50-258d55072fee"
 ],
 "target_categories": [
 "Energy",
- "Utilities"
+ "Utilities",
+ "Water"
 ]
 },
 "related": [],
 "uuid": "44a9c8ac-c287-45d2-9ebc-2c8a7d0a1f57",
 "value": "CyberAv3ngers"
 },
+ {
+ "description": "Cyber Toufan is an apparently politically motivated, destruction-focused threat actor group that has predominantly targeted organizations based in or perceived to be aligned with Israel. Cyber Toufan publicizes many of their cyber operations and in some cases has leaked victim data allegedly exfiltrated during their attacks.[[SOCRadar Cyber Toufan Profile](/references/a9aa6361-8c4d-4456-bb3f-c64ca5260695)] Check Point researchers labeled Cyber Toufan as an \"Iranian-affiliated\", \"hacktivist proxy\" group.[[Check Point Iranian Proxies December 4 2023](/references/60432d84-8f46-4934-951f-df8e0f297ff0)]",
+ "meta": {
+ "group_attack_id": "G5049",
+ "observed_countries": [
+ "IL",
+ "GB",
+ "US"
+ ],
+ "observed_motivations": [
+ "Destruction"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "target_categories": [
+ "Automotive",
+ "Government",
+ "High Tech",
+ "Manufacturing",
+ "Retail",
+ "Technology",
+ "Utilities",
+ "Water"
+ ]
+ },
+ "related": [],
+ "uuid": "42a7c134-c574-430b-8105-bf7a00e742ae",
+ "value": "Cyber Toufan"
+ },
 {
 "description": "Daixin Team is a ransomware- and data extortion-focused threat group first observed in mid-2022. Daixin Team is known to publicly extort its victims to pressure them into paying a ransom. 
It has used ransomware (believed to be based on the leaked source code for Babuk Locker) to encrypt victim data and has also exfiltrated sensitive data from victim environments and threatened to publicly leak that data.\n\nMany of Daixin Team’s victims belong to critical infrastructure sectors, especially the Healthcare and Public Health (“HPH”) sector. An October 2022 joint Cybersecurity Advisory noted Daixin Team attacks on multiple U.S. HPH organizations.[[U.S. CISA Daixin Team October 2022](/references/cbf5ecfb-de79-41cc-8250-01790ff6e89b)] Alleged victims referenced on the threat group’s extortion website belong to the healthcare, utilities, transportation (airline), automobile manufacturing, information technology, retail, and media sectors in the United States, Europe, and Asia.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]",
 "meta": {
@@ -1780,7 +2248,12 @@
 ],
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94",
+ "type": "similar"
+ }
+ ],
 "uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14",
 "value": "Dark Caracal"
 },
@@ -1814,7 +2287,12 @@
 "Non Profit"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d",
+ "type": "similar"
+ }
+ ],
 "uuid": "efa1d922-8f48-43a6-89fe-237e1f3812c8",
 "value": "Darkhotel"
 },
@@ -1828,7 +2306,12 @@
 "Government"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9",
+ "type": "similar"
+ }
+ ],
 "uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75",
 "value": "DarkHydrus"
 },
@@ -1879,7 +2362,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
+ "type": "similar"
+ }
+ ],
 "uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b",
 "value": "Deep Panda"
 },
@@ -1910,6 +2398,7 @@
 ],
 "source": "MITRE",
 "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647",
 "f2ae2283-f94d-4f8f-bbde-43f2bed66c55"
 ],
 "target_categories": [
@@ -1918,7 +2407,12 @@
 "Travel Services"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
+ "type": "similar"
+ }
+ ],
 "uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "value": "Dragonfly"
 },
@@ -1939,7 +2433,12 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
+ "type": "similar"
+ }
+ ],
 "uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813",
 "value": "DragonOK"
 },
@@ -1980,10 +2479,41 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "da754aeb-a86d-4874-b388-d1d2028a56be",
+ "type": "similar"
+ }
+ ],
 "uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
 "value": "Elderwood"
 },
+ {
+ "description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy Eldorado, a ransomware-as-a-service (\"RaaS\") first advertised for sale on cybercrime forums in March 2024. Researchers assess that Eldorado is a \"unique\" ransomware strain that is likely not derived from previously leaked ransomware source code.[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)]\n\nWindows and Linux-focused versions of the ransomware are known to exist. (ATT&CK Techniques associated with these malware binaries are tracked in a separate \"Eldorado Ransomware\" Software object.)",
+ "meta": {
+ "group_attack_id": "G5046",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "a2e000da-8181-4327-bacd-32013dbd3654",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Education",
+ "Healthcare"
+ ]
+ },
+ "related": [],
+ "uuid": "26e1c52e-0c48-4cd0-bdc5-9cf981a6e714",
+ "value": "Eldorado Ransomware Operators"
+ },
 {
 "description": "[Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. 
Security researchers assess [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) likely conducted the [WhisperGate](https://app.tidalcyber.com/software/791f0afd-c2c4-4e23-8aee-1d14462667f5) destructive wiper attacks against Ukraine in early 2022.[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)][[Mandiant UNC2589 March 2022](https://app.tidalcyber.com/references/63d89139-9dd4-4ed6-bf6e-8cd872c5d034)][[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)] ",
 "meta": {
@@ -2046,7 +2576,12 @@
 "Telecommunications"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840",
+ "type": "similar"
+ }
+ ],
 "uuid": "a4704485-65b5-49ec-bebe-5cc932362dd2",
 "value": "Equation"
 },
@@ -2116,10 +2651,48 @@
 "Mining"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
+ "type": "similar"
+ }
+ ],
 "uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533",
 "value": "FIN10"
 },
+ {
+ "description": "FIN11 is a financially motivated adversary identified by Mandiant in 2020. Originally known for high-volume phishing campaigns leading to ransomware and data theft, the group more recently is known for carrying out wide-ranging exploitation of multiple vulnerabilities in 2023, including vulnerabilities affecting PaperCut print management software and MOVEit Transfer file transfer software to deliver Clop ransomware and for more general data theft, respectively, as well as GoAnywhere file transfer software exploits.[[Microsoft Threat Intelligence Tweet April 26 2023](/references/3b5a2349-e10c-422b-91e3-20e9033fdb60)][[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]. Microsoft Threat Intelligence reports overlaps between FIN11 and Lace Tempest (DEV-0950), which it identifies as a Clop ransomware affiliate. 
The DFIR Report researchers attributed a May 2023 data theft and wiper campaign to FIN11 and Lace Tempest.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]",
+ "meta": {
+ "group_attack_id": "G5028",
+ "observed_countries": [
+ "CA",
+ "IN",
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "173e1480-8d9b-49c5-854d-594dde9740d6",
+ "1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0",
+ "992bdd33-4a47-495d-883a-58010a2f0efb",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Financial Services",
+ "Hospitality Leisure",
+ "Retail"
+ ]
+ },
+ "related": [],
+ "uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0",
+ "value": "FIN11"
+ },
 {
 "description": "FIN12 is a financially motivated threat actor group believed to be responsible for multiple high-profile ransomware attacks since 2018. The group has attacked victims in various sectors and locations, including multiple attacks on healthcare entities. An October 2021 Mandiant assessment indicated 85% of the group's victims were U.S.-based, and the large majority of them were large enterprises with more than $300 million in annual revenue. The report also assessed that initial access brokers partnering with FIN12 target a wider range of organizations and allow FIN12 actors to select victims for further malicious activity.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)]\n\nFIN12's toolset has reportedly shifted over time. Cobalt Strike has been observed in most intrusions. While TrickBot and Empire were common post-exploitation tools historically, French authorities observed the group using SystemBC alongside Cobalt Strike during a March 2023 hospital center intrusion. 
Ryuk, and to a lesser degree Conti, were traditionally used ransomware payloads, with the former used in a series of attacks on U.S. healthcare entities in 2020. However, a French CERT assessment published in 2023 linked the group to multiple more recent incidents it investigated and analyzed, which featured deployment of various ransomware families, including Hive, Nokoyawa, Play, Royal, and BlackCat, along with Emotet and BazarLoader malware for initial footholds.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)][[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]",
 "meta": {
@@ -2144,6 +2717,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
 "2743d495-7728-4a75-9e5f-b64854039792",
 "ecd84106-2a5b-4d25-854e-b8d1f57f6b75",
 "a6ba64e1-4b4a-4bbd-a26d-ce35c22b2530",
@@ -2199,7 +2773,12 @@
 "Pharmaceuticals"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
+ "type": "similar"
+ }
+ ],
 "uuid": "4b6531dc-5b29-4577-8b54-fa99229ab0ca",
 "value": "FIN4"
 },
@@ -2216,7 +2795,12 @@
 "Hospitality Leisure"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
+ "type": "similar"
+ }
+ ],
 "uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
 "value": "FIN5"
 },
@@ -2237,7 +2821,12 @@
 "Retail"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
+ "type": "similar"
+ }
+ ],
 "uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
 "value": "FIN6"
 },
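Review bot: The FIN11 description added in the hunk that ends on this line (`@@ -2116,10 +2651,48 @@`) has a stray period after its second citation, `...232c7555-0483-4a57-88cb-71a990f7d683)]. Microsoft Threat Intelligence reports...`, while every other sentence in these descriptions places the citation after the full stop. Since this text is emitted into MISP as-is, the fix is in the upstream description: drop the period so the sentence reads `...d683)] Microsoft Threat Intelligence reports overlaps...`. The same entry is the only new group in this chunk whose `observed_countries` and `target_categories` are both short lists despite a description naming several victim industries, which is worth a glance at the source data rather than a change here.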
@@ -2291,7 +2880,12 @@
 "Transportation"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
+ "type": "similar"
+ }
+ ],
 "uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "value": "FIN7"
 },
@@ -2321,10 +2915,43 @@
 "Technology"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73",
+ "type": "similar"
+ }
+ ],
 "uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
 "value": "FIN8"
 },
+ {
+ "description": "Researchers assess that Flax Typhoon is a nation-state-sponsored espionage group based in China that has targeted government, education, manufacturing, and IT organizations in Taiwan, elsewhere in Southeast Asia, North America, and Africa. Flax Typhoon is believed to overlap with the ETHEREAL PANDA group and has been active since mid-2021. Flax Typhoon has been seen establishing persistence, moving laterally, and accessing victim credentials after achieving network access, but to date, researchers have not observed the actors acting on final objectives during intrusions. Microsoft researchers assess that Flax Typhoon's techniques, which lean on legitimate, often built-in tools & utilities, could be used in attacks on victims in other regions.[[Microsoft Flax Typhoon August 24 2023](/references/ec962b72-7b7f-4f7e-b6d6-7c5380b07201)]",
+ "meta": {
+ "country": "CN",
+ "group_attack_id": "G5031",
+ "observed_countries": [
+ "TW"
+ ],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Education",
+ "Government",
+ "Manufacturing",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2",
+ "value": "Flax Typhoon"
+ },
 {
 "description": "[Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. 
[Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[[ClearkSky Fox Kitten February 2020](https://app.tidalcyber.com/references/a5ad6321-897a-4adc-9cdd-034a2538e3d6)][[CrowdStrike PIONEER KITTEN August 2020](https://app.tidalcyber.com/references/4fce29cc-ddab-4b96-b295-83c282a87564)][[Dragos PARISITE ](https://app.tidalcyber.com/references/15e974db-51a9-4ec1-9725-cff8bb9bc2fa)][[ClearSky Pay2Kitten December 2020](https://app.tidalcyber.com/references/6e09bc1a-8a5d-4512-9176-40eed91af358)]",
 "meta": {
@@ -2350,10 +2977,16 @@
 "US"
 ],
 "observed_motivations": [
- "Cyber Espionage"
+ "Cyber Espionage",
+ "Financial Gain"
 ],
 "source": "MITRE",
 "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
 "291c006e-f77a-4c9c-ae7e-084974c0e1eb"
 ],
 "target_categories": [
@@ -2468,7 +3101,12 @@
 "Non Profit"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb",
+ "type": "similar"
+ }
+ ],
 "uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067",
 "value": "Gamaredon Group"
 },
@@ -2484,7 +3122,12 @@
 "Financial Services"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0",
+ "type": "similar"
+ }
+ ],
 "uuid": "dbc85db0-937d-47d7-9002-7364d41be48a",
 "value": "GCMAN"
 },
@@ -2523,20 +3166,72 @@
 "Government"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
+ "type": "similar"
+ }
+ ],
 "uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2",
 "value": "Gorgon Group"
 },
+ {
+ "description": "GreenMwizi is assessed to be an actor based in Nairobi, Kenya that has carried out scam campaigns involving social media bots. A campaign observed in May 2023 appeared to target customers of a major online travel/hospitality booking brand.[[GreenMwizi - Kenyan scamming campaign using Twitter bots](/references/3b09696a-1345-4283-a59b-e9a13124ef59)]",
+ "meta": {
+ "group_attack_id": "G5024",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Hospitality Leisure",
+ "Travel Services"
+ ]
+ },
+ "related": [],
+ "uuid": "7d17fa48-e897-4a0c-8aa5-c7f2b6cd96a0",
+ "value": "GreenMwizi"
+ },
 {
 "description": "[Group5](https://app.tidalcyber.com/groups/fcc6d937-8cd6-4f2c-adb8-48caedbde70a) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://app.tidalcyber.com/groups/fcc6d937-8cd6-4f2c-adb8-48caedbde70a) has used two commonly available remote access tools (RATs), [njRAT](https://app.tidalcyber.com/software/82996f6f-0575-45cd-8f7c-ba1b063d5b9f) and [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), as well as an Android RAT, DroidJack. 
[[Citizen Lab Group5](https://app.tidalcyber.com/references/ffbec5e8-947a-4363-b7e1-812dfd79935a)]",
 "meta": {
 "group_attack_id": "G0043",
 "source": "MITRE"
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af",
+ "type": "similar"
+ }
+ ],
 "uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a",
 "value": "Group5"
 },
+ {
+ "description": "H0lyGh0st is a North Korea-based ransomware-focused threat actor group.[[H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware](/references/3f66ef62-ac0d-4ece-9a4b-917ae70f1617)]",
+ "meta": {
+ "group_attack_id": "G5025",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "cd83ecfb-8e42-4b55-8d1e-fd4dbe4b68cd",
+ "value": "H0lyGh0st Ransomware Group"
+ },
 {
 "description": "[HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.[[Microsoft HAFNIUM March 2020](https://app.tidalcyber.com/references/6a986c46-79a3-49c6-94d2-d9b1f5db08f3)][[Volexity Exchange Marauder March 2021](https://app.tidalcyber.com/references/ef0626e9-281c-4770-b145-ffe36e18e369)]",
 "meta": {
@@ -2557,7 +3252,12 @@
 "Think Tanks"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
+ "type": "similar"
+ }
+ ],
 "uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
 "value": "HAFNIUM"
 },
@@ -2565,7 +3265,10 @@
 "description": "[HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735)'s TTPs appear similar to [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) and [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) but due to differences in victims and tools it is tracked as a separate entity.[[Dragos Hexane](https://app.tidalcyber.com/references/11838e67-5032-4352-ad1f-81ba0398a14f)][[Kaspersky Lyceum October 2021](https://app.tidalcyber.com/references/b3d13a82-c24e-4b47-b47a-7221ad449859)][[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)][[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]",
 "meta": {
 "group_attack_id": "G1001",
- "source": "MITRE"
+ "source": "MITRE",
+ "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
+ ]
 },
 "related": [],
 "uuid": "eecf7289-294f-48dd-a747-7705820f4735",
@@ -2592,6 +3295,49 @@
 "uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e",
 "value": "Higaisa"
 },
+ {
+ "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Hive, a ransomware-as-a-service (RaaS) variant first observed in June 2021.[[U.S. CISA Hive November 25 2022](/references/fce322e6-5e23-404a-acf8-cd003f00c79d)] Specific pre- and post-compromise behaviors may vary among intrusions carried out by different Hive affiliates.\n\nHive actors have targeted victims in a wide range of verticals, including the government, communications, manufacturing, information technology, financial services, education, and especially the healthcare sectors. In January 2023, international authorities announced they disrupted Hive ransomware operations, seizing control of servers and websites used for communication among Hive actors and capturing Hive decryption keys.[[U.S. Justice Department Hive January 2023](/references/81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0)]",
+ "meta": {
+ "group_attack_id": "G5042",
+ "observed_countries": [
+ "DE",
+ "NL",
+ "GB",
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "5e9581be-dea3-42b2-a92a-4c307cedec2c",
+ "3ed2343c-a29c-42e2-8259-410381164c6a",
+ "375983b3-6e87-4281-99e2-1561519dd17b",
+ "64d3f7d8-30b7-4b03-bee2-a6029672216c",
+ "1423b5a8-cff3-48d5-a0a2-09b3afc9f195",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172"
+ ],
+ "target_categories": [
+ "Construction",
+ "Education",
+ "Financial Services",
+ "Government",
+ "Healthcare",
+ "High Tech",
+ "Manufacturing",
+ "Telecommunications"
+ ]
+ },
+ "related": [],
+ "uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05",
+ "value": "Hive Ransomware Actors"
+ },
 {
 "description":
"[Inception](https://app.tidalcyber.com/groups/d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.[[Unit 42 Inception November 2018](https://app.tidalcyber.com/references/5cb98fce-f386-4878-b69c-5c6440ad689c)][[Symantec Inception Framework March 2018](https://app.tidalcyber.com/references/166f5c44-7d8c-45d5-8d9f-3b8bd21a2af3)][[Kaspersky Cloud Atlas December 2014](https://app.tidalcyber.com/references/41a9b3e3-0953-4bde-9e1d-c2f51de1120e)]",
 "meta": {
@@ -2628,7 +3374,12 @@
 "Media"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
+ "type": "similar"
+ }
+ ],
 "uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6",
 "value": "Inception"
 },
@@ -2742,7 +3493,12 @@
 "NGOs"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
+ "type": "similar"
+ }
+ ],
 "uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "value": "Ke3chang"
 },
@@ -2820,6 +3576,7 @@
 "group_attack_id": "G1004",
 "source": "MITRE",
 "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
 "2e5f6e4a-4579-46f7-9997-6923180815dd",
 "c9c73000-30a5-4a16-8c8b-79169f9c24aa",
 "a2e000da-8181-4327-bacd-32013dbd3654",
@@ -2850,6 +3607,7 @@
 ],
 "source": "MITRE",
 "tags": [
+ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647",
 "f2ae2283-f94d-4f8f-bbde-43f2bed66c55"
 ],
 "target_categories": [
@@ -2862,7 +3620,12 @@
 "Infrastructure"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
+ "type": "similar"
+ }
+ ],
 "uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "value": "Lazarus Group"
 },
@@ -2933,8 +3696,29 @@ "GB", "US" ], + "observed_motivations": [ + "Cyber Espionage" + ], "source": "MITRE", "tags": [ + "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "758c3085-2f79-40a8-ab95-f8a684737927", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "ee3188ce-20e9-4e8e-bbfd-cdc527d5a2b2", + "a10eccee-317c-40f7-988f-f79517cf42e8", + "375983b3-6e87-4281-99e2-1561519dd17b", + "3ed2343c-a29c-42e2-8259-410381164c6a", + "a46c422c-5dad-49fc-a4ac-169a075a4d9a", + "2eeef0b4-08b5-4d25-84f7-25d41fe6305b", + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "7e6ef160-8e4f-4132-bdc4-9991f01c472e", + "b20e7912-6a8d-46e3-8e13-9a3fc4813852", "931d2342-5165-41cf-a5a9-8308d9c9f7ed" ], "target_categories": [ @@ -2948,7 +3732,12 @@ "Transportation" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9", + "type": "similar" + } + ], "uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "value": "Leviathan" }, @@ -3004,6 +3793,10 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "375983b3-6e87-4281-99e2-1561519dd17b", + "3ed2343c-a29c-42e2-8259-410381164c6a", + "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "793f4441-3916-4b3d-a3fd-686a59dc3de2", "1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0", @@ -3082,7 +3875,12 @@ "Government" ] }, - "related": [], + "related": [ + { + "dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d", + "type": "similar" + } + ], "uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "value": "Lotus Blossom" }, 
@@ -3096,6 +3894,29 @@ "uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", "value": "LuminousMoth" }, + { + "description": "Luna Moth (aka Silent Ransom Group) is a financially-motivated, extortion-focused adversary active since at least March 2022 and through at least June 2023. The group is known for carrying out \"callback phishing\" attacks, where actors entice victims to call an actor-controlled number, for example by sending a fraudulent email that claims the victim recently registered for a popular subscription service. Once connected, actors would convince victims to join a live, actor-connected sessions with legitimate remote access tools provided via a link in a subsequent email, then install other legitimate remote administration software used to support further discovery and exfiltration activity.[[Sygnia Luna Moth July 1 2022](/references/115590b2-ab57-432c-900e-000627464a11)][[FBI Ransomware Tools November 7 2023](/references/e096e1f4-6b62-4756-8811-f263cf1dcecc)]", + "meta": { + "group_attack_id": "G5043", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Legal", + "Retail" + ] + }, + "related": [], + "uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "value": "Luna Moth" + }, { "description": "[Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. 
[Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.[[Cylance Machete Mar 2017](https://app.tidalcyber.com/references/92a9a311-1e0b-4819-9856-2dfc8dbfc08d)][[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)][[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)][[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]", "meta": { @@ -3137,7 +3958,12 @@ "Utilities" ] }, - "related": [], + "related": [ + { + "dest-uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3", + "type": "similar" + } + ], "uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af", "value": "Machete" }, @@ -3183,7 +4009,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", + "type": "similar" + } + ], "uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "value": "Magic Hound" }, @@ -3265,6 +4096,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], @@ -3348,7 +4180,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c", + "type": "similar" + } + ], "uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "value": "menuPass" }, @@ -3382,7 +4219,12 @@ "Manufacturing" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", + "type": "similar" + } + ], "uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29", "value": "Moafee" }, 
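Review bot: The Luna Moth description has a number disagreement in `join a live, actor-connected sessions with legitimate remote access tools`; `join a live, actor-connected session` (singular) reads correctly and matches the rest of the sentence. Because the description is a runtime string rather than a comment, the correction belongs in the source data the generator reads, not in a hand edit of this output file, or it will be overwritten on the next regeneration.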
@@ -3440,10 +4282,41 @@ "NGOs" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde", + "type": "similar" + } + ], "uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "value": "Molerats" }, + { + "description": "Moonstone Sleet is a North Korea state-aligned threat actor group that has targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, for both financial gain and espionage purposes. The group is believed to be well-resourced, capable of conducting multiple distinct campaigns simultaneously. Microsoft security researchers assess that Moonstone Sleet has expanded its capabilities, with possible goals of enabling disruptive operations and/or software supply chain attacks.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]", + "meta": { + "country": "KP", + "group_attack_id": "G5040", + "observed_motivations": [ + "Cyber Espionage", + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Aerospace", + "Defense", + "Education", + "Technology" + ] + }, + "related": [], + "uuid": "3b8a2c50-5d8e-49b4-bd50-10ae66ca6c72", + "value": "Moonstone Sleet" + }, { "description": "[Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. 
[Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[[Checkpoint MosesStaff Nov 2021](https://app.tidalcyber.com/references/d6da2849-cff0-408a-9f09-81a33fc88a56)] \n\nSecurity researchers assess [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[[Cybereason StrifeWater Feb 2022](https://app.tidalcyber.com/references/30c911b2-9a5e-4510-a78c-c65e84398c7e)]", "meta": { @@ -3536,6 +4409,9 @@ "Cyber Espionage" ], "source": "MITRE", + "tags": [ + "992bdd33-4a47-495d-883a-58010a2f0efb" + ], "target_categories": [ "Education", "Energy", @@ -3544,7 +4420,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b", + "type": "similar" + } + ], "uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "value": "MuddyWater" }, @@ -3638,7 +4519,12 @@ "Government" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", + "type": "similar" + } + ], "uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "value": "Naikon" }, @@ -3654,7 +4540,12 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb", + "type": "similar" + } + ], "uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c", "value": "NEODYMIUM" }, @@ -3695,6 +4586,9 @@ "US" ], "source": "MITRE", + "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" + ], "target_categories": [ "Banks", "Chemical", 
@@ -3705,7 +4599,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", + "type": "similar" + } + ], "uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "value": "OilRig" }, @@ -3773,7 +4672,12 @@ "Think Tanks" ] }, - "related": [], + "related": [ + { + "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825", + "type": "similar" + } + ], "uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "value": "Patchwork" }, @@ -3823,7 +4727,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189", + "type": "similar" + } + ], "uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "value": "PittyTiger" }, @@ -3847,7 +4756,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a", + "type": "similar" + } + ], "uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "value": "PLATINUM" }, @@ -3877,6 +4791,9 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "89c5b94b-ecf4-4d53-9b74-3465086d4565", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "17864218-bc4f-4564-8abf-97c988eea9f7", "b6458e46-650e-4e96-8e68-8a9d70bcf045", @@ -3936,7 +4853,12 @@ "Utilities" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d", + "type": "similar" + } + ], "uuid": "553e2b7b-170c-4eb5-812b-ea33fe1dd4a0", "value": "Poseidon Group" }, @@ -3952,7 +4874,12 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650", + "type": "similar" + } + ], "uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "value": "PROMETHIUM" }, 
@@ -3974,10 +4901,36 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0ca45163-e223-4167-b1af-f088ed14a93d", + "type": "similar" + } + ], "uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "value": "Putter Panda" }, + { + "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Quantum ransomware (aka Quantum Locker, which derives from the MountLocker, AstroLocker, and XingLocker ransomware families). The Quantum group is known to publicly extort its victims.[[Cybereason Quantum Ransomware May 9 2022](/references/19027620-216a-4921-8d78-f56377778a12)] Researchers indicate the group is a rebranding of the \"Conti Team Two\" that formed after the fragmenting of the Ryuk/Conti ransom group in early 2022.[[AdvIntel Bazar Call August 10 2022](/references/5d3dff70-28c2-42a5-bf58-211fe6491fd2)]", + "meta": { + "group_attack_id": "G5044", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "value": "Quantum Ransomware Actors" + }, { "description": "[Rancor](https://app.tidalcyber.com/groups/021b3c71-6467-4e46-a413-8b726f066f2c) is a threat group that has led targeted campaigns against the South East Asia region. [Rancor](https://app.tidalcyber.com/groups/021b3c71-6467-4e46-a413-8b726f066f2c) uses politically-motivated lures to entice victims to open malicious documents. [[Rancor Unit42 June 2018](https://app.tidalcyber.com/references/45098a85-a61f-491a-a549-f62b02dc2ecd)]", "meta": { 
@@ -3991,10 +4944,35 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b", + "type": "similar" + } + ], "uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "value": "Rancor" }, + { + "description": "RansomHub is an extortion group that regularly republicizes victim data allegedly stolen in other ransomware groups' attacks, but it is also believed to have developed an original ransomware payload.[[BroadcomSW June 5 2024](/references/3fa49490-cb22-4362-bf48-eaba9e83e6f5)][[The Record RansomHub June 3 2024](/references/1e474240-bd12-4472-8e69-1631b0e4c102)] This object reflects the ATT&CK Techniques and/or associated Software & Campaigns linked to attacks by actors deploying RansomHub ransomware.", + "meta": { + "group_attack_id": "G5050", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "value": "RansomHub Ransomware Actors" + }, { "description": "This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service (\"RaaS\") basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)]\n\n**Related Vulnerabilities**: CVE-2020-1472[[U.S. 
CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)]", "meta": { @@ -4079,6 +5057,8 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "a2e000da-8181-4327-bacd-32013dbd3654", "d63754b9-0267-4a70-82a3-212ef32fa796", "15787198-6c8b-4f79-bf50-258d55072fee", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -4122,7 +5102,12 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "88100602-8e8b-11e9-bb7c-1bf20b58e305", + "type": "similar" + } + ], "uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd", "value": "RTM" }, @@ -4153,6 +5138,7 @@ ], "source": "MITRE", "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "b20e7912-6a8d-46e3-8e13-9a3fc4813852", "f2ae2283-f94d-4f8f-bbde-43f2bed66c55" ], 
@@ -4165,10 +5151,34 @@ "Transportation" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", + "type": "similar" + } + ], "uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "value": "Sandworm Team" }, + { + "description": "SCARLETEEL is a threat actor known to leverage various cloud-based technologies in order to steal proprietary software and other data from victim environments.[[Sysdig Scarleteel February 28 2023](/references/18931f81-51bf-44af-9573-512ccb66c238)]", + "meta": { + "group_attack_id": "G5036", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "efa33611-88a5-40ba-9bc4-3d85c6c8819b", + "4fa6f8e1-b0d5-4169-8038-33e355c08bde", + "2e5f6e4a-4579-46f7-9997-6923180815dd", + "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", + "value": "SCARLETEEL" + }, { "description": "[Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) and [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c), it has not been concluded that the groups are the same. [[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]", "meta": { @@ -4181,7 +5191,12 @@ "Human Rights" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e", + "type": "similar" + } + ], "uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "value": "Scarlet Mimic" }, 
@@ -4210,6 +5225,7 @@ ], "source": "MITRE", "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", "15f2277a-a17e-4d85-8acd-480bf84f16b4", "c9c73000-30a5-4a16-8c8b-79169f9c24aa", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -4219,6 +5235,7 @@ ], "target_categories": [ "Aerospace", + "Banks", "Casinos Gambling", "Commercial", "Construction", @@ -4227,6 +5244,7 @@ "Entertainment", "Financial Services", "Hospitality Leisure", + "Insurance", "Legal", "Media", "Pharmaceuticals", 
@@ -4387,10 +5405,33 @@ "Government" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5", + "type": "similar" + } + ], "uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "value": "Sowbug" }, + { + "description": "Spandex Tempest is a financially motivated adversary group associated with Dudear campaigns, which deliver the FlawedGrace remote access Trojan for information theft purposes.[[Microsoft Threat Actor Naming](/references/de9cda86-0b23-4bc8-b524-e74fecf99448)] The group has evolved initial access techniques observed during these campaigns to evade defenses.[[Microsoft Threat Intelligence Tweet June 17 2020](/references/98fc7485-9424-412f-8162-a69d6c10c243)]", + "meta": { + "group_attack_id": "G5029", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "eb10ed9e-ea8d-4b61-bfc3-5994d30970df", + "value": "Spandex Tempest" + }, { "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nStar Blizzard is believed to be a Russia-based cyber threat actor group. According to joint Cybersecurity Advisory AA23-341A (December 2023), U.S. and international authorities assess that Star Blizzard is “almost certainly” a subordinate of the Russian Federal Security Service (FSB) Centre 18. Star Blizzard is known to successfully use spear-phishing attacks against its targets for information-gathering purposes. The advisory indicated that authorities observed these spear-phishing attacks occurring through 2023. 
Star Blizzard has traditionally targeted academic, defense, government, non-governmental (NGO), and think tank organizations (and associated personnel) in the United States and United Kingdom, other NATO nations, and countries neighboring Russia. Politicians have also been targeted. According to the advisory, beginning in 2022, authorities witnessed Star Blizzard targeting expand to targets in the defense-industrial sector and U.S. Department of Energy facilities.[[U.S. CISA Star Blizzard December 2023](/references/3d53c154-8ced-4dbe-ab4e-db3bc15bfe4b)]", "meta": { @@ -4405,6 +5446,11 @@ ], "owner": "TidalCyberIan", "source": "Tidal Cyber", + "tags": [ + "82009876-294a-4e06-8cfc-3236a429bda4", + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "fe28cf32-a15c-44cf-892c-faa0360d6109" + ], "target_categories": [ "Defense", "Education", 
@@ -4430,10 +5476,57 @@ "Human Rights" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0", + "type": "similar" + } + ], "uuid": "ca3016f3-642a-4ae0-86bc-7258475d6937", "value": "Stealth Falcon" }, + { + "description": "Storm-0844 is a threat actor originally known for distributing Akira ransomware, and more recently, for distributing Fog ransomware. The actor gains initial access likely by abusing valid accounts, then uses freely available tools for discovery, lateral movement, and exfiltration prior to ransomware deployment.[[Microsoft Threat Intelligence LinkedIn July 15 2024](/references/0e7ea8d0-bdb8-48a6-9718-703f64d16460)]", + "meta": { + "group_attack_id": "G5047", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", + "value": "Storm-0844" + }, + { + "description": "According to Microsoft security researchers, Storm-1811 is a \"financially motivated cybercriminal group known to deploy Black Basta ransomware\".[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]", + "meta": { + "group_attack_id": "G5039", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "value": "Storm-1811" + }, { "description": "[Strider](https://app.tidalcyber.com/groups/deb573c6-071a-4b50-9e92-4aa648d8bdc1) is a 
threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[[Symantec Strider Blog](https://app.tidalcyber.com/references/664eac41-257f-4d4d-aba5-5d2e8e2117a7)][[Kaspersky ProjectSauron Blog](https://app.tidalcyber.com/references/baeaa632-3fa5-4d2b-9537-ccc7674fd7d6)]", "meta": { @@ -4458,7 +5551,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7", + "type": "similar" + } + ], "uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1", "value": "Strider" }, @@ -4475,7 +5573,12 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "5abb12e7-5066-4f84-a109-49a037205c76", + "type": "similar" + } + ], "uuid": "06549082-ff70-43bf-985e-88c695c7113c", "value": "Suckfly" }, @@ -4513,7 +5616,12 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314", + "type": "similar" + } + ], "uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "value": "TA459" }, @@ -4538,7 +5646,12 @@ "a98d7a43-f227-478e-81de-e7299639a355" ] }, - "related": [], + "related": [ + { + "dest-uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", + "type": "similar" + } + ], "uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "value": "TA505" }, @@ -4551,7 +5664,12 @@ ], "source": "MITRE" }, - "related": [], + "related": [ + { + "dest-uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1", + "type": "similar" + } + ], "uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "value": "TA551" }, @@ -4563,7 +5681,11 @@ "Financial Gain" ], "owner": "TidalCyberIan", - "source": "Tidal Cyber" + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ] }, "related": [], "uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", 
@@ -4598,11 +5720,19 @@ "US" ], "source": "MITRE", + "tags": [ + "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" + ], "target_categories": [ "Infrastructure" ] }, - "related": [], + "related": [ + { + "dest-uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2", + "type": "similar" + } + ], "uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6", "value": "TEMP.Veles" }, @@ -4680,7 +5810,12 @@ "Technology" ] }, - "related": [], + "related": [ + { + "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32", + "type": "similar" + } + ], "uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "value": "Threat Group-3390" }, @@ -4700,7 +5835,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc", + "type": "similar" + } + ], "uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "value": "Thrip" }, @@ -4740,7 +5880,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26", + "type": "similar" + } + ], "uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "value": "Tonto Team" }, @@ -4813,7 +5958,12 @@ "Transportation" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee", + "type": "similar" + } + ], "uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "value": "Tropic Trooper" }, @@ -4911,7 +6061,12 @@ "Telecommunications" ] }, - "related": [], + "related": [ + { + "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68", + "type": "similar" + } + ], "uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "value": "Turla" }, 
@@ -4939,6 +6094,111 @@ "uuid": "f69c7e2f-b616-4782-b2f3-28e9b6702eb4", "value": "UAT4356" }, + { + "description": "UNC3966 is a threat actor group tracked by Mandiant. In an intrusion documented in March 2023, UNC3966 received access to a victim network initially compromised by the group UNC961. UNC3966 primary motivations remain unclear. During the intrusion, the group was observed collecting and exfiltrating victim data. While a ransom note was also discovered, UNC3966 did not appear to deploy ransomware encryption software and did not appear to demand a ransom payment.[[Mandiant UNC961 March 23 2023](/references/cef19ceb-179f-4d49-acba-5ce40ab9f65e)]", + "meta": { + "group_attack_id": "G5034", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", + "value": "UNC3966" + }, + { + "description": "UNC5537 is a threat actor believed to be responsible for compromising a large number of database instances belonging to customers of Snowflake, a multi-cloud data warehousing platform, in Q2 2024. Initial access was largely achieved using stolen customer credentials compromised previously via infostealer malware. Actors sought to monetize their access by selling victim data on underground forums and by extorting victims. 
Researchers believe UNC5537 is comprised of members based in North America and at least one member in Turkey, and it has targeted hundreds of organizations globally.[[Google Cloud June 10 2024](/references/0afe3662-b55c-4189-9c9a-2be55a9b6a70)]", + "meta": { + "group_attack_id": "G5041", + "observed_countries": [ + "ES", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "291c006e-f77a-4c9c-ae7e-084974c0e1eb", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Automotive", + "Banks", + "Entertainment", + "Financial Services", + "Retail", + "Technology" + ] + }, + "related": [], + "uuid": "809c288d-2dec-4c34-8ac1-f91d227ddfbd", + "value": "UNC5537" + }, + { + "description": "UNC961 is a financially motivated group active since at least 2018. It traditionally targeted retail and \"business services\" organizations based in North America, until expanding its targeting in 2020 to also include victims in a range of additional sectors in Northern Europe and Western Asia. 
In all known intrusions, UNC961 gained initial access by exploiting web-facing applications.[[Mandiant Log4Shell March 28 2022](/references/62d4d685-09c4-47b6-865c-4a6096e551cd)]", + "meta": { + "group_attack_id": "G5033", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "7e6ef160-8e4f-4132-bdc4-9991f01c472e", + "b1944c88-95cf-41db-b11c-d9284e733bf2", + "2eeef0b4-08b5-4d25-84f7-25d41fe6305b", + "f8b11afb-0876-4cd2-af74-9b305ff1b311", + "51287d7b-2674-4842-a880-c192d886eac3", + "ab64f2d8-8da3-48de-ac66-0fd91d634b22", + "8e05f5f0-6e25-448d-b08f-4c7627124fbd", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Commercial", + "Education", + "Energy", + "Financial Services", + "Government", + "Healthcare", + "High Tech", + "Media", + "Retail", + "Transportation" + ] + }, + "related": [], + "uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", + "value": "UNC961" + }, + { + "description": "Velvet Ant is a suspected \"China-nexus\" espionage group that has notably targeted network devices as part of its operations. In one case involving an unspecified victim located in East Asia, the group was seen abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as a command-and-control mechanism, managing to maintain network persistence for a period of three years. As part of the broader investigation into the group, researchers also observed cases of zero-day exploitation of CVE-2024-20399 in Cisco Nexus network switch devices, which allowed actors to upload and execute previously unknown, custom malware. 
The researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\".[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]", + "meta": { + "country": "CN", + "group_attack_id": "G5045", + "observed_motivations": [ + "Cyber Espionage" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "a98d7a43-f227-478e-81de-e7299639a355", + "72bc70fa-3979-4d3b-a0e9-b9ebebcf2a38", + "a159c91c-5258-49ea-af7d-e803008d97d3", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "9327f7c0-2187-4b98-9c33-8d89849be0bc", + "value": "Velvet Ant" + }, { "description": "Vice Society is an extortion-focused threat actor group first observed in mid-2021. The group gained notoriety after targeting a considerable number of educational institutions, especially lower education institutions. Although the education sector accounts for a disproportionate amount of the group’s victims, Vice Society has claimed victims in multiple other industries too, including the healthcare, retail, financial, insurance, and public services sectors. The group regularly pressures victims into paying a ransom by threatening to leak data exfiltrated during its intrusions. Vice Society is not known to have developed its own ransomware, instead deploying other existing families, including HELLOKITTY/FIVEHANDS and Zeppelin.[[U.S. CISA Vice Society September 2022](/references/0a754513-5f20-44a0-8cea-c5d9519106c8)]\n\n**Related Vulnerabilities**: CVE-2021-1675[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)], CVE-2021-34527[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]", "meta": { 
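Review bot: The Velvet Ant description mentions CVE-2024-20399 only inline, whereas the file's other Tidal-owned entries that cite CVEs (Rhysida and Vice Society, both visible in context lines of this patch) also append a `\n\n**Related Vulnerabilities**: CVE-…` section to the description, so any consumer that reads that section will miss this CVE. Consider appending `\n\n**Related Vulnerabilities**: CVE-2024-20399[[<reference title>](/references/<reference-uuid>)]` to the description, using whichever of the two cited Sygnia references covers the Cisco Nexus finding, so the entry matches the established format. Separately, UNC5537's `observed_countries` lists only `ES` and `US` while its description says the actor targeted hundreds of organizations globally; if the country list is meant to be indicative rather than exhaustive, stating that in the galaxy description would prevent the same question from being raised again.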
@@ -5010,6 +6270,35 @@
 "uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44",
 "value": "Vice Society"
 },
+ {
+ "description": "Void Rabisu is a threat actor believed be responsible for distributing Cuba ransomware.[[Unit 42 Cuba August 9 2022](/references/06f668d9-9a68-4d2f-b9a0-b92beb3b75d6)] Trend Micro researchers assess that, since October 2022, Void Rabisu's use of the RomCom backdoor during attacks could suggest a shift in its motivation towards more geopolitically motivated activity.[[Trend Micro Void Rabisu May 30 2023](/references/5fd628ca-f366-4f0d-b493-8be19fa4dd4e)]",
+ "meta": {
+ "group_attack_id": "G5027",
+ "observed_countries": [
+ "UA",
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Defense",
+ "Government",
+ "Utilities"
+ ]
+ },
+ "related": [],
+ "uuid": "c2015888-72c0-4367-b2cf-df85688a56b7",
+ "value": "Void Rabisu"
+ },
 {
 "description": "[Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937) has been operating since 2012 and is motivated by political and ideological interests.[[CheckPoint Volatile Cedar March 2015](https://app.tidalcyber.com/references/a26344a2-63ca-422e-8cf9-0cf22a5bee72)][[ClearSky Lebanese Cedar Jan 2021](https://app.tidalcyber.com/references/53944d48-caa9-4912-b42d-94a3789ed15b)]",
 "meta": {
@@ -5028,6 +6317,10 @@
 "Cyber Espionage"
 ],
 "source": "MITRE",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
 "target_categories": [
 "Defense",
 "Education",
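Review bot: The `description` of the new Void Rabisu object contains the typo `believed be responsible`; it should read `believed to be responsible`. The rest of the object (owner, source, tag uuids, `related: []`) follows the shape of the neighbouring Tidal-authored entries, so no structural change is needed. The second hunk on this line (Volatile Cedar `tags`) is a straightforward metadata addition and raises nothing.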
@@ -5041,7 +6334,46 @@ "value": "Volatile Cedar" }, { - "description": "Volt Typhoon is a China state-backed threat actor that has targeted critical infrastructure organizations in a range of specific sectors in Guam and elsewhere in the United States since mid-2021. Its activities primarily focus on espionage and information gathering. Researchers indicate the group is focused on maintaining stealth and persistence in victim networks for as long as possible, leveraging a large number of living-off-the-land techniques to accomplish these goals. Researchers assessed with moderate confidence that Volt Typhoon's activities are focused on developing capabilities that could disrupt communications infrastructure between the United States and entities in Asia in the event of a potential geopolitical crisis.[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]\n\n**Related Vulnerabilities**: CVE-2021-40539, CVE-2021-27860[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]", + "description": "[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. 
[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[[Microsoft Volt Typhoon May 2023](https://app.tidalcyber.com/references/8b74f0b7-9719-598c-b3ee-61d734393e6f)][[Joint Cybersecurity Advisory Volt Typhoon June 2023](https://app.tidalcyber.com/references/14872f08-e219-5c0d-a2d7-43a3ba348b4b)][[Secureworks BRONZE SILHOUETTE May 2023](https://app.tidalcyber.com/references/77624549-e170-5894-9219-a15b4aa31726)]", + "meta": { + "country": "CN", + "group_attack_id": "G1017", + "observed_countries": [ + "GU", + "US" + ], + "observed_motivations": [ + "Cyber Espionage" + ], + "source": "MITRE", + "tags": [ + "758c3085-2f79-40a8-ab95-f8a684737927", + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "15787198-6c8b-4f79-bf50-258d55072fee", + "97cc0c9b-3625-42c3-824a-646a91702977", + "53331b05-782f-45fc-b925-27c9598dde80" + ], + "target_categories": [ + "Construction", + "Education", + "Government", + "Manufacturing", + "Maritime", + "Technology", + "Telecommunications", + "Transportation", + "Utilities", + "Water" + ] + }, + "related": [], + "uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "value": "Volt Typhoon" + }, + { + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Volt Typhoon\" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nVolt Typhoon is a China state-backed threat actor that has targeted critical infrastructure organizations in a range of specific sectors in Guam and elsewhere in the United States since mid-2021. Its activities primarily focus on espionage and information gathering. 
Researchers indicate the group is focused on maintaining stealth and persistence in victim networks for as long as possible, leveraging a large number of living-off-the-land techniques to accomplish these goals. Researchers assessed with moderate confidence that Volt Typhoon's activities are focused on developing capabilities that could disrupt communications infrastructure between the United States and entities in Asia in the event of a potential geopolitical crisis.[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]\n\n**Related Vulnerabilities**: CVE-2021-40539, CVE-2021-27860[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]", "meta": { "country": "CN", "group_attack_id": "G5001", 
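Review bot: The deprecation of the `Volt Typhoon - Tidal` object (uuid 3290dcb9-…) is expressed only as prose prepended to its `description`; MISP consumers resolve supersession through the `related` array rather than description text, so a tool walking this galaxy still sees two unlinked Volt Typhoon objects. That object's `related` array lies outside this hunk, but if it is still `[]` it should gain `{ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "similar" }`, the form this same commit uses for Winnti Group further down. Note also that the MITRE-authored object moved in above it gains `"Water"` in `target_categories` compared with the copy removed in the next hunk, a content change that is easy to miss inside what otherwise reads as a pure move.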
@@ -5079,44 +6411,6 @@ "uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "value": "Volt Typhoon - Tidal" }, - { - "description": "[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[[Microsoft Volt Typhoon May 2023](https://app.tidalcyber.com/references/8b74f0b7-9719-598c-b3ee-61d734393e6f)][[Joint Cybersecurity Advisory Volt Typhoon June 2023](https://app.tidalcyber.com/references/14872f08-e219-5c0d-a2d7-43a3ba348b4b)][[Secureworks BRONZE SILHOUETTE May 2023](https://app.tidalcyber.com/references/77624549-e170-5894-9219-a15b4aa31726)]", - "meta": { - "country": "CN", - "group_attack_id": "G1017", - "observed_countries": [ - "GU", - "US" - ], - "observed_motivations": [ - "Cyber Espionage" - ], - "source": "MITRE", - "tags": [ - "758c3085-2f79-40a8-ab95-f8a684737927", - "af5e9be5-b86e-47af-91dd-966a5e34a186", - "35e694ec-5133-46e3-b7e1-5831867c3b55", - "1dc8fd1e-0737-405a-98a1-111dd557f1b5", - "15787198-6c8b-4f79-bf50-258d55072fee", - "97cc0c9b-3625-42c3-824a-646a91702977", - "53331b05-782f-45fc-b925-27c9598dde80" - ], - "target_categories": [ - "Construction", - "Education", - "Government", - "Manufacturing", - "Maritime", - "Technology", - "Telecommunications", - "Transportation", - "Utilities" - ] - }, - "related": [], - "uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", - "value": "Volt Typhoon" - }, { "description": 
"[Whitefly](https://app.tidalcyber.com/groups/f0943620-7bbb-4239-8ed3-c541c36baaa1) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.[[Symantec Whitefly March 2019](https://app.tidalcyber.com/references/d0e48356-36d9-4b4c-b621-e3c4404378d2)]", "meta": { @@ -5192,7 +6486,12 @@ "Entertainment" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", + "type": "similar" + } + ], "uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "value": "Winnti Group" }, 
@@ -5275,6 +6574,36 @@
 "uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "value": "Wizard Spider"
 },
+ {
+ "description": "Yellow Liderc (aka Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm) is a threat actor group based in Iran that is believed to be aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). Researchers have observed the group targeting victims in a range of sectors in the United States, Europe, the Middle East and Mediterranean, and South Asia.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]",
+ "meta": {
+ "country": "IR",
+ "group_attack_id": "G5032",
+ "observed_countries": [
+ "US"
+ ],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Aerospace",
+ "Automotive",
+ "Defense",
+ "Energy",
+ "Maritime",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "9e8620c4-a560-4081-aefc-118c7ec3fc22",
+ "value": "Yellow Liderc"
+ },
 {
 "description": "[ZIRCONIUM](https://app.tidalcyber.com/groups/5e34409e-2f55-4384-b519-80747d02394c) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[[Microsoft Targeting Elections September 2020](https://app.tidalcyber.com/references/1d7070fd-01be-4776-bb21-13368a6173b1)][[Check Point APT31 February 2021](https://app.tidalcyber.com/references/84ac99ef-106f-44e9-97f0-3eda90570932)]",
 "meta": {
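Review bot: `observed_countries` for the new Yellow Liderc object lists only `"US"`, while the object's own description states victims in Europe, the Middle East and Mediterranean, and South Asia. If the upstream Tidal record carries only the US this is inherited and can stand, but otherwise the array should be brought in line with the cited PwC reporting so consumers filtering on country do not miss the group. The description also reads `Revolutionary Guard Corp` where the organisation's name is `Corps`.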
@@ -5313,6 +6642,74 @@ "related": [], "uuid": "5e34409e-2f55-4384-b519-80747d02394c", "value": "ZIRCONIUM" + }, + { + "description": "This object reflects the TTPs used by threat actors to distribute and deploy the Zloader trojan malware. Researchers have observed actors distributing Zloader in campaigns without attributing the activity to named adversaries, such as the operations described by ESET researchers cited in the References.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]\n\nTTPs associated with Zloader binaries themselves can be found in the separate \"Zloader\" Software object.", + "meta": { + "group_attack_id": "G5037", + "observed_countries": [ + "AF", + "AR", + "AU", + "AT", + "BE", + "BR", + "CA", + "CL", + "CN", + "CO", + "HR", + "CZ", + "EC", + "FI", + "FR", + "GF", + "DE", + "GH", + "GR", + "HU", + "IN", + "ID", + "IE", + "IL", + "IT", + "JP", + "KR", + "KW", + "MX", + "NL", + "NG", + "PK", + "PE", + "PL", + "RU", + "RW", + "SA", + "SL", + "SK", + "ZA", + "ES", + "SE", + "CH", + "TH", + "UA", + "AE", + "GB", + "US", + "YE" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "39357cc1-dbb1-49e4-9fe0-ff24032b94d5", + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "d2fd3da1-e49c-4273-9add-3d15afc3b837", + "value": "Zloader Threat Actors" } ], "version": 1 diff --git a/clusters/tidal-references.json b/clusters/tidal-references.json index be4099a..115d356 100644 --- a/clusters/tidal-references.json +++ b/clusters/tidal-references.json 
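Review bot: The trailing context line `"version": 1` shows the cluster's top-level version is left untouched although this commit adds, edits and moves objects throughout the file; MISP compares that integer when deciding whether to update an already-imported cluster, so instances that have synced the previous release would keep the old Volt Typhoon, Winnti and other objects. Unless the bump happens in a hunk outside this view, the line should become `"version": 2` (or whatever the repository's convention is for these generated Tidal clusters). The same check applies to `tidal-references.json`, whose file header follows on this line and whose version line is not visible here.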
@@ -248,6 +248,22 @@ "uuid": "0f154aa6-8c9d-5bfc-a3c4-5f3e1420f55f", "value": "RC PowerShell" }, + { + "description": "Australian Signals Directorate. (2023, January 24). 2023-01: ASD's ACSC Ransomware Profile - Royal. Retrieved June 28, 2024.", + "meta": { + "date_accessed": "2024-06-28T00:00:00Z", + "date_published": "2023-01-24T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cyber.gov.au/about-us/advisories/2023-01-asdacsc-ransomware-profile-royal" + ], + "source": "Tidal Cyber", + "title": "2023-01: ASD's ACSC Ransomware Profile - Royal" + }, + "related": [], + "uuid": "514b704c-8668-4b61-8411-5b682e3b8471", + "value": "ASD Royal Ransomware January 24 2023" + }, { "description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.", "meta": { @@ -3453,21 +3469,6 @@ "uuid": "03eb080d-0b83-5cbb-9317-c50b35996c9b", "value": "SecureList Fileless" }, - { - "description": "M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.", - "meta": { - "date_accessed": "2019-04-19T00:00:00Z", - "date_published": "2014-02-21T00:00:00Z", - "refs": [ - "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" - ], - "source": "MITRE", - "title": "An In-depth Analysis of Linux/Ebury" - }, - "related": [], - "uuid": "eb6d4f77-ac63-4cb8-8487-20f9e709334b", - "value": "ESET Ebury Feb 2014" - }, { "description": "M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved January 8, 2018.", "meta": { 
@@ -3483,6 +3484,21 @@ "uuid": "39384c7a-3032-4b45-a5eb-8ebe7de22aa2", "value": "Welivesecurity Ebury SSH" }, + { + "description": "M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.", + "meta": { + "date_accessed": "2019-04-19T00:00:00Z", + "date_published": "2014-02-21T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" + ], + "source": "MITRE", + "title": "An In-depth Analysis of Linux/Ebury" + }, + "related": [], + "uuid": "eb6d4f77-ac63-4cb8-8487-20f9e709334b", + "value": "ESET Ebury Feb 2014" + }, { "description": "Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.", "meta": { @@ -4381,21 +4397,6 @@ "uuid": "3dd67aae-7feb-4b07-a985-ccadc1b16f1d", "value": "Bitdefender APT28 Dec 2015" }, - { - "description": "Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.", - "meta": { - "date_accessed": "2017-03-27T00:00:00Z", - "date_published": "2017-03-27T00:00:00Z", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" - ], - "source": "MITRE", - "title": "APT29 Domain Fronting With TOR" - }, - "related": [], - "uuid": "3e013b07-deaf-4387-acd7-2d0565d196a9", - "value": "FireEye APT29 Domain Fronting" - }, { "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.", "meta": { 
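Review bot: This hunk re-inserts the `ESET Ebury Feb 2014` reference (uuid eb6d4f77-…) byte-for-byte, directly after `Welivesecurity Ebury SSH`, which carries the same `title`; together with the deletion in the previous hunk the commit simply moves an identical object across a tie in the sort key. The same delete-then-re-add pattern recurs for `FireEye APT29 Domain Fronting`, `Forbes GitHub Creds`, `ESEST Black Energy Jan 2016`, `Blue Cloud of Death Video`, `Mandiant BYOL`, `Cado Security Denonia`, `Microsoft LSA Protection Mar 2014` and `Microsoft SolarWinds Customer Guidance` in the hunks that follow. Every moved object shares its `title` with the neighbour it swaps places with, which suggests whatever script regenerates this file sorts on title alone and lets tie order float between runs. Adding a deterministic secondary key such as `uuid` to that sort would stop these no-op moves from inflating every future diff and make genuine content changes reviewable.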
@@ -4411,6 +4412,21 @@ "uuid": "1d919991-bc87-41bf-9e58-edf1b3806bb8", "value": "FireEye APT29 Domain Fronting With TOR March 2017" }, + { + "description": "Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.", + "meta": { + "date_accessed": "2017-03-27T00:00:00Z", + "date_published": "2017-03-27T00:00:00Z", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" + ], + "source": "MITRE", + "title": "APT29 Domain Fronting With TOR" + }, + "related": [], + "uuid": "3e013b07-deaf-4387-acd7-2d0565d196a9", + "value": "FireEye APT29 Domain Fronting" + }, { "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.", "meta": { @@ -4606,6 +4622,22 @@ "uuid": "8a44368f-3348-4817-aca7-81bfaca5ae6d", "value": "FireEye APT40 March 2019" }, + { + "description": "Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan Lepore. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved August 2, 2024.", + "meta": { + "date_accessed": "2024-08-02T00:00:00Z", + "date_published": "2024-07-18T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" + ], + "source": "Tidal Cyber", + "title": "APT41 Has Arisen From the DUST" + }, + "related": [], + "uuid": "34ee3a7c-27c0-492f-a3c6-a5a3e86915f0", + "value": "Mandiant APT41 July 18 2024" + }, { "description": "Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.", "meta": { 
@@ -4635,6 +4667,38 @@ "uuid": "10b3e476-a0c5-41fd-8cb8-5bfb245b118f", "value": "Mandiant APT42" }, + { + "description": "Mandiant. (2022, August 12). APT42: Crooked Charms, Cons and Compromises. Retrieved August 30, 2024.", + "meta": { + "date_accessed": "2024-08-30T00:00:00Z", + "date_published": "2022-08-12T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.mandiant.com/sites/default/files/2022-09/apt42-report-mandiant.pdf" + ], + "source": "Tidal Cyber", + "title": "APT42: Crooked Charms, Cons and Compromises" + }, + "related": [], + "uuid": "53bab956-be5b-4d8d-b553-9926bc5d9fee", + "value": "Mandiant Crooked Charms August 12 2022" + }, + { + "description": "Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart. (2024, July 25). APT45: North Korea’s Digital Military Machine. Retrieved July 26, 2024.", + "meta": { + "date_accessed": "2024-07-26T00:00:00Z", + "date_published": "2024-07-25T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine" + ], + "source": "Tidal Cyber", + "title": "APT45: North Korea’s Digital Military Machine" + }, + "related": [], + "uuid": "a9673491-7493-4b85-b5fc-595e91bc7fdc", + "value": "Mandiant APT45 July 25 2024" + }, { "description": "National Security Agency. (2022, December). APT5: Citrix ADC Threat Hunting Guidance. Retrieved February 5, 2024.", "meta": { 
@@ -5539,21 +5603,6 @@ "uuid": "d4ca3351-eeb8-5342-8c85-806614e22c48", "value": "FireEye TRITON Dec 2017" }, - { - "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.", - "meta": { - "date_accessed": "2020-10-19T00:00:00Z", - "date_published": "2014-01-14T00:00:00Z", - "refs": [ - "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196" - ], - "source": "MITRE", - "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency" - }, - "related": [], - "uuid": "303f8801-bdd6-4a0c-a90a-37867898c99c", - "value": "Forbes GitHub Creds" - }, { "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.", "meta": { @@ -5569,6 +5618,21 @@ "uuid": "d2186b8c-10c9-493b-8e25-7d69fce006e4", "value": "GitHub Cloud Service Credentials" }, + { + "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.", + "meta": { + "date_accessed": "2020-10-19T00:00:00Z", + "date_published": "2014-01-14T00:00:00Z", + "refs": [ + "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196" + ], + "source": "MITRE", + "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency" + }, + "related": [], + "uuid": "303f8801-bdd6-4a0c-a90a-37867898c99c", + "value": "Forbes GitHub Creds" + }, { "description": "Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.", "meta": { 
@@ -5794,6 +5858,22 @@ "uuid": "2b4dcb27-f32e-50f0-83e0-350659e49f0b", "value": "Obfuscated scripts" }, + { + "description": "Andreas Klopsch. (2024, August 27). Attack tool update impairs Windows computers. Retrieved August 30, 2024.", + "meta": { + "date_accessed": "2024-08-30T00:00:00Z", + "date_published": "2024-08-27T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/" + ], + "source": "Tidal Cyber", + "title": "Attack tool update impairs Windows computers" + }, + "related": [], + "uuid": "af1dfc7b-fdc2-448f-a4bf-34f8ee7d55bc", + "value": "Sophos News August 27 2024" + }, { "description": "Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.", "meta": { @@ -7404,6 +7484,22 @@ "uuid": "53e12ade-99ed-51ee-b5c8-32180f144658", "value": "BATLOADER: The Evasive Downloader Malware" }, + { + "description": "AdvIntel. (2022, August 10). “BazarCall” Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches. Retrieved June 28, 2024.", + "meta": { + "date_accessed": "2024-06-28T00:00:00Z", + "date_published": "2022-08-10T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://web.archive.org/web/20220810223007/https://www.advintel.io/post/bazarcall-advisory-the-essential-guide-to-call-back-phishing-attacks-that-revolutionized-the-data" + ], + "source": "Tidal Cyber", + "title": "“BazarCall” Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches" + }, + "related": [], + "uuid": "5d3dff70-28c2-42a5-bf58-211fe6491fd2", + "value": "AdvIntel Bazar Call August 10 2022" + }, { "description": "Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.", "meta": { 
@@ -8220,21 +8316,6 @@ "uuid": "481a0106-d5b6-532c-8f5b-6c0c477185f4", "value": "Sophos BlackCat Jul 2022" }, - { - "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.", - "meta": { - "date_accessed": "2016-05-18T00:00:00Z", - "date_published": "2016-01-03T00:00:00Z", - "refs": [ - "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" - ], - "source": "MITRE", - "title": "BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry" - }, - "related": [], - "uuid": "4d626eb9-3722-4aa4-b95e-1650cc2865c2", - "value": "ESEST Black Energy Jan 2016" - }, { "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020.", "meta": { @@ -8250,6 +8331,21 @@ "uuid": "a0103079-c966-46b6-8871-c01f7f0eea4c", "value": "ESET BlackEnergy Jan 2016" }, + { + "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.", + "meta": { + "date_accessed": "2016-05-18T00:00:00Z", + "date_published": "2016-01-03T00:00:00Z", + "refs": [ + "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + ], + "source": "MITRE", + "title": "BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry" + }, + "related": [], + "uuid": "4d626eb9-3722-4aa4-b95e-1650cc2865c2", + "value": "ESEST Black Energy Jan 2016" + }, { "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", "meta": { 
@@ -8478,21 +8574,6 @@ "uuid": "e90b4941-5dff-4f38-b4dd-af3426fd621e", "value": "GitHub Bloodhound" }, - { - "description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.", - "meta": { - "date_accessed": "2019-11-21T00:00:00Z", - "date_published": "2018-10-14T00:00:00Z", - "refs": [ - "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815" - ], - "source": "MITRE", - "title": "Blue Cloud of Death: Red Teaming Azure" - }, - "related": [], - "uuid": "39b0adf6-c71e-4501-b8bb-fab82718486b", - "value": "Blue Cloud of Death Video" - }, { "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.", "meta": { @@ -8508,6 +8589,21 @@ "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c", "value": "Blue Cloud of Death" }, + { + "description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.", + "meta": { + "date_accessed": "2019-11-21T00:00:00Z", + "date_published": "2018-10-14T00:00:00Z", + "refs": [ + "https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815" + ], + "source": "MITRE", + "title": "Blue Cloud of Death: Red Teaming Azure" + }, + "related": [], + "uuid": "39b0adf6-c71e-4501-b8bb-fab82718486b", + "value": "Blue Cloud of Death Video" + }, { "description": "SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.", "meta": { 
@@ -8836,21 +8932,6 @@ "uuid": "60fac434-2815-4568-b951-4bde55c2e3af", "value": "PaloAlto Preventing Opportunistic Attacks Apr 2016" }, - { - "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.", - "meta": { - "date_accessed": "2021-10-04T00:00:00Z", - "date_published": "2018-06-18T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" - ], - "source": "MITRE", - "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique" - }, - "related": [], - "uuid": "445efe8b-659a-4023-afc7-aa7cd21ee5a1", - "value": "Mandiant BYOL" - }, { "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.", "meta": { @@ -8866,6 +8947,21 @@ "uuid": "104a1c1c-0899-4ff9-a5c4-73de702c467d", "value": "Mandiant BYOL 2018" }, + { + "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.", + "meta": { + "date_accessed": "2021-10-04T00:00:00Z", + "date_published": "2018-06-18T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" + ], + "source": "MITRE", + "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique" + }, + "related": [], + "uuid": "445efe8b-659a-4023-afc7-aa7cd21ee5a1", + "value": "Mandiant BYOL" + }, { "description": "Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020.", "meta": { 
@@ -9574,21 +9670,6 @@ "uuid": "7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b", "value": "Cadet Blizzard emerges as novel threat actor" }, - { - "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.", - "meta": { - "date_accessed": "2022-05-27T00:00:00Z", - "date_published": "2022-04-06T00:00:00Z", - "refs": [ - "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/" - ], - "source": "MITRE", - "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda" - }, - "related": [], - "uuid": "584e7ace-ef33-423b-9801-4728a447cb34", - "value": "Cado Security Denonia" - }, { "description": "jbowen. (2022, April 3). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved April 11, 2024.", "meta": { @@ -9605,6 +9686,21 @@ "uuid": "b276c28d-1488-4a21-86d1-7acdfd77794b", "value": "Cado Denonia April 3 2022" }, + { + "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.", + "meta": { + "date_accessed": "2022-05-27T00:00:00Z", + "date_published": "2022-04-06T00:00:00Z", + "refs": [ + "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/" + ], + "source": "MITRE", + "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda" + }, + "related": [], + "uuid": "584e7ace-ef33-423b-9801-4728a447cb34", + "value": "Cado Security Denonia" + }, { "description": "William Turton. (2023, September 13). Caesars Entertainment Paid Millions to Hackers in Attack. Retrieved September 14, 2023.", "meta": { 
@@ -10371,6 +10467,22 @@ "uuid": "657b43aa-ead2-41d3-911a-d714d9b28e19", "value": "JPCERT ChChes Feb 2017" }, + { + "description": "Check Point Research. (2023, December 4). Check Point Research Report: Iranian Hacktivist Proxies Escalate Activities Beyond Israel. Retrieved August 8, 2024.", + "meta": { + "date_accessed": "2024-08-08T00:00:00Z", + "date_published": "2023-12-04T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.checkpoint.com/research/check-point-research-report-shift-in-cyber-warfare-tactics-iranian-hacktivist-proxies-extend-activities-beyond-israel/" + ], + "source": "Tidal Cyber", + "title": "Check Point Research Report: Iranian Hacktivist Proxies Escalate Activities Beyond Israel" + }, + "related": [], + "uuid": "60432d84-8f46-4934-951f-df8e0f297ff0", + "value": "Check Point Iranian Proxies December 4 2023" + }, { "description": "Howard Oakley. (2020, November 16). Checks on executable code in Catalina and Big Sur: a first draft. Retrieved September 21, 2022.", "meta": { 
@@ -10461,6 +10573,38 @@ "uuid": "6da7eb8a-aab4-41ea-a0b7-5313d88cbe91", "value": "Recorded Future RedEcho Feb 2021" }, + { + "description": "Sygnia Team. (2024, June 17). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved June 20, 2024.", + "meta": { + "date_accessed": "2024-06-20T00:00:00Z", + "date_published": "2024-06-17T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/" + ], + "source": "Tidal Cyber", + "title": "China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence" + }, + "related": [], + "uuid": "5c313af4-61a8-449d-a6c7-f7ead6c72e19", + "value": "Sygnia Velvet Ant June 17 2024" + }, + { + "description": "Sygnia. (2024, July 1). China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices. Retrieved July 3, 2024.", + "meta": { + "date_accessed": "2024-07-03T00:00:00Z", + "date_published": "2024-07-01T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/" + ], + "source": "Tidal Cyber", + "title": "China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices" + }, + "related": [], + "uuid": "a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b", + "value": "Sygnia Velvet Ant July 1 2024" + }, { "description": "Budington, B. (2015, April 2). China Uses Unencrypted Websites to Hijack Browsers in GitHub Attack. Retrieved September 1, 2023.", "meta": { 
@@ -10521,6 +10665,22 @@ "uuid": "de78446a-cb46-4422-820b-9ddf07557b1a", "value": "Hacker News LuckyMouse June 2018" }, + { + "description": "Newsroom. (2024, July 2). Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware. Retrieved July 3, 2024.", + "meta": { + "date_accessed": "2024-07-03T00:00:00Z", + "date_published": "2024-07-02T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://thehackernews.com/2024/07/chinese-hackers-exploiting-cisco.html" + ], + "source": "Tidal Cyber", + "title": "Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware" + }, + "related": [], + "uuid": "e3949201-c949-4126-9e02-34bfad4713c0", + "value": "The Hacker News Velvet Ant Cisco July 2 2024" + }, { "description": "Catalin Cimpanu. (2021, July 20). Chinese hacking group APT31 uses mesh of home routers to disguise attacks. Retrieved April 25, 2024.", "meta": { @@ -12180,21 +12340,6 @@ "uuid": "4adfc72b-cd32-46a6-bdf4-a4c2c6cffa73", "value": "Microsoft Configure LSA" }, - { - "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.", - "meta": { - "date_accessed": "2017-11-27T00:00:00Z", - "date_published": "2014-03-12T00:00:00Z", - "refs": [ - "https://technet.microsoft.com/library/dn408187.aspx" - ], - "source": "MITRE", - "title": "Configuring Additional LSA Protection" - }, - "related": [], - "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c", - "value": "Microsoft LSA Protection Mar 2014" - }, { "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.", "meta": { 
@@ -12210,6 +12355,21 @@
 "uuid": "3ad49746-4e42-4663-a49e-ae64152b9463",
 "value": "Microsoft LSA"
 },
+ {
+ "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.",
+ "meta": {
+ "date_accessed": "2017-11-27T00:00:00Z",
+ "date_published": "2014-03-12T00:00:00Z",
+ "refs": [
+ "https://technet.microsoft.com/library/dn408187.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Configuring Additional LSA Protection"
+ },
+ "related": [],
+ "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c",
+ "value": "Microsoft LSA Protection Mar 2014"
+ },
 {
 "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.",
 "meta": {
@@ -13670,21 +13830,6 @@
 "uuid": "be233077-7bb4-48be-aecf-03258931527d",
 "value": "Microsoft Subkey"
 },
- {
- "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.",
- "meta": {
- "date_accessed": "2020-12-17T00:00:00Z",
- "date_published": "2020-12-13T00:00:00Z",
- "refs": [
- "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
- ],
- "source": "MITRE",
- "title": "Customer Guidance on Recent Nation-State Cyber Attacks"
- },
- "related": [],
- "uuid": "b486ae40-a854-4998-bf1b-aaf6ea2047ed",
- "value": "Microsoft SolarWinds Customer Guidance"
- },
 {
 "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.",
 "meta": {
@@ -13700,6 +13845,21 @@
 "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc",
 "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"
 },
+ {
+ "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.",
+ "meta": {
+ "date_accessed": "2020-12-17T00:00:00Z",
+ "date_published": "2020-12-13T00:00:00Z",
+ "refs": [
+ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+ ],
+ "source": "MITRE",
+ "title": "Customer Guidance on Recent Nation-State Cyber Attacks"
+ },
+ "related": [],
+ "uuid": "b486ae40-a854-4998-bf1b-aaf6ea2047ed",
+ "value": "Microsoft SolarWinds Customer Guidance"
+ },
 {
 "description": "Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.",
 "meta": {
@@ -14078,6 +14238,22 @@
 "uuid": "ebdf09ed-6eec-450f-aaea-067504ec25ca",
 "value": "Cybereason OSX Pirrit"
 },
+ {
+ "description": "Cybereason Nocturnus. (2022, May 9). Cybereason vs. Quantum Locker Ransomware. Retrieved June 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-28T00:00:00Z",
+ "date_published": "2022-05-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Cybereason vs. Quantum Locker Ransomware"
+ },
+ "related": [],
+ "uuid": "19027620-216a-4921-8d78-f56377778a12",
+ "value": "Cybereason Quantum Ransomware May 9 2022"
+ },
 {
 "description": "Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.",
 "meta": {
@@ -14244,6 +14420,22 @@
 "uuid": "1f46872c-6255-4ce0-a6c3-2bfa9e767765",
 "value": "Cyber Threat Profile MALTEIRO – Sciblog"
 },
+ {
+ "description": "Kevin Beaumont. (2023, December 28). Cyber Toufan goes Oprah mode with free Linux system wipes of over 100 organisations. Retrieved August 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-08T00:00:00Z",
+ "date_published": "2023-12-28T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Cyber Toufan goes Oprah mode with free Linux system wipes of over 100 organisations"
+ },
+ "related": [],
+ "uuid": "2fc1f6de-e01c-4225-bd29-8d547bf91e9e",
+ "value": "DoublePulsar Cyber Toufan"
+ },
 {
 "description": "NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.",
 "meta": {
@@ -14621,6 +14813,38 @@
 "uuid": "449e7b5c-7c62-4a63-a676-80026a597fc9",
 "value": "Prevailion DarkWatchman 2021"
 },
+ {
+ "description": "SOCRadar Research. (2022, December 12). Dark Web Profile: APT42 – Iranian Cyber Espionage Group. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2022-12-12T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Dark Web Profile: APT42 – Iranian Cyber Espionage Group"
+ },
+ "related": [],
+ "uuid": "6077faed-b162-4850-969a-2abedc842198",
+ "value": "SOCRadar APT42 December 12 2022"
+ },
+ {
+ "description": "SOCRadar. (2023, December 20). Dark Web Profile: Cyber Toufan Al-aqsa. Retrieved August 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-08T00:00:00Z",
+ "date_published": "2023-12-20T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Dark Web Profile: Cyber Toufan Al-aqsa"
+ },
+ "related": [],
+ "uuid": "a9aa6361-8c4d-4456-bb3f-c64ca5260695",
+ "value": "SOCRadar Cyber Toufan Profile"
+ },
 {
 "description": "Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.",
 "meta": {
@@ -15596,6 +15820,22 @@
 "uuid": "e0c1fcd3-b7a8-42af-8984-873a6f969975",
 "value": "Microsoft WhisperGate January 2022"
 },
+ {
+ "description": "S2W. (2024, January 16). Detailed Analysis of DarkGate. Retrieved July 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-12T00:00:00Z",
+ "date_published": "2024-01-16T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Detailed Analysis of DarkGate"
+ },
+ "related": [],
+ "uuid": "62d6a280-06df-4b96-85c8-13174e496256",
+ "value": "S2W DarkGate January 16 2024"
+ },
 {
 "description": "Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.",
 "meta": {
@@ -16997,21 +17237,6 @@
 "uuid": "a1b987cc-7789-411c-9673-3cf6357b207c",
 "value": "ASERT Donot March 2018"
 },
- {
- "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.",
- "meta": {
- "date_accessed": "2023-08-04T00:00:00Z",
- "date_published": "2023-05-22T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
- ],
- "source": "MITRE",
- "title": "Don't @ Me: URL Obfuscation Through Schema Abuse"
- },
- "related": [],
- "uuid": "b63f5934-2ace-5326-89be-7a850469a563",
- "value": "Mandiant URL Obfuscation 2023"
- },
 {
 "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.",
 "meta": {
@@ -17042,6 +17267,21 @@
 "uuid": "75b860d9-a48d-57de-ba1e-b0db970abb1b",
 "value": "Schema-abuse"
 },
+ {
+ "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.",
+ "meta": {
+ "date_accessed": "2023-08-04T00:00:00Z",
+ "date_published": "2023-05-22T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
+ ],
+ "source": "MITRE",
+ "title": "Don't @ Me: URL Obfuscation Through Schema Abuse"
+ },
+ "related": [],
+ "uuid": "b63f5934-2ace-5326-89be-7a850469a563",
+ "value": "Mandiant URL Obfuscation 2023"
+ },
 {
 "description": "TheWover. (2019, May 9). donut. Retrieved March 25, 2022.",
 "meta": {
@@ -17716,21 +17956,6 @@
 "uuid": "72458590-ee1b-4447-adb8-ca4f486d1db5",
 "value": "Microsoft Dynamic-Link Library Redirection"
 },
- {
- "description": "Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.",
- "meta": {
- "date_accessed": "2014-11-30T00:00:00Z",
- "date_published": "2018-05-31T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN"
- ],
- "source": "MITRE",
- "title": "Dynamic-Link Library Search Order"
- },
- "related": [],
- "uuid": "7b1f945b-2547-4bc6-98bf-30248bdf3587",
- "value": "Microsoft Dynamic Link Library Search Order"
- },
 {
 "description": "Microsoft. (n.d.). Dynamic-Link Library Search Order. Retrieved November 30, 2014.",
 "meta": {
@@ -17746,18 +17971,19 @@
 "value": "Microsoft DLL Search"
 },
 {
- "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.",
+ "description": "Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.",
 "meta": {
- "date_accessed": "2016-07-25T00:00:00Z",
+ "date_accessed": "2014-11-30T00:00:00Z",
+ "date_published": "2018-05-31T00:00:00Z",
 "refs": [
- "https://msdn.microsoft.com/en-us/library/ff919712.aspx"
+ "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN"
 ],
 "source": "MITRE",
- "title": "Dynamic-Link Library Security"
+ "title": "Dynamic-Link Library Search Order"
 },
 "related": [],
- "uuid": "5d1d1916-cef4-49d1-b8e2-a6d18fb297f6",
- "value": "MSDN DLL Security"
+ "uuid": "7b1f945b-2547-4bc6-98bf-30248bdf3587",
+ "value": "Microsoft Dynamic Link Library Search Order"
 },
 {
 "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.",
@@ -17787,6 +18013,20 @@
 "uuid": "e087442a-0a53-4cc8-9fd6-772cbd0295d5",
 "value": "Microsoft Dynamic-Link Library Security"
 },
+ {
+ "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.",
+ "meta": {
+ "date_accessed": "2016-07-25T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/en-us/library/ff919712.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Dynamic-Link Library Security"
+ },
+ "related": [],
+ "uuid": "5d1d1916-cef4-49d1-b8e2-a6d18fb297f6",
+ "value": "MSDN DLL Security"
+ },
 {
 "description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.",
 "meta": {
@@ -17982,6 +18222,38 @@
 "uuid": "c8a018c5-caa3-4af1-b210-b65bbf94c8b2",
 "value": "Dragos EKANS"
 },
+ {
+ "description": "Nathan Eddy; Contributing Writer. (2024, July 9). Eldorado Ransomware Cruises Onto the Scene to Target VMware ESXi. Retrieved July 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-15T00:00:00Z",
+ "date_published": "2024-07-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.darkreading.com/endpoint-security/eldorado-ransomware-target-vmware-esxi"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Eldorado Ransomware Cruises Onto the Scene to Target VMware ESXi"
+ },
+ "related": [],
+ "uuid": "cec05996-84a1-4c07-86eb-d72f8c6d9362",
+ "value": "Dark Reading July 9 2024"
+ },
+ {
+ "description": "Nikolay Kichatov Cyber Intelligence Analyst; Group-IB. (2024, July 3). Eldorado Ransomware The New Golden Empire of Cybercrime . Retrieved July 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-15T00:00:00Z",
+ "date_published": "2024-07-03T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.group-ib.com/blog/eldorado-ransomware/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Eldorado Ransomware The New Golden Empire of Cybercrime"
+ },
+ "related": [],
+ "uuid": "50148a85-314c-4b29-bdfc-913ab647dadf",
+ "value": "Group-IB July 3 2024"
+ },
 {
 "description": "Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019.",
 "meta": {
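Review bot: The `value` keys of the two new entries, `"Dark Reading July 9 2024"` and `"Group-IB July 3 2024"`, carry only the outlet and date and omit the subject, unlike the other entries this commit adds (`"Sygnia Velvet Ant July 1 2024"`, `"Arctic Wolf Fog Ransomware June 4 2024"`), so they cannot be told apart from any other Dark Reading or Group-IB reference in the list. The same applies to `"Proofpoint June 17 2024"` in hunk `@@ -21512,6 +21800,22 @@` and to `"SentinelOne 9 26 2022"` in hunk `@@ -30210,8 +30623,24 @@`, the latter also using a numeric date where every other value spells out the month. Suggest `"value": "Dark Reading Eldorado Ransomware July 9 2024"` and `"value": "Group-IB Eldorado Ransomware July 3 2024"`. The author fields of both descriptions also carry job titles scraped from the byline ("Contributing Writer", "Cyber Intelligence Analyst"), and the second description has a stray space before the period in "Cybercrime .", which suggests the generator is not trimming the scraped title before building the citation.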
@@ -19883,6 +20155,21 @@
 "uuid": "186c1213-d0c5-4eb6-aa0f-0fd61b07a1f7",
 "value": "ThreatPost Social Media Phishing"
 },
+ {
+ "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.",
+ "meta": {
+ "date_accessed": "2022-09-30T00:00:00Z",
+ "date_published": "2021-01-11T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
+ ],
+ "source": "MITRE",
+ "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts"
+ },
+ "related": [],
+ "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9",
+ "value": "Sentinel Labs"
+ },
 {
 "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.",
 "meta": {
@@ -19899,19 +20186,20 @@
 "value": "SentinelLabs reversing run-only applescripts 2021"
 },
 {
- "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.",
+ "description": "Bill Toulas. (2024, June 17). Fake Google Chrome errors trick you into running malicious PowerShell scripts. Retrieved June 20, 2024.",
 "meta": {
- "date_accessed": "2022-09-30T00:00:00Z",
- "date_published": "2021-01-11T00:00:00Z",
+ "date_accessed": "2024-06-20T00:00:00Z",
+ "date_published": "2024-06-17T00:00:00Z",
+ "owner": "TidalCyberIan",
 "refs": [
- "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
+ "https://www.bleepingcomputer.com/news/security/fake-google-chrome-errors-trick-you-into-running-malicious-powershell-scripts/"
 ],
- "source": "MITRE",
- "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts"
+ "source": "Tidal Cyber",
+ "title": "Fake Google Chrome errors trick you into running malicious PowerShell scripts"
 },
 "related": [],
- "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9",
- "value": "Sentinel Labs"
+ "uuid": "6efa70e3-d8eb-4260-b0ab-62335681e6fd",
+ "value": "BleepingComputer Fake Chrome Errors June 17 2024"
 },
 {
 "description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.",
@@ -20486,6 +20774,21 @@
 "uuid": "6ee27fdb-1753-4fdf-af72-3295b072ff10",
 "value": "FireEye FIN7 April 2017"
 },
+ {
+ "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.",
+ "meta": {
+ "date_accessed": "2022-04-05T00:00:00Z",
+ "date_published": "2022-04-04T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/evolution-of-fin7"
+ ],
+ "source": "MITRE",
+ "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7"
+ },
+ "related": [],
+ "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570",
+ "value": "Mandiant FIN7 Apr 2022"
+ },
 {
 "description": "Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved May 25, 2023.",
 "meta": {
@@ -20502,21 +20805,6 @@
 "uuid": "fbc3ea90-d3d4-440e-964d-6cd2e991df0c",
 "value": "Mandiant FIN7 April 4 2022"
 },
- {
- "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.",
- "meta": {
- "date_accessed": "2022-04-05T00:00:00Z",
- "date_published": "2022-04-04T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/evolution-of-fin7"
- ],
- "source": "MITRE",
- "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7"
- },
- "related": [],
- "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570",
- "value": "Mandiant FIN7 Apr 2022"
- },
 {
 "description": "Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.",
 "meta": {
@@ -20804,21 +21092,6 @@
 "uuid": "6ef0b8d8-ba98-49ce-807d-5a85d111b027",
 "value": "FinFisher Citation"
 },
- {
- "description": "Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.",
- "meta": {
- "date_accessed": "2018-07-09T00:00:00Z",
- "date_published": "2018-03-01T00:00:00Z",
- "refs": [
- "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
- ],
- "source": "MITRE",
- "title": "FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines"
- },
- "related": [],
- "uuid": "88c97a9a-ef14-4695-bde0-9de2b5f5343b",
- "value": "Microsoft FinFisher March 2018"
- },
 {
 "description": "Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.",
 "meta": {
@@ -20834,6 +21107,21 @@
 "uuid": "b2f4541e-f981-4b25-abf4-1bec92b16faa",
 "value": "FinFisher exposed"
 },
+ {
+ "description": "Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.",
+ "meta": {
+ "date_accessed": "2018-07-09T00:00:00Z",
+ "date_published": "2018-03-01T00:00:00Z",
+ "refs": [
+ "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
+ ],
+ "source": "MITRE",
+ "title": "FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines"
+ },
+ "related": [],
+ "uuid": "88c97a9a-ef14-4695-bde0-9de2b5f5343b",
+ "value": "Microsoft FinFisher March 2018"
+ },
 {
 "description": "LOLBAS. (2021, August 30). Finger.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -21512,6 +21800,22 @@
 "uuid": "605b58ea-9544-49b8-b3c8-0a97b2b155dc",
 "value": "blackmatter_blackcat"
 },
+ {
+ "description": "Tommy Madjar, Dusty Miller, Selena Larson, The Proofpoint Threat Research Team. (2024, June 17). From Clipboard to Compromise A PowerShell Self-Pwn . Retrieved June 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-20T00:00:00Z",
+ "date_published": "2024-06-17T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
+ ],
+ "source": "Tidal Cyber",
+ "title": "From Clipboard to Compromise A PowerShell Self-Pwn"
+ },
+ "related": [],
+ "uuid": "a65d7492-04a4-46d4-85ed-134786c6828b",
+ "value": "Proofpoint June 17 2024"
+ },
 {
 "description": "Samantha Stallings, Brad Duncan. (2023, December 29). From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence. Retrieved January 11, 2024.",
 "meta": {
@@ -22436,6 +22740,21 @@
 "uuid": "eea178f4-80bd-49d1-84b1-f80671e9a3e4",
 "value": "GitHub evilginx2 - Duplicate"
 },
+ {
+ "description": "Flangvik. (n.d.). GitHub Flangvik SharpExfiltrate. Retrieved June 18, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://github.com/Flangvik/SharpExfiltrate"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GitHub Flangvik SharpExfiltrate"
+ },
+ "related": [],
+ "uuid": "7f0c0c86-c042-4a69-982a-c8c70ec1199c",
+ "value": "GitHub Flangvik SharpExfiltrate"
+ },
 {
 "description": "Mudge, R. (2014, July 14). Github Malleable-C2-Profiles safebrowsing.profile. Retrieved June 18, 2017.",
 "meta": {
@@ -22466,6 +22785,21 @@
 "uuid": "7ae0b5c6-c9e5-4922-9e98-6483c81a8b42",
 "value": "GitHub masscan"
 },
+ {
+ "description": "meganz. (n.d.). GitHub meganz MEGAcmd. Retrieved June 18, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://github.com/meganz/MEGAcmd"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GitHub meganz MEGAcmd"
+ },
+ "related": [],
+ "uuid": "6e4d67f5-cca1-4298-b21c-d7511aa264ae",
+ "value": "GitHub meganz MEGAcmd"
+ },
 {
 "description": "GitHub. (n.d.). GitHub - meganz/MEGAsync: Easy automated syncing between your computers and your MEGA Cloud Drive. Retrieved June 22, 2023.",
 "meta": {
@@ -22629,6 +22963,21 @@
 "uuid": "c29a90a7-016f-49b7-a970-334290964f19",
 "value": "GitHub secretsdump"
 },
+ {
+ "description": "securesocketfunneling. (n.d.). GitHub securesocketfunneling ssf. Retrieved July 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-10T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://github.com/securesocketfunneling/ssf"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GitHub securesocketfunneling ssf"
+ },
+ "related": [],
+ "uuid": "077ab224-9406-4be7-8467-2a6da8dc786d",
+ "value": "GitHub securesocketfunneling ssf"
+ },
 {
 "description": "djhohnstein. (n.d.). GitHub SharpChromium. Retrieved December 14, 2023.",
 "meta": {
@@ -23187,6 +23536,22 @@
 "uuid": "77624549-e170-5894-9219-a15b4aa31726",
 "value": "Secureworks BRONZE SILHOUETTE May 2023"
 },
+ {
+ "description": "Kate Morgan. (2023, October 18). Government-backed actors exploiting WinRAR vulnerability. Retrieved July 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-10T00:00:00Z",
+ "date_published": "2023-10-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Government-backed actors exploiting WinRAR vulnerability"
+ },
+ "related": [],
+ "uuid": "6e8fb629-4bb8-4557-9d42-385060be598f",
+ "value": "Google TAG CVE-2023-38831 October 18 2023"
+ },
 {
 "description": "Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.",
 "meta": {
@@ -23860,6 +24225,22 @@
 "uuid": "f652524c-7950-4a8a-9860-0e658a9581d8",
 "value": "PCMag FakeLogin"
 },
+ {
+ "description": "Bill Toulas. (2024, June 17). Hackers use F5 BIG-IP malware to stealthily steal data for years. Retrieved June 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-20T00:00:00Z",
+ "date_published": "2024-06-17T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malware-to-stealthily-steal-data-for-years/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Hackers use F5 BIG-IP malware to stealthily steal data for years"
+ },
+ "related": [],
+ "uuid": "70235e47-f8bb-4d16-9933-9f4923f08f5d",
+ "value": "BleepingComputer Velvet Ant June 17 2024"
+ },
 {
 "description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.",
 "meta": {
@@ -24160,21 +24541,6 @@
 "uuid": "95d6d1ce-ceba-48ee-88c4-0fb30058bd80",
 "value": "Specter Ops - Cloud Credential Storage"
 },
- {
- "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.",
- "meta": {
- "date_accessed": "2022-09-30T00:00:00Z",
- "date_published": "2019-09-23T00:00:00Z",
- "refs": [
- "https://securelist.com/my-name-is-dtrack/93338/"
- ],
- "source": "MITRE",
- "title": "Hello! My name is Dtrack"
- },
- "related": [],
- "uuid": "a011b68a-30e0-4204-9bf3-fa73f2a238b4",
- "value": "Securelist Dtrack2"
- },
 {
 "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.",
 "meta": {
@@ -24190,6 +24556,21 @@
 "uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd",
 "value": "Securelist Dtrack"
 },
+ {
+ "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.",
+ "meta": {
+ "date_accessed": "2022-09-30T00:00:00Z",
+ "date_published": "2019-09-23T00:00:00Z",
+ "refs": [
+ "https://securelist.com/my-name-is-dtrack/93338/"
+ ],
+ "source": "MITRE",
+ "title": "Hello! My name is Dtrack"
+ },
+ "related": [],
+ "uuid": "a011b68a-30e0-4204-9bf3-fa73f2a238b4",
+ "value": "Securelist Dtrack2"
+ },
 {
 "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.",
 "meta": {
@@ -24953,21 +25334,6 @@
 "uuid": "561ff84d-17ce-511c-af0c-059310f3c129",
 "value": "Kaspersky Autofill"
 },
- {
- "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
- "meta": {
- "date_accessed": "2023-11-17T00:00:00Z",
- "date_published": "2023-07-12T00:00:00Z",
- "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
- ],
- "source": "MITRE",
- "title": "How Microsoft names threat actors"
- },
- "related": [],
- "uuid": "78a8137d-694e-533d-aed3-6bd48fc0cd4a",
- "value": "Microsoft Threat Actor Naming July 2023"
- },
 {
 "description": "diannegali, schmurky, Dansimp, chrisda, Stacyrch140. (2023, April 20). How Microsoft names threat actors. Retrieved June 22, 2023.",
 "meta": {
@@ -24984,6 +25350,21 @@
 "uuid": "de9cda86-0b23-4bc8-b524-e74fecf99448",
 "value": "Microsoft Threat Actor Naming"
 },
+ {
+ "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+ "meta": {
+ "date_accessed": "2023-11-17T00:00:00Z",
+ "date_published": "2023-07-12T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "source": "MITRE",
+ "title": "How Microsoft names threat actors"
+ },
+ "related": [],
+ "uuid": "78a8137d-694e-533d-aed3-6bd48fc0cd4a",
+ "value": "Microsoft Threat Actor Naming July 2023"
+ },
 {
 "description": "How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.",
 "meta": {
@@ -27993,20 +28374,6 @@
 "uuid": "956b3d80-4e19-4cab-a65f-ad86f233aa12",
 "value": "GitHub Invoke-Obfuscation"
 },
- {
- "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
- "meta": {
- "date_accessed": "2022-09-30T00:00:00Z",
- "refs": [
- "https://github.com/peewpw/Invoke-PSImage"
- ],
- "source": "MITRE",
- "title": "Invoke-PSImage"
- },
- "related": [],
- "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c",
- "value": "GitHub PSImage"
- },
 {
 "description": "Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.",
 "meta": {
@@ -28022,6 +28389,20 @@
 "uuid": "dd210b79-bd5f-4282-9542-4d1ae2f16438",
 "value": "GitHub Invoke-PSImage"
 },
+ {
+ "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
+ "meta": {
+ "date_accessed": "2022-09-30T00:00:00Z",
+ "refs": [
+ "https://github.com/peewpw/Invoke-PSImage"
+ ],
+ "source": "MITRE",
+ "title": "Invoke-PSImage"
+ },
+ "related": [],
+ "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c",
+ "value": "GitHub PSImage"
+ },
 {
 "description": "PowerShellMafia. (2016, December 14). Invoke-Shellcode. Retrieved May 25, 2023.",
 "meta": {
@@ -28110,6 +28491,22 @@
 "uuid": "0a6166a3-5649-4117-97f4-7b8b5b559929",
 "value": "Symantec Chafer Dec 2015"
 },
+ {
+ "description": "Cybersecurity and Infrastructure Security Agency. (2024, August 28). Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations. Retrieved August 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-29T00:00:00Z",
+ "date_published": "2024-08-28T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations"
+ },
+ "related": [],
+ "uuid": "783f4aee-84d9-43dc-accc-99fee6b1ff92",
+ "value": "U.S. CISA Pioneer Kitten August 28 2024"
+ },
 {
 "description": "CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.",
 "meta": {
@@ -28171,6 +28568,22 @@
 "uuid": "a2d79c6a-16d6-4dbd-b8a5-845dcc36212d",
 "value": "Talos MuddyWater Jan 2022"
 },
+ {
+ "description": "Google Threat Analysis Group. (2024, August 14). Iranian backed group steps up phishing campaigns against Israel, U.S.. Retrieved August 30, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-30T00:00:00Z",
+ "date_published": "2024-08-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Iranian backed group steps up phishing campaigns against Israel, U.S."
+ },
+ "related": [],
+ "uuid": "669836b5-4069-49af-a919-2cb32bf94d4b",
+ "value": "Google TAG APT42 August 14 2024"
+ },
 {
 "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.",
 "meta": {
@@ -29024,21 +29437,6 @@
 "uuid": "26a554dc-39c0-4638-902d-7e84fe01b961",
 "value": "U.S. Justice Department GRU Botnet February 2024"
 },
- {
- "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.",
- "meta": {
- "date_accessed": "2022-05-27T00:00:00Z",
- "date_published": "2020-06-13T00:00:00Z",
- "refs": [
- "https://o365blog.com/post/just-looking/"
- ],
- "source": "MITRE",
- "title": "Just looking: Azure Active Directory reconnaissance as an outsider"
- },
- "related": [],
- "uuid": "42dad2a3-5b33-4be4-a19b-58a27fb3ee5d",
- "value": "Azure Active Directory Reconnaisance"
- },
 {
 "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.",
 "meta": {
@@ -29054,6 +29452,21 @@
 "uuid": "16565eaf-44fb-44f4-b490-40dc1160ff2b",
 "value": "Azure AD Recon"
 },
+ {
+ "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.",
+ "meta": {
+ "date_accessed": "2022-05-27T00:00:00Z",
+ "date_published": "2020-06-13T00:00:00Z",
+ "refs": [
+ "https://o365blog.com/post/just-looking/"
+ ],
+ "source": "MITRE",
+ "title": "Just looking: Azure Active Directory reconnaissance as an outsider"
+ },
+ "related": [],
+ "uuid": "42dad2a3-5b33-4be4-a19b-58a27fb3ee5d",
+ "value": "Azure Active Directory Reconnaisance"
+ },
 {
 "description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.",
 "meta": {
@@ -29560,21 +29973,6 @@
 "uuid": "502cc03b-350b-4e2d-9436-364c43a0a203",
 "value": "Flashpoint Glossary Killnet"
 },
- {
- "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.",
- "meta": {
- "date_accessed": "2021-06-10T00:00:00Z",
- "date_published": "2021-06-01T00:00:00Z",
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/"
- ],
- "source": "MITRE, Tidal Cyber",
- "title": "Kimsuky APT continues to target South Korean government using AppleSeed backdoor"
- },
- "related": [],
- "uuid": "9a497c56-f1d3-4889-8c1a-14b013f14668",
- "value": "Malwarebytes Kimsuky June 2021"
- },
 {
 "description": "Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024.",
 "meta": {
@@ -29590,6 +29988,21 @@
 "uuid": "8b0dd1d7-dc9c-50d3-a47e-20304591ac40",
 "value": "Kimsuky Malwarebytes"
 },
+ {
+ "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.",
+ "meta": {
+ "date_accessed": "2021-06-10T00:00:00Z",
+ "date_published": "2021-06-01T00:00:00Z",
+ "refs": [
+ "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "Kimsuky APT continues to target South Korean government using AppleSeed backdoor"
+ },
+ "related": [],
+ "uuid": "9a497c56-f1d3-4889-8c1a-14b013f14668",
+ "value": "Malwarebytes Kimsuky June 2021"
+ },
 {
 "description": "Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.",
 "meta": {
@@ -30195,8 +30608,8 @@
 "title": "Lazarus KillDisks Central American casino"
 },
 "related": [],
- "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49",
- "value": "Lazarus KillDisk"
+ "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3",
+ "value": "ESET Lazarus KillDisk April 2018"
 },
 {
 "description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.",
@@ -30210,8 +30623,24 @@
 "title": "Lazarus KillDisks Central American casino"
 },
 "related": [],
- "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3",
- "value": "ESET Lazarus KillDisk April 2018"
+ "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49",
+ "value": "Lazarus KillDisk"
+ },
+ {
+ "description": "Dinesh Devadoss, Phil Stokes. (2022, September 26). Lazarus \"Operation In(ter)ception\" Targets macOS Users Dreaming of Jobs in Crypto. Retrieved March 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-08T00:00:00Z",
+ "date_published": "2022-09-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Lazarus \"Operation In(ter)ception\" Targets macOS Users Dreaming of Jobs in Crypto"
+ },
+ "related": [],
+ "uuid": "973a110c-f1cd-46cd-b92b-5c7d8e7492b1",
+ "value": "SentinelOne 9 26 2022"
 },
 {
 "description": "Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.",
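Review bot: The two hunks here swap the `uuid` and `value` between the two "Lazarus KillDisks Central American casino" entries instead of moving the entries themselves: in `@@ -30210,8 +30623,24 @@` the entry whose description is visible in context (`"Kálnai, P., Cherepanov A. (2018, April 03)… Retrieved May 17, 2018."`) changes from `454704b7-9ede-4d30-acfd-2cf16a89bcb3` / `"ESET Lazarus KillDisk April 2018"` to `6f931476-29e6-4bba-ba1b-37ab742f4b49` / `"Lazarus KillDisk"`, and `@@ -30195,8 +30608,8 @@` does the reverse for the preceding entry. If the uuid is the stable identifier that consumers reference, anything already tagged with either uuid now resolves to the other entry's description, `date_accessed` and `refs`. Unless the two descriptions are identical, the reorder should move the whole objects, as the other relocation hunks in this commit do, and keep each uuid attached to its original content. The first entry's description lies outside the hunk, so I cannot confirm from here whether the two entries actually differ.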
@@ -30243,21 +30672,6 @@
 "uuid": "ba6a5fcc-9391-42c0-8b90-57b729525f41",
 "value": "Kaspersky ThreatNeedle Feb 2021"
 },
- {
- "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.",
- "meta": {
- "date_accessed": "2019-04-17T00:00:00Z",
- "date_published": "2017-04-03T00:00:00Z",
- "refs": [
- "https://securelist.com/lazarus-under-the-hood/77908/"
- ],
- "source": "MITRE, Tidal Cyber",
- "title": "Lazarus Under the Hood"
- },
- "related": [],
- "uuid": "a1e1ab6a-8db0-4593-95ec-78784607dfa0",
- "value": "Kaspersky Lazarus Under The Hood Blog 2017"
- },
 {
 "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.",
 "meta": {
@@ -30273,6 +30687,21 @@
 "uuid": "312b30b1-3bd6-46ea-8f77-504f442499bc",
 "value": "Kaspersky Lazarus Under The Hood APR 2017"
 },
+ {
+ "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.",
+ "meta": {
+ "date_accessed": "2019-04-17T00:00:00Z",
+ "date_published": "2017-04-03T00:00:00Z",
+ "refs": [
+ "https://securelist.com/lazarus-under-the-hood/77908/"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "Lazarus Under the Hood"
+ },
+ "related": [],
+ "uuid": "a1e1ab6a-8db0-4593-95ec-78784607dfa0",
+ "value": "Kaspersky Lazarus Under The Hood Blog 2017"
+ },
 {
 "description": "Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.",
 "meta": {
@@ -31452,6 +31881,22 @@
 "uuid": "6043b34d-dec3-415b-8329-05f698f320e3",
 "value": "Fidelis DarkComet"
 },
+ {
+ "description": "Stefan Hostetler, Steven Campbell, Christopher Prest, Connor Belfiore, Markus Neis, Joe Wedderspoon, Rick McQuown, Arctic Wolf Labs Team. (2024, June 4). Lost in the Fog: A New Ransomware Threat. Retrieved July 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-29T00:00:00Z",
+ "date_published": "2024-06-04T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Lost in the Fog: A New Ransomware Threat"
+ },
+ "related": [],
+ "uuid": "86111971-cd37-4a87-bcaa-3e0f6326da5c",
+ "value": "Arctic Wolf Fog Ransomware June 4 2024"
+ },
 {
 "description": "Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017.",
 "meta": {
@@ -31645,6 +32090,22 @@
 "uuid": "3e1c2a64-8446-538d-a148-2de87991955a",
 "value": "sygnia Luna Month"
 },
+ {
+ "description": "Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (2022, July 1). Luna Moth Ransomware: The Threat Actors Behind Recent False Subscription Scams. Retrieved June 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-28T00:00:00Z",
+ "date_published": "2022-07-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.sygnia.co/blog/luna-moth-false-subscription-scams/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Luna Moth Ransomware: The Threat Actors Behind Recent False Subscription Scams"
+ },
+ "related": [],
+ "uuid": "115590b2-ab57-432c-900e-000627464a11",
+ "value": "Sygnia Luna Moth July 1 2022"
+ },
 {
 "description": "Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.",
 "meta": {
@@ -32200,21 +32661,6 @@
 "uuid": "afe89472-ac42-4a0d-b398-5ed6a5dee74f",
 "value": "NetSPI Startup Stored Procedures"
 },
- {
- "description": "Nathaniel Raymond. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved February 13, 2024.",
- "meta": {
- "date_accessed": "2024-02-13T00:00:00Z",
- "date_published": "2023-08-16T00:00:00Z",
- "refs": [
- "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/"
- ],
- "source": "MITRE",
- "title": "Major Energy Company Targeted in Large QR Code Phishing Campaign"
- },
- "related": [],
- "uuid": "eda8270f-c76f-5d01-b45f-74246945ec50",
- "value": "QR-cofense"
- },
 {
 "description": "Raymond, Nathaniel. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved January 17, 2024.",
 "meta": {
@@ -32230,6 +32676,21 @@
 "uuid": "450da173-3573-5502-ab53-6d6b9955714d",
 "value": "Cofense-redirect"
 },
+ {
+ "description": "Nathaniel Raymond. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "date_published": "2023-08-16T00:00:00Z",
+ "refs": [
+ "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/"
+ ],
+ "source": "MITRE",
+ "title": "Major Energy Company Targeted in Large QR Code Phishing Campaign"
+ },
+ "related": [],
+ "uuid": "eda8270f-c76f-5d01-b45f-74246945ec50",
+ "value": "QR-cofense"
+ },
 {
 "description": "LOLBAS. (2018, May 25). Makecab.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -33143,20 +33604,6 @@
 "uuid": "8d237948-7b10-5055-b9e6-52e6cab16f32",
 "value": "Mandiant WMI"
 },
- {
- "description": "Microsoft. (n.d.). Manifests. Retrieved June 3, 2016.",
- "meta": {
- "date_accessed": "2016-06-03T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/en-us/library/aa375365"
- ],
- "source": "MITRE",
- "title": "Manifests"
- },
- "related": [],
- "uuid": "a29301fe-0e3c-4c6e-85c5-a30a6bcb9114",
- "value": "MSDN Manifests"
- },
 {
 "description": "Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.",
 "meta": {
@@ -33171,6 +33618,20 @@
 "uuid": "e336dc02-c7bb-4046-93d9-17b9512fb731",
 "value": "Microsoft Manifests"
 },
+ {
+ "description": "Microsoft. (n.d.). Manifests. Retrieved June 3, 2016.",
+ "meta": {
+ "date_accessed": "2016-06-03T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/en-us/library/aa375365"
+ ],
+ "source": "MITRE",
+ "title": "Manifests"
+ },
+ "related": [],
+ "uuid": "a29301fe-0e3c-4c6e-85c5-a30a6bcb9114",
+ "value": "MSDN Manifests"
+ },
 {
 "description": "Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.",
 "meta": {
@@ -33214,21 +33675,6 @@
 "uuid": "33b25966-0ab9-4cc6-9702-62263a23af9c",
 "value": "Rapid7 MiTM Basics"
 },
- {
- "description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.",
- "meta": {
- "date_accessed": "2021-12-08T00:00:00Z",
- "date_published": "2014-08-19T00:00:00Z",
- "refs": [
- "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
- ],
- "source": "MITRE",
- "title": "Man-in-the-Middle TLS Protocol Downgrade Attack"
- },
- "related": [],
- "uuid": "af907fe1-1e37-4f44-8ad4-fcc3826ee6fb",
- "value": "mitm_tls_downgrade_att"
- },
 {
 "description": "Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.",
 "meta": {
@@ -33244,6 +33690,21 @@
 "uuid": "4375602d-4b5f-476d-82f8-3cef84d3378e",
 "value": "Praetorian TLS Downgrade Attack 2014"
 },
+ {
+ "description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.",
+ "meta": {
+ "date_accessed": "2021-12-08T00:00:00Z",
+ "date_published": "2014-08-19T00:00:00Z",
+ "refs": [
+ "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
+ ],
+ "source": "MITRE",
+ "title": "Man-in-the-Middle TLS Protocol Downgrade Attack"
+ },
+ "related": [],
+ "uuid": "af907fe1-1e37-4f44-8ad4-fcc3826ee6fb",
+ "value": "mitm_tls_downgrade_att"
+ },
 {
 "description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.",
 "meta": {
@@ -34234,21 +34695,6 @@
 "uuid": "f9daf15d-61ea-4cfa-a4e8-9d33d1acd28f",
 "value": "Microsoft HTML Help May 2018"
 },
- {
- "description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.",
- "meta": {
- "date_accessed": "2019-09-12T00:00:00Z",
- "date_published": "2019-08-29T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
- ],
- "source": "MITRE",
- "title": "Microsoft identity platform access tokens"
- },
- "related": [],
- "uuid": "44767d53-8cd7-44dd-a69d-8a7bebc1d87d",
- "value": "Microsoft - Azure AD Identity Tokens - Aug 2019"
- },
 {
 "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.",
 "meta": {
@@ -34264,6 +34710,21 @@
 "uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338",
 "value": "Microsoft Identity Platform Access 2019"
 },
+ {
+ "description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.",
+ "meta": {
+ "date_accessed": "2019-09-12T00:00:00Z",
+ "date_published": "2019-08-29T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
+ ],
+ "source": "MITRE",
+ "title": "Microsoft identity platform access tokens"
+ },
+ "related": [],
+ "uuid": "44767d53-8cd7-44dd-a69d-8a7bebc1d87d",
+ "value": "Microsoft - Azure AD Identity Tokens - Aug 2019"
+ },
 {
 "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.",
 "meta": {
@@ -34425,21 +34886,6 @@
 "uuid": "86955cd2-5980-44ba-aa7b-4b9f8e347730",
 "value": "Microsoft WDAC"
 },
- {
- "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.",
- "meta": {
- "date_accessed": "2021-03-16T00:00:00Z",
- "date_published": "2020-10-15T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
- ],
- "source": "MITRE",
- "title": "Microsoft recommended driver block rules"
- },
- "related": [],
- "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f",
- "value": "Microsoft Driver Block Rules"
- },
 {
 "description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.",
 "meta": {
@@ -34455,6 +34901,21 @@
 "uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3",
 "value": "Microsoft driver block rules - Duplicate"
 },
+ {
+ "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.",
+ "meta": {
+ "date_accessed": "2021-03-16T00:00:00Z",
+ "date_published": "2020-10-15T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
+ ],
+ "source": "MITRE",
+ "title": "Microsoft recommended driver block rules"
+ },
+ "related": [],
+ "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f",
+ "value": "Microsoft Driver Block Rules"
+ },
 {
 "description": "Microsoft. (n.d.). Retrieved January 24, 2020.",
 "meta": {
@@ -34605,6 +35066,22 @@
 "uuid": "619b9cf8-7201-45de-9c36-834ccee356a9",
 "value": "Microsoft SIR Vol 21"
 },
+ {
+ "description": "Microsoft Threat Intelligence. (2024, July 15). Microsoft Threat Intelligence LinkedIn Q2 2024. Retrieved July 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-26T00:00:00Z",
+ "date_published": "2024-07-15T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.linkedin.com/posts/microsoft-threat-intelligence_in-the-second-quarter-of-2024-financially-activity-7218696257739923456-KKy_/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Microsoft Threat Intelligence LinkedIn Q2 2024"
+ },
+ "related": [],
+ "uuid": "0e7ea8d0-bdb8-48a6-9718-703f64d16460",
+ "value": "Microsoft Threat Intelligence LinkedIn July 15 2024"
+ },
 {
 "description": "MsftSecIntel. (2023, May 26). Microsoft Threat Intelligence Tweet April 26 2023. Retrieved June 16, 2023.",
 "meta": {
@@ -34850,21 +35327,6 @@
 "uuid": "07ff57eb-1e23-433b-8da7-80f1caf7543e",
 "value": "ADSecurity AD Kerberos Attacks"
 },
- {
- "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.",
- "meta": {
- "date_accessed": "2017-12-04T00:00:00Z",
- "date_published": "2015-09-22T00:00:00Z",
- "refs": [
- "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/"
- ],
- "source": "MITRE",
- "title": "Mimikatz and DCSync and ExtraSids, Oh My"
- },
- "related": [],
- "uuid": "2a01a70c-28a8-444e-95a7-00a568d51ce6",
- "value": "Harmj0y DCSync Sept 2015"
- },
 {
 "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved August 7, 2017.",
 "meta": {
@@ -34881,19 +35343,19 @@
 "value": "Harmj0y Mimikatz and DCSync"
 },
 {
- "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.",
+ "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.",
 "meta": {
- "date_accessed": "2017-08-07T00:00:00Z",
- "date_published": "2015-09-25T00:00:00Z",
+ "date_accessed": "2017-12-04T00:00:00Z",
+ "date_published": "2015-09-22T00:00:00Z",
 "refs": [
- "https://adsecurity.org/?p=1729"
+ "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/"
 ],
 "source": "MITRE",
- "title": "Mimikatz DCSync Usage, Exploitation, and Detection"
+ "title": "Mimikatz and DCSync and ExtraSids, Oh My"
 },
 "related": [],
- "uuid": "61b0bb42-2ed6-413d-b331-0a84df12a87d",
- "value": "ADSecurity Mimikatz DCSync"
+ "uuid": "2a01a70c-28a8-444e-95a7-00a568d51ce6",
+ "value": "Harmj0y DCSync Sept 2015"
 },
 {
 "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.",
@@ -34910,6 +35372,21 @@
 "uuid": "856ed70b-29b0-4f56-b5ae-a98981a22eaf",
 "value": "AdSecurity DCSync Sept 2015"
 },
+ {
+ "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.",
+ "meta": {
+ "date_accessed": "2017-08-07T00:00:00Z",
+ "date_published": "2015-09-25T00:00:00Z",
+ "refs": [
+ "https://adsecurity.org/?p=1729"
+ ],
+ "source": "MITRE",
+ "title": "Mimikatz DCSync Usage, Exploitation, and Detection"
+ },
+ "related": [],
+ "uuid": "61b0bb42-2ed6-413d-b331-0a84df12a87d",
+ "value": "ADSecurity Mimikatz DCSync"
+ },
 {
 "description": "Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.",
 "meta": {
@@ -35030,6 +35507,21 @@
 "uuid": "0110500c-bf67-43a5-97cb-16eb6c01040b",
 "value": "APT15 Intezer June 2018"
 },
+ {
+ "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-13T00:00:00Z",
+ "date_published": "2019-11-19T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/"
+ ],
+ "source": "MITRE",
+ "title": "Mispadu: Advertisement for a discounted Unhappy Meal"
+ },
+ "related": [],
+ "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba",
+ "value": "ESET Security Mispadu Facebook Ads 2019"
+ },
 {
 "description": "ESET Research. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved April 4, 2024.",
 "meta": {
@@ -35046,21 +35538,6 @@
 "uuid": "a27753c1-2f7a-40c4-9e28-a37265bce28c",
 "value": "ESET Mispadu November 2019"
 },
- {
- "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.",
- "meta": {
- "date_accessed": "2024-03-13T00:00:00Z",
- "date_published": "2019-11-19T00:00:00Z",
- "refs": [
- "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/"
- ],
- "source": "MITRE",
- "title": "Mispadu: Advertisement for a discounted Unhappy Meal"
- },
- "related": [],
- "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba",
- "value": "ESET Security Mispadu Facebook Ads 2019"
- },
 {
 "description": "Duarte, H., Morrison, B. (2012). (Mis)trusting and (ab)using ssh. Retrieved January 8, 2018.",
 "meta": {
@@ -35507,21 +35984,6 @@
 "uuid": "6851b3f9-0239-40fc-ba44-34a775e9bd4e",
 "value": "ESET EvilNum July 2020"
 },
- {
- "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.",
- "meta": {
- "date_accessed": "2014-12-05T00:00:00Z",
- "date_published": "2010-08-12T00:00:00Z",
- "refs": [
- "https://msrc-blog.microsoft.com/2010/08/23/more-information-about-the-dll-preloading-remote-attack-vector/"
- ],
- "source": "MITRE",
- "title": "More information about the DLL Preloading remote attack vector"
- },
- "related": [],
- "uuid": "80289c7b-53c1-4aec-9436-04a43a82f769",
- "value": "Microsoft More information about DLL"
- },
 {
 "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.",
 "meta": {
@@ -35537,6 +35999,21 @@
 "uuid": "46aa7075-9f0a-461e-8519-5c4860208678",
 "value": "Microsoft DLL Preloading"
 },
+ {
+ "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.",
+ "meta": {
+ "date_accessed": "2014-12-05T00:00:00Z",
+ "date_published": "2010-08-12T00:00:00Z",
+ "refs": [
+ "https://msrc-blog.microsoft.com/2010/08/23/more-information-about-the-dll-preloading-remote-attack-vector/"
+ ],
+ "source": "MITRE",
+ "title": "More information about the DLL Preloading remote attack vector"
+ },
+ "related": [],
+ "uuid": "80289c7b-53c1-4aec-9436-04a43a82f769",
+ "value": "Microsoft More information about DLL"
+ },
 {
 "description": "valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.",
 "meta": {
@@ -35626,21 +36103,6 @@
 "uuid": "e9c47d8e-f732-45c9-bceb-26c5d564e781",
 "value": "CrowdStrike Deep Panda Web Shells"
 },
- {
- "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.",
- "meta": {
- "date_accessed": "2023-09-25T00:00:00Z",
- "date_published": "2023-08-10T00:00:00Z",
- "refs": [
- "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
- ],
- "source": "MITRE",
- "title": "MoustachedBouncer: Espionage against foreign diplomats in Belarus"
- },
- "related": [],
- "uuid": "9070f14b-5d5e-5f6d-bcac-628478e01242",
- "value": "MoustachedBouncer ESET August 2023"
- },
 {
 "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.",
 "meta": {
@@ -35656,6 +36118,21 @@
 "uuid": "6c85e925-d42b-590c-a424-14ebb49812bb",
 "value": "ESET MoustachedBouncer"
 },
+ {
+ "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.",
+ "meta": {
+ "date_accessed": "2023-09-25T00:00:00Z",
+ "date_published": "2023-08-10T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
+ ],
+ "source": "MITRE",
+ "title": "MoustachedBouncer: Espionage against foreign diplomats in Belarus"
+ },
+ "related": [],
+ "uuid": "9070f14b-5d5e-5f6d-bcac-628478e01242",
+ "value": "MoustachedBouncer ESET August 2023"
+ },
 {
 "description": "Progress Software. (2023, June 16). MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362). Retrieved July 28, 2023.",
 "meta": {
@@ -35717,21 +36194,6 @@
 "uuid": "e208c277-e477-4123-8c3c-313d55cdc1ea",
 "value": "Volatility Detecting Hooks Sept 2012"
 },
- {
- "description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
- "meta": {
- "date_accessed": "2017-03-10T00:00:00Z",
- "date_published": "2012-11-20T00:00:00Z",
- "refs": [
- "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
- ],
- "source": "MITRE",
- "title": "Mozilla Foundation Security Advisory 2012-98"
- },
- "related": [],
- "uuid": "920d1607-154e-4c74-b1eb-0d8299be536f",
- "value": "Mozilla Firefox Installer DLL Hijack"
- },
 {
 "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
 "meta": {
@@ -35747,6 +36209,21 @@
 "uuid": "cd720550-a0b5-4d1d-85dd-98da97f45b62",
 "value": "mozilla_sec_adv_2012"
 },
+ {
+ "description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
+ "meta": {
+ "date_accessed": "2017-03-10T00:00:00Z",
+ "date_published": "2012-11-20T00:00:00Z",
+ "refs": [
+ "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
+ ],
+ "source": "MITRE",
+ "title": "Mozilla Foundation Security Advisory 2012-98"
+ },
+ "related": [],
+ "uuid": "920d1607-154e-4c74-b1eb-0d8299be536f",
+ "value": "Mozilla Firefox Installer DLL Hijack"
+ },
 {
 "description": "LOLBAS. (2020, March 20). MpCmdRun.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -35793,21 +36270,6 @@
 "uuid": "a15fff18-5d3f-4898-9e47-ec6ae7dda749",
 "value": "SRD GPP"
 },
- {
- "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.",
- "meta": {
- "date_accessed": "2015-01-28T00:00:00Z",
- "date_published": "2014-05-13T00:00:00Z",
- "refs": [
- "http://support.microsoft.com/kb/2962486"
- ],
- "source": "MITRE",
- "title": "MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege"
- },
- "related": [],
- "uuid": "dbe32cbd-8c6e-483f-887c-ea2a5102cf65",
- "value": "Microsoft MS14-025"
- },
 {
 "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.",
 "meta": {
@@ -35823,6 +36285,21 @@
 "uuid": "7537c0bb-6f14-4a4a-94cc-98c6ed9e878f",
 "value": "MS14-025"
 },
+ {
+ "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.",
+ "meta": {
+ "date_accessed": "2015-01-28T00:00:00Z",
+ "date_published": "2014-05-13T00:00:00Z",
+ "refs": [
+ "http://support.microsoft.com/kb/2962486"
+ ],
+ "source": "MITRE",
+ "title": "MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege"
+ },
+ "related": [],
+ "uuid": "dbe32cbd-8c6e-483f-887c-ea2a5102cf65",
+ "value": "Microsoft MS14-025"
+ },
 {
 "description": "Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.",
 "meta": {
@@ -36961,21 +37438,6 @@
 "uuid": "b218434e-4233-5963-824e-50ee32d468ed",
 "value": "Network Provider API"
 },
- {
- "description": "Hossein Jazi. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved September 8, 2023.",
- "meta": {
- "date_accessed": "2023-09-08T00:00:00Z",
- "date_published": "2020-04-16T00:00:00Z",
- "refs": [
- "https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials"
- ],
- "source": "MITRE",
- "title": "New AgentTesla variant steals WiFi credentials"
- },
- "related": [],
- "uuid": "b61b7db6-ed0d-546d-b1e0-c2630530975b",
- "value": "Malware Bytes New AgentTesla variant steals WiFi credentials"
- },
 {
 "description": "Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.",
 "meta": {
@@ -36991,6 +37453,21 @@
 "uuid": "87f4fe4c-54cd-40a7-938b-6e6f6d2efbea",
 "value": "Malwarebytes Agent Tesla April 2020"
 },
+ {
+ "description": "Hossein Jazi. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved September 8, 2023.",
+ "meta": {
+ "date_accessed": "2023-09-08T00:00:00Z",
+ "date_published": "2020-04-16T00:00:00Z",
+ "refs": [
+ "https://www.malwarebytes.com/blog/news/2020/04/new-agenttesla-variant-steals-wifi-credentials"
+ ],
+ "source": "MITRE",
+ "title": "New AgentTesla variant steals WiFi credentials"
+ },
+ "related": [],
+ "uuid": "b61b7db6-ed0d-546d-b1e0-c2630530975b",
+ "value": "Malware Bytes New AgentTesla variant steals WiFi credentials"
+ },
 {
 "description": "Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.",
 "meta": {
@@ -37305,21 +37782,6 @@
 "uuid": "1641553f-96e7-4829-8c77-d96388dac5c7",
 "value": "Avast CCleaner3 2018"
 },
- {
- "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.",
- "meta": {
- "date_accessed": "2018-02-19T00:00:00Z",
- "date_published": "2017-04-06T00:00:00Z",
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
- ],
- "source": "MITRE",
- "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet"
- },
- "related": [],
- "uuid": "489a6c57-f64c-423b-a7bd-169fa36c4cdf",
- "value": "amnesia malware"
- },
 {
 "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.",
 "meta": {
@@ -37335,6 +37797,21 @@
 "uuid": "95b5b03e-f160-47cf-920c-8f4f3d4114a3",
 "value": "Tsunami"
 },
+ {
+ "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.",
+ "meta": {
+ "date_accessed": "2018-02-19T00:00:00Z",
+ "date_published": "2017-04-06T00:00:00Z",
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
+ ],
+ "source": "MITRE",
+ "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet"
+ },
+ "related": [],
+ "uuid": "489a6c57-f64c-423b-a7bd-169fa36c4cdf",
+ "value": "amnesia malware"
+ },
 {
 "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.",
 "meta": {
@@ -37441,21 +37918,6 @@
 "uuid": "b1540c5c-0bbc-4b9d-9185-fae224ba31be",
 "value": "Gallagher 2015"
 },
- {
- "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.",
- "meta": {
- "date_accessed": "2019-06-05T00:00:00Z",
- "date_published": "2017-11-28T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
- ],
- "source": "MITRE",
- "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection"
- },
- "related": [],
- "uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47",
- "value": "FireEye Ursnif Nov 2017"
- },
 {
 "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.",
 "meta": {
@@ -37471,6 +37933,21 @@
 "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8",
 "value": "FireEye TLS Nov 2017"
 },
+ {
+ "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.",
+ "meta": {
+ "date_accessed": "2019-06-05T00:00:00Z",
+ "date_published": "2017-11-28T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
+ ],
+ "source": "MITRE",
+ "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection"
+ },
+ "related": [],
+ "uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47",
+ "value": "FireEye Ursnif Nov 2017"
+ },
 {
 "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
 "meta": {
@@ -38369,21 +38846,6 @@
 "uuid": "65f1bbaa-8ad1-4ad5-b726-660558d27efc",
 "value": "Nmap: the Network Mapper"
 },
- {
- "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.",
- "meta": {
- "date_accessed": "2022-01-31T00:00:00Z",
- "date_published": "2021-10-25T00:00:00Z",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks"
- ],
- "source": "MITRE",
- "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"
- },
- "related": [],
- "uuid": "aa315293-77a5-4ad9-b024-9af844edff9a",
- "value": "Microsoft Nobelium Admin Privileges"
- },
 {
 "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
 "meta": {
@@ -38399,6 +38861,21 @@
 "uuid": "7b6cc308-9871-47e5-9039-a9a7e66ce373",
 "value": "MSTIC Nobelium Oct 2021"
 },
+ {
+ "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.",
+ "meta": {
+ "date_accessed": "2022-01-31T00:00:00Z",
+ "date_published": "2021-10-25T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks"
+ ],
+ "source": "MITRE",
+ "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"
+ },
+ "related": [],
+ "uuid": "aa315293-77a5-4ad9-b024-9af844edff9a",
+ "value": "Microsoft Nobelium Admin Privileges"
+ },
 {
 "description": "Symantec Threat Hunter Team. (2022, September 22). Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics. Retrieved September 14, 2023.",
 "meta": {
@@ -38594,6 +39071,22 @@
 "uuid": "93c89ca5-1863-4ee2-9fff-258f94f655c4",
 "value": "Cybernews Yanfeng Qilin November 2023"
 },
+ {
+ "description": "Cybersecurity and Infrastructure Security Agency. (2024, July 25). North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs. Retrieved July 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-29T00:00:00Z",
+ "date_published": "2024-07-25T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
+ ],
+ "source": "Tidal Cyber",
+ "title": "North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs"
+ },
+ "related": [],
+ "uuid": "b615953e-3c6c-4201-914c-4b75e45bb9ed",
+ "value": "U.S. CISA Andariel July 25 2024"
+ },
 {
 "description": "Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.",
 "meta": {
@@ -38699,21 +39192,6 @@
 "uuid": "72d4b682-ed19-4e0f-aeff-faa52b3a0439",
 "value": "Github NoRunDll"
 },
- {
- "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.",
- "meta": {
- "date_accessed": "2023-06-30T00:00:00Z",
- "date_published": "2022-12-02T00:00:00Z",
- "refs": [
- "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"
- ],
- "source": "MITRE",
- "title": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies"
- },
- "related": [],
- "uuid": "382785e1-4ef3-506e-b74f-cd07df9ae46e",
- "value": "Crowdstrike TELCO BPO Campaign December 2022"
- },
 {
 "description": "Tim Parisi. (2022, December 22). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved September 14, 2023.",
 "meta": {
@@ -38730,6 +39208,21 @@
 "uuid": "e48760ba-2752-4d30-8f99-152c81f63017",
 "value": "CrowdStrike Scattered Spider SIM Swapping December 22 2022"
 },
+ {
+ "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.",
+ "meta": {
+ "date_accessed": "2023-06-30T00:00:00Z",
+ "date_published": "2022-12-02T00:00:00Z",
+ "refs": [
+ "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"
+ ],
+ "source": "MITRE",
+ "title": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies"
+ },
+ "related": [],
+ "uuid": "382785e1-4ef3-506e-b74f-cd07df9ae46e",
+ "value": "Crowdstrike TELCO BPO Campaign December 2022"
+ },
 {
 "description": "Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020.",
 "meta": {
@@ -40234,6 +40727,22 @@
 "uuid": "fd581c0c-d93e-4396-a372-99cde3cd0c7c",
 "value": "Operation Hangover May 2013"
 },
+ {
+ "description": "Dominik Breitenbacher, Kaspars Osis. (2020, June 17). Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies. Retrieved June 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-20T00:00:00Z",
+ "date_published": "2020-06-17T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies"
+ },
+ "related": [],
+ "uuid": "481ac64d-912b-4c69-97e5-004bb5768b48",
+ "value": "ESET Operation Interception June 17 2020"
+ },
 {
 "description": "Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.",
 "meta": {
@@ -40952,21 +41461,6 @@
 "uuid": "55ee5bcc-ba56-58ac-9afb-2349aa75fe39",
 "value": "Kubernetes Cloud Native Security"
 },
- {
- "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
- "meta": {
- "date_accessed": "2021-03-24T00:00:00Z",
- "date_published": "2012-07-23T00:00:00Z",
- "refs": [
- "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
- ],
- "source": "MITRE",
- "title": "Overview of Dynamic Libraries"
- },
- "related": [],
- "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d",
- "value": "Apple Doco Archive Dynamic Libraries"
- },
 {
 "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.",
 "meta": {
@@ -40982,6 +41476,21 @@
 "uuid": "39ffd162-4052-57ec-bd20-2fe6b8e6beab",
 "value": "Apple Dev Dynamic Libraries"
 },
+ {
+ "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
+ "meta": {
+ "date_accessed": "2021-03-24T00:00:00Z",
+ "date_published": "2012-07-23T00:00:00Z",
+ "refs": [
+ "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
+ ],
+ "source": "MITRE",
+ "title": "Overview of Dynamic Libraries"
+ },
+ "related": [],
+ "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d",
+ "value": "Apple Doco Archive Dynamic Libraries"
+ },
 {
 "description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.",
 "meta": {
@@ -41143,6 +41652,22 @@
 "uuid": "deba605b-7abc-5794-a820-448a395aab69",
 "value": "Pacu Detection Disruption Module"
 },
+ {
+ "description": "Ionut Arghire. (2024, January 3). Palestinian Hackers Hit 100 Israeli Organizations in Destructive Attacks. Retrieved August 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-08T00:00:00Z",
+ "date_published": "2024-01-03T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.securityweek.com/palestinian-hackers-hit-100-israeli-organizations-in-destructive-attacks/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Palestinian Hackers Hit 100 Israeli Organizations in Destructive Attacks"
+ },
+ "related": [],
+ "uuid": "413b7917-e22a-4706-aff3-80eb31521b6a",
+ "value": "SecurityWeek Cyber Toufan January 3 2024"
+ },
 {
 "description": "Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.",
 "meta": {
@@ -41187,21 +41712,6 @@
 "uuid": "6bc5ad93-3cc2-4429-ac4c-aae72193df27",
 "value": "Man Pam_Unix"
 },
- {
- "description": "Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.",
- "meta": {
- "date_accessed": "2019-04-19T00:00:00Z",
- "date_published": "2017-06-27T00:00:00Z",
- "refs": [
- "https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/"
- ],
- "source": "MITRE",
- "title": "Paranoid PlugX"
- },
- "related": [],
- "uuid": "9dc629a0-543c-4221-86cc-0dfb93903988",
- "value": "Unit42 PlugX June 2017"
- },
 {
 "description": "Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.",
 "meta": {
@@ -41217,6 +41727,21 @@
 "uuid": "27f17e79-ef38-4c20-9250-40c81fa8717a",
 "value": "Palo Alto PlugX June 2017"
 },
+ {
+ "description": "Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.",
+ "meta": {
+ "date_accessed": "2019-04-19T00:00:00Z",
+ "date_published": "2017-06-27T00:00:00Z",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/"
+ ],
+ "source": "MITRE",
+ "title": "Paranoid PlugX"
+ },
+ "related": [],
+ "uuid": "9dc629a0-543c-4221-86cc-0dfb93903988",
+ "value": "Unit42 PlugX June 2017"
+ },
 {
 "description": "Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.",
 "meta": {
@@ -41663,19 +42188,20 @@
 "value": "Pcwutl.dll - LOLBAS Project"
 },
 {
- "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.",
+ "description": "Microsoft Threat Intelligence. (2024, August 28). Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations . Retrieved August 29, 2024.",
 "meta": {
- "date_accessed": "2023-09-18T00:00:00Z",
- "date_published": "2023-09-14T00:00:00Z",
+ "date_accessed": "2024-08-29T00:00:00Z",
+ "date_published": "2024-08-28T00:00:00Z",
+ "owner": "TidalCyberIan",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"
+ "https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/"
 ],
- "source": "MITRE",
- "title": "Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets"
+ "source": "Tidal Cyber",
+ "title": "Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations"
 },
 "related": [],
- "uuid": "84d026ed-b8f2-5bbb-865a-2d93aa4b2ef8",
- "value": "Microsoft Peach Sandstorm 2023"
+ "uuid": "940c0755-18df-4fcb-9691-9f2eb45e6441",
+ "value": "Microsoft Security Blog August 28 2024"
 },
 {
 "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved January 31, 2024.",
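Review bot: The new `description` string carries a stray space before the period (`… intelligence gathering operations . Retrieved August 29, 2024.`) that the `title` field a few lines later does not have; the description appears to be assembled from the title (inferred), so the space most likely comes from the upstream title and is best trimmed at generation time rather than patched here. The new `value` `Microsoft Security Blog August 28 2024` names only the outlet and the date, whereas sibling keys on this page name their subject (`U.S. CISA APT40 July 8 2024`, `Symantec Stonefly April 27 2022`); if `value` is the name users see and search in the galaxy, something like `Microsoft Peach Sandstorm Tickler August 28 2024` would make the entry findable next to the existing `Microsoft Peach Sandstorm September 14 2023`. The same outlet-plus-date naming recurs in later hunks for `The DFIR Report April 25 2022` and `Sophos News August 14 2024`.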
@@ -41693,6 +42219,21 @@
 "uuid": "98a631f4-4b95-4159-b311-dee1216ec208",
 "value": "Microsoft Peach Sandstorm September 14 2023"
 },
+ {
+ "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.",
+ "meta": {
+ "date_accessed": "2023-09-18T00:00:00Z",
+ "date_published": "2023-09-14T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"
+ ],
+ "source": "MITRE",
+ "title": "Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets"
+ },
+ "related": [],
+ "uuid": "84d026ed-b8f2-5bbb-865a-2d93aa4b2ef8",
+ "value": "Microsoft Peach Sandstorm 2023"
+ },
 {
 "description": "Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.",
 "meta": {
@@ -41755,20 +42296,20 @@
 "value": "U.S. CISA BlackTech September 27 2023"
 },
 {
- "description": "Cybersecurity and Infrastructure Security Agency. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved May 25, 2023.",
+ "description": "Cybersecurity and Infrastructure Security Agency. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved July 10, 2024.",
 "meta": {
- "date_accessed": "2023-05-25T00:00:00Z",
- "date_published": "2023-05-24T00:00:00Z",
+ "date_accessed": "2024-07-10T00:00:00Z",
+ "date_published": "2024-07-08T00:00:00Z",
 "owner": "TidalCyberIan",
 "refs": [
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a"
 ],
 "source": "Tidal Cyber",
- "title": "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection"
+ "title": "People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action"
 },
 "related": [],
- "uuid": "12320f38-ebbf-486a-a450-8a548c3722d6",
- "value": "U.S. CISA Volt Typhoon May 24 2023"
+ "uuid": "3bf90a48-caf6-4b9d-adc2-3d1176f49ffc",
+ "value": "U.S. CISA APT40 July 8 2024"
 },
 {
 "description": "NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.",
@@ -41785,6 +42326,22 @@
 "uuid": "14872f08-e219-5c0d-a2d7-43a3ba348b4b",
 "value": "Joint Cybersecurity Advisory Volt Typhoon June 2023"
 },
+ {
+ "description": "Cybersecurity and Infrastructure Security Agency. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved May 25, 2023.",
+ "meta": {
+ "date_accessed": "2023-05-25T00:00:00Z",
+ "date_published": "2023-05-24T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
+ ],
+ "source": "Tidal Cyber",
+ "title": "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection"
+ },
+ "related": [],
+ "uuid": "12320f38-ebbf-486a-a450-8a548c3722d6",
+ "value": "U.S. CISA Volt Typhoon May 24 2023"
+ },
 {
 "description": "Microsoft. (2004, February 6). Perimeter Firewall Design. Retrieved April 25, 2016.",
 "meta": {
@@ -42281,22 +42838,6 @@
 "uuid": "a78613a5-ce17-4d11-8f2f-3e642cd7673c",
 "value": "Symantec Play Ransomware April 19 2023"
 },
- {
- "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved September 21, 2023.",
- "meta": {
- "date_accessed": "2023-09-21T00:00:00Z",
- "date_published": "2022-09-06T00:00:00Z",
- "owner": "TidalCyberIan",
- "refs": [
- "https://www.trendmicro.com/es_es/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html"
- ],
- "source": "Tidal Cyber",
- "title": "Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa"
- },
- "related": [],
- "uuid": "ed02529c-920d-4a92-8e86-be1ed7083991",
- "value": "Trend Micro Play Ransomware September 06 2022"
- },
 {
 "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved August 10, 2023.",
 "meta": {
@@ -42313,6 +42854,22 @@
 "uuid": "2d2b527d-25b0-4b58-9ae6-c87060b64069",
 "value": "Trend Micro Play Playbook September 06 2022"
 },
+ {
+ "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved September 21, 2023.",
+ "meta": {
+ "date_accessed": "2023-09-21T00:00:00Z",
+ "date_published": "2022-09-06T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.trendmicro.com/es_es/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa"
+ },
+ "related": [],
+ "uuid": "ed02529c-920d-4a92-8e86-be1ed7083991",
+ "value": "Trend Micro Play Ransomware September 06 2022"
+ },
 {
 "description": "Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.",
 "meta": {
@@ -43051,20 +43608,6 @@
 "uuid": "c84be284-03ad-4674-94db-03f264f2db9f",
 "value": "PrivateLoader: The first step in many malware schemes | Intel471"
 },
- {
- "description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved September 21, 2023.",
- "meta": {
- "date_accessed": "2023-09-21T00:00:00Z",
- "refs": [
- "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/"
- ],
- "source": "MITRE",
- "title": "Privilege Escalation in Google Cloud Platform – Part 1 (IAM)"
- },
- "related": [],
- "uuid": "55173e12-9edc-5685-ac0b-acd51617cc6e",
- "value": "Rhino Google Cloud Privilege Escalation"
- },
 {
 "description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved May 27, 2022.",
 "meta": {
@@ -43079,6 +43622,20 @@
 "uuid": "55373476-1cbe-49f5-aecb-69d60b336d38",
 "value": "Rhingo Security Labs GCP Privilege Escalation"
 },
+ {
+ "description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform – Part 1 (IAM). Retrieved September 21, 2023.",
+ "meta": {
+ "date_accessed": "2023-09-21T00:00:00Z",
+ "refs": [
+ "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/"
+ ],
+ "source": "MITRE",
+ "title": "Privilege Escalation in Google Cloud Platform – Part 1 (IAM)"
+ },
+ "related": [],
+ "uuid": "55173e12-9edc-5685-ac0b-acd51617cc6e",
+ "value": "Rhino Google Cloud Privilege Escalation"
+ },
 {
 "description": "Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.",
 "meta": {
@@ -43363,6 +43920,22 @@
 "uuid": "188d990e-f0be-40f2-90f3-913dfe687d27",
 "value": "Talos Promethium June 2020"
 },
+ {
+ "description": "Daryna Antoniuk. (2023, December 29). Pro-Palestinian operation claims dozens of data breaches against Israeli firms. Retrieved August 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-08T00:00:00Z",
+ "date_published": "2023-12-29T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://therecord.media/cyber-toufan-data-breaches-israel-iran-palestinians"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Pro-Palestinian operation claims dozens of data breaches against Israeli firms"
+ },
+ "related": [],
+ "uuid": "bc621380-7094-4877-abbe-5c20588e5dbc",
+ "value": "The Record Cyber Toufan December 29 2023"
+ },
 {
 "description": "Intel471. (2022, September 14). Pro-Russian Hacktivist Groups Target Ukraine Supporters. Retrieved April 30, 2024.",
 "meta": {
@@ -43755,21 +44328,6 @@
 "uuid": "069ef9af-3402-4b13-8c60-b397b0b0bfd7",
 "value": "PaloAlto EncodedCommand March 2017"
 },
- {
- "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.",
- "meta": {
- "date_accessed": "2019-03-04T00:00:00Z",
- "date_published": "2018-12-06T00:00:00Z",
- "refs": [
- "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
- ],
- "source": "MITRE",
- "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat"
- },
- "related": [],
- "uuid": "e843eb47-21b0-44b9-8065-02aea0a0b05f",
- "value": "Anomali Linux Rabbit 2018"
- },
 {
 "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.",
 "meta": {
@@ -43785,6 +44343,21 @@
 "uuid": "ec413dc7-028c-4153-9e98-abe85961747f",
 "value": "anomali-linux-rabbit"
 },
+ {
+ "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.",
+ "meta": {
+ "date_accessed": "2019-03-04T00:00:00Z",
+ "date_published": "2018-12-06T00:00:00Z",
+ "refs": [
+ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
+ ],
+ "source": "MITRE",
+ "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat"
+ },
+ "related": [],
+ "uuid": "e843eb47-21b0-44b9-8065-02aea0a0b05f",
+ "value": "Anomali Linux Rabbit 2018"
+ },
 {
 "description": "CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.",
 "meta": {
@@ -44116,6 +44689,22 @@
 "uuid": "58df8729-ab42-55ee-a27d-655644bdeb0d",
 "value": "qr-phish-agriculture"
 },
+ {
+ "description": "The DFIR Report. (2022, April 25). Quantum Ransomware. Retrieved June 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-28T00:00:00Z",
+ "date_published": "2022-04-25T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://thedfirreport.com/2022/04/25/quantum-ransomware/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Quantum Ransomware"
+ },
+ "related": [],
+ "uuid": "2e28c754-911a-4f08-a7bd-4580f5283571",
+ "value": "The DFIR Report April 25 2022"
+ },
 {
 "description": "hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.",
 "meta": {
@@ -44432,19 +45021,20 @@
 "value": "DHS/CISA Ransomware Targeting Healthcare October 2020"
 },
 {
- "description": "Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.",
+ "description": "Federal Bureau of Investigation. (2023, November 7). Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools. Retrieved June 28, 2024.",
 "meta": {
- "date_accessed": "2021-02-09T00:00:00Z",
- "date_published": "2020-02-24T00:00:00Z",
+ "date_accessed": "2024-06-28T00:00:00Z",
+ "date_published": "2023-11-07T00:00:00Z",
+ "owner": "TidalCyberIan",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
+ "https://www.aha.org/system/files/media/file/2023/11/bi-tlp-clear-pin-ransomware-actors-continue-to-gain-access-through-third-parties-and-legitimate-system-tools-11-7-23.pdf"
 ],
- "source": "MITRE",
- "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT"
+ "source": "Tidal Cyber",
+ "title": "Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools"
 },
 "related": [],
- "uuid": "9ffa0f35-98e4-4265-8b66-9c805a2b6525",
- "value": "FireEye Ransomware Disrupt Industrial Production"
+ "uuid": "e096e1f4-6b62-4756-8811-f263cf1dcecc",
+ "value": "FBI Ransomware Tools November 7 2023"
 },
 {
 "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.",
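Review bot: The new `refs` URL for the FBI Private Industry Notification points at a copy hosted on aha.org rather than at the issuing agency, so this citation's provenance rests on a third-party re-host that can be removed or altered independently of the original; by contrast the FBI entry added later on this page cites an ic3.gov PDF directly. If an FBI or IC3 publication of this PIN exists, it is the better primary ref, with the AHA copy kept as a second element of the `refs` array if a mirror is wanted. The `description` and `title` otherwise match the entry's sibling fields, so nothing else in the hunk needs changing.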
@@ -44461,6 +45051,21 @@
 "uuid": "44856547-2de5-45ff-898f-a523095bd593",
 "value": "FireEye Ransomware Feb 2020"
 },
+ {
+ "description": "Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.",
+ "meta": {
+ "date_accessed": "2021-02-09T00:00:00Z",
+ "date_published": "2020-02-24T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
+ ],
+ "source": "MITRE",
+ "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT"
+ },
+ "related": [],
+ "uuid": "9ffa0f35-98e4-4265-8b66-9c805a2b6525",
+ "value": "FireEye Ransomware Disrupt Industrial Production"
+ },
 {
 "description": "Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.",
 "meta": {
@@ -44491,6 +45096,22 @@
 "uuid": "833018b5-6ef6-5327-9af5-1a551df25cd2",
 "value": "Microsoft Ransomware as a Service"
 },
+ {
+ "description": "Andreas Klopsch. (2024, August 14). Ransomware attackers introduce new EDR killer to their arsenal. Retrieved August 22, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-22T00:00:00Z",
+ "date_published": "2024-08-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Ransomware attackers introduce new EDR killer to their arsenal"
+ },
+ "related": [],
+ "uuid": "d0811fd4-e89d-4337-9bc1-a9a8774d44b1",
+ "value": "Sophos News August 14 2024"
+ },
 {
 "description": "Www.invictus-ir.com. (2024, January 11). Ransomware in the cloud. Retrieved April 17, 2024.",
 "meta": {
@@ -45594,21 +46215,6 @@
 "uuid": "4054604b-7c0f-5012-b40c-2b117f6b54c2",
 "value": "Mandiant Remediation and Hardening Strategies for Microsoft 365"
 },
- {
- "description": "Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.",
- "meta": {
- "date_accessed": "2021-01-22T00:00:00Z",
- "date_published": "2021-01-19T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452"
- ],
- "source": "MITRE",
- "title": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452"
- },
- "related": [],
- "uuid": "ed031297-d0f5-44a7-9723-ba692e923a6e",
- "value": "Mandiant Defend UNC2452 White Paper"
- },
 {
 "description": "Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.",
 "meta": {
@@ -45624,6 +46230,21 @@
 "uuid": "7aa5c294-df8e-4994-9b9e-69444d75ef37",
 "value": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452"
 },
+ {
+ "description": "Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.",
+ "meta": {
+ "date_accessed": "2021-01-22T00:00:00Z",
+ "date_published": "2021-01-19T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452"
+ ],
+ "source": "MITRE",
+ "title": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452"
+ },
+ "related": [],
+ "uuid": "ed031297-d0f5-44a7-9723-ba692e923a6e",
+ "value": "Mandiant Defend UNC2452 White Paper"
+ },
 {
 "description": "Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.",
 "meta": {
@@ -46595,6 +47216,22 @@
 "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745",
 "value": "Kroll Royal Deep Dive February 2023"
 },
+ {
+ "description": "Laurie Iacono, Keith Wojcieszek, George Glass. (2023, February 13). Royal Ransomware Deep Dive. Retrieved June 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-17T00:00:00Z",
+ "date_published": "2023-02-13T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Royal Ransomware Deep Dive"
+ },
+ "related": [],
+ "uuid": "de385ede-f928-4a1e-934c-8ce7a6e7f33b",
+ "value": "Kroll Royal Ransomware February 13 2023"
+ },
 {
 "description": "Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.",
 "meta": {
@@ -46610,21 +47247,6 @@
 "uuid": "e5bb846f-d11f-580c-b96a-9de4ba5eaed6",
 "value": "Trend Micro Royal Linux ESXi February 2023"
 },
- {
- "description": "Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.",
- "meta": {
- "date_accessed": "2023-03-30T00:00:00Z",
- "date_published": "2022-12-14T00:00:00Z",
- "refs": [
- "https://www.cybereason.com/blog/royal-ransomware-analysis"
- ],
- "source": "MITRE",
- "title": "Royal Rumble: Analysis of Royal Ransomware"
- },
- "related": [],
- "uuid": "28aef64e-20d3-5227-a3c9-e657c6e2d07e",
- "value": "Cybereason Royal December 2022"
- },
 {
 "description": "Cybereason global soc & cybereason security research teams. (n.d.). Royal Rumble: Analysis of Royal Ransomware. Retrieved May 18, 2023.",
 "meta": {
@@ -46640,6 +47262,21 @@
 "uuid": "5afa7fd0-908e-4714-9ab3-2bbbc1fff976",
 "value": "Royal Rumble: Analysis of Royal Ransomware"
 },
+ {
+ "description": "Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.",
+ "meta": {
+ "date_accessed": "2023-03-30T00:00:00Z",
+ "date_published": "2022-12-14T00:00:00Z",
+ "refs": [
+ "https://www.cybereason.com/blog/royal-ransomware-analysis"
+ ],
+ "source": "MITRE",
+ "title": "Royal Rumble: Analysis of Royal Ransomware"
+ },
+ "related": [],
+ "uuid": "28aef64e-20d3-5227-a3c9-e657c6e2d07e",
+ "value": "Cybereason Royal December 2022"
+ },
 {
 "description": "LOLBAS. (2018, May 25). Rpcping.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -47644,21 +48281,6 @@
 "uuid": "2dd5b872-a4ab-4b77-8457-a3d947298fc0",
 "value": "Securelist ScarCruft May 2019"
 },
- {
- "description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.",
- "meta": {
- "date_accessed": "2023-09-25T00:00:00Z",
- "date_published": "2023-07-11T00:00:00Z",
- "refs": [
- "https://sysdig.com/blog/scarleteel-2-0/"
- ],
- "source": "MITRE",
- "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"
- },
- "related": [],
- "uuid": "285266e7-7a62-5f98-9b0f-fefde4b21c88",
- "value": "Sysdig ScarletEel 2.0 2023"
- },
 {
 "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.",
 "meta": {
@@ -47674,6 +48296,21 @@
 "uuid": "90e60242-82d8-5648-b7e4-def6fd508e16",
 "value": "Sysdig ScarletEel 2.0"
 },
+ {
+ "description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.",
+ "meta": {
+ "date_accessed": "2023-09-25T00:00:00Z",
+ "date_published": "2023-07-11T00:00:00Z",
+ "refs": [
+ "https://sysdig.com/blog/scarleteel-2-0/"
+ ],
+ "source": "MITRE",
+ "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"
+ },
+ "related": [],
+ "uuid": "285266e7-7a62-5f98-9b0f-fefde4b21c88",
+ "value": "Sysdig ScarletEel 2.0 2023"
+ },
 {
 "description": "Alberto Pellitteri. (2023, February 28). SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft. Retrieved February 2, 2023.",
 "meta": {
@@ -48491,21 +49128,6 @@
 "uuid": "c2f7958b-f521-4133-9aeb-c5c8fae23e78",
 "value": "ProofPoint Serpent"
 },
- {
- "description": "Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.",
- "meta": {
- "date_accessed": "2016-06-12T00:00:00Z",
- "date_published": "2016-06-12T00:00:00Z",
- "refs": [
- "https://en.wikipedia.org/wiki/Server_Message_Block"
- ],
- "source": "MITRE",
- "title": "Server Message Block"
- },
- "related": [],
- "uuid": "087b4779-22d5-4872-adb7-583904a92285",
- "value": "Wikipedia SMB"
- },
 {
 "description": "Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.",
 "meta": {
@@ -48521,6 +49143,21 @@
 "uuid": "3ea03c65-12e0-4e28-bbdc-17bb8c1e1831",
 "value": "Wikipedia Server Message Block"
 },
+ {
+ "description": "Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.",
+ "meta": {
+ "date_accessed": "2016-06-12T00:00:00Z",
+ "date_published": "2016-06-12T00:00:00Z",
+ "refs": [
+ "https://en.wikipedia.org/wiki/Server_Message_Block"
+ ],
+ "source": "MITRE",
+ "title": "Server Message Block"
+ },
+ "related": [],
+ "uuid": "087b4779-22d5-4872-adb7-583904a92285",
+ "value": "Wikipedia SMB"
+ },
 {
 "description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.",
 "meta": {
@@ -48992,6 +49629,20 @@
 "uuid": "6f454218-91b7-4606-9467-c6d465c0fd1f",
 "value": "AWS EBS Snapshot Sharing"
 },
+ {
+ "description": "The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.",
+ "meta": {
+ "date_accessed": "2020-01-31T00:00:00Z",
+ "refs": [
+ "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html"
+ ],
+ "source": "MITRE",
+ "title": "Shared Libraries"
+ },
+ "related": [],
+ "uuid": "2862845b-72b3-41d8-aafb-b36e90c6c30a",
+ "value": "TLDP Shared Libraries"
+ },
 {
 "description": "Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.",
 "meta": {
@@ -49007,20 +49658,6 @@
 "uuid": "054d769a-f88e-55e9-971a-f169ee434cfe",
 "value": "Linux Shared Libraries"
 },
- {
- "description": "The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.",
- "meta": {
- "date_accessed": "2020-01-31T00:00:00Z",
- "refs": [
- "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html"
- ],
- "source": "MITRE",
- "title": "Shared Libraries"
- },
- "related": [],
- "uuid": "2862845b-72b3-41d8-aafb-b36e90c6c30a",
- "value": "TLDP Shared Libraries"
- },
 {
 "description": "halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.",
 "meta": {
@@ -50076,21 +50713,6 @@
 "uuid": "a81ad3ef-fd96-432c-a7c8-ccc86d127a1b",
 "value": "FireEye SMOKEDHAM June 2021"
 },
- {
- "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved May 20, 2021.",
- "meta": {
- "date_accessed": "2021-05-20T00:00:00Z",
- "date_published": "2017-08-08T00:00:00Z",
- "refs": [
- "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/"
- ],
- "source": "MITRE",
- "title": "Smuggling HTA files in Internet Explorer/Edge"
- },
- "related": [],
- "uuid": "f5615cdc-bc56-415b-8e38-6f3fd1c33c88",
- "value": "nccgroup Smuggling HTA 2017"
- },
 {
 "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019.",
 "meta": {
@@ -50106,6 +50728,21 @@
 "uuid": "b16bae1a-75aa-478b-b8c7-458ee5a3f7e5",
 "value": "Environmental Keyed HTA"
 },
+ {
+ "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved May 20, 2021.",
+ "meta": {
+ "date_accessed": "2021-05-20T00:00:00Z",
+ "date_published": "2017-08-08T00:00:00Z",
+ "refs": [
+ "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/"
+ ],
+ "source": "MITRE",
+ "title": "Smuggling HTA files in Internet Explorer/Edge"
+ },
+ "related": [],
+ "uuid": "f5615cdc-bc56-415b-8e38-6f3fd1c33c88",
+ "value": "nccgroup Smuggling HTA 2017"
+ },
 {
 "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.",
 "meta": {
@@ -50228,21 +50865,6 @@
 "uuid": "01d9c3ba-29e2-5090-b399-0e7adf50a6b9",
 "value": "SocGholish-update"
 },
- {
- "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.",
- "meta": {
- "date_accessed": "2024-03-22T00:00:00Z",
- "date_published": "2022-11-07T00:00:00Z",
- "refs": [
- "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/"
- ],
- "source": "MITRE",
- "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders"
- },
- "related": [],
- "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d",
- "value": "SentinelOne SocGholish Infrastructure November 2022"
- },
 {
 "description": "Aleksandar Milenkoski. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved May 7, 2023.",
 "meta": {
@@ -50259,6 +50881,21 @@
 "uuid": "c2dd119c-25d8-4e48-8eeb-89552a5a096c",
 "value": "SentinelLabs SocGholish November 2022"
 },
+ {
+ "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-22T00:00:00Z",
+ "date_published": "2022-11-07T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/"
+ ],
+ "source": "MITRE",
+ "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders"
+ },
+ "related": [],
+ "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d",
+ "value": "SentinelOne SocGholish Infrastructure November 2022"
+ },
 {
 "description": "Proofpoint. (2022, November 21). SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US. Retrieved May 7, 2023.",
 "meta": {
@@ -50291,6 +50928,22 @@
 "uuid": "ba749fe0-1ac7-4767-85df-97e6351c37f9",
 "value": "Rapid7 Blog 5 10 2024"
 },
+ {
+ "description": "Federal Bureau of Investigation. (2024, June 24). Social Engineering Tactics Targeting Healthcare & Public Health Entities and Providers. Retrieved June 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-28T00:00:00Z",
+ "date_published": "2024-06-24T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.ic3.gov/Media/News/2024/240624.pdf"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Social Engineering Tactics Targeting Healthcare & Public Health Entities and Providers"
+ },
+ "related": [],
+ "uuid": "527ac41a-a65e-4cf9-a9c9-194443b37c5b",
+ "value": "FBI Social Engineering Attacks June 24 2024"
+ },
 {
 "description": "Felipe Duarte, Ido Naor. (2022, March 9). Sockbot in GoLand. Retrieved September 22, 2023.",
 "meta": {
@@ -51219,21 +51872,6 @@ "uuid": "edd0cab4-48f7-48d8-a318-ced118af6a63", "value": "Sekoia.io Stealc February 27 2023" }, - { - "description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.", - "meta": { - "date_accessed": "2023-02-21T00:00:00Z", - "date_published": "2022-02-15T00:00:00Z", - "refs": [ - "https://aadinternals.com/post/deviceidentity/" - ], - "source": "MITRE", - "title": "Stealing and faking Azure AD device identities" - }, - "related": [], - "uuid": "b5ef16c4-1db0-51e9-93ab-54a8e480debc", - "value": "AADInternals Azure AD Device Identities" - }, { "description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.", "meta": { @@ -51249,6 +51887,21 @@ "uuid": "ec94c043-92ef-4691-b21a-7ea68f39e338", "value": "O365 Blog Azure AD Device IDs" }, + { + "description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.", + "meta": { + "date_accessed": "2023-02-21T00:00:00Z", + "date_published": "2022-02-15T00:00:00Z", + "refs": [ + "https://aadinternals.com/post/deviceidentity/" + ], + "source": "MITRE", + "title": "Stealing and faking Azure AD device identities" + }, + "related": [], + "uuid": "b5ef16c4-1db0-51e9-93ab-54a8e480debc", + "value": "AADInternals Azure AD Device Identities" + }, { "description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.", "meta": { 
@@ -51340,6 +51993,22 @@ "uuid": "bd034cc8-29e2-4d58-a72a-161b831191b7", "value": "FireEye VBA stomp Feb 2020" }, + { + "description": "Threat Hunter Team. (2022, April 27). Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets. Retrieved July 26, 2024.", + "meta": { + "date_accessed": "2024-07-26T00:00:00Z", + "date_published": "2022-04-27T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-espionage" + ], + "source": "Tidal Cyber", + "title": "Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets" + }, + "related": [], + "uuid": "64d72689-0c7a-480a-a295-6321fc0d82fc", + "value": "Symantec Stonefly April 27 2022" + }, { "description": "Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.", "meta": { @@ -51512,6 +52181,22 @@ "uuid": "cbf5ecfb-de79-41cc-8250-01790ff6e89b", "value": "U.S. CISA Daixin Team October 2022" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2022, November 25). #StopRansomware: Hive Ransomware. Retrieved June 18, 2024.", + "meta": { + "date_accessed": "2024-06-18T00:00:00Z", + "date_published": "2022-11-25T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a" + ], + "source": "Tidal Cyber", + "title": "#StopRansomware: Hive Ransomware" + }, + "related": [], + "uuid": "fce322e6-5e23-404a-acf8-cd003f00c79d", + "value": "U.S. CISA Hive November 25 2022" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved May 19, 2023.", "meta": { 
@@ -52419,20 +53104,6 @@ "uuid": "6be16aba-a37f-49c4-9a36-51d2676f64e6", "value": "Ubuntu Manpage systemd rc" }, - { - "description": "Freedesktop.org. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.", - "meta": { - "date_accessed": "2020-03-16T00:00:00Z", - "refs": [ - "https://www.freedesktop.org/software/systemd/man/systemd.service.html" - ], - "source": "MITRE", - "title": "systemd.service — Service unit configuration" - }, - "related": [], - "uuid": "43bae447-d2e3-4b53-b17b-12a0b54ac604", - "value": "Systemd Service Units" - }, { "description": "Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023.", "meta": { @@ -52447,6 +53118,20 @@ "uuid": "cae49a7a-db3b-5202-ba45-fbfa98b073c9", "value": "freedesktop systemd.service" }, + { + "description": "Freedesktop.org. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.", + "meta": { + "date_accessed": "2020-03-16T00:00:00Z", + "refs": [ + "https://www.freedesktop.org/software/systemd/man/systemd.service.html" + ], + "source": "MITRE", + "title": "systemd.service — Service unit configuration" + }, + "related": [], + "uuid": "43bae447-d2e3-4b53-b17b-12a0b54ac604", + "value": "Systemd Service Units" + }, { "description": "Man7. (n.d.). systemd-sleep.conf(5) — Linux manual page. Retrieved June 7, 2023.", "meta": { @@ -52519,20 +53204,6 @@ "uuid": "2a3c5216-b153-4d89-b0b1-f32af3aa83d0", "value": "Peripheral Discovery macOS" }, - { - "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.", - "meta": { - "date_accessed": "2016-11-25T00:00:00Z", - "refs": [ - "https://msdn.microsoft.com/ms724961.aspx" - ], - "source": "MITRE", - "title": "System Time" - }, - "related": [], - "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec", - "value": "MSDN System Time" - }, { "description": "ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.", "meta": { 
@@ -52548,6 +53219,20 @@ "uuid": "2dfd22d7-c78b-5967-b732-736f37ea5489", "value": "linux system time" }, + { + "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.", + "meta": { + "date_accessed": "2016-11-25T00:00:00Z", + "refs": [ + "https://msdn.microsoft.com/ms724961.aspx" + ], + "source": "MITRE", + "title": "System Time" + }, + "related": [], + "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec", + "value": "MSDN System Time" + }, { "description": "Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.", "meta": { @@ -53255,21 +53940,6 @@ "uuid": "b98f1967-c62f-5afe-a2f7-4c426615d576", "value": "AquaSec TeamTNT 2023" }, - { - "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022.", - "meta": { - "date_accessed": "2022-07-08T00:00:00Z", - "date_published": "2022-04-21T00:00:00Z", - "refs": [ - "https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html" - ], - "source": "MITRE", - "title": "TeamTNT targeting AWS, Alibaba" - }, - "related": [], - "uuid": "acd1b4c5-da28-584e-b892-599180a8dbb0", - "value": "Talos TeamTNT" - }, { "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.", "meta": { 
@@ -53285,6 +53955,21 @@ "uuid": "f39b5f92-6e14-4c7f-b79d-7bade722e6d9", "value": "Cisco Talos Intelligence Group" }, + { + "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022.", + "meta": { + "date_accessed": "2022-07-08T00:00:00Z", + "date_published": "2022-04-21T00:00:00Z", + "refs": [ + "https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html" + ], + "source": "MITRE", + "title": "TeamTNT targeting AWS, Alibaba" + }, + "related": [], + "uuid": "acd1b4c5-da28-584e-b892-599180a8dbb0", + "value": "Talos TeamTNT" + }, { "description": "Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.", "meta": { @@ -53987,21 +54672,6 @@ "uuid": "93a23447-641c-4ee2-9fbd-64b2adea8a5f", "value": "BlackBerry CostaRicto November 2020" }, - { - "description": "Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.", - "meta": { - "date_accessed": "2024-03-19T00:00:00Z", - "date_published": "2024-01-31T00:00:00Z", - "refs": [ - "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - ], - "source": "MITRE", - "title": "The curious case of DangerDev@protonmail.me" - }, - "related": [], - "uuid": "90d608b9-ddbf-5476-bce1-85e8466aca47", - "value": "Invictus IR DangerDev 2024" - }, { "description": "Www.invictus-ir.com. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved April 17, 2024.", "meta": { 
@@ -54018,6 +54688,21 @@
 "uuid": "803a084a-0468-4c43-9843-a0b5652acdba",
 "value": "Www.invictus-ir.com 1 31 2024"
 },
+ {
+ "description": "Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-19T00:00:00Z",
+ "date_published": "2024-01-31T00:00:00Z",
+ "refs": [
+ "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
+ ],
+ "source": "MITRE",
+ "title": "The curious case of DangerDev@protonmail.me"
+ },
+ "related": [],
+ "uuid": "90d608b9-ddbf-5476-bce1-85e8466aca47",
+ "value": "Invictus IR DangerDev 2024"
+ },
 {
 "description": "Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.",
 "meta": {
@@ -54661,8 +55346,8 @@
 "title": "The LaZagne Project !!!"
 },
 "related": [],
- "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5",
- "value": "GitHub LaZagne Dec 2018"
+ "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15",
+ "value": "GitHub LaZange Dec 2018"
 },
 {
 "description": "Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.",
@@ -54675,8 +55360,8 @@
 "title": "The LaZagne Project !!!"
 },
 "related": [],
- "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15",
- "value": "GitHub LaZange Dec 2018"
+ "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5",
+ "value": "GitHub LaZagne Dec 2018"
 },
 {
 "description": "SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.",
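Review bot: The two 'The LaZagne Project !!!' entries exchange their uuid/value pairs across the last two hunks, so each uuid still ends up beside the same value and nothing is functionally changed, but the pair itself looks like a near-duplicate with a typo: 'GitHub LaZange Dec 2018' (uuid 33cca4fa-…) differs from 'GitHub LaZagne Dec 2018' (uuid 9347b507-…) only in spelling, and at least the second entry's description is identical for both. If 'LaZange' is the citation key exactly as it appears upstream it has to stay so lookups keep resolving; otherwise it is worth confirming whether one of the two entries should be dropped rather than carrying two references for one source. Both entries start before the hunk, so the first entry's description is not visible here.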
@@ -56045,6 +56730,22 @@ "uuid": "dcdd4e48-3c3d-4008-a6f6-390f896f147b", "value": "Palo Alto Unit 42 EKANS" }, + { + "description": "Kristopher Russo. (2022, November 21). Threat Assessment: Luna Moth Callback Phishing Campaign. Retrieved June 28, 2024.", + "meta": { + "date_accessed": "2024-06-28T00:00:00Z", + "date_published": "2022-11-21T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/" + ], + "source": "Tidal Cyber", + "title": "Threat Assessment: Luna Moth Callback Phishing Campaign" + }, + "related": [], + "uuid": "042f51db-c9f3-4827-883d-d7e7422fd642", + "value": "Unit42 Luna Moth November 21 2022" + }, { "description": "UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.", "meta": { @@ -56165,20 +56866,6 @@ "uuid": "c113cde7-5dd5-45e9-af16-3ab6ed0b1728", "value": "Awake Security Avaddon" }, - { - "description": "Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.", - "meta": { - "date_accessed": "2022-07-08T00:00:00Z", - "refs": [ - "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/" - ], - "source": "MITRE", - "title": "Threat Hunting Series: Detecting Command & Control in the Cloud" - }, - "related": [], - "uuid": "b12e0288-48cd-46ec-8305-0f4d050782f2", - "value": "Detecting Command & Control in the Cloud" - }, { "description": "Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.", "meta": { 
@@ -56193,6 +56880,20 @@ "uuid": "fa3762ce-3e60-4991-b464-12601d2a6912", "value": "Awake Security C2 Cloud" }, + { + "description": "Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.", + "meta": { + "date_accessed": "2022-07-08T00:00:00Z", + "refs": [ + "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/" + ], + "source": "MITRE", + "title": "Threat Hunting Series: Detecting Command & Control in the Cloud" + }, + "related": [], + "uuid": "b12e0288-48cd-46ec-8305-0f4d050782f2", + "value": "Detecting Command & Control in the Cloud" + }, { "description": "Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.", "meta": { @@ -56583,6 +57284,22 @@ "uuid": "140e6b01-6b98-4f82-9455-0c84b3856b86", "value": "TrendMicro Tonto Team October 2020" }, + { + "description": "Sandra Joyce, Shane Huntley. (2024, February 14). Tool of First Resort: Israel-Hamas War in Cyber. Retrieved August 30, 2024.", + "meta": { + "date_accessed": "2024-08-30T00:00:00Z", + "date_published": "2024-02-14T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf" + ], + "source": "Tidal Cyber", + "title": "Tool of First Resort: Israel-Hamas War in Cyber" + }, + "related": [], + "uuid": "55290507-e007-4366-9116-bbad364c14f3", + "value": "Google Israel-Hamas War February 14 2024" + }, { "description": "Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.", "meta": { 
@@ -56806,21 +57523,6 @@ "uuid": "99e48516-f918-477c-b85e-4ad894cc031f", "value": "JScrip May 2018" }, - { - "description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.", - "meta": { - "date_accessed": "2022-07-29T00:00:00Z", - "date_published": "2021-05-13T00:00:00Z", - "refs": [ - "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" - ], - "source": "MITRE", - "title": "Transparent Tribe APT expands its Windows malware arsenal" - }, - "related": [], - "uuid": "be1e3092-1981-457b-ae76-b55b057e1d73", - "value": "tt_obliqueRAT" - }, { "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.", "meta": { @@ -56836,6 +57538,21 @@ "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d", "value": "Talos Transparent Tribe May 2021" }, + { + "description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.", + "meta": { + "date_accessed": "2022-07-29T00:00:00Z", + "date_published": "2021-05-13T00:00:00Z", + "refs": [ + "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" + ], + "source": "MITRE", + "title": "Transparent Tribe APT expands its Windows malware arsenal" + }, + "related": [], + "uuid": "be1e3092-1981-457b-ae76-b55b057e1d73", + "value": "tt_obliqueRAT" + }, { "description": "N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.", "meta": { 
@@ -57613,21 +58330,6 @@ "uuid": "5d69d122-13bc-45c4-95ab-68283a21b699", "value": "TrendMicro Tropic Trooper Mar 2018" }, - { - "description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.", - "meta": { - "date_accessed": "2018-11-09T00:00:00Z", - "date_published": "2016-11-22T00:00:00Z", - "refs": [ - "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ], - "source": "MITRE", - "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy" - }, - "related": [], - "uuid": "cad84e3d-9506-44f8-bdd9-d090e6ce9b06", - "value": "Unit 42 Tropic Trooper Nov 2016" - }, { "description": "Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.", "meta": { @@ -57643,6 +58345,21 @@ "uuid": "47524b17-1acd-44b1-8de5-168369fa9455", "value": "paloalto Tropic Trooper 2016" }, + { + "description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.", + "meta": { + "date_accessed": "2018-11-09T00:00:00Z", + "date_published": "2016-11-22T00:00:00Z", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + ], + "source": "MITRE", + "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy" + }, + "related": [], + "uuid": "cad84e3d-9506-44f8-bdd9-d090e6ce9b06", + "value": "Unit 42 Tropic Trooper Nov 2016" + }, { "description": "Microsoft. (2023, October 23). Troubleshooting Conditional Access policy changes. Retrieved January 2, 2024.", "meta": { 
@@ -58319,6 +59036,22 @@ "uuid": "452ca091-42b1-5bef-8a01-921c1f46bbee", "value": "Mandiant APT29 Eye Spy Email Nov 22" }, + { + "description": "Mandiant. (2024, June 13). UNC3944 Targets SaaS Applications . Retrieved June 17, 2024.", + "meta": { + "date_accessed": "2024-06-17T00:00:00Z", + "date_published": "2024-06-13T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications" + ], + "source": "Tidal Cyber", + "title": "UNC3944 Targets SaaS Applications" + }, + "related": [], + "uuid": "161423a2-165d-448f-90e9-0c53e319a125", + "value": "Google Cloud June 13 2024" + }, { "description": "Mandiant. (2024, June 10). UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion . Retrieved June 13, 2024.", "meta": { @@ -58351,6 +59084,22 @@ "uuid": "cef19ceb-179f-4d49-acba-5ce40ab9f65e", "value": "Mandiant UNC961 March 23 2023" }, + { + "description": "Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved August 30, 2024.", + "meta": { + "date_accessed": "2024-08-30T00:00:00Z", + "date_published": "2024-05-01T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations" + ], + "source": "Tidal Cyber", + "title": "Uncharmed: Untangling Iran's APT42 Operations" + }, + "related": [], + "uuid": "84c0313a-bea1-44a7-9396-8e12437852d1", + "value": "Mandiant Uncharmed May 1 2024" + }, { "description": "Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.", "meta": { 
@@ -59129,6 +59878,22 @@ "uuid": "600de668-f128-4368-8667-24ed9a9db47a", "value": "USCYBERCOM SLOTHFULMEDIA October 2020" }, + { + "description": "Office of Public Affairs. (2023, January 26). U.S. Department of Justice Disrupts Hive Ransomware Variant. Retrieved June 18, 2024.", + "meta": { + "date_accessed": "2024-06-18T00:00:00Z", + "date_published": "2023-01-26T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant" + ], + "source": "Tidal Cyber", + "title": "U.S. Department of Justice Disrupts Hive Ransomware Variant" + }, + "related": [], + "uuid": "81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0", + "value": "U.S. Justice Department Hive January 2023" + }, { "description": "Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.", "meta": { @@ -60251,21 +61016,6 @@ "uuid": "a26344a2-63ca-422e-8cf9-0cf22a5bee72", "value": "CheckPoint Volatile Cedar March 2015" }, - { - "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", - "meta": { - "date_accessed": "2023-07-27T00:00:00Z", - "date_published": "2023-05-24T00:00:00Z", - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" - ], - "source": "MITRE", - "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques" - }, - "related": [], - "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f", - "value": "Microsoft Volt Typhoon May 2023" - }, { "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved May 25, 2023.", "meta": { 
@@ -60282,6 +61032,21 @@ "uuid": "2e94c44a-d2a7-4e56-ac8a-df315fc14ec1", "value": "Microsoft Volt Typhoon May 24 2023" }, + { + "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", + "meta": { + "date_accessed": "2023-07-27T00:00:00Z", + "date_published": "2023-05-24T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" + ], + "source": "MITRE", + "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques" + }, + "related": [], + "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f", + "value": "Microsoft Volt Typhoon May 2023" + }, { "description": "LOLBAS. (2023, July 12). VSDiagnostics.exe. Retrieved December 4, 2023.", "meta": { @@ -60902,6 +61667,20 @@ "uuid": "d316c581-646d-48e7-956e-34e2f957c67d", "value": "Cofense Astaroth Sept 2018" }, + { + "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", + "meta": { + "date_accessed": "2021-09-14T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" + ], + "source": "MITRE", + "title": "wevtutil" + }, + "related": [], + "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", + "value": "Wevtutil Microsoft Documentation" + }, { "description": "Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.", "meta": { 
@@ -60917,20 +61696,6 @@ "uuid": "8896d802-96c6-4546-8a82-c1f7f2d71ea1", "value": "Microsoft wevtutil Oct 2017" }, - { - "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", - "meta": { - "date_accessed": "2021-09-14T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" - ], - "source": "MITRE", - "title": "wevtutil" - }, - "related": [], - "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", - "value": "Wevtutil Microsoft Documentation" - }, { "description": "LOLBAS. (2021, September 26). Wfc.exe. Retrieved December 4, 2023.", "meta": { @@ -61904,6 +62669,21 @@ "uuid": "92ac290c-4863-4774-b334-848ed72e3627", "value": "Trend Micro Privileged Container" }, + { + "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.", + "meta": { + "date_accessed": "2024-01-02T00:00:00Z", + "date_published": "2023-09-14T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" + ], + "source": "MITRE", + "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety" + }, + "related": [], + "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b", + "value": "Mandiant UNC3944 SMS Phishing 2023" + }, { "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved November 16, 2023.", "meta": { 
@@ -61920,21 +62700,6 @@
 "uuid": "7420d79f-c6a3-4932-9c2e-c9cc36e2ca35",
 "value": "Mandiant UNC3944 September 14 2023"
 },
- {
- "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.",
- "meta": {
- "date_accessed": "2024-01-02T00:00:00Z",
- "date_published": "2023-09-14T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware"
- ],
- "source": "MITRE",
- "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety"
- },
- "related": [],
- "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b",
- "value": "Mandiant UNC3944 SMS Phishing 2023"
- },
 {
 "description": "Stack Overflow. (n.d.). Why do I see an \"Electron Security Warning\" after updating my Electron project to the latest version?. Retrieved March 7, 2024.",
 "meta": {
@@ -63771,5 +64536,5 @@
 "value": "Sysdig Kinsing November 2020"
 }
 ],
- "version": 2
+ "version": 1
 }
diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json
index d27482d..096cdd4 100644
--- a/clusters/tidal-software.json
+++ b/clusters/tidal-software.json
@@ -28,6 +28,10 @@
 {
 "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
+ "type": "similar"
 }
 ],
 "uuid": "71d76208-c465-4447-8d6e-c54f142b65a4",
@@ -52,6 +56,10 @@
 {
 "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
+ "type": "similar"
 }
 ],
 "uuid": "a15142a3-4797-4fef-8ec6-065e3322a69b",
@@ -67,6 +75,7 @@
 "software_attack_id": "S5023",
 "source": "Tidal Cyber",
 "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "c45ce044-b5b9-426a-866c-130e9f2a4427",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
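Review bot: The last hunk of the references file lowers the cluster version from `"version": 2` to `"version": 1` while the rest of the patch adds, removes and reorders entries in that same cluster. MISP instances that have already imported version 2 compare versions when updating galaxies and will treat this content as older, so the new and moved references are not picked up until the number exceeds what is already published; it should go up, for example `"version": 3`. If the file is produced by a generator that emits a fixed constant, it should instead read the existing value from the file and increment it on every regeneration.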
@@ -85,6 +94,14 @@ ] }, "related": [ + { + "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", + "type": "used-by" + }, + { + "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -164,6 +181,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "2c5281dd-b5fd-4531-8aea-c1bf8a0f8756", + "type": "similar" } ], "uuid": "3d33fbf5-c21e-4587-ba31-9aeec3cc10c0", @@ -188,6 +209,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "a0ebedca-d558-4e48-8ff7-4bf76208d90c", + "type": "similar" } ], "uuid": "394cadd0-bc4d-4181-ac53-858e84b8e3de", @@ -259,6 +284,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2", + "type": "similar" } ], "uuid": "cf465790-3d6d-5767-bb8c-63a429f95d83", @@ -280,6 +309,10 @@ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" + }, + { + "dest-uuid": "36801ffb-5c85-4c50-9121-6122e389366d", + "type": "similar" } ], "uuid": "202781a3-d481-4984-9e5a-31caafc20135", @@ -301,6 +334,10 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" + }, + { + "dest-uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", + "type": "similar" } ], "uuid": "f52e759a-a725-4b50-84f2-12bef89d369e", @@ -336,6 +373,9 @@ "software_attack_id": "S0552", "source": "MITRE", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", 
@@ -357,13 +397,25 @@
 },
 "related": [
 {
- "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
 "type": "used-by"
 },
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -396,6 +448,10 @@
 "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342",
 "type": "used-by"
@@ -407,6 +463,10 @@
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87",
+ "type": "similar"
 }
 ],
 "uuid": "70559096-2a6b-4388-97e6-c2b16f3be78e",
@@ -491,6 +551,14 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
 "type": "used-by"
@@ -640,6 +708,10 @@
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
+ "type": "similar"
 }
 ],
 "uuid": "ef7f4f5f-6f30-4059-87d1-cd8375bf1bee",
@@ -661,7 +733,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
+ "type": "similar"
+ }
+ ],
 "uuid": "f27c9a91-c618-40c6-837d-089ba4d80f45",
 "value": "Agent.btz"
 },
@@ -710,6 +787,10 @@
 {
 "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
+ "type": "similar"
 }
 ],
 "uuid": "304650b1-a0b5-460c-9210-23a5b53815a4",
@@ -737,16 +818,24 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "6f6b2353-4b39-40ce-9d6d-d00b7a61e656",
+ "type": "similar"
 }
 ],
 "uuid": "96ae0e1e-975a-5e11-adbe-c79ee17cee11",
 "value": "Akira"
 },
 {
- "description": "A ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, \"Akira Ransomware Actors\".",
+ "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Akira\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nA ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, \"Akira Ransomware Actors\".",
 "meta": {
 "owner": "TidalCyberIan",
 "platforms": [
@@ -774,7 +863,7 @@
 }
 ],
 "uuid": "59d598a9-e115-4d90-8fef-096015afa8d4",
- "value": "Akira Ransomware"
+ "value": "Akira Ransomware (Deprecated)"
 },
 {
 "description": "[Amadey](https://app.tidalcyber.com/software/f173ec20-ef40-436b-a859-fef017e1e767) is a Trojan bot that has been used since at least October 2018.[[Korean FSI TA505 2020](https://app.tidalcyber.com/references/d4e2c109-341c-45b3-9d41-3eb980724524)][[BlackBerry Amadey 2020](https://app.tidalcyber.com/references/21b7a7c7-55a2-4235-ba11-d34ba68d1bf5)]",
@@ -797,6 +886,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9", + "type": "similar" } ], "uuid": "f173ec20-ef40-436b-a859-fef017e1e767", @@ -822,6 +915,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "5f1d4579-4e8f-48e7-860e-2da773ae432e", + "type": "similar" } ], "uuid": "9521c535-1043-4b82-ba5d-e5eaeca500ee", @@ -839,7 +936,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dcd9548e-df9e-47c2-81f3-bc084289959d", + "type": "similar" + } + ], "uuid": "69aac793-9e6a-5167-bc62-823189ee2f7b", "value": "ANDROMEDA" }, @@ -907,6 +1009,14 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, + { + "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -955,6 +1065,10 @@ "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" @@ -1011,6 +1125,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "e2d34c63-6f5a-41f5-86a2-e2380f27f858", + "type": "similar" } ], "uuid": "cdeb3110-07e5-4c3d-9eef-e6f2b760ef33", @@ -1036,6 +1154,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "295721d2-ee20-4fa3-ade3-37f4146b4570", + "type": "similar" } ], "uuid": "9df2e42e-b454-46ea-b50d-2f7d999f3d42", @@ -1101,6 +1223,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "3161d76a-e2b2-4b97-9906-24909b735386", + "type": "similar" } ], "uuid": "7ba79887-d496-47aa-8b71-df7f46329322", 
@@ -1143,6 +1269,10 @@
 {
 "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
+ "type": "similar"
 }
 ],
 "uuid": "45b51950-6190-4572-b1a2-7c69d865251e",
@@ -1200,6 +1330,10 @@
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2",
+ "type": "similar"
 }
 ],
 "uuid": "a0cce010-9158-45e5-978a-f002e5c31a03",
@@ -1220,7 +1354,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6",
+ "type": "similar"
+ }
+ ],
 "uuid": "ea719a35-cbe9-4503-873d-164f68ab4544",
 "value": "Astaroth"
 },
@@ -1233,6 +1372,12 @@
 "software_attack_id": "S1087",
 "source": "MITRE",
 "tags": [
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "27a117ce-bb19-4f79-9bc2-a851b69c5c50",
+ "6070668f-1cbd-4878-8066-c636d1d8659c",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
 "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
 "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
 "2feda37d-5579-4102-a073-aa02e82cb49f",
@@ -1244,6 +1389,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
 "type": "used-by"
@@ -1251,6 +1400,10 @@
 {
 "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d",
+ "type": "similar"
 }
 ],
 "uuid": "d587efff-4699-51c7-a4cc-bdbd1b302ed4",
@@ -1287,6 +1440,10 @@
 {
 "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
+ "type": "similar"
 }
 ],
 "uuid": "af01dc7b-a2bc-4fda-bbfe-d2be889c2860",
@@ -1345,6 +1502,14 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
 "type": "used-by"
@@ -1353,6 +1518,10 @@
 "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "type": "used-by"
@@ -1362,11 +1531,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf",
+ "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
 "type": "used-by"
 },
 {
- "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
+ "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f",
 "type": "used-by"
 }
 ],
@@ -1406,7 +1575,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
+ "type": "similar"
+ }
+ ],
 "uuid": "89c35e9f-b435-4f58-9073-f24c1ee8754f",
 "value": "Attor"
 },
@@ -1426,6 +1600,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92",
+ "type": "similar"
 }
 ],
 "uuid": "d0c25f14-5eb3-40c1-a890-2ab1349dff53",
@@ -1451,6 +1629,10 @@
 {
 "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300",
+ "type": "similar"
 }
 ],
 "uuid": "3f927596-5219-49eb-bd0d-57068b0e04ed",
@@ -1504,6 +1686,10 @@
 {
 "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5",
+ "type": "similar"
 }
 ],
 "uuid": "649a4cfc-c0d0-412d-a28c-1bd4ed604ea8",
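Review bot: Hunk @@ -1362,11 +1531,11 @@ rewrites two existing `dest-uuid` lines (`393da13e…` → `86b97a39…`, `86b97a39…` → `cca12ba9…`) instead of showing one inserted entry, because the generator emits `related` in an order that shifts when an entry is added; the same move-then-re-add churn appears in hunks @@ -3456,10 +3931,6 @@ / @@ -3492,10 +3971,6 @@, @@ -4277,19 +4827,7 @@ / @@ -4312,6 +4850,22 @@ and @@ -4962,11 +5585,11 @@. For a threat-intel cluster the content worth reviewing is which relationships were added or dropped, and that is hard to audit when unchanged pairs are reprinted as modifications. Emitting `related` sorted by (`type`, `dest-uuid`), or keeping the existing order and appending new entries, would make each future diff show only real relationship changes.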
@@ -1526,7 +1712,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "58c5a3a1-928f-4094-9e98-a5a4e56dd5f3",
+ "type": "similar"
+ }
+ ],
 "uuid": "bad92974-35f6-4183-8024-b629140c6ee6",
 "value": "Avaddon"
 },
@@ -1549,6 +1740,10 @@
 {
 "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
+ "type": "similar"
 }
 ],
 "uuid": "e5ca0192-e905-46a1-abef-ce1119c1f967",
@@ -1577,7 +1772,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d",
+ "type": "similar"
+ }
+ ],
 "uuid": "e792dc8d-b0f4-5916-8850-a61ff53125d0",
 "value": "AvosLocker"
 },
@@ -1600,6 +1800,10 @@
 {
 "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080",
+ "type": "similar"
 }
 ],
 "uuid": "cc68a7f0-c955-465f-bee0-2dacbb179078",
@@ -1615,6 +1819,9 @@
 "software_attack_id": "S0638",
 "source": "MITRE",
 "tags": [
+ "64d3f7d8-30b7-4b03-bee2-a6029672216c",
+ "375983b3-6e87-4281-99e2-1561519dd17b",
+ "3ed2343c-a29c-42e2-8259-410381164c6a",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "b5962a84-f1c7-4d0d-985c-86301db95129",
 "12124060-8392-49a3-b7b7-1dde3ebc8e67",
@@ -1630,7 +1837,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "61c7a91a-0b83-461d-ad32-75d96eed4a09",
+ "type": "similar"
+ }
+ ],
 "uuid": "0dc07eb9-66df-4116-b1bc-7020ca6395a1",
 "value": "Babuk"
 },
@@ -1653,6 +1865,10 @@
 {
 "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b",
+ "type": "similar"
 }
 ],
 "uuid": "ebb824a2-abff-4bfd-87f0-d63cb02b62e6",
@@ -1677,6 +1893,10 @@
 {
 "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "c13d9621-aca7-436b-ab3d-3a95badb3d00",
+ "type": "similar"
 }
 ],
 "uuid": "2763ad8c-cf4e-42eb-88db-a40ff8f96cf9",
@@ -1701,6 +1921,10 @@
 {
 "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
+ "type": "similar"
 }
 ],
 "uuid": "f7cc5974-767c-4cb4-acc7-36295a386ce5",
@@ -1725,6 +1949,10 @@
 {
 "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
+ "type": "similar"
 }
 ],
 "uuid": "d0daaa00-68e1-4568-bb08-3f28bcd82c63",
@@ -1789,6 +2017,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2",
+ "type": "similar"
 }
 ],
 "uuid": "d7aa53a5-0912-4952-8f7f-55698e933c3b",
@@ -1813,6 +2045,10 @@
 {
 "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "57d83eac-a2ea-42b0-a7b2-c80c55157790",
+ "type": "similar"
 }
 ],
 "uuid": "8c454294-81cb-45d0-b299-818994ad3e6f",
@@ -1834,6 +2070,10 @@
 {
 "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888",
+ "type": "similar"
 }
 ],
 "uuid": "16481e0f-49d5-54c1-a1fe-16d9e7f8d08c",
@@ -1855,6 +2095,10 @@
 {
 "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
+ "type": "similar"
 }
 ],
 "uuid": "34c24d27-c779-42a4-9f61-3f0d3fea6fd4",
@@ -1872,7 +2116,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1",
+ "type": "similar"
+ }
+ ],
 "uuid": "10e76722-4b52-47f6-9276-70e95fecb26b",
 "value": "BadPatch"
 },
@@ -1925,6 +2174,10 @@
 {
 "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
+ "type": "similar"
 }
 ],
 "uuid": "a1d86d8f-fa48-43aa-9833-7355750e455c",
@@ -1951,6 +2204,10 @@
 {
 "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b",
+ "type": "similar"
 }
 ],
 "uuid": "5c0f8c35-88ff-40a1-977a-af5ce534e932",
@@ -1975,6 +2232,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8",
+ "type": "similar"
 }
 ],
 "uuid": "24b8471d-698f-48cc-b47a-8fbbaf28b293",
@@ -2064,6 +2325,10 @@
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0",
+ "type": "similar"
 }
 ],
 "uuid": "b35d9817-6ead-4dbd-a2fa-4b8e217f8eac",
@@ -2088,6 +2353,10 @@
 {
 "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
+ "type": "similar"
 }
 ],
 "uuid": "3daa5ae1-464e-4c0a-aa46-15264a2a0126",
@@ -2105,7 +2374,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
+ "type": "similar"
+ }
+ ],
 "uuid": "be4dab36-d499-4ac3-b204-5e309e3a5331",
 "value": "BBSRAT"
 },
@@ -2128,6 +2402,10 @@
 {
 "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "805480f1-6caa-4a67-8ca9-b2b39650d986",
+ "type": "similar"
 }
 ],
 "uuid": "a114a498-fcfd-4e0a-9d1e-e26750d71af8",
@@ -2225,6 +2503,10 @@
 {
 "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda",
+ "type": "similar"
 }
 ],
 "uuid": "3ad98097-2d10-4aa1-9594-7e74828a3643",
@@ -2249,6 +2531,10 @@
 {
 "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d",
+ "type": "similar"
 }
 ],
 "uuid": "b898816e-610f-4c2f-9045-d9f28a54ee58",
@@ -2274,6 +2560,10 @@
 {
 "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100",
+ "type": "similar"
 }
 ],
 "uuid": "e7dec940-8701-4c06-9865-5b11c61c046d",
@@ -2335,6 +2625,10 @@
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163",
+ "type": "similar"
 }
 ],
 "uuid": "52a20d3d-1edd-4f17-87f0-b77c67d260b4",
@@ -2370,6 +2664,10 @@
 {
 "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53",
+ "type": "similar"
 }
 ],
 "uuid": "0d5b24ba-68dc-50fa-8268-3012180fe374",
@@ -2411,6 +2709,10 @@
 {
 "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc",
+ "type": "similar"
 }
 ],
 "uuid": "691369e5-ef74-5ff9-bc20-34efeb4b6c5b",
@@ -2440,6 +2742,10 @@
 {
 "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
+ "type": "similar"
 }
 ],
 "uuid": "e85e2fca-9347-4448-bfc1-342f29d5d6a1",
@@ -2464,6 +2770,10 @@
 {
 "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
+ "type": "similar"
 }
 ],
 "uuid": "908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f",
@@ -2508,6 +2818,10 @@
 {
 "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "63c4511b-2d6e-4bb2-b582-e2e99a8a467d",
+ "type": "similar"
 }
 ],
 "uuid": "da348a51-d047-4144-9ba4-34d2ce964a11",
@@ -2524,6 +2838,9 @@
 "software_attack_id": "S5324",
 "source": "Tidal Cyber",
 "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "a2e000da-8181-4327-bacd-32013dbd3654",
 "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "7e7b0c67-bb85-4996-a289-da0e792d7172",
@@ -2533,7 +2850,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + } + ], "uuid": "6e200813-4379-457b-9cce-2203bed4b072", "value": "BlackSuit Ransomware" }, @@ -2553,6 +2875,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "01dbc71d-0ee8-420d-abb4-3dfb6a4bf725", + "type": "similar" } ], "uuid": "1af8ea81-40df-4fba-8d63-1858b8b31217", @@ -2625,6 +2951,10 @@ { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" + }, + { + "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", + "type": "similar" } ], "uuid": "72658763-8077-451e-8572-38858f8cacf3", @@ -2649,6 +2979,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0", + "type": "similar" } ], "uuid": "3aaaaf86-638b-4a65-be18-c6e6dcdcdb97", @@ -2666,7 +3000,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "type": "similar" + } + ], "uuid": "3793db4b-f843-4cfd-89d2-ec28b62feda5", "value": "Bonadan" }, @@ -2686,6 +3025,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", + "type": "similar" } ], "uuid": "d8690218-5272-47d8-8189-35d3b518e66f", @@ -2710,6 +3053,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074", + "type": "similar" } ], "uuid": "9d393f6f-855e-4348-8a26-008174e3605a", @@ -2734,6 +3081,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010", + "type": "similar" } ], "uuid": "74a73624-d53b-4c84-a14b-8ae964fd577c", 
@@ -2751,7 +3102,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", + "type": "similar" + } + ], "uuid": "d47a4753-80f5-494e-aad7-d033aaff0d6d", "value": "BOOTRASH" }, @@ -2774,6 +3130,10 @@ { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" + }, + { + "dest-uuid": "919a056e-5104-43b9-ad55-2ac929108b71", + "type": "similar" } ], "uuid": "d3e46011-3433-426c-83b3-61c2576d5f71", @@ -2795,6 +3155,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5", + "type": "similar" } ], "uuid": "51b27e2c-c737-4006-a657-195ea1a1f4f0", @@ -2816,6 +3180,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", + "type": "similar" } ], "uuid": "7942783c-73a7-413c-94d1-8981029a1c51", @@ -2841,6 +3209,10 @@ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" + }, + { + "dest-uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5", + "type": "similar" } ], "uuid": "23043b44-69a6-5cdf-8f60-5a68068680c7", @@ -2858,7 +3230,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", + "type": "similar" + } + ], "uuid": "c9e773de-0213-4b64-83fb-637060c8b5ed", "value": "BS2005" }, @@ -2881,6 +3258,10 @@ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" + }, + { + "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", + "type": "similar" } ], "uuid": "2be4e3d2-e8c5-4406-8041-2c17bdb3a547", @@ -2905,6 +3286,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", + "type": "similar" } ], "uuid": "c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9", 
@@ -2931,6 +3316,10 @@ { "dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799", "type": "used-by" + }, + { + "dest-uuid": "04378e79-4387-468a-a8f7-f974b8254e44", + "type": "similar" } ], "uuid": "cc155181-fb34-4aaf-b083-b7b57b140b7a", @@ -2951,7 +3340,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7bef1b56-4870-4e74-b32a-7dd88c390c44", + "type": "similar" + } + ], "uuid": "e9873bf1-9619-4c62-b4cf-1009e83de186", "value": "Bundlore" }, @@ -2967,7 +3361,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "29a0bb87-1162-4c83-9834-2a98a876051b", + "type": "similar" + } + ], "uuid": "44ed9567-2cb6-590e-b332-154557fb93f9", "value": "BUSHWALK" }, @@ -2987,6 +3386,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", + "type": "similar" } ], "uuid": "7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc", @@ -3037,7 +3440,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b30d999d-64e0-4e35-9856-884e4b83d611", + "type": "similar" + } + ], "uuid": "62d0ddcd-790d-4d2d-9d94-276f54b40cf0", "value": "CaddyWiper" }, @@ -3057,6 +3465,10 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" + }, + { + "dest-uuid": "a705b085-1eae-455e-8f4d-842483d814eb", + "type": "similar" } ], "uuid": "c8a51b39-6906-4381-9bb4-4e9e612aa085", @@ -3078,6 +3490,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", + "type": "similar" } ], "uuid": "ad859a79-c183-44f6-a89a-f734710672a9", @@ -3095,7 +3511,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b8fdef82-d2cf-4948-8949-6466357b1be1", + "type": "similar" + } + ], "uuid": "6b5b408c-4f9d-4137-bfb1-830d12e9736c", "value": "Calisto" }, 
@@ -3115,6 +3536,10 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" + }, + { + "dest-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", + "type": "similar" } ], "uuid": "352ee271-89e6-4d3f-9c26-98dbab0e2986", @@ -3136,6 +3561,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", + "type": "similar" } ], "uuid": "790e931d-2571-496d-9f48-322774a7d482", @@ -3161,6 +3590,10 @@ { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" + }, + { + "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", + "type": "similar" } ], "uuid": "4cb9294b-9e4c-41b9-b640-46213a01952d", @@ -3178,7 +3611,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "bbcd7a02-ef24-4171-ac94-a93540173b94", + "type": "similar" + } + ], "uuid": "df9491fd-5e24-4548-8e21-1268dce59d1f", "value": "Carberp" }, @@ -3198,6 +3636,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", + "type": "similar" } ], "uuid": "61f5d19c-1da2-43d1-ab20-51eacbca71f2", @@ -3218,7 +3660,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4", + "type": "similar" + } + ], "uuid": "fa23acef-3034-43ee-9610-4fc322f0d80b", "value": "Cardinal RAT" }, @@ -3237,7 +3684,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4", + "type": "similar" + } + ], "uuid": "84bb4068-b441-435e-8535-02a458ffd50b", "value": "CARROTBALL" }, @@ -3253,7 +3705,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1b9f0800-035e-4ed1-9648-b18294cc5bc8", + "type": "similar" + } + ], "uuid": "aefa893d-fc6e-41a9-8794-2700049db9e5", "value": "CARROTBAT" }, 
@@ -3273,6 +3730,10 @@ { "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "type": "used-by" + }, + { + "dest-uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a", + "type": "similar" } ], "uuid": "04deccb5-9850-45c3-a900-5d7039a94190", @@ -3297,6 +3758,10 @@ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" + }, + { + "dest-uuid": "751b77e6-af1f-483b-93fe-eddf17f92a64", + "type": "similar" } ], "uuid": "ee88afaa-88bc-4c20-906f-332866388549", @@ -3343,7 +3808,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", + "type": "similar" + } + ], "uuid": "4eb0720c-7046-4ff1-adfd-ae603506e499", "value": "CCBkdr" }, @@ -3359,7 +3829,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a394448a-4576-41b8-81cc-9b61abad94ab", + "type": "similar" + } + ], "uuid": "e00c2a0c-bbe5-4eff-b0ad-b2543456a317", "value": "ccf32" }, @@ -3456,10 +3931,6 @@ ] }, "related": [ - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, { "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", "type": "used-by" @@ -3472,6 +3943,14 @@ "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, + { + "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", + "type": "used-by" + }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" @@ -3492,10 +3971,6 @@ "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" }, - { - "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", - "type": "used-by" - }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" @@ -3511,6 +3986,10 @@ { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "type": "similar" } ], "uuid": "2fe21578-ee31-4ee8-b6ab-b5f76f97d043", 
@@ -3531,7 +4010,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "77e0ecf7-ca91-4c06-8012-8e728986a87a", + "type": "similar" + } + ], "uuid": "0c8efcd0-bfdf-4771-8754-18aac836c359", "value": "Chaes" }, @@ -3551,7 +4035,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5bcd5511-6756-4824-a692-e8bb109364af", + "type": "similar" + } + ], "uuid": "92c88765-6b12-42cd-b1d7-f6a65b2236e2", "value": "Chaos" }, @@ -3574,6 +4063,10 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" + }, + { + "dest-uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", + "type": "similar" } ], "uuid": "b1e3b56f-2e83-4cab-a1c1-16999009d056", @@ -3595,6 +4088,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", + "type": "similar" } ], "uuid": "3f2283ef-67c2-49a3-98ac-1aa9f0499361", @@ -3616,6 +4113,10 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" + }, + { + "dest-uuid": "5d3fa1db-5041-4560-b87b-8f61cc225c52", + "type": "similar" } ], "uuid": "6475bc8c-b95d-5cb3-92f0-aa7e2f18859a", @@ -3633,7 +4134,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", + "type": "similar" + } + ], "uuid": "2fd6f564-918e-4ee7-920a-2b4be858d11a", "value": "Cherry Picker" }, @@ -3654,14 +4160,6 @@ ] }, "related": [ - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", - "type": "used-by" - }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" 
@@ -3670,6 +4168,14 @@ "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, + { + "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", + "type": "used-by" + }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" @@ -3689,6 +4195,10 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" + }, + { + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", + "type": "similar" } ], "uuid": "723c5ab7-23ca-46f2-83bb-f1d1e550122c", @@ -3706,7 +4216,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0b639373-5f03-430e-b8f9-2fe8c8faad8e", + "type": "similar" + } + ], "uuid": "7c36563a-9143-4766-8aef-4e1787e18d8c", "value": "Chinoxy" }, @@ -3720,6 +4235,7 @@ "software_attack_id": "S5063", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -3731,6 +4247,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" @@ -3803,6 +4323,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", + "type": "similar" } ], "uuid": "01c6c49a-f7c8-44cd-a377-4dfd358ffeba", @@ -3823,7 +4347,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "579607c2-d046-40df-99ab-beb479c37a2a", + "type": "similar" + } + ], "uuid": "df77ed2a-f135-4f00-9a5e-79b7a6a2ed14", "value": "Chrommme" }, @@ -3843,6 +4372,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "6e95feb1-78ee-48d3-b421-4d76663b5c49", + "type": "similar" } ], "uuid": "4bac93bd-7e58-4ddb-a205-d99597b9e65e", 
@@ -3950,6 +4483,10 @@ { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" + }, + { + "dest-uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de", + "type": "similar" } ], "uuid": "5321aa75-924c-47ae-b97a-b36f023abf2a", @@ -3995,6 +4532,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", + "type": "similar" } ], "uuid": "b3dd424b-ee96-449c-aa52-abbc7d4dfb86", @@ -4019,6 +4560,10 @@ ] }, "related": [ + { + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "type": "used-by" + }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" @@ -4031,10 +4576,6 @@ "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" }, - { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", - "type": "used-by" - }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" @@ -4150,6 +4691,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", + "type": "similar" } ], "uuid": "98d89476-63ec-4baf-b2b3-86c52170f5d8", @@ -4244,7 +4789,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0c242cc5-58d3-4fe3-a866-b00a4b6fb817", + "type": "similar" + } + ], "uuid": "fbd3f71a-e123-5527-908c-9e7ea0d646e8", "value": "COATHANGER" }, @@ -4277,19 +4827,7 @@ }, "related": [ { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", - "type": "used-by" - }, - { - "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", - "type": "used-by" - }, - { - "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { 
@@ -4312,6 +4850,22 @@ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, + { + "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", + "type": "used-by" + }, + { + "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", + "type": "used-by" + }, + { + "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", + "type": "used-by" + }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" @@ -4384,6 +4938,10 @@ "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" @@ -4419,6 +4977,10 @@ { "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "type": "used-by" + }, + { + "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", + "type": "similar" } ], "uuid": "9b6bcbba-3ab4-4a4c-a233-cd12254823f6", @@ -4467,7 +5029,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "aa1462a1-d065-416c-b354-bedd04998c7f", + "type": "similar" + } + ], "uuid": "d4e6f9f7-7f4d-47c2-be24-b267d9317303", "value": "Cobian RAT" }, @@ -4504,7 +5071,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d1531eaa-9e17-473e-a680-3298469662c3", + "type": "similar" + } + ], "uuid": "b0d9b31a-072b-4744-8d2f-3a63256a932f", "value": "CoinTicker" }, @@ -4542,7 +5114,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", + "type": "similar" + } + ], "uuid": "341fc709-4908-4e41-8df3-554dae6d72b0", "value": "Comnie" }, @@ -4565,6 +5142,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", + "type": "similar" } ], "uuid": "300c5997-a486-4a61-8213-93a180c22849", 
@@ -4622,7 +5203,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "type": "similar" + } + ], "uuid": "ef33f1fa-18a3-4b30-b359-17b7930f43a7", "value": "Conficker" }, @@ -4724,6 +5310,10 @@ { "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", "type": "used-by" + }, + { + "dest-uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261", + "type": "similar" } ], "uuid": "6f9bb24d-cce2-49de-bedd-1849d9bde7a0", @@ -4738,6 +5328,9 @@ "software_attack_id": "S0575", "source": "MITRE", "tags": [ + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "375983b3-6e87-4281-99e2-1561519dd17b", + "3ed2343c-a29c-42e2-8259-410381164c6a", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "0ed7d10c-c65b-4174-9edb-446bf301d250", @@ -4766,6 +5359,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b", + "type": "similar" } ], "uuid": "8e995c29-2759-4aeb-9a0f-bb7cd97b06e5", @@ -4805,7 +5402,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "type": "similar" + } + ], "uuid": "6e2c4aef-2f69-4507-9ee3-55432d76341e", "value": "CookieMiner" }, @@ -4828,6 +5430,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", + "type": "similar" } ], "uuid": "f13c8455-d615-4f8d-9d9c-5b31e593cd8a", @@ -4874,6 +5480,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", + "type": "similar" } ], "uuid": "3b193f62-2b49-4eff-bdf4-501fb8a28274", @@ -4898,6 +5508,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", + "type": "similar" } ], "uuid": "43b317c6-5b4f-47b8-b7b4-15cd6f455091", 
@@ -4915,7 +5529,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5d342981-5194-41e7-b33f-8e91998d7d88", + "type": "similar" + } + ], "uuid": "ea9e2d19-89fe-4039-a1e0-467b14554c6f", "value": "CostaBricks" }, @@ -4938,6 +5557,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", + "type": "similar" } ], "uuid": "c2353daa-fd4c-44e1-8013-55400439965a", @@ -4962,11 +5585,11 @@ }, "related": [ { - "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { - "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { @@ -4980,6 +5603,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", + "type": "similar" } ], "uuid": "47e710b4-1397-47cf-a979-20891192f313", @@ -5042,6 +5669,11 @@ ], "software_attack_id": "S1023", "source": "MITRE", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "be319849-fb2c-4b5f-8055-0bde562c280b", + "8bf128ad-288b-41bc-904f-093f4fdde745" + ], "type": [ "malware" ] @@ -5050,6 +5682,10 @@ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" + }, + { + "dest-uuid": "750eb92a-7fdf-451e-9592-1d42357018f1", + "type": "similar" } ], "uuid": "7f7f05c3-fbb1-475e-b672-2113709065c8", @@ -5071,6 +5707,10 @@ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" + }, + { + "dest-uuid": "d23de441-f9cf-4802-b1ff-f588a11a896b", + "type": "similar" } ], "uuid": "11ce380c-481b-4c9b-b44e-06f1a91c01c1", @@ -5095,6 +5735,10 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" + }, + { + "dest-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", + "type": "similar" } ], "uuid": "3b3f296f-20a6-459a-98c5-62ebdee3701f", 
@@ -5118,6 +5762,10 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" + }, + { + "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", + "type": "similar" } ], "uuid": "38811c3b-f548-43fa-ab26-c7243b84a055", @@ -5139,6 +5787,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "925a6c52-5cf0-4fec-99de-b0d6917d8593", + "type": "similar" } ], "uuid": "e1ad229b-d750-4148-a1f3-36e767b03cd1", @@ -5160,6 +5812,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "type": "similar" } ], "uuid": "12ce6d04-ebe5-440e-b342-0283b7c8a0c8", @@ -5252,6 +5908,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94", + "type": "similar" } ], "uuid": "eb481db6-d7ba-4873-a171-76a228c9eb97", @@ -5266,6 +5926,9 @@ "software_attack_id": "S0625", "source": "MITRE", "tags": [ + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "375983b3-6e87-4281-99e2-1561519dd17b", + "3ed2343c-a29c-42e2-8259-410381164c6a", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930", @@ -5292,6 +5955,10 @@ { "dest-uuid": "c2015888-72c0-4367-b2cf-df85688a56b7", "type": "used-by" + }, + { + "dest-uuid": "6cd07296-14aa-403d-9229-6343d03d4752", + "type": "similar" } ], "uuid": "095064c6-144e-4935-b878-f82151bc08e4", @@ -5339,6 +6006,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e", + "type": "similar" } ], "uuid": "68792756-7dbf-41fd-8d48-ac3cc2b52712", @@ -5362,6 +6033,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "type": "similar" } ], "uuid": "9d521c18-09f0-47be-bfe5-e1bf26f7b928", 
@@ -5386,6 +6061,10 @@
 {
 "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "b8d48deb-450c-44f6-a934-ac8765aa89cb",
+ "type": "similar"
 }
 ],
 "uuid": "131c0eb2-9191-4ccd-a2d6-5f36046a8f2f",
@@ -5418,6 +6097,10 @@
 {
 "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547",
+ "type": "similar"
 }
 ],
 "uuid": "74f88899-56d0-4de8-97de-539b3590ab90",
@@ -5442,13 +6125,17 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" + }, + { + "dest-uuid": "6f6f67c9-556d-4459-95c2-78d272190e52", + "type": "similar" } ], "uuid": "39d81c48-8f7c-54cb-8fac-485598e31a55", "value": "DarkGate - Duplicate" }, { - "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nDarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[[Bleeping Computer DarkGate October 14 2023](/references/313e5558-d8f9-4457-9004-810d9fa5340c)] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[[DarkGate Loader delivered via Teams - Truesec](/references/4222a06f-9528-4076-8037-a27012c2930c)][[Trend Micro DarkGate October 12 2023](/references/81650f5b-628b-4e76-80d6-2c15cf70d37a)]", + "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"DarkGate\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\n*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. 
Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nDarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[[Bleeping Computer DarkGate October 14 2023](/references/313e5558-d8f9-4457-9004-810d9fa5340c)] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[[DarkGate Loader delivered via Teams - Truesec](/references/4222a06f-9528-4076-8037-a27012c2930c)][[Trend Micro DarkGate October 12 2023](/references/81650f5b-628b-4e76-80d6-2c15cf70d37a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ 
@@ -5470,7 +6157,7 @@
 }
 ],
 "uuid": "7144b703-f471-4bde-bedc-e8b274854de5",
- "value": "DarkGate"
+ "value": "DarkGate (Deprecated)"
 },
 {
 "description": "[DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4), AsyncRat, [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), RedLine, [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), and Metasploit.[[Secureworks DarkTortilla Aug 2022](https://app.tidalcyber.com/references/4b48cc22-55ac-5b61-b183-9008f7db37fd)]",
@@ -5484,7 +6171,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8",
+ "type": "similar"
+ }
+ ],
 "uuid": "35abcb6b-3259-57c1-94fc-50cfd5bde786",
 "value": "DarkTortilla"
 },
@@ -5503,7 +6195,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "63686509-069b-4143-99ea-4e59cad6cb2a",
+ "type": "similar"
+ }
+ ],
 "uuid": "740a0327-4caf-4d90-8b51-f3f9a4d59b37",
 "value": "DarkWatchman"
 },
@@ -5523,6 +6220,10 @@
 {
 "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
+ "type": "similar"
 }
 ],
 "uuid": "fad65026-57c4-4d4f-8803-87178dd4b887",
@@ -5592,6 +6293,10 @@
 {
 "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "5633ffd3-81ef-4f98-8f93-4896b03998f0",
+ "type": "similar"
 }
 ],
 "uuid": "26ae3cd1-6710-4807-b674-957bd67d3e76",
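Review bot: Renaming `value` from `"DarkGate"` to `"DarkGate (Deprecated)"` in `@@ -5470,7 +6157,7 @@` changes the string under which this cluster is tagged and looked up (galaxy tags are built from `value`), so events already tagged with the old name stop resolving to this entry even though its `uuid` is unchanged. The new description says the object is superseded by the MITRE-authored `DarkGate` object, yet this hunk shows no `similar` relation from `7144b703-…` to that successor; the entry's `related` block lies outside the hunk, so it may already be there. If this repository has a convention for withdrawn entries, prefer it plus a `similar` link to the successor over renaming; otherwise keep `"value": "DarkGate"` and carry the deprecation in the description only.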
@@ -5610,6 +6315,10 @@ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" + }, + { + "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", + "type": "similar" } ], "uuid": "0657b804-a889-400a-97d7-a4989809a623", @@ -5630,7 +6339,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470", + "type": "similar" + } + ], "uuid": "e9533664-90c5-5b40-a40e-a69a2eda8bc9", "value": "DEADEYE" }, @@ -5653,6 +6367,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", + "type": "similar" } ], "uuid": "64dc5d44-2304-4875-b517-316ab98512c2", @@ -5674,7 +6392,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6de9cad1-eed2-4e27-b0b5-39fa29349ea0", + "type": "similar" + } + ], "uuid": "832f5ab1-1267-40c9-84ef-f32d6373be4e", "value": "DEATHRANSOM" }, @@ -5754,6 +6477,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", + "type": "similar" } ], "uuid": "df4002d2-f557-4f95-af7a-9a4582fb7068", @@ -5814,6 +6541,10 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" + }, + { + "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", + "type": "similar" } ], "uuid": "9222aa77-922e-43c7-89ad-71067c428fb2", @@ -6056,6 +6787,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "4e9bdf9a-4957-47f6-87b3-c76898d3f623", + "type": "similar" } ], "uuid": "d057b6e7-1de4-4f2f-b374-7e879caecd67", @@ -6077,6 +6812,10 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" + }, + { + "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", + "type": "similar" } ], "uuid": "226ee563-4d49-48c2-aa91-82999f43ce30", 
@@ -6098,6 +6837,10 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" + }, + { + "dest-uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157", + "type": "similar" } ], "uuid": "194314e3-4edc-5346-96b6-d2d7bf5d830a", @@ -6176,6 +6919,10 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "8a2867f9-e8fc-4bf1-a860-ef6e46311900", + "type": "similar" } ], "uuid": "e69a913d-4ddc-4d69-9961-25a31cae5899", @@ -6221,6 +6968,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", + "type": "similar" } ], "uuid": "81ce23c0-f505-4d75-9928-4fbd627d3bc2", @@ -6238,7 +6989,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f36b2598-515f-4345-84e5-5ccde253edbe", + "type": "similar" + } + ], "uuid": "dfa14314-3c64-4a10-9889-0423b884f7aa", "value": "Dok" }, @@ -6258,7 +7014,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4f1c389e-a80e-4a3e-9b0e-9be8c91df64f", + "type": "similar" + } + ], "uuid": "e6160c55-1868-47bd-bec6-7becbf236bbb", "value": "Doki" }, @@ -6282,6 +7043,10 @@ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" + }, + { + "dest-uuid": "a7b5df47-73bb-4d47-b701-869f185633a6", + "type": "similar" } ], "uuid": "40d25a38-91f4-4e07-bb97-8866bed8e44f", @@ -6328,6 +7093,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", + "type": "similar" } ], "uuid": "f7b64b81-f9e7-46bf-8f63-6d7520da832c", @@ -6352,6 +7121,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "8be7c69e-d8e3-4970-9668-61de08e508cc", + "type": "similar" } ], "uuid": "20b796cf-6c90-4928-999e-88107078e15e", 
@@ -6373,6 +7146,10 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" + }, + { + "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", + "type": "similar" } ], "uuid": "fc433c9d-a7fe-4915-8aa0-06b58f288249", @@ -6390,7 +7167,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "56aa3c82-ed40-4b5a-84bf-7231356d9e96", + "type": "similar" + } + ], "uuid": "c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf", "value": "DRATzarus" }, @@ -6417,6 +7199,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", + "type": "similar" } ], "uuid": "e3cd4405-b698-41d9-88e4-fff29e7a19e2", @@ -6438,6 +7224,10 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" + }, + { + "dest-uuid": "3ae6097d-d700-46c6-8b21-42fc0bcb48fa", + "type": "similar" } ], "uuid": "9c44d3f9-7a7b-4716-9cfa-640b36548ab0", @@ -6464,6 +7254,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "99164b38-1775-40bc-b77b-a2373b14540a", + "type": "similar" } ], "uuid": "bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b", @@ -6516,6 +7310,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", + "type": "similar" } ], "uuid": "06402bdc-a4a1-4e4a-bfc4-09f2c159af75", @@ -6540,6 +7338,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "f8774023-8021-4ece-9aca-383ac89d2759", + "type": "similar" } ], "uuid": "aa21462d-9653-48eb-a82e-5c93c9db5f7a", @@ -6604,7 +7406,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", + "type": "similar" + } + ], "uuid": "d4a664e5-9819-4f33-8b2b-e6f8e6a64999", "value": "Duqu" }, 
@@ -6627,6 +7434,10 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" + }, + { + "dest-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", + "type": "similar" } ], "uuid": "77506f02-104f-4aac-a4e0-9649bd7efe2e", @@ -6670,6 +7481,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", + "type": "similar" } ], "uuid": "38e012f7-fb3a-4250-a129-92da3a488724", @@ -6726,6 +7541,10 @@ { "dest-uuid": "eeb69751-8c22-4a5f-8da2-239cc7d7746c", "type": "used-by" + }, + { + "dest-uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", + "type": "similar" } ], "uuid": "2375465a-e6a9-40ab-b631-a5b04cf5c689", @@ -6751,6 +7570,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42", + "type": "similar" } ], "uuid": "70f703b3-0e24-4ffe-9772-f0e386ec607f", 
@@ -6772,11 +7595,42 @@
 {
 "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3",
+ "type": "similar"
 }
 ],
 "uuid": "6508d3dc-eb22-468c-9122-dcf541caa69c",
 "value": "Ecipekac"
 },
+ {
+ "description": "EDRKillShifter is a suspected threat actor-developed tool that is designed to disable victim endpoint detection & response (EDR) software. In August 2024, security researchers reported that the RansomHub ransomware group had deployed EDRKillShifter during attacks in May. The researchers also noted that EDRKillShifter primarily functions as a loader for payloads that could vary. This object mainly reflects ATT&CK Techniques associated with observed EDRKillShifter loader and payload deployments reported in August 2024.[[Sophos News August 14 2024](/references/d0811fd4-e89d-4337-9bc1-a9a8774d44b1)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S5332",
+ "source": "Tidal Cyber",
+ "tags": [
+ "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "1233436f-2a00-4557-89a4-8cbc45e6f9f7",
+ "value": "EDRKillShifter"
+ },
 {
 "description": "[Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. 
Researchers have noted code similarities between [Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) and Sekhmet ransomware, as well as [Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) ransomware.[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)][[Cyble Egregor Oct 2020](https://app.tidalcyber.com/references/545a131d-88fc-4b34-923c-0b759b45fc7f)][[Security Boulevard Egregor Oct 2020](https://app.tidalcyber.com/references/cd37a000-9e15-45a3-a7c9-bb508c10e55d)]", "meta": { @@ -6796,7 +7650,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "cc4c1287-9c86-4447-810c-744f3880ec37", + "type": "similar" + } + ], "uuid": "0e36b62f-a6e2-4406-b3d9-e05204e14a66", "value": "Egregor" }, 
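Review bot: The new EDRKillShifter description in `@@ -6772,11 +7595,42 @@` cites its only source as a root-relative link, `(/references/d0811fd4-e89d-4337-9bc1-a9a8774d44b1)`, whereas neighbouring entries such as Egregor use absolute `https://app.tidalcyber.com/references/…` URLs; rendered anywhere other than the Tidal app (the MISP UI, a report built from this galaxy) the relative link is dead and an analyst cannot verify the claim. The same form is used in the Eldorado (`@@ -6817`) and Fog (`@@ -8016`) descriptions added later in this file. If the upstream export emits the relative form, normalising it in the generator with the base the older entries already use, e.g. `[[Sophos News August 14 2024](https://app.tidalcyber.com/references/d0811fd4-e89d-4337-9bc1-a9a8774d44b1)]`, keeps every entry's references resolvable.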
@@ -6817,10 +7676,46 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "type": "similar" + } + ], "uuid": "cd7821cb-32f3-4d81-a5d1-0cdee94a15c4", "value": "EKANS" }, + { + "description": "This object reflects the ATT&CK Techniques associated with binaries of Eldorado, a ransomware-as-a-service (\"RaaS\") first observed in March 2024.[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)] A small number of Techniques associated with threat actors who deploy Eldorado can be found in the \"Eldorado Ransomware Operators\" Group object.\n\nEldorado is written in the cross-platform Golang language. A custom \"builder\" allows threat actors to create both Windows- and Linux-focused versions of the ransomware. Researchers indicate that the Linux version has a relatively simple set of capabilities, lacking any native discovery, defense evasion, or other common post-exploit abilities common in many modern (Windows) ransomware. 
The operator must have access to the target system(s) and must provide a target directory path, after which the ransomware will recursively loop through the files within that path and encrypt them (T1486).[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux", + "Windows" + ], + "software_attack_id": "S5330", + "source": "Tidal Cyber", + "tags": [ + "a2e000da-8181-4327-bacd-32013dbd3654", + "5e7433ad-a894-4489-93bc-41e90da90019", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "26e1c52e-0c48-4cd0-bdc5-9cf981a6e714", + "type": "used-by" + } + ], + "uuid": "a2ad5253-e31b-432c-804d-971be8652344", + "value": "Eldorado Ransomware" + }, { "description": "[Elise](https://app.tidalcyber.com/software/fd5efee9-8710-4536-861f-c88d882f4d24) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. [[Lotus Blossom Jun 2015](https://app.tidalcyber.com/references/46fdb8ca-b14d-43bd-a20f-cae7b26e56c6)][[Accenture Dragonfish Jan 2018](https://app.tidalcyber.com/references/f692c6fa-7b3a-4d1d-9002-b1a59f7116f4)]", "meta": { @@ -6840,6 +7735,10 @@ { "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "type": "used-by" + }, + { + "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", + "type": "similar" } ], "uuid": "fd5efee9-8710-4536-861f-c88d882f4d24", @@ -6861,6 +7760,10 @@ { "dest-uuid": "06a05175-0812-44f5-a529-30eba07d1762", "type": "used-by" + }, + { + "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", + "type": "similar" } ], "uuid": "6a3ca97e-6dd6-44e5-a5f0-7225099ab474", 
@@ -6882,6 +7785,10 @@ { "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "type": "used-by" + }, + { + "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", + "type": "similar" } ], "uuid": "fd95d38d-83f9-4b31-8292-ba2b04275b36", @@ -6916,6 +7823,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", + "type": "similar" } ], "uuid": "c987d255-a351-4736-913f-91e2f28d0654", @@ -6945,7 +7856,7 @@ }, "related": [ { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" }, { @@ -6953,7 +7864,7 @@ "type": "used-by" }, { - "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { @@ -7015,6 +7926,10 @@ { "dest-uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533", "type": "used-by" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "type": "similar" } ], "uuid": "fea655ac-558f-4dd0-867f-9a5553626207", @@ -7039,6 +7954,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "2f8229dc-da94-41c6-89ba-b5b6c32f6b7d", + "type": "similar" } ], "uuid": "8da6fbf0-a18d-49a0-9235-101300d49d5e", @@ -7063,6 +7982,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", + "type": "similar" } ], "uuid": "a7e71387-b276-413c-a0de-4cf07e39b158", @@ -7093,6 +8016,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27", + "type": "similar" } ], "uuid": "a7589733-6b04-4215-a4e7-4b62cd4610fa", @@ -7132,7 +8059,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a8a778f5-0035-4870-bb25-53dc05029586", + "type": "similar" + } + ], "uuid": "300e8176-e7ee-44ef-8d10-dff96502f6c6", "value": "EvilBunny" }, 
@@ -7146,6 +8078,7 @@ "software_attack_id": "S5078", "source": "Tidal Cyber", "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" @@ -7186,6 +8119,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", + "type": "similar" } ], "uuid": "e862419c-d6b6-4433-a02a-c1cc98ea6f9e", @@ -7210,6 +8147,10 @@ { "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", "type": "used-by" + }, + { + "dest-uuid": "7cdfccda-2950-4167-981a-60872ff5d0db", + "type": "similar" } ], "uuid": "e0eaae6d-5137-4053-bf37-ff90bf5767a9", @@ -7231,6 +8172,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd", + "type": "similar" } ], "uuid": "c773f709-b5fe-4514-9d88-24ceb0dd8063", @@ -7252,6 +8197,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5", + "type": "similar" } ], "uuid": "21569dfb-c9f1-468e-903e-348f19dbae1f", @@ -7320,7 +8269,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973", + "type": "similar" + } + ], "uuid": "5d7a39e3-c667-45b3-987e-3b0ca49cff61", "value": "Expand" }, @@ -7370,6 +8324,10 @@ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" + }, + { + "dest-uuid": "6a21e3a4-5ffe-4581-af9a-6a54c7536f44", + "type": "similar" } ], "uuid": "572eec55-2855-49ac-a82e-2c21e9aca27e", @@ -7470,6 +8428,10 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" + }, + { + "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", + "type": "similar" } ], "uuid": "8c64a330-1457-4c32-ab2f-12b6eb37d607", 
@@ -7519,6 +8481,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", + "type": "similar" } ], "uuid": "ea47f1fd-0171-4254-8c92-92b7a5eec5e1", @@ -7543,6 +8509,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a", + "type": "similar" } ], "uuid": "997ff740-1b00-40b6-887a-ef4101e93295", @@ -7564,6 +8534,10 @@ { "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "type": "used-by" + }, + { + "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", + "type": "similar" } ], "uuid": "c66ed8ab-4692-4948-820e-5ce87cc78db5", @@ -7581,7 +8555,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624", + "type": "similar" + } + ], "uuid": "4b1a07cd-4c1f-4d93-a454-07fd59b3039a", "value": "FELIXROOT" }, @@ -7601,6 +8580,10 @@ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" + }, + { + "dest-uuid": "73d08401-005f-4e1f-90b9-8f45d120879f", + "type": "similar" } ], "uuid": "3e54ba7a-fd4c-477f-9c2d-34b4f69fc091", @@ -7618,7 +8601,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", + "type": "similar" + } + ], "uuid": "1bbf04bb-d869-48c5-a538-70a25503de1d", "value": "Fgdump" }, @@ -7688,6 +8676,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", + "type": "similar" } ], "uuid": "eb4dc358-e353-47fc-8207-b7cb10d580f7", @@ -7741,6 +8733,10 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" + }, + { + "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", + "type": "similar" } ], "uuid": "41f54ce1-842c-428a-977f-518a5b63b4d7", 
@@ -7791,6 +8787,10 @@ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" + }, + { + "dest-uuid": "f464354c-7103-47c6-969b-8766f0157ed2", + "type": "similar" } ], "uuid": "84187393-2fe9-4136-8720-a6893734ee8c", @@ -7815,6 +8815,10 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" + }, + { + "dest-uuid": "592260fb-dd5c-4a30-8d99-106a0485be0d", + "type": "similar" } ], "uuid": "977aaf8a-2216-40f0-8682-61dd91638147", @@ -7835,7 +8839,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "type": "similar" + } + ], "uuid": "87604333-638f-4f4a-94e0-16aa825dd5b8", "value": "Flame" }, @@ -7855,6 +8864,10 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" + }, + { + "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", + "type": "similar" } ], "uuid": "44a5e62a-6de4-49d2-8f1b-e68ecdf9f332", @@ -7876,13 +8889,17 @@ ] }, "related": [ + { + "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", + "type": "used-by" + }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { - "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", - "type": "used-by" + "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", + "type": "similar" } ], "uuid": "308dbe77-3d58-40bb-b0a5-cd00f152dc60", @@ -7918,6 +8935,10 @@ { "dest-uuid": "eb10ed9e-ea8d-4b61-bfc3-5994d30970df", "type": "used-by" + }, + { + "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", + "type": "similar" } ], "uuid": "c558e948-c817-4494-a95d-ad3207f10e26", @@ -7970,6 +8991,10 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" + }, + { + "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", + "type": "similar" } ], "uuid": "18002747-ddcc-42c1-b0ca-1e598a9f1919", 
@@ -8016,11 +9041,44 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44", + "type": "similar" } ], "uuid": "bc11844e-0348-4eed-a48a-0554d68db38c", "value": "FoggyWeb" }, + { + "description": "Fog is a ransomware family first observed in May 2024. Its distribution has been linked to Storm-0844, a threat actor that also leverages suspected valid credentials and freely available tools for initial access and post-exploit activity prior to ransomware deployment.[[Arctic Wolf Fog Ransomware June 4 2024](/references/86111971-cd37-4a87-bcaa-3e0f6326da5c)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5331", + "source": "Tidal Cyber", + "tags": [ + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", + "type": "used-by" + } + ], + "uuid": "3480069a-13eb-4f1e-9967-57ecac415c52", + "value": "Fog Ransomware" + }, { "description": "[Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [[Microsoft Forfiles Aug 2016](https://app.tidalcyber.com/references/fd7eaa47-3512-4dbd-b881-bc679d06cd1b)]", "meta": { @@ -8043,6 +9101,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2", + "type": "similar" } ], "uuid": "c6dc67a6-587d-4700-a7de-bee043a0031a", 
@@ -8082,7 +9144,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "bcaae558-9697-47a2-9ec7-c75000ddf58c", + "type": "similar" + } + ], "uuid": "83721b89-df58-50bf-be2a-0b696fb0da78", "value": "FRAMESTING" }, @@ -8099,6 +9166,10 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" + }, + { + "dest-uuid": "1cdbbcab-903a-414d-8eb0-439a97343737", + "type": "similar" } ], "uuid": "aef7cbbc-5163-419c-8e4b-3f73bed50474", @@ -8151,7 +9222,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36", + "type": "similar" + } + ], "uuid": "3a05085e-5a1f-4a74-b489-d679b80e2c18", "value": "FruitFly" }, @@ -8251,6 +9327,10 @@ ] }, "related": [ + { + "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", + "type": "used-by" + }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" @@ -8259,10 +9339,6 @@ "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, - { - "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", - "type": "used-by" - }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" @@ -8270,6 +9346,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", + "type": "similar" } ], "uuid": "062deac9-8f05-44e2-b347-96b59ba166ca", @@ -8290,7 +9370,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "be25c1c0-1590-4219-a3d5-6f31799d1d1b", + "type": "similar" + } + ], "uuid": "d0490e1d-8287-44d3-8342-944d1203b237", "value": "FunnyDream" }, @@ -8310,6 +9395,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "434ba392-ebdc-488b-b1ef-518deea65774", + "type": "similar" } ], "uuid": "be9a2ae5-373a-4dee-9c1e-b54235dafed0", 
@@ -8334,6 +9423,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "50d6688b-0985-4f3d-8cbe-0c796b30703b", + "type": "similar" } ], "uuid": "317a7647-aee7-4ce1-a8f8-33a61190f55d", @@ -8358,6 +9451,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", + "type": "similar" } ], "uuid": "7a60b984-b0c8-4acc-be24-841f4b652872", @@ -8375,7 +9472,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b", + "type": "similar" + } + ], "uuid": "9a117508-1d22-4fea-aa65-db670c13a5c9", "value": "Gelsemium" }, @@ -8395,6 +9497,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", + "type": "similar" } ], "uuid": "97f32f68-dcd2-4f80-9967-cc87305dc342", @@ -8419,6 +9525,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69", + "type": "similar" } ], "uuid": "a997aaaf-edfc-4489-80a9-3f8d64545de1", @@ -8462,10 +9572,6 @@ ] }, "related": [ - { - "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", - "type": "used-by" - }, { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" @@ -8478,6 +9584,10 @@ "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" }, + { + "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", + "type": "used-by" + }, { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" @@ -8501,6 +9611,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "type": "similar" } ], "uuid": "269ef8f5-35c8-44ba-afe4-63f4c6431427", 
@@ -8518,7 +9632,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "554e010d-726b-439d-9a1a-f60fff0cc109", + "type": "similar" + } + ], "uuid": "5c1a1ce5-927c-5c79-8a14-2789756d41ee", "value": "GLASSTOKEN" }, @@ -8538,6 +9657,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", + "type": "similar" } ], "uuid": "09fdec78-5253-433d-8680-294ba6847be9", @@ -8602,6 +9725,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", + "type": "similar" } ], "uuid": "348fdeb5-6a74-4803-ac6e-e0133ecd7263", @@ -8622,7 +9749,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b9704a7d-feef-4af9-8898-5280f1686326", + "type": "similar" + } + ], "uuid": "1b135393-c799-4698-a880-c6a86782adee", "value": "GoldenSpy" }, @@ -8642,6 +9774,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "b7010785-699f-412f-ba49-524da6033c76", + "type": "similar" } ], "uuid": "4e8c58c5-443e-4f73-91e9-89146f04e307", @@ -8667,6 +9803,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0", + "type": "similar" } ], "uuid": "b05a9763-4288-4656-bf4e-ba02bb8b35d6", @@ -8691,6 +9831,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "eac3d77f-2b7b-4599-ba74-948dc16633ad", + "type": "similar" } ], "uuid": "a75855fd-2b6b-43d8-99a5-2be03b544f34", @@ -8734,6 +9878,8 @@ "software_attack_id": "S5289", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" 
@@ -8742,7 +9888,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + } + ], "uuid": "3eec857e-dce3-4865-a65f-3ad5a559a3e6", "value": "Gootloader" }, @@ -8783,7 +9934,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "958b5d06-8bb0-4c5b-a2e7-0130fe654ac7", + "type": "similar" + } + ], "uuid": "61d277f2-abdc-4f2b-b50a-10d0fe91e588", "value": "Grandoreiro" }, @@ -8821,7 +9977,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1d1fce2f-0db5-402b-9843-4278a0694637", + "type": "similar" + } + ], "uuid": "08cb425d-7b7a-41dc-a897-9057ce57fea9", "value": "GravityRAT" }, @@ -8840,7 +10001,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "59c8a28c-200c-4565-9af1-cbdb24870ba0", + "type": "similar" + } + ], "uuid": "f5691425-6690-4e5e-8304-3ede9d2f5a90", "value": "Green Lambert" }, @@ -8860,6 +10026,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8", + "type": "similar" } ], "uuid": "f646e7f9-4d09-46f6-9831-54668fa20483", @@ -8884,6 +10054,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142", + "type": "similar" } ], "uuid": "ad358082-d83a-4c22-81a1-6c34dd67af26", @@ -8912,6 +10086,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25", + "type": "similar" } ], "uuid": "c40a71d4-8592-4f82-8af5-18f763e52caf", @@ -8977,6 +10155,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", + "type": "similar" } ], "uuid": "5ffe662f-9da1-4b6f-ad3a-f296383e828c", 
@@ -8999,7 +10181,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "45c759ac-b490-48bb-80d4-c8eee3431027", + "type": "similar" + } + ], "uuid": "03e985d6-870b-4533-af13-08b1e0511444", "value": "GuLoader" }, @@ -9015,7 +10202,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", + "type": "similar" + } + ], "uuid": "5f1602fe-a4ce-4932-9cf9-ec842f2c58f1", "value": "H1N1" }, @@ -9028,7 +10220,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", + "type": "similar" + } + ], "uuid": "75db2ac3-901e-4b1f-9a0d-bac6562d57a3", "value": "Hacking Team UEFI Rootkit" }, @@ -9045,6 +10242,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", + "type": "similar" } ], "uuid": "5edf0ef7-a960-4500-8a89-8c8b4fdf8824", @@ -9069,6 +10270,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", + "type": "similar" } ], "uuid": "cc07f03f-9919-4856-9b30-f4d88940b0ec", @@ -9089,7 +10294,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ef2247bf-8062-404b-894f-d65d00564817", + "type": "similar" + } + ], "uuid": "4eee3272-07fa-48ee-a7b9-9dfee3e4550a", "value": "Hancitor" }, @@ -9106,6 +10316,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", + "type": "similar" } ], "uuid": "c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8", @@ -9127,6 +10341,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", + "type": "similar" } ], "uuid": "ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7", 
@@ -9145,6 +10363,10 @@ { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" + }, + { + "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", + "type": "similar" } ], "uuid": "8bd36306-bd4b-4a76-8842-44acb0cedbcc", @@ -9162,7 +10384,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b", + "type": "similar" + } + ], "uuid": "392c5a32-53b5-4ce8-a946-226cb533cc4e", "value": "HAWKBALL" }, @@ -9182,6 +10409,10 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" + }, + { + "dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", + "type": "similar" } ], "uuid": "a7ffe1bd-45ca-4ca4-94da-3b6c583a868d", @@ -9203,6 +10434,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", + "type": "similar" } ], "uuid": "f155b6f9-258d-4446-8867-fe5ee26d8c72", @@ -9232,6 +10467,10 @@ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" + }, + { + "dest-uuid": "5d11d418-95dd-4377-b782-23160dfa17b4", + "type": "similar" } ], "uuid": "813a4ca1-84fe-42dc-89de-5873d028f98d", @@ -9256,6 +10495,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", + "type": "similar" } ], "uuid": "d6560c81-1e7e-4d01-9814-4be4fb43e655", @@ -9276,7 +10519,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a0ab8a96-40c9-4483-8a54-3fafa6d6007a", + "type": "similar" + } + ], "uuid": "f0456f14-4913-4861-b4ad-5e7f3960040e", "value": "HermeticWiper" }, @@ -9295,7 +10543,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa", + "type": "similar" + } + ], "uuid": "36ddc8cd-8f80-489e-a702-c682936b5393", "value": "HermeticWizard" }, 
@@ -9318,6 +10571,10 @@ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" + }, + { + "dest-uuid": "dff90475-9f72-41a6-84ed-1fbefd3874c0", + "type": "similar" } ], "uuid": "1841a6e8-6c23-46a1-9c81-783746083764", @@ -9357,7 +10614,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "fc774af4-533b-4724-96d2-ac1026316794", + "type": "similar" + } + ], "uuid": "ec02fb9c-bf9f-404d-bc54-819f2b3fb040", "value": "HiddenWasp" }, @@ -9380,6 +10642,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", + "type": "similar" } ], "uuid": "ce1af464-0b14-4fe9-8591-a6fe58aa96c7", @@ -9401,6 +10667,10 @@ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" + }, + { + "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61", + "type": "similar" } ], "uuid": "8046c80c-4339-4cfb-8bfd-464801db2bfe", @@ -9428,6 +10698,10 @@ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" + }, + { + "dest-uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120", + "type": "similar" } ], "uuid": "7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c", @@ -9448,7 +10722,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", + "type": "similar" + } + ], "uuid": "286184d9-f28a-4d5a-a9dd-2216b3c47809", "value": "Hi-Zor" }, @@ -9468,6 +10747,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", + "type": "similar" } ], "uuid": "16db13f2-f350-4323-96cb-c5f4ac36c3e0", @@ -9493,6 +10776,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", + "type": "similar" } ], "uuid": "4d94594c-2224-46ca-8bc3-28b12ed139f9", 
@@ -9514,6 +10801,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3", + "type": "similar" } ], "uuid": "a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe", @@ -9543,6 +10834,10 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" + }, + { + "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", + "type": "similar" } ], "uuid": "b98d9fe7-9aa3-409a-bf5c-eadb01bac948", @@ -9568,6 +10863,10 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" + }, + { + "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", + "type": "similar" } ], "uuid": "c4fe23f7-f18c-40f6-b431-0b104b497eaa", @@ -9589,6 +10888,10 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" + }, + { + "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", + "type": "similar" } ], "uuid": "bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49", @@ -9614,6 +10917,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a", + "type": "similar" } ], "uuid": "2df88e4e-5a89-5535-ae1a-4c68b19d9078", @@ -9643,6 +10950,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", + "type": "similar" } ], "uuid": "4ffbca79-358a-4ba5-bfbb-dc1694c45646", @@ -9667,6 +10978,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451", + "type": "similar" } ], "uuid": "57cec527-26fb-44a1-b1a9-506a3af2c9f2", @@ -9688,6 +11003,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "2cf7dec3-66fc-423f-b2c7-58f1de243b4e", + "type": "similar" } ], "uuid": "ba3236e9-c86b-4b5d-89ed-7f71940a0588", 
@@ -9705,7 +11024,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dd889a55-fb2c-4ec7-8e9f-c399939a49e1", + "type": "similar" + } + ], "uuid": "5a73defd-6a1a-4132-8427-cec649e8267a", "value": "IceApple" }, @@ -9732,6 +11056,14 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" + }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, + { + "dest-uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "type": "similar" } ], "uuid": "7f59bb7c-5fa9-497d-9d8e-ba9349fd9433", @@ -9854,7 +11186,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", + "type": "similar" + } + ], "uuid": "93ab16d1-625e-4b1c-bb28-28974c269c47", "value": "ifconfig" }, @@ -9870,7 +11207,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2cfe8a26-5be7-4a09-8915-ea3d9e787513", + "type": "similar" + } + ], "uuid": "71098f6e-a2c0-434f-b991-6c079fd3e82d", "value": "iKitten" }, @@ -9968,6 +11310,10 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" + }, + { + "dest-uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9", + "type": "similar" } ], "uuid": "925fc0db-9315-4703-9353-1d0e9ecb1439", @@ -9984,6 +11330,7 @@ "software_attack_id": "S0357", "source": "MITRE", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "6070668f-1cbd-4878-8066-c636d1d8659c", @@ -10006,6 +11353,14 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" 
@@ -10018,10 +11373,6 @@ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -10085,6 +11436,10 @@ { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" + }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "type": "similar" } ], "uuid": "cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c", @@ -10110,6 +11465,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808", + "type": "similar" } ], "uuid": "09398a7c-aee5-44af-b99d-f73d3b39c299", @@ -10132,6 +11491,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "type": "similar" } ], "uuid": "53c5fb76-a690-55c3-9e02-39577990da2a", @@ -10170,7 +11533,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952", + "type": "similar" + } + ], "uuid": "e42bf572-1e70-4467-a4b7-5e22c776c758", "value": "InnaputRAT" }, @@ -10251,7 +11619,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce", + "type": "similar" + } + ], "uuid": "3ee4c49d-2f2c-4677-b193-69f16f2851a4", "value": "InvisiMole" }, @@ -10268,6 +11641,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", + "type": "similar" } ], "uuid": "2200a647-3312-44c0-9691-4a26153febbb", @@ -10384,6 +11761,10 @@ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" 
@@ -10395,6 +11776,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "type": "similar" } ], "uuid": "4f519002-0576-4f8e-8add-73ebac9a86e6", @@ -10419,6 +11804,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e", + "type": "similar" } ], "uuid": "9ca96281-8ff9-4619-a79d-16c5a9594eae", @@ -10443,6 +11832,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", + "type": "similar" } ], "uuid": "752ab0fc-7fa1-4e54-bd9a-7a280a38ed77", @@ -10464,6 +11857,10 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" + }, + { + "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", + "type": "similar" } ], "uuid": "6dbf31cf-0ba0-48b4-be82-38889450845c", @@ -10510,7 +11907,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", + "type": "similar" + } + ], "uuid": "a4debf1f-8a37-4c89-8ebc-31de71d33f79", "value": "Janicab" }, @@ -10526,7 +11928,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "64122557-5940-4271-9123-25bfc0c693db", + "type": "similar" + } + ], "uuid": "853d3d18-d746-4650-a9bd-c36a0e86dd02", "value": "Javali" }, @@ -10543,7 +11950,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82", + "type": "similar" + } + ], "uuid": "41ec0bbc-65ca-4913-a763-1638215d7b2f", "value": "JCry" }, @@ -10566,6 +11978,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", + "type": "similar" } ], "uuid": "d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae", 
@@ -10587,6 +12003,10 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" + }, + { + "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", + "type": "similar" } ], "uuid": "c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f", @@ -10614,6 +12034,10 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" + }, + { + "dest-uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", + "type": "similar" } ], "uuid": "42fe9795-5cf6-4ad7-b56e-2aa655377992", @@ -10661,6 +12085,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "f559f945-eb8b-48b1-904c-68568deebed3", + "type": "similar" } ], "uuid": "c67f3029-a26c-4752-b7f1-8e3369c2f79d", @@ -10709,6 +12137,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", + "type": "similar" } ], "uuid": "ca883d21-97ca-420d-a66b-ef19a8355467", @@ -10729,7 +12161,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", + "type": "similar" + } + ], "uuid": "1896b9c9-a93e-4220-b4c2-6c4c9c5ca297", "value": "Kasidet" }, @@ -10753,6 +12190,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", + "type": "similar" } ], "uuid": "e93990a0-4841-4867-8b74-ac2806d787bf", @@ -10777,6 +12218,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "8c1d01ff-fdc0-4586-99bd-c248e0761af5", + "type": "similar" } ], "uuid": "17c28e46-1005-4737-8567-d4ad9f1aefd1", @@ -10794,7 +12239,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c984b414-b766-44c5-814a-2fe96c913c12", + "type": "similar" + } + ], "uuid": "32f1e0d3-753f-4b51-aec5-cfaa393cedc3", "value": "Kessel" }, 
@@ -10814,6 +12264,10 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "e7863f5d-cb6a-4f81-8804-0a635eec160a", + "type": "similar" } ], "uuid": "b9730d7c-aa57-4d6f-9125-57dcb65b02e0", @@ -10835,6 +12289,10 @@ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" + }, + { + "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", + "type": "similar" } ], "uuid": "6ec39371-d50b-43b6-937c-52de00491eab", @@ -10852,7 +12310,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4b072c90-bc7a-432b-940e-016fc1c01761", + "type": "similar" + } + ], "uuid": "aefbe6ff-7ce4-479e-916d-e8f0259d81f6", "value": "Keydnap" }, @@ -10872,6 +12335,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", + "type": "similar" } ], "uuid": "a644f61e-6a9b-41ab-beca-72518351c27f", @@ -10894,6 +12361,10 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" + }, + { + "dest-uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d", + "type": "similar" } ], "uuid": "ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a", @@ -10915,6 +12386,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "8bdfe255-e658-4ddd-a11c-b854762e451d", + "type": "similar" } ], "uuid": "c1e1ab6a-d5ce-4520-98c5-c6df41005fd9", @@ -10946,6 +12421,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "type": "similar" } ], "uuid": "b5532e91-d267-4819-a05d-8c5358995add", @@ -10968,7 +12447,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d6e55656-e43f-411f-a7af-45df650471c5", + "type": "similar" + } + ], "uuid": "7b4f157c-4b34-4f55-9c20-ff787495e9ba", "value": "Kinsing" }, 
@@ -10988,6 +12472,10 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" + }, + { + "dest-uuid": "b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", + "type": "similar" } ], "uuid": "673ed346-9562-4997-80b2-e701b1a99a58", @@ -11021,6 +12509,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", + "type": "similar" } ], "uuid": "5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd", @@ -11038,7 +12530,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9abdda30-08e0-4ab1-9cf0-d447654c6de9", + "type": "similar" + } + ], "uuid": "bf918663-90bd-489e-91e7-6951a18a25fd", "value": "Kobalos" }, @@ -11058,6 +12555,10 @@ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" + }, + { + "dest-uuid": "df9b350b-d4f9-4e79-a826-75cc75fbc1eb", + "type": "similar" } ], "uuid": "3e13d07d-d9e1-4456-bec3-b2375e404753", @@ -11079,6 +12580,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", + "type": "similar" } ], "uuid": "2cf1be0d-2fba-4fd0-ab2f-3695716d1735", @@ -11100,6 +12605,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", + "type": "similar" } ], "uuid": "3067f148-2e2b-4aac-9652-59823b3ad4f1", @@ -11120,7 +12629,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1", + "type": "similar" + } + ], "uuid": "d381de2a-30cb-4d50-bbce-fd1e489c4889", "value": "KONNI" }, @@ -11140,6 +12654,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", + "type": "similar" } ], "uuid": "d09c4459-1aa3-547d-99f4-7ac73b8043f0", 
@@ -11161,6 +12679,10 @@ { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" + }, + { + "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", + "type": "similar" } ], "uuid": "35ac4018-8506-4025-a9e3-bd017700b3b3", @@ -11221,11 +12743,11 @@ }, "related": [ { - "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", + "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" }, { - "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", + "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" }, { @@ -11287,6 +12809,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "type": "similar" } ], "uuid": "f5558af4-e3e2-47c2-b8fe-72850bd30f37", @@ -11404,6 +12930,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", + "type": "similar" } ], "uuid": "c9d2f023-d54b-4d08-9598-a42fb92b3161", @@ -11421,7 +12951,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5dc9e8ec-9917-4de7-b8ab-16007899dd80", + "type": "similar" + } + ], "uuid": "1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0", "value": "LIGHTWIRE" }, @@ -11435,6 +12970,7 @@ "software_attack_id": "S5034", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -11452,6 +12988,10 @@ ] }, "related": [ + { + "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -11531,6 +13071,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", + "type": "similar" } ], "uuid": "925975f8-e8ff-411f-a40e-f799968046f7", 
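Review bot: The hunk at `@@ -11221,11 +12743,11 @@` changes nothing semantically: the `used-by` relations to `325c11be-…` and `9da726e6-…` only swap positions, and the same pattern recurs elsewhere in this diff (`a0c31021-…` removed from one slot and re-added a few lines lower, `eecf7289-…`/`7a9d653c-…` swapped). That suggests each entry's `related` array is written in whatever order the upstream export returns it, so every regeneration produces reorder noise that buries the real additions and removals of relations a reviewer actually needs to check. Sorting the list deterministically in the generator before serialising, e.g. by `(type, dest-uuid)`, would keep future diffs to genuine changes and make a dropped or duplicated relation stand out. This is inferred from the reorder-only hunks; the generator itself is not part of this diff.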
@@ -11552,7 +13096,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0efefea5-78da-4022-92bc-d726139e8883", + "type": "similar" + } + ], "uuid": "d017e133-fce9-4982-a2df-6867a80089e7", "value": "Linux Rabbit" }, @@ -11575,6 +13124,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "95e2cbae-d82c-4f7b-b63c-16462015d35d", + "type": "similar" } ], "uuid": "71e4028c-9ca1-45ce-bc44-98209ae9f6bd", @@ -11596,6 +13149,10 @@ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" + }, + { + "dest-uuid": "9020f5c7-efde-4125-a4f1-1b70f1274ddd", + "type": "similar" } ], "uuid": "cc568409-71ff-468b-9c38-d0dd9020e409", @@ -11613,7 +13170,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "19256855-65e9-48f2-8b74-9f3d0a994428", + "type": "similar" + } + ], "uuid": "c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca", "value": "LITTLELAMB.WOOLTEA" }, @@ -11643,6 +13205,10 @@ { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" + }, + { + "dest-uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc", + "type": "similar" } ], "uuid": "65d46aab-b3ce-4f5b-b1fc-871db2573fa1", @@ -11705,6 +13271,10 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" + }, + { + "dest-uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", + "type": "similar" } ], "uuid": "65bc8e81-0a08-49f6-9d04-a2d63d512342", @@ -11726,6 +13296,10 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" + }, + { + "dest-uuid": "452da2d9-706c-4185-ad6f-f5edaf4b9f48", + "type": "similar" } ], "uuid": "d28c3706-df25-59e2-939f-131abaf8a1eb", @@ -11752,6 +13326,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" 
@@ -11783,6 +13361,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed", + "type": "similar" } ], "uuid": "039f34e9-f379-4a24-a53f-b28ba579854c", @@ -11807,6 +13389,10 @@ { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" + }, + { + "dest-uuid": "cb741463-f0fe-42e0-8d45-bc7e8335f5ae", + "type": "similar" } ], "uuid": "4fead65c-499d-4f44-8879-2c35b24dac68", @@ -11824,7 +13410,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c9ccc4df-1f56-49e7-ad57-b383e1451688", + "type": "similar" + } + ], "uuid": "bfd2a077-5000-4500-82c4-5c85fb98dd5a", "value": "LookBack" }, @@ -11879,7 +13470,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f99f3dcc-683f-4936-8791-075ac5e58f10", + "type": "similar" + } + ], "uuid": "f503535b-406c-4e24-8123-0e22fec995bb", "value": "LoudMiner" }, @@ -11899,6 +13495,10 @@ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" + }, + { + "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", + "type": "similar" } ], "uuid": "fce1117a-e699-4aef-b1fc-04c3967acc33", @@ -11923,6 +13523,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", + "type": "similar" } ], "uuid": "37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc", @@ -11940,7 +13544,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "54a73038-1937-4d71-a253-316e76d5413c", + "type": "similar" + } + ], "uuid": "723d9a27-74fd-4333-a8db-63df2a8b4dd4", "value": "Lucifer" }, @@ -11960,6 +13569,10 @@ { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" + }, + { + "dest-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", + "type": "similar" } ], "uuid": "0cc9e24b-d458-4782-a332-4e4fd68c057b", 
@@ -11981,6 +13594,10 @@ { "dest-uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af", "type": "used-by" + }, + { + "dest-uuid": "35cd1d01-1ede-44d2-b073-a264d727bc04", + "type": "similar" } ], "uuid": "be8a1630-9562-41ad-a621-65989f961a10", @@ -11998,7 +13615,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a", + "type": "similar" + } + ], "uuid": "7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb", "value": "MacMa" }, @@ -12014,7 +13636,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2a59a237-1530-4d55-91f9-2aebf961cc37", + "type": "similar" + } + ], "uuid": "74feb557-21bc-40fb-8ab5-45d3af84c380", "value": "macOS.OSAMiner" }, @@ -12030,7 +13657,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f72251cb-2be5-421f-a081-99c29a1209e7", + "type": "similar" + } + ], "uuid": "e5e67c67-e658-45b5-850b-044312be4258", "value": "MacSpy" }, @@ -12050,6 +13682,10 @@ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" + }, + { + "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", + "type": "similar" } ], "uuid": "7506616c-b808-54fb-9982-072a0dcf8a04", @@ -12077,6 +13713,10 @@ { "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" + }, + { + "dest-uuid": "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e", + "type": "similar" } ], "uuid": "d762974a-ca7e-45ee-bc1d-f5218bf46c84", @@ -12159,6 +13799,10 @@ { "dest-uuid": "275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb", "type": "used-by" + }, + { + "dest-uuid": "532c6004-b1e8-415b-9516-f7c14ba783b1", + "type": "similar" } ], "uuid": "40806539-1496-4a64-b740-66f6a1467f40", @@ -12214,6 +13858,10 @@ { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" + }, + { + "dest-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", + "type": "similar" } ], "uuid": "eeb700ea-2819-46f4-936d-f7592f20dedc", 
@@ -12272,6 +13920,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "d9f7383c-95ec-4080-bbce-121c9384457b", + "type": "similar" } ], "uuid": "3c206491-45c0-4ff7-9f40-45f9aae4de64", @@ -12320,6 +13972,10 @@ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" + }, + { + "dest-uuid": "975737f1-b10d-476f-8bda-3ec26ea57172", + "type": "similar" } ], "uuid": "939cbe39-5b63-4651-b0c0-85ac39cb9f0e", @@ -12341,6 +13997,10 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" + }, + { + "dest-uuid": "dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", + "type": "similar" } ], "uuid": "31cbe3c8-be88-4a4f-891d-04c3bb7ed482", 
@@ -12394,11 +14054,47 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
+ "type": "similar"
 }
 ],
 "uuid": "6c3bbcae-3217-43c7-b709-5c54bc7636b1",
 "value": "meek"
 },
+ {
+ "description": "MEGAcmd is an open-source tool that enables non-UI access (e.g., via command line interaction or scripts) to the MEGA cloud storage/file sharing service.[[GitHub meganz MEGAcmd](/references/6e4d67f5-cca1-4298-b21c-d7511aa264ae)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "macOS",
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S5328",
+ "source": "Tidal Cyber",
+ "tags": [
+ "8bf128ad-288b-41bc-904f-093f4fdde745",
+ "509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
+ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
+ "e1af18e3-3224-4e4c-9d0f-533768474508",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "f2384d09-61fa-4679-b975-6901dcd5c506",
+ "value": "MEGAcmd"
+ },
 {
 "description": "[MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10) is ransomware that first appeared in May 2019. [[IBM MegaCortex](https://app.tidalcyber.com/references/3d70d9b7-88e4-411e-a59a-bc862da965a7)] [MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10) has mainly targeted industrial organizations. [[FireEye Ransomware Disrupt Industrial Production](https://app.tidalcyber.com/references/9ffa0f35-98e4-4265-8b66-9c805a2b6525)][[FireEye Financial Actors Moving into OT](https://app.tidalcyber.com/references/4bd514b8-1f79-4946-b001-110ce5cf29a9)]",
 "meta": {
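Review bot: The new MEGAcmd entry's description links its reference as a site-relative path, `[[GitHub meganz MEGAcmd](/references/6e4d67f5-cca1-4298-b21c-d7511aa264ae)]`, while the MegaCortex description that follows in the same hunk and every other entry visible in this diff use absolute `https://app.tidalcyber.com/references/…` URLs (it also lacks the space before `[[` that the other descriptions have). Rendered anywhere but the Tidal app, for instance in the MISP UI or the galaxy documentation, that link resolves against the wrong host. Since this cluster is generated from the upstream export, the robust fix is in the generator rather than a hand edit of the JSON: rewrite description links beginning with `](/` to `](https://app.tidalcyber.com/` before the cluster is written, so the next regeneration does not reintroduce it. The `used-by` relation to `86b97a39-…` cannot be checked from this hunk; it is worth confirming that UUID exists in the corresponding groups cluster so the reference does not dangle.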
@@ -12415,7 +14111,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "909617c3-6d87-4330-8f32-bd3af38c3b92", + "type": "similar" + } + ], "uuid": "d8a4a817-2914-47b0-867c-ad8eeb7efd10", "value": "MegaCortex" }, @@ -12464,6 +14165,10 @@ "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, + { + "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", + "type": "used-by" + }, { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" @@ -12496,7 +14201,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d3105fb5-c494-4fd1-a7be-414eab9e0c96", + "type": "similar" + } + ], "uuid": "aa844e6b-feda-4928-8c6d-c59f7be88da0", "value": "Melcoz" }, @@ -12516,6 +14226,10 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" + }, + { + "dest-uuid": "9b19d6b4-cfcb-492f-8ca8-8449e7331573", + "type": "similar" } ], "uuid": "15d7e478-349d-42e6-802d-f16302b98319", @@ -12537,6 +14251,10 @@ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" + }, + { + "dest-uuid": "df350889-4de9-44e5-8cb3-888b8343e97c", + "type": "similar" } ], "uuid": "0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d", @@ -12557,7 +14275,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "type": "similar" + } + ], "uuid": "ca607087-25ad-4a91-af83-608646cccbcb", "value": "Metamorfo" }, @@ -12629,7 +14352,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d79e7a60-5de9-448e-a074-f95d2d80f8d0", + "type": "similar" + } + ], "uuid": "ee07030e-ff50-404b-ad27-ab999fc1a23a", "value": "Meteor" }, @@ -12673,6 +14401,10 @@ { "dest-uuid": "e3c5164e-49cf-5bb1-955d-6775585abb14", "type": "used-by" + }, + { + "dest-uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", + "type": "similar" } ], "uuid": "5879efc1-f122-43ec-a80d-e25aa449594d", 
@@ -12741,6 +14473,10 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c", + "type": "similar" } ], "uuid": "57545dbc-c72a-409d-a373-bc35e25160cd", @@ -12755,6 +14491,9 @@ "software_attack_id": "S0002", "source": "MITRE", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d903e38b-600d-4736-9e3b-cf1a6e436481", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", @@ -12780,27 +14519,11 @@ }, "related": [ { - "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", - "type": "used-by" - }, - { - "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", - "type": "used-by" - }, - { - "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", - "type": "used-by" - }, - { - "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { 
@@ -12831,16 +14554,44 @@ "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" }, + { + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "type": "used-by" + }, { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { - "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", + "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, + { + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "type": "used-by" + }, + { + "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", + "type": "used-by" + }, + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, + { + "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", + "type": "used-by" + }, + { + "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", + "type": "used-by" + }, + { + "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, { @@ -12996,11 +14747,11 @@ "type": "used-by" }, { - "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", + "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { - "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", + "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { @@ -13012,8 +14763,8 @@ "type": "used-by" }, { - "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", - "type": "used-by" + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "type": "similar" } ], "uuid": "b8e7c0b4-49e4-4e8d-9467-b17f305ddf16", @@ -13038,6 +14789,10 @@ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" + }, + { + "dest-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", + "type": "similar" } ], "uuid": "42350632-b59a-4cc5-995e-d95d8c608553", 
@@ -13052,7 +14807,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", + "type": "similar" + } + ], "uuid": "c0dea9db-1551-4f6c-8a19-182efc34093a", "value": "Miner-C" }, @@ -13075,6 +14835,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "type": "similar" } ], "uuid": "2bb16809-6bc3-46c3-b28a-39cb49410340", @@ -13099,6 +14863,10 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" + }, + { + "dest-uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d", + "type": "similar" } ], "uuid": "535f1b97-7a70-4d18-be4e-3a9f74ccf78a", @@ -13116,7 +14884,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", + "type": "similar" + } + ], "uuid": "4048afa2-79c8-4d38-8219-2207adddd884", "value": "Misdat" }, @@ -13139,6 +14912,10 @@ { "dest-uuid": "803f8018-6e45-5b0f-978f-1fe96b217120", "type": "used-by" + }, + { + "dest-uuid": "4e6464d2-69df-4e56-8d4c-1973f84d7b80", + "type": "similar" } ], "uuid": "758e5226-6015-5cc7-af4b-20fa35c9bac1", @@ -13156,7 +14933,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", + "type": "similar" + } + ], "uuid": "fe554d2e-f974-41d6-8e7a-701bd758355d", "value": "Mis-Type" }, @@ -13176,6 +14958,10 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" + }, + { + "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", + "type": "similar" } ], "uuid": "f603ea32-91c3-4b62-a60f-57670433b080", @@ -13216,6 +15002,10 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" + }, + { + "dest-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", + "type": "similar" } ], "uuid": "116f913c-0d5e-43d1-ba0d-3a12127af8f6", 
@@ -13240,6 +15030,10 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" + }, + { + "dest-uuid": "8a59f456-79a0-4151-9f56-9b1a67332af2", + "type": "similar" } ], "uuid": "7ca5debb-f813-4e06-98f8-d1186552e5d2", @@ -13264,6 +15058,10 @@ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" + }, + { + "dest-uuid": "6fb36c6f-bb3d-4ed6-9471-cb9933e5c154", + "type": "similar" } ], "uuid": "7f5355b3-e819-4c82-a0fa-b80fda8fd6e6", @@ -13281,7 +15079,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", + "type": "similar" + } + ], "uuid": "a699f32f-6596-4060-8fcd-42587a844b80", "value": "MoonWind" }, @@ -13312,6 +15115,10 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" + }, + { + "dest-uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", + "type": "similar" } ], "uuid": "69f202e7-4bc9-4f4f-943f-330c053ae977", @@ -13333,6 +15140,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "7e100ca4-e639-48d9-9a9d-8ad84aa7b448", + "type": "similar" } ], "uuid": "385e1eaf-9ba8-4381-981a-3c7af718a77d", @@ -13357,6 +15168,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", + "type": "similar" } ], "uuid": "c3939dad-d728-4ddb-804e-cf1e3743a55d", @@ -13774,6 +15589,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", + "type": "similar" } ], "uuid": "768111f9-0948-474b-82a6-cd5455079513", @@ -13797,7 +15616,12 @@ "tool" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d505fc8b-2e64-46eb-96d6-9ef7ffca5b66", + "type": "similar" + } + ], "uuid": "f1398367-a0af-4a89-b240-50cae4985ed9", "value": "Mythic" }, 
@@ -13820,6 +15644,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", + "type": "similar" } ], "uuid": "5cfd6135-c53b-4234-a17e-759494b2101f", @@ -13841,6 +15669,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", + "type": "similar" } ], "uuid": "0e28dfc9-8948-4c08-b7d8-9e80e19cc464", @@ -13878,6 +15710,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "type": "similar" } ], "uuid": "db05dbaa-eb3a-4303-b37e-18d67e7e85a1", @@ -13902,6 +15738,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84", + "type": "similar" } ], "uuid": "a814fd1d-8c2c-41b3-bb3a-30c4318c74c0", @@ -13926,6 +15766,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", + "type": "similar" } ], "uuid": "b410d30c-4db6-4239-950e-9b0e0521f0d2", @@ -13977,6 +15821,10 @@ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" + }, + { + "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", + "type": "similar" } ], "uuid": "950f13e6-3ae3-411e-a2b2-4ba1afe6cb76", @@ -13995,6 +15843,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", + "type": "similar" } ], "uuid": "81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e", @@ -14016,6 +15868,10 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" + }, + { + "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", + "type": "similar" } ], "uuid": "6d42e6c5-3056-4ff1-8d5d-a736807ec84c", 
@@ -14037,6 +15893,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "22b17791-45bf-45c0-9322-ff1a0af5cf2b", + "type": "similar" } ], "uuid": "38510bab-aece-4d7b-b621-7594c2c4fe14", @@ -14061,6 +15921,10 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" + }, + { + "dest-uuid": "4d7bf2ac-f953-4907-b114-be44dc174d67", + "type": "similar" } ], "uuid": "8662e29e-5766-4311-894e-5ca52515ccbe", @@ -14082,6 +15946,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", + "type": "similar" } ], "uuid": "de8b18c9-ebab-4126-96a9-282fa8829877", @@ -14115,18 +15983,6 @@ ] }, "related": [ - { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" @@ -14152,13 +16008,29 @@ "type": "used-by" }, { - "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, + { + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "type": "used-by" + }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, + { + "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, + { + "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", + "type": "used-by" + }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" @@ -14223,6 +16095,10 @@ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" 
@@ -14251,10 +16127,6 @@ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, - { - "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", - "type": "used-by" - }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" @@ -14262,6 +16134,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "type": "similar" } ], "uuid": "c9b8522f-126d-40ff-b44e-1f46098bd8cc", @@ -14283,6 +16159,10 @@ { "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "type": "used-by" + }, + { + "dest-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", + "type": "similar" } ], "uuid": "947c6212-4da8-48dd-9da9-ce4b077dd759", @@ -14307,6 +16187,10 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" + }, + { + "dest-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", + "type": "similar" } ], "uuid": "852c300d-9313-442d-9b49-9883522c3f4b", @@ -14380,6 +16264,10 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" + }, + { + "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", + "type": "similar" } ], "uuid": "803192b8-747b-4108-ae15-2d7481d39162", @@ -14403,10 +16291,6 @@ ] }, "related": [ - { - "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", - "type": "used-by" - }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" @@ -14423,6 +16307,10 @@ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, + { + "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", + "type": "used-by" + }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" @@ -14450,6 +16338,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "type": "similar" } ], "uuid": "132fb908-9f13-4bcf-aa64-74cbc72f5491", 
@@ -14509,6 +16401,10 @@ { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" + }, + { + "dest-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", + "type": "similar" } ], "uuid": "1b8f9cf9-db8f-437d-800e-5ddd090fe30d", @@ -14538,7 +16434,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "754effde-613c-4244-a83e-fb659b2a4d06", + "type": "similar" + } + ], "uuid": "5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d", "value": "Netwalker" }, @@ -14575,6 +16476,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", + "type": "similar" } ], "uuid": "c7d0e881-80a1-49ea-9c1f-b6e53cf399a8", @@ -14621,7 +16526,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "72b5f07f-5448-4e00-9ff2-08bc193a7b77", + "type": "similar" + } + ], "uuid": "48b161fe-3ae1-5551-9f26-d6f2d6b5afb9", "value": "NGLite" }, 
@@ -14700,11 +16610,42 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" + }, + { + "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", + "type": "similar" } ], "uuid": "316ecd9d-ac0b-58c7-8083-5d9214c770f6", "value": "ngrok" }, + { + "description": "NICECURL is a custom backdoor developed and used by Iranian espionage group APT42. It is usually delivered via phishing attacks and serves as a post-compromise command execution and malware ingress capability.[[Mandiant Uncharmed May 1 2024](/references/84c0313a-bea1-44a7-9396-8e12437852d1)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5333", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b", + "type": "used-by" + } + ], + "uuid": "9d3fd630-1ba8-4d14-907f-f3bdc5a13fa3", + "value": "NICECURL" + }, { "description": "[Nidiran](https://app.tidalcyber.com/software/3ae9acd7-39f8-45c6-b557-c7d9a40eed2c) is a custom backdoor developed and used by [Suckfly](https://app.tidalcyber.com/groups/06549082-ff70-43bf-985e-88c695c7113c). It has been delivered via strategic web compromise. [[Symantec Suckfly March 2016](https://app.tidalcyber.com/references/8711c175-e405-4cb0-8c86-8aaa471e5573)]", "meta": { @@ -14721,6 +16662,10 @@ { "dest-uuid": "06549082-ff70-43bf-985e-88c695c7113c", "type": "used-by" + }, + { + "dest-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", + "type": "similar" } ], "uuid": "3ae9acd7-39f8-45c6-b557-c7d9a40eed2c", @@ -14742,6 +16687,10 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" + }, + { + "dest-uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6", + "type": "similar" } ], "uuid": "b1963876-dbdc-5beb-ace3-acb6d7705543", 
@@ -14763,6 +16712,10 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" + }, + { + "dest-uuid": "023254de-caaf-4a05-b2c7-e4e2f283f7a5", + "type": "similar" } ], "uuid": "2dd26ff0-22d6-591b-9054-78e84fa3e05c", @@ -14791,6 +16744,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" @@ -14843,6 +16800,10 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" + }, + { + "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", + "type": "similar" } ], "uuid": "82996f6f-0575-45cd-8f7c-ba1b063d5b9f", @@ -14862,7 +16823,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "bd2ebee8-7c38-408a-871d-221012104222", + "type": "similar" + } + ], "uuid": "e26988e0-e755-54a4-8234-e8f961266d82", "value": "NKAbuse" }, @@ -14890,11 +16856,11 @@ }, "related": [ { - "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { @@ -14924,6 +16890,14 @@ { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" + }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, + { + "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "type": "similar" } ], "uuid": "fbb1546a-f288-4e43-9e5c-14c94423c4f6", 
@@ -14939,6 +16913,15 @@ "software_attack_id": "S5051", "source": "Tidal Cyber", "tags": [ + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", + "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "758c3085-2f79-40a8-ab95-f8a684737927", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "35e694ec-5133-46e3-b7e1-5831867c3b55", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "6ff40d11-214a-434b-b137-993e4ff5e34e", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -14988,6 +16971,10 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" + }, + { + "dest-uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a", + "type": "similar" } ], "uuid": "31aa0433-fb6b-4290-8af5-a0d0c6c18548", @@ -15017,6 +17004,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", + "type": "similar" } ], "uuid": "2538e0fe-1290-4ae1-aef9-e55d83c9eb23", @@ -15123,6 +17114,10 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" + }, + { + "dest-uuid": "5864e59f-eb4c-43ad-83b2-b5e4fae056c9", + "type": "similar" } ], "uuid": "97e8148c-e146-444c-9de5-6e2fdbda2f9f", @@ -15140,7 +17135,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "288fa242-e894-4c7e-ac86-856deedf5cea", + "type": "similar" + } + ], "uuid": "f1723994-058b-4525-8e11-2f0c80d8f3a4", "value": "OceanSalt" }, @@ -15160,6 +17160,10 @@ { "dest-uuid": "5f8c6ee0-f302-403b-b712-f1e3df064c0c", "type": "used-by" + }, + { + "dest-uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2", + "type": "similar" } ], "uuid": "8f04e609-8773-4529-b247-d32f530cc453", @@ -15232,6 +17236,10 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" + }, + { + "dest-uuid": "4b6ec280-7bbb-48ff-ae59-b189520ebe83", + "type": "similar" } ], "uuid": "f9bcf0a1-f287-44ec-8f53-6859d41e041c", 
@@ -15256,6 +17264,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", + "type": "similar" } ], "uuid": "479814e2-2656-4ea2-9e79-fcdb818f703e", @@ -15280,6 +17292,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", + "type": "similar" } ], "uuid": "073b5288-11d6-4db0-9f2c-a1816847d15c", @@ -15326,6 +17342,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", + "type": "similar" } ], "uuid": "6056bf36-fb45-498d-a285-5f98ae08b090", @@ -15350,6 +17370,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", + "type": "similar" } ], "uuid": "4f1894d4-d085-4348-af50-dfda257a9e18", @@ -15399,6 +17423,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -15442,6 +17470,10 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" + }, + { + "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", + "type": "similar" } ], "uuid": "45a52a29-00c0-458a-b705-1040e06a43f2", @@ -15463,6 +17495,10 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" + }, + { + "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", + "type": "similar" } ], "uuid": "fa1e13b8-2fb7-42e8-b630-25f0edfbca65", @@ -15487,6 +17523,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", + "type": "similar" } ], "uuid": "a45904b5-0ada-4567-be4c-947146c7f574", 
@@ -15504,7 +17544,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f1314e75-ada8-49f4-b281-b1fb8b48f2a7", + "type": "similar" + } + ], "uuid": "4d91d625-21d8-484a-b63f-0a3daa4ed434", "value": "OSX/Shlayer" }, @@ -15524,6 +17569,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d", + "type": "similar" } ], "uuid": "273b1e8d-a23d-4c22-8493-80f3d6639352", @@ -15549,6 +17598,10 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" + }, + { + "dest-uuid": "c113230f-f044-423b-af63-9b63c802f5ae", + "type": "similar" } ], "uuid": "042fe42b-f60e-45e1-b47d-a913e0677976", @@ -15566,7 +17619,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", + "type": "similar" + } + ], "uuid": "6d8a8510-e6f1-49a7-b3a5-bd4664937147", "value": "OwaAuth" }, @@ -15582,7 +17640,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", + "type": "similar" + } + ], "uuid": "916f8a7c-e487-4446-b6ee-c8da712a9569", "value": "P2P ZeuS" }, @@ -15602,6 +17665,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "7c58fff0-d206-4db1-96b1-e3a9e0e320b9", + "type": "similar" } ], "uuid": "1933ad3d-3085-4b1b-82b9-ac51b440e2bf", @@ -15624,6 +17691,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "647215dd-29a6-4528-b354-ca8b5e08fca1", + "type": "similar" } ], "uuid": "13856c51-d81c-5d75-bb6a-0bbdcc857cdd", @@ -15656,6 +17727,10 @@ { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" + }, + { + "dest-uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9", + "type": "similar" } ], "uuid": "e90eb529-1665-5fd7-a44e-695715e4081b", 
@@ -15684,6 +17759,10 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" + }, + { + "dest-uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1", + "type": "similar" } ], "uuid": "320b0784-4f0f-46ea-99e9-c34bfcca1c2e", @@ -15705,6 +17784,10 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" + }, + { + "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", + "type": "similar" } ], "uuid": "3f018e73-d09b-4c8d-815b-8b2c8faf7055", @@ -15723,6 +17806,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", + "type": "similar" } ], "uuid": "8d007d52-8898-494c-8d72-354abd93da1e", @@ -15783,6 +17870,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd", + "type": "similar" } ], "uuid": "4d79530c-2fd9-4438-a8da-74f42119695a", @@ -15809,6 +17900,10 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" + }, + { + "dest-uuid": "77ca1aa3-280c-4b67-abaa-e8fb891a8f83", + "type": "similar" } ], "uuid": "9aa21e50-726e-4002-8b7b-75697a03eb2b", @@ -15852,6 +17947,10 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" + }, + { + "dest-uuid": "e4feffc2-53d1-45c9-904e-adb9faca0d15", + "type": "similar" } ], "uuid": "873ede85-548b-5fc0-a29e-80bd5afc5bf4", @@ -15922,6 +18021,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "3a53b207-aba2-4a2b-9cdb-273d633669e7", + "type": "similar" } ], "uuid": "71eb2211-39aa-4b89-bd51-9dcabd363149", @@ -15996,6 +18099,10 @@ { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" + }, + { + "dest-uuid": "79dd477a-8226-4b3d-ad15-28623675f221", + "type": "similar" } ], "uuid": "52a19c73-2454-4893-8f84-8d05c37a9472", 
@@ -16017,6 +18124,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "d18cb958-f4ad-4fb3-bb4f-e8994d206550", + "type": "similar" } ], "uuid": "951fad62-f636-4c01-b924-bb0ce87f5b20", @@ -16038,6 +18149,10 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" + }, + { + "dest-uuid": "6c2550d5-a01a-4bbb-a004-6ead348ba623", + "type": "similar" } ], "uuid": "1f080577-c002-4b49-a342-fa70983c1d58", @@ -16141,6 +18256,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", + "type": "similar" } ], "uuid": "fd63cec1-9f72-4ed0-9926-2dbbb3d9cead", @@ -16191,6 +18310,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "type": "similar" } ], "uuid": "db5d718b-1344-4aa2-8e6a-54e68d8adfb1", @@ -16215,6 +18338,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", + "type": "similar" } ], "uuid": "ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4", @@ -16238,11 +18365,11 @@ }, "related": [ { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { @@ -16296,6 +18423,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "type": "similar" } ], "uuid": "4ea12106-c0a1-4546-bb64-a1675d9f5dc7", @@ -16358,6 +18489,10 @@ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" + }, + { + "dest-uuid": "3a0f6128-0a01-421d-8eca-e57d8671b1f1", + "type": "similar" } ], "uuid": "4360cc62-7263-48b2-bd2a-a7737563545c", 
@@ -16379,6 +18514,10 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" + }, + { + "dest-uuid": "8393dac0-0583-456a-9372-fd81691bca20", + "type": "similar" } ], "uuid": "92744f7b-9f1a-472c-bae0-2d4a7ce68bb4", @@ -16400,6 +18539,10 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" + }, + { + "dest-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", + "type": "similar" } ], "uuid": "14e65c5d-5164-41a3-92de-67fdd1d529d2", @@ -16417,7 +18560,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d79b1800-3b5d-4a4f-8863-8251eca793e2", + "type": "similar" + } + ], "uuid": "c0e56f14-9768-5547-abcb-aa3f220d0e40", "value": "PITSTOP" }, @@ -16458,6 +18606,10 @@ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" + }, + { + "dest-uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", + "type": "similar" } ], "uuid": "9445f18a-a796-447a-a35f-94a9fb72411c", @@ -16512,6 +18664,10 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" + }, + { + "dest-uuid": "b57f419e-8b12-49d3-886b-145383725dcd", + "type": "similar" } ], "uuid": "9a890a85-afbe-4c35-a3e7-1adad481bdf7", @@ -16527,6 +18683,10 @@ "software_attack_id": "S5041", "source": "Tidal Cyber", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -16546,6 +18706,10 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -16578,10 +18742,6 @@ ] }, "related": [ - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" 
@@ -16594,6 +18754,10 @@ "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", "type": "used-by" }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, { "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" @@ -16633,6 +18797,10 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "type": "similar" } ], "uuid": "070b56f4-7810-4dad-b85f-bdfce9c08c10", @@ -16654,6 +18822,10 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" + }, + { + "dest-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", + "type": "similar" } ], "uuid": "95c273d2-3081-4cb5-8d41-37eb4e90264d", @@ -16693,7 +18865,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", + "type": "similar" + } + ], "uuid": "79b4f277-3b18-4aa7-9f96-44b35b23166b", "value": "PoetRAT" }, @@ -16772,6 +18949,10 @@ { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "type": "similar" } ], "uuid": "1d87a695-7989-49ae-ac1a-b6601db565c3", @@ -16796,6 +18977,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e", + "type": "similar" } ], "uuid": "3b7179fa-7b8b-4068-b224-d8d9c642964d", @@ -16816,7 +19001,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "222ba512-32d9-49ac-aefd-50ce981ce2ce", + "type": "similar" + } + ], "uuid": "555b612e-3f0d-421d-b2a7-63eb2d1ece5f", "value": "Pony" }, 
@@ -16836,11 +19026,58 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", + "type": "similar" } ], "uuid": "1353d695-5bae-4593-988f-9bd07a6fd1bb", "value": "POORAIM" }, + { + "description": "POORTRY is a malicious kernel driver known to be used by multiple ransomware groups for defense evasion purposes, typically in conjunction with a related loader capability, STONESTOP. POORTRY abuses or falsifies certificates to evade code signing processes. Since being discovered and disclosed in 2022, POORTRY has evolved its focus from disabling security software to actually removing critical software components from victim disks.[[Sophos News August 27 2024](/references/af1dfc7b-fdc2-448f-a4bf-34f8ee7d55bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5336", + "source": "Tidal Cyber", + "tags": [ + "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "5216ac81-da4c-4b87-86ce-b90a651f1048", + "type": "used-by" + }, + { + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "type": "used-by" + }, + { + "dest-uuid": "316a49d5-5fe0-4e0b-a276-f955f4277162", + "type": "used-by" + }, + { + "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", + "type": "used-by" + }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + } + ], + "uuid": "439059e2-f756-4c38-8d87-1d3c534f2e16", + "value": "POORTRY" + }, { "description": "[PoshC2](https://app.tidalcyber.com/software/a3a03835-79bf-4558-8e80-7983aeb842fb) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. 
The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Although [PoshC2](https://app.tidalcyber.com/software/a3a03835-79bf-4558-8e80-7983aeb842fb) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[[GitHub PoshC2](https://app.tidalcyber.com/references/45e79c0e-a2f6-4b56-b621-4142756bd1b1)]", "meta": { @@ -16866,6 +19103,10 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", + "type": "similar" } ], "uuid": "a3a03835-79bf-4558-8e80-7983aeb842fb", @@ -16890,6 +19131,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", + "type": "similar" } ], "uuid": "b92f28c4-cbc8-4721-ac79-2d8bdf5247e5", @@ -16914,6 +19159,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", + "type": "similar" } ], "uuid": "d9e4f4a1-dd41-424e-986a-b9a39ebea805", @@ -16935,6 +19184,10 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" + }, + { + "dest-uuid": "35ee9bf3-264b-4411-8a8f-b58cec8f35e4", + "type": "similar" } ], "uuid": "8b9159c1-db48-472b-9897-34325da5dca7", @@ -16949,7 +19202,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", + "type": "similar" + } + ], "uuid": "018ee1d9-35af-49dc-a667-11b77cd76f46", "value": "Power Loader" }, @@ -16993,6 +19251,10 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" + }, + { + "dest-uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15", + "type": "similar" } ], "uuid": "e7cdaf70-5e28-442a-b34d-894484788dc5", 
@@ -17014,6 +19276,10 @@ { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" + }, + { + "dest-uuid": "53486bc7-7748-4716-8190-e4f1fde04c53", + "type": "similar" } ], "uuid": "2ca245de-77a9-4857-ba93-fd0d6988df9d", @@ -17038,6 +19304,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", + "type": "similar" } ], "uuid": "a4700431-6578-489f-9782-52e394277296", @@ -17061,6 +19331,14 @@ ] }, "related": [ + { + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "type": "used-by" + }, + { + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "type": "used-by" + }, { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" @@ -17077,14 +19355,6 @@ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, - { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", - "type": "used-by" - }, - { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", - "type": "used-by" - }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -17104,6 +19374,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "type": "similar" } ], "uuid": "82fad10d-c921-4a87-a533-49def83d002b", @@ -17128,6 +19402,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", + "type": "similar" } ], "uuid": "837bcf97-37a7-4001-a466-306574fd7890", @@ -17152,6 +19430,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", + "type": "similar" } ], "uuid": "39fc59c6-f1aa-4c93-8e43-1f41563e9d9e", 
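Review bot: The pair of hunks `@@ -17061,6 +19331,14 @@` and `@@ -17077,14 +19355,6 @@` do not change the set of `used-by` relations at all — `646e35d2-75de-4c1d-8ad3-616d3e155c5e` and `eadd78e3-3b5d-430a-b994-4360b172c871` are removed from the tail of the list and re-inserted at its head — so the diff records pure ordering churn. The same happens at `@@ -17652`/`@@ -17683` (four entries deleted and re-added further down to make room for one new one), at `@@ -18321`/`@@ -18329` and at `@@ -19609`. Relationship order is presumably not meaningful to consumers, so having the generator sort each `related` array by `dest-uuid` (and `tags` likewise) before writing would confine future diffs to real additions and removals and make this file far easier to review.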
@@ -17173,6 +19455,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", + "type": "similar" } ], "uuid": "b3c28750-3825-4e4d-ab92-f39a6b0827dd", @@ -17279,6 +19565,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "c19d19ae-dd58-4584-8469-966bbeaa80e3", + "type": "similar" } ], "uuid": "7ed984bb-d098-4d0a-90fd-b03e68842479", @@ -17303,6 +19593,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", + "type": "similar" } ], "uuid": "67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4", @@ -17350,6 +19644,10 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" + }, + { + "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be", + "type": "similar" } ], "uuid": "4fb5b109-5a5c-5441-a0f9-f639ead5405e", @@ -17370,7 +19668,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", + "type": "similar" + } + ], "uuid": "1da989a8-41cc-4e89-a435-a88acb72ae0d", "value": "Prikormka" }, @@ -17428,6 +19731,10 @@ "software_attack_id": "S5036", "source": "Tidal Cyber", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "c3eaf8a7-06e5-4e3a-9615-36316d9e10a8", "af5e9be5-b86e-47af-91dd-966a5e34a186", @@ -17445,6 +19752,10 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -17518,7 +19829,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "471d0e9f-2c8a-4e4b-8f3b-f85d2407806e", + "type": "similar" + } + ], "uuid": "c8af096e-c71e-4751-b203-70c285b7a7bd", "value": "ProLock" }, 
@@ -17556,7 +19872,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", + "type": "similar" + } + ], "uuid": "d3bcdbc4-5998-4e50-bd45-cba6a3278427", "value": "Proton" }, @@ -17598,6 +19919,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "069af411-9b24-4e85-b26c-623d035bbe84", + "type": "similar" } ], "uuid": "94f43629-243e-49dc-8c2b-cdf4fc15cf83", @@ -17615,7 +19940,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "13183cdf-280b-46be-913a-5c6df47831e7", + "type": "similar" + } + ], "uuid": "8cd401ac-a233-4395-a8ae-d75db9d5b845", "value": "PS1" }, @@ -17652,19 +19982,7 @@ }, "related": [ { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", - "type": "used-by" - }, - { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", - "type": "used-by" - }, - { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { @@ -17683,6 +20001,22 @@ "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", "type": "used-by" }, + { + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "type": "used-by" + }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, + { + "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", + "type": "used-by" + }, + { + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", + "type": "used-by" + }, { "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "type": "used-by" @@ -17771,6 +20105,10 @@ "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" 
@@ -17822,6 +20160,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "type": "similar" } ], "uuid": "73eb32af-4bd3-4e21-8048-355edc55a9c6", @@ -17865,6 +20207,10 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" + }, + { + "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", + "type": "similar" } ], "uuid": "8c35d349-2f70-4edb-8668-e1cc2b67e4a0", @@ -17889,6 +20235,10 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" + }, + { + "dest-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", + "type": "similar" } ], "uuid": "7fed4276-807e-4656-95f5-90878b6e2dbb", @@ -17938,6 +20288,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40", + "type": "similar" } ], "uuid": "d777204c-f93c-54d9-b80e-41641a3d55ce", @@ -17990,6 +20344,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", + "type": "similar" } ], "uuid": "d8999d60-3818-4d75-8756-8a55531254d8", @@ -18014,6 +20372,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", + "type": "similar" } ], "uuid": "1638d99b-fbcf-40ec-ac48-802ce5be520a", @@ -18042,6 +20404,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", + "type": "similar" } ], "uuid": "0a8bedc2-b404-4a9a-b4f5-ff90ff8294be", 
@@ -18079,6 +20445,11 @@ "software_attack_id": "S5065", "source": "Tidal Cyber", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee" @@ -18088,6 +20459,10 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" @@ -18139,6 +20514,10 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" + }, + { + "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", + "type": "similar" } ], "uuid": "77f629db-d971-49d8-8b73-c7c779b7de3e", @@ -18163,6 +20542,10 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" + }, + { + "dest-uuid": "2ac41e8b-4865-4ced-839d-78e7852c47f3", + "type": "similar" } ], "uuid": "51b2c56e-7d64-4e15-b1bd-45a980c9c44d", @@ -18185,7 +20568,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a19c1197-9414-46e3-986f-0f609ff4a46b", + "type": "similar" + } + ], "uuid": "e0d5ecce-eca0-4f01-afcc-0c8e92323016", "value": "Pysa" }, @@ -18225,6 +20613,10 @@ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" + }, + { + "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", + "type": "similar" } ], "uuid": "9050b418-5ffd-481a-a30d-f9059b0871ea", @@ -18252,7 +20644,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + } + ], "uuid": "3b78dda9-d273-4ffc-9a9f-75e80178c7b2", "value": "Qilin Ransomware" }, 
@@ -18300,6 +20697,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", + "type": "similar" } ], "uuid": "2bf68242-1dbd-405b-ac35-330eda887081", @@ -18321,6 +20722,10 @@ ] }, "related": [ + { + "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", + "type": "used-by" + }, { "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", "type": "used-by" @@ -18329,10 +20734,6 @@ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, - { - "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", - "type": "used-by" - }, { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" @@ -18340,6 +20741,10 @@ { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "type": "similar" } ], "uuid": "4bab7c2b-5ec4-467e-8df4-f2e6996e136b", @@ -18390,7 +20795,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "93289ecf-4d15-4d6b-a9c3-4ab27e145ef4", + "type": "similar" + } + ], "uuid": "52d3515c-5184-5257-bf24-56adccb4cccd", "value": "QUIETCANARY" }, @@ -18413,6 +20823,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200", + "type": "similar" } ], "uuid": "947ab087-7550-577f-9ae9-5e82e9910610", @@ -18437,6 +20851,10 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" + }, + { + "dest-uuid": "03eb4a05-6a02-43f6-afb7-3c7835501828", + "type": "similar" } ], "uuid": "dcdb74c5-4445-49bd-9f9c-236a7ecc7904", @@ -18573,6 +20991,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb", + "type": "similar" } ], "uuid": "d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f", 
@@ -18597,6 +21019,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19", + "type": "similar" } ], "uuid": "80295aeb-59e3-4c5d-ac39-9879158f8d23", @@ -18618,6 +21044,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "29231689-5837-4a7a-aafc-1b65b3f50cc7", + "type": "similar" } ], "uuid": "42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e", @@ -18635,7 +21065,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", + "type": "similar" + } + ], "uuid": "dc307b3c-9bc5-4624-b0bc-4807fa1fc57b", "value": "Ramsay" }, @@ -18660,7 +21095,20 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + }, + { + "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "type": "used-by" + }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + } + ], "uuid": "a3044fb5-3aae-4590-b589-cc88bf0d1f34", "value": "RansomHub (Payload)" }, @@ -18681,6 +21129,10 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" + }, + { + "dest-uuid": "880f7b3e-ad27-4158-8b03-d44c9357950b", + "type": "similar" } ], "uuid": "129abb68-7992-554e-92fa-fa376279c0b6", @@ -18705,6 +21157,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "8c553311-0baa-4146-997a-f79acef3d831", + "type": "similar" } ], "uuid": "a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2", @@ -18774,6 +21230,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", + "type": "similar" } ], "uuid": "40466d7d-a107-46aa-a6fc-180e0eef2c6b", 
@@ -18795,6 +21255,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", + "type": "similar" } ], "uuid": "d86a562d-d235-4481-9a3f-273fa3ebe89a", @@ -18816,6 +21280,10 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" + }, + { + "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", + "type": "similar" } ], "uuid": "6ea1bf95-fed8-4b94-8071-aa19a3af5e34", @@ -18855,6 +21323,10 @@ ] }, "related": [ + { + "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -18867,6 +21339,10 @@ "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, + { + "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", + "type": "used-by" + }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" @@ -18887,6 +21363,10 @@ "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" + }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" @@ -18894,6 +21374,10 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" + }, + { + "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79", + "type": "similar" } ], "uuid": "1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4", @@ -18922,6 +21406,10 @@ { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" + }, + { + "dest-uuid": "03acae53-9b98-46f6-b204-16b930839055", + "type": "similar" } ], "uuid": "38c4d208-fe38-4965-871c-709fa1479ba3", @@ -18967,6 +21455,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "type": "similar" } ], "uuid": "567da30e-fd4d-4ec5-a308-bf08788f3bfb", 
@@ -18991,6 +21483,10 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" + }, + { + "dest-uuid": "065196de-d7e8-4888-acfb-b2134022ba1b", + "type": "similar" } ], "uuid": "ca4e973c-da15-46a9-8f3a-0b1560c9a783", @@ -19060,7 +21556,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", + "type": "similar" + } + ], "uuid": "ca544771-d43e-4747-80e5-cf0f4a4836f3", "value": "Reaver" }, @@ -19080,6 +21581,10 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" + }, + { + "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", + "type": "similar" } ], "uuid": "5264c3ab-14e1-4ae1-854e-889ebde029b4", @@ -19149,6 +21654,10 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "type": "similar" } ], "uuid": "d796615c-fa3d-4afd-817a-1a3db8c73532", @@ -19195,6 +21704,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "47124daf-44be-4530-9c63-038bc64318dd", + "type": "similar" } ], "uuid": "52dc08d8-82cc-46dc-91ae-383193d72963", @@ -19234,7 +21747,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", + "type": "similar" + } + ], "uuid": "e88bf527-bb9c-45c3-b86b-04a07dcd91fd", "value": "Regin" }, @@ -19391,6 +21909,10 @@ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" + }, + { + "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", + "type": "similar" } ], "uuid": "2eb92fa8-514e-4018-adc4-c9fe4f082567", @@ -19412,6 +21934,10 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" + }, + { + "dest-uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", + "type": "similar" } ], "uuid": "82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb", 
@@ -19455,6 +21981,10 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" + }, + { + "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", + "type": "similar" } ], "uuid": "57fa64ea-975a-470a-a194-3428148ae9ee", @@ -19476,6 +22006,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b", + "type": "similar" } ], "uuid": "8a7fa0df-c688-46be-94bf-462fae33b788", @@ -19497,6 +22031,10 @@ { "dest-uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1", "type": "used-by" + }, + { + "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", + "type": "similar" } ], "uuid": "e3729cff-f25e-4c01-a7a1-e8b83e903b30", @@ -19549,6 +22087,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", + "type": "similar" } ], "uuid": "2a5ea3a7-9873-4a2e-b4b5-4e27a80db305", @@ -19574,6 +22116,10 @@ { "dest-uuid": "830079fe-9824-405b-93e0-c28592155c49", "type": "used-by" + }, + { + "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", + "type": "similar" } ], "uuid": "f99712b4-37a2-437c-92d7-fb4f94a1f892", @@ -19609,16 +22155,20 @@ }, "related": [ { - "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", + "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", "type": "used-by" }, { - "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", + "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" + }, + { + "dest-uuid": "ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "type": "similar" } ], "uuid": "9314531e-bf46-4cba-9c19-198279ccf9cd", @@ -19643,6 +22193,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", + "type": "similar" } ], "uuid": "d5649d69-52d4-4198-9683-b250348dea32", 
@@ -19693,6 +22247,10 @@ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" + }, + { + "dest-uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65", + "type": "similar" } ], "uuid": "ca5ae7c8-467a-4434-82fc-db50ce3fc671", @@ -19714,6 +22272,10 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" + }, + { + "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", + "type": "similar" } ], "uuid": "00fa4cc2-6f99-4b18-b927-689964ef57e1", @@ -19731,7 +22293,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "56e6b6c2-e573-4969-8bab-783205cebbbf", + "type": "similar" + } + ], "uuid": "19b1f1c8-5ef3-4328-b605-38e0bafc084d", "value": "Rising Sun" }, @@ -19751,6 +22318,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d", + "type": "similar" } ], "uuid": "15bc8e94-64d1-4f1f-bc99-08cfbac417dc", @@ -19773,7 +22344,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0a607c53-df52-45da-a75d-0e53df4dad5f", + "type": "similar" + } + ], "uuid": "b65956ef-439a-463d-b85e-6606467f508a", "value": "RobbinHood" }, @@ -19793,6 +22369,10 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" + }, + { + "dest-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", + "type": "similar" } ], "uuid": "cb7aa34e-312f-4210-be7b-47a1e3f5b7b5", @@ -19814,6 +22394,10 @@ { "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "type": "used-by" + }, + { + "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", + "type": "similar" } ], "uuid": "852cf78d-9cdc-4971-a972-405921027436", @@ -19838,6 +22422,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", + "type": "similar" } ], "uuid": "a3479628-af0b-4088-8d2a-fafa384731dd", 
@@ -19886,6 +22474,10 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" + }, + { + "dest-uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde", + "type": "similar" } ], "uuid": "169bfcf6-544c-5824-a7cd-2d5070304b57", @@ -19908,6 +22500,10 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" + }, + { + "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", + "type": "similar" } ], "uuid": "3b755518-9085-474e-8bc4-4f9344d9c8af", @@ -19925,7 +22521,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", + "type": "similar" + } + ], "uuid": "ef38ff3e-fa36-46f2-a720-3abaca167b04", "value": "Rover" }, @@ -19938,6 +22539,8 @@ "software_attack_id": "S1073", "source": "MITRE", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "a2e000da-8181-4327-bacd-32013dbd3654", "5e7433ad-a894-4489-93bc-41e90da90019", "15787198-6c8b-4f79-bf50-258d55072fee", "7e7b0c67-bb85-4996-a289-da0e792d7172" @@ -19954,6 +22557,10 @@ { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" + }, + { + "dest-uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21", + "type": "similar" } ], "uuid": "221e24cb-910f-5988-9473-578ef350870c", @@ -20021,6 +22628,10 @@ { "dest-uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd", "type": "used-by" + }, + { + "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", + "type": "similar" } ], "uuid": "1836485e-a3a6-4fae-a15d-d0990788811a", @@ -20044,6 +22655,10 @@ ] }, "related": [ + { + "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", + "type": "used-by" + }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -20055,6 +22670,10 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" + }, + { + "dest-uuid": "e33267fe-099f-4af2-8730-63d49f8813b2", + "type": "similar" } ], "uuid": "2e54f40c-ab62-535e-bbab-3f3a835ff55a", 
@@ -20077,6 +22696,10 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" + }, + { + "dest-uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", + "type": "similar" } ], "uuid": "69563cbd-7dc1-4396-b576-d5886df11046", @@ -20216,7 +22839,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58", + "type": "similar" + } + ], "uuid": "e8afda1f-fa83-4fc3-b6fb-7d5daca7173f", "value": "RunningRAT" }, @@ -20298,6 +22926,10 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" + }, + { + "dest-uuid": "a020a61c-423f-4195-8c46-ba1d21abba37", + "type": "similar" } ], "uuid": "8ae86854-4cdc-49eb-895a-d1fa742f7974", @@ -20322,6 +22954,10 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" + }, + { + "dest-uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b", + "type": "similar" } ], "uuid": "d66e5d18-e9f5-4091-bdf4-acdac129e2e0", @@ -20346,6 +22982,10 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" + }, + { + "dest-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", + "type": "similar" } ], "uuid": "a316c704-144a-4d14-8e4e-685bb6ae391c", @@ -20367,7 +23007,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", + "type": "similar" + } + ], "uuid": "88831e9f-453e-466f-9510-9acaa1f20368", "value": "SamSam" }, @@ -20387,6 +23032,10 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" + }, + { + "dest-uuid": "ae91fb8f-5031-4f57-9839-e3be3ed503f0", + "type": "similar" } ], "uuid": "bd75c822-7be6-5e6f-bd2e-0512be6d38d9", @@ -20408,6 +23057,10 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" + }, + { + "dest-uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", + "type": "similar" } ], "uuid": "9ab0d523-3496-5e64-9ca1-bb756f5e64e0", 
@@ -20498,6 +23151,10 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" + }, + { + "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", + "type": "similar" } ], "uuid": "2aacbf3a-a359-41d2-9a71-76447f0545b5", @@ -20564,6 +23221,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c", + "type": "similar" } ], "uuid": "046bbd0c-bff5-46fc-9028-cbe46a9f8ec5", @@ -20600,6 +23261,10 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" + }, + { + "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", + "type": "similar" } ], "uuid": "3d4be65d-231b-44bb-8d12-5038a3d48bae", @@ -20624,6 +23289,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", + "type": "similar" } ], "uuid": "ae30d58e-21c5-41a4-9ebb-081dc1f26863", @@ -20645,6 +23314,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", + "type": "similar" } ], "uuid": "3527b09b-f3f6-4716-9f90-64ea7d3b9d8a", @@ -20669,6 +23342,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", + "type": "similar" } ], "uuid": "42c8504c-8a18-46d2-a145-35b0cd8ba669", 
@@ -20748,6 +23425,40 @@ "uuid": "a1fef846-cb22-4885-aa14-cb67ab38fce4", "value": "secretsdump" }, + { + "description": "According to its GitHub project page, Secure Socket Funneling (SSF) is a \"network tool and toolkit\" that \"provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer\".[[GitHub securesocketfunneling ssf](/references/077ab224-9406-4be7-8467-2a6da8dc786d)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "macOS", + "Network", + "Linux", + "Windows" + ], + "software_attack_id": "S5329", + "source": "Tidal Cyber", + "tags": [ + "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "758c3085-2f79-40a8-ab95-f8a684737927", + "1dc8fd1e-0737-405a-98a1-111dd557f1b5", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" + ], + "type": [ + "tool" + ] + }, + "related": [], + "uuid": "80b9180e-bae5-44a7-8016-8c1463bbd054", + "value": "Secure Socket Funneling" + }, { "description": "[ServHelper](https://app.tidalcyber.com/software/704ed49d-103c-4b33-b85c-73670cc1d719) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[[Proofpoint TA505 Jan 2019](https://app.tidalcyber.com/references/b744f739-8810-4fb9-96e3-6488f9ed6305)]", "meta": { @@ -20767,6 +23478,10 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" + }, + { + "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213", + "type": "similar" } ], "uuid": "704ed49d-103c-4b33-b85c-73670cc1d719", 
@@ -20788,7 +23503,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f931a0b9-0361-4b1b-bacf-955062c35746", + "type": "similar" + } + ], "uuid": "fb47c051-d22b-4a05-94a7-cf979419b60a", "value": "Seth-Locker" }, @@ -20893,6 +23613,10 @@ { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" + }, + { + "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", + "type": "similar" } ], "uuid": "5190f50d-7e54-410a-9961-79ab751ddbab", @@ -20913,7 +23637,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", + "type": "similar" + } + ], "uuid": "840db1db-e262-4d6f-b6e3-2a64696a41c5", "value": "Shamoon" }, @@ -20936,6 +23665,10 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" + }, + { + "dest-uuid": "99854cc8-f202-4e03-aa0a-4f8a4af93229", + "type": "similar" } ], "uuid": "278da5e8-4d4c-4c45-ad72-8f078872fb4a", 
@@ -20982,11 +23715,44 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" + }, + { + "dest-uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3", + "type": "similar" } ], "uuid": "4ed1e83b-a208-5518-bed2-d07c1b289da2", "value": "SharpDisco" }, + { + "description": "According to its GitHub project page, SharpExfiltrate is a \"modular C# framework to exfiltrate loot over secure and trusted channels\".[[GitHub Flangvik SharpExfiltrate](/references/7f0c0c86-c042-4a69-982a-c8c70ec1199c)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5327", + "source": "Tidal Cyber", + "tags": [ + "8bf128ad-288b-41bc-904f-093f4fdde745", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "e1af18e3-3224-4e4c-9d0f-533768474508", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", + "type": "used-by" + } + ], + "uuid": "20e472dd-dc65-40e4-b655-c8b4fae7714a", + "value": "SharpExfiltrate" + }, { "description": "SharpHound is an open-source software utility incorporated into the BloodHound Active Directory (AD) reconnaissance tool.[[GitHub SharpHound](/references/e1c405b4-b591-4469-848c-7a7dd69151c0)] Adversaries have used SharpHound for AD enumeration.[[U.S. CISA Phobos February 29 2024](/references/bd6f9bd3-22ec-42fc-9d85-fdc14dcfa55a)]", "meta": { @@ -21079,6 +23845,10 @@ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" + }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" } ], "uuid": "a202b37f-5c61-410b-bb14-a3e6b2b82833", @@ -21100,6 +23870,10 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" + }, + { + "dest-uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", + "type": "similar" } ], "uuid": "564643fd-7113-490e-9f6a-f0cc3f0e1a4c", 
@@ -21124,6 +23898,10 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" + }, + { + "dest-uuid": "73c4711b-407a-449d-b269-e3b1531fe7a9", + "type": "similar" } ], "uuid": "f655306f-f7b4-4eec-9bd6-ac75142fcb43", @@ -21210,6 +23988,10 @@ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" + }, + { + "dest-uuid": "5763217a-05b6-4edd-9bca-057e47b5e403", + "type": "similar" } ], "uuid": "a3287231-351f-472f-96cc-24db2e3829c7", @@ -21231,6 +24013,10 @@ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" + }, + { + "dest-uuid": "115f88dd-0618-4389-83cb-98d33ae81848", + "type": "similar" } ], "uuid": "77d9c948-93e3-4e12-9764-4da7570d9275", @@ -21249,6 +24035,10 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" + }, + { + "dest-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", + "type": "similar" } ], "uuid": "3db0b464-ec5d-4cdd-86c2-62eac9c8acd6", @@ -21270,6 +24060,10 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" + }, + { + "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", + "type": "similar" } ], "uuid": "49351818-579e-4298-9137-03b3dc699e22", @@ -21288,6 +24082,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", + "type": "similar" } ], "uuid": "5b2d82a6-ed96-485d-bca9-2320590de890", @@ -21312,6 +24110,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c", + "type": "similar" } ], "uuid": "ea0a1282-f2bf-4ae0-a19c-d7e379c2309b", @@ -21336,6 +24138,10 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" + }, + { + "dest-uuid": "df4cd566-ff2f-4d08-976d-8c86e95782de", + "type": "similar" } ], "uuid": "61227a76-d315-4339-803a-e024f96e089e", 
@@ -21353,7 +24159,12 @@
 "tool"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "1244e058-fa10-48cb-b484-0bcf671107ae",
+ "type": "similar"
+ }
+ ],
 "uuid": "4765999f-c35e-4a9f-8284-9f10a17e6c34",
 "value": "SILENTTRINITY"
 },
@@ -21373,7 +24184,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "4fbd565b-bf55-4ac7-80b4-b183a7b64b9c",
+ "type": "similar"
+ }
+ ],
 "uuid": "8ea75674-cc08-40cf-824c-40eb5cd6097e",
 "value": "Siloscape"
 },
@@ -21393,6 +24209,10 @@
 {
 "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49",
+ "type": "similar"
 }
 ],
 "uuid": "206453a4-a298-4cab-9fdf-f136a4e0c761",
@@ -21410,7 +24230,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "4b68b5ea-2e1b-4225-845b-8632f702b9a0",
+ "type": "similar"
+ }
+ ],
 "uuid": "cc91d3d4-bbf5-4a9c-b43a-2ba034db4858",
 "value": "Skidmap"
 },
@@ -21431,6 +24256,10 @@
 {
 "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "d1008b78-960c-4b36-bdc4-39a734e1e4e3",
+ "type": "similar"
 }
 ],
 "uuid": "c8fed4fc-5721-5db2-b107-b2a9b677244e",
@@ -21461,6 +24290,10 @@
 {
 "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be",
+ "type": "similar"
 }
 ],
 "uuid": "bbd16b7b-7e35-4a11-86ff-9b19e17bdab3",
@@ -21478,7 +24311,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "feb2d7bb-aacb-48df-ad04-ccf41a30cd90",
+ "type": "similar"
+ }
+ ],
 "uuid": "563c6534-497e-4d65-828c-420d5bb2041a",
 "value": "SLOTHFULMEDIA"
 },
@@ -21498,6 +24336,10 @@
 {
 "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16",
+ "type": "similar"
 }
 ],
 "uuid": "7c047a54-93cf-4dfc-ab20-d905791aebb2",
@@ -21519,6 +24361,10 @@
 {
 "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4",
+ "type": "similar"
 }
 ],
 "uuid": "37e264a6-5ad3-5a79-bf2c-db725622206e",
@@ -21543,6 +24389,10 @@
 {
 "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5",
+ "type": "similar"
 }
 ],
 "uuid": "c58028b9-2e79-4bc9-9b04-d24ea4dd4948",
@@ -21563,7 +24413,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "7e0f8b0f-716e-494d-827e-310bd6ed709e",
+ "type": "similar"
+ }
+ ],
 "uuid": "9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3",
 "value": "SMOKEDHAM"
 },
@@ -21593,6 +24448,10 @@
 {
 "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0",
+ "type": "similar"
 }
 ],
 "uuid": "2244253f-a4ad-4ea9-a4bf-fa2f4d895853",
@@ -21614,6 +24473,10 @@
 {
 "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4327aff5-f194-440c-b499-4d9730cc1eab",
+ "type": "similar"
 }
 ],
 "uuid": "f587dc27-92be-5894-a4a8-d6c8bbcf8ede",
@@ -21635,6 +24498,10 @@
 {
 "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870",
+ "type": "similar"
 }
 ],
 "uuid": "d6c24f7c-fe79-4094-8f3c-68c4446ae4c7",
@@ -21659,6 +24526,10 @@
 {
 "dest-uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c",
+ "type": "similar"
 }
 ],
 "uuid": "ab84f259-9b9a-51d8-a68a-2bcd7512d760",
@@ -21676,7 +24547,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94",
+ "type": "similar"
+ }
+ ],
 "uuid": "c1906bb6-0b5b-4916-8b29-37f7e272f6b3",
 "value": "Socksbot"
 },
@@ -21699,6 +24575,10 @@
 {
 "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "94d6d788-07bb-4dcc-b62f-e02626b00108",
+ "type": "similar"
 }
 ],
 "uuid": "6ecd970c-427b-4421-a831-69f46047d22a",
@@ -21790,6 +24670,10 @@
 "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38",
 "type": "used-by"
@@ -21813,7 +24697,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "425771c5-48b4-4ecd-9f95-74ed3fc9da59",
+ "type": "similar"
+ }
+ ],
 "uuid": "0ec24158-d5d7-4d2e-b5a5-bc862328a317",
 "value": "SombRAT"
 },
@@ -21836,6 +24725,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0",
+ "type": "similar"
 }
 ],
 "uuid": "3e959586-14ff-407b-a0d0-4e9580546f3f",
@@ -21857,6 +24750,10 @@
 {
 "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
+ "type": "similar"
 }
 ],
 "uuid": "069538a5-3cb8-4eb4-9fbb-83867bb4d826",
@@ -21878,6 +24775,10 @@
 {
 "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8b880b41-5139-4807-baa9-309690218719",
+ "type": "similar"
 }
 ],
 "uuid": "0f8d0a73-9cd3-475a-b31b-d457278c921a",
@@ -21902,6 +24803,10 @@
 {
 "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "03ea629c-517a-41e3-94f8-c7e5368cf8f4",
+ "type": "similar"
 }
 ],
 "uuid": "93f8c180-6794-4e9c-b716-6b31f42eb72d",
@@ -21920,7 +24825,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d",
+ "type": "similar"
+ }
+ ],
 "uuid": "b9b67878-4eb1-4a0b-9b36-a798881ed566",
 "value": "SpeakUp"
 },
@@ -21997,6 +24907,10 @@
 {
 "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "599cd7b5-37b5-4cdd-8174-2811531ce9d0",
+ "type": "similar"
 }
 ],
 "uuid": "2be9e22d-0af8-46f5-b30e-b3712ccf716d",
@@ -22053,6 +24967,10 @@
 "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38",
 "type": "used-by"
@@ -22108,6 +25026,10 @@
 {
 "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4",
+ "type": "similar"
 }
 ],
 "uuid": "0fdabff3-d996-493c-af67-f3ac02e4b00b",
@@ -22152,6 +25074,10 @@
 {
 "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
+ "type": "similar"
 }
 ],
 "uuid": "96c224a6-6ca4-4ac1-9990-d863ec5a317a",
@@ -22195,6 +25121,10 @@
 {
 "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06",
+ "type": "similar"
 }
 ],
 "uuid": "612f780a-239a-4bd0-a29f-63beadf3ed22",
@@ -22258,7 +25188,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "3c18ad16-9eaf-4649-984e-68551bff0d47",
+ "type": "similar"
+ }
+ ],
 "uuid": "46943a69-0b19-4d3a-b2a3-1302e85239a3",
 "value": "Squirrelwaffle"
 },
@@ -22302,6 +25237,10 @@
 {
 "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
+ "type": "similar"
 }
 ],
 "uuid": "3334a124-3e74-4a90-8ed1-55eea3274b19",
@@ -22323,6 +25262,10 @@
 {
 "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4",
+ "type": "similar"
 }
 ],
 "uuid": "fc18e220-2200-4d70-a426-0700ba14c4c0",
@@ -22347,6 +25290,10 @@
 {
 "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "e355fc84-6f3c-4888-8e0a-d7fa9c378532",
+ "type": "similar"
 }
 ],
 "uuid": "764c6121-2d15-4a10-ac53-b1c431dc8b47",
@@ -22364,7 +25311,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "ca0fead6-5277-427a-825b-42ff1fbe476e",
+ "type": "similar"
+ }
+ ],
 "uuid": "ea561f0b-b891-5735-aa99-97cc8818fbef",
 "value": "STEADYPULSE"
 },
@@ -22436,11 +25388,37 @@
 {
 "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887",
+ "type": "similar"
 }
 ],
 "uuid": "9eee52a2-5ac1-4561-826c-23ec7fbc7876",
 "value": "StoneDrill"
 },
+ {
+ "description": "STONESTOP refers to the loader capability associated with the malicious kernel driver POORTRY, which has been used by multiple ransomware groups since 2022.[[Sophos News August 27 2024](/references/af1dfc7b-fdc2-448f-a4bf-34f8ee7d55bc)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S5337",
+ "source": "Tidal Cyber",
+ "tags": [
+ "84615fe0-c2a5-4e07-8957-78ebc29b4635",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "9bfeb8a3-5a5e-4e66-acfd-0b84d74e0e0d",
+ "value": "STONESTOP"
+ },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Storage diagnostic tool\n\n**Author:** Eral4m\n\n**Paths:**\n* c:\\windows\\system32\\stordiag.exe\n* c:\\windows\\syswow64\\stordiag.exe\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1451112385041911809](https://twitter.com/eral4m/status/1451112385041911809)\n\n**Detection:**\n* Sigma: [proc_creation_win_stordiag_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml)\n* IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\\windows\\system32\\ or c:\\windows\\syswow64\\[[Stordiag.exe - LOLBAS Project](/references/5e52a211-7ef6-42bd-93a1-5902f5e1c2ea)]",
"meta": { @@ -22479,6 +25457,10 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" + }, + { + "dest-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", + "type": "similar" } ], "uuid": "502b490c-2067-40a4-8f73-7245d7910851", @@ -22503,6 +25485,10 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" + }, + { + "dest-uuid": "fb78294a-7d7a-4d38-8ad0-92e67fddc9f0", + "type": "similar" } ], "uuid": "dd8bb0a3-6cb1-412d-adeb-cbaae98462a9", @@ -22524,6 +25510,10 @@ { "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "type": "used-by" + }, + { + "dest-uuid": "20945359-3b39-4542-85ef-08ecb4e1c174", + "type": "similar" } ], "uuid": "ed563524-235e-4e06-8c69-3f9d8ddbfd8a", @@ -22545,7 +25535,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "088f1d6e-0783-47c6-9923-9c79b2af43d4", + "type": "similar" + } + ], "uuid": "3fdf3833-fca9-4414-8d2e-779dabc4ee31", "value": "Stuxnet" }, @@ -22561,7 +25556,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", + "type": "similar" + } + ], "uuid": "b19b6c38-d38b-46f2-a535-d0bfc5790368", "value": "S-Type" }, @@ -22577,7 +25577,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9c10cede-c0bb-4c5c-91c0-8baec30abaf6", + "type": "similar" + } + ], "uuid": "6ff7bf2e-286c-4b1b-92a0-1e5322870c59", "value": "SUGARDUMP" }, @@ -22593,7 +25598,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "44e2a842-415b-47f4-8549-83fbdb8a5674", + "type": "similar" + } + ], "uuid": "004c781a-3d7d-446b-9677-a042c8f6566e", "value": "SUGARUSH" }, @@ -22616,6 +25626,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927", + "type": "similar" } ], "uuid": "6b04e98e-c541-4958-a8a5-d433e575ce78", 
@@ -22641,6 +25655,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6",
+ "type": "similar"
 }
 ],
 "uuid": "66966a12-3db3-4e43-a7e8-6c6836ccd8fe",
@@ -22658,7 +25676,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "b2b0b946-be0a-4a7f-9c32-a2e5211d1cd9",
+ "type": "similar"
+ }
+ ],
 "uuid": "f02abaee-237b-4891-bb5d-30ca86dfc2c8",
 "value": "SUPERNOVA"
 },
@@ -22677,7 +25700,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6",
+ "type": "similar"
+ }
+ ],
 "uuid": "a8110f81-5ee9-5819-91ce-3a57aa330dcb",
 "value": "SVCReady"
 },
@@ -22693,7 +25721,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
+ "type": "similar"
+ }
+ ],
 "uuid": "ae749f9c-cf46-42ce-b0b8-f0be8660e3f3",
 "value": "Sykipot"
 },
@@ -22713,7 +25746,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "04227b24-7817-4de1-9050-b7b1b57f5866",
+ "type": "similar"
+ }
+ ],
 "uuid": "19ae8345-745e-4872-8a29-d56c8800d626",
 "value": "SynAck"
 },
@@ -22776,7 +25814,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "84c1ecc6-e5a2-4e8a-bf4b-651a618e0053",
+ "type": "similar"
+ }
+ ],
 "uuid": "69ab291d-5066-4e47-9862-1f5c7bac7200",
 "value": "SYNful Knock"
 },
@@ -22796,6 +25839,10 @@
 {
 "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
+ "type": "similar"
 }
 ],
 "uuid": "2df35a92-2295-417a-af5a-ba5c943ef40d",
@@ -22816,7 +25863,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "edf5aee2-9b1c-4252-8e64-25b12f14c8b3",
+ "type": "similar"
+ }
+ ],
 "uuid": "ea556a8d-4959-423f-a2dd-622d0497d484",
 "value": "SYSCON"
 },
@@ -22852,6 +25904,7 @@
 "software_attack_id": "S5058",
 "source": "Tidal Cyber",
 "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "15787198-6c8b-4f79-bf50-258d55072fee",
 "84615fe0-c2a5-4e07-8957-78ebc29b4635"
 ],
@@ -22860,6 +25913,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
 "type": "used-by"
@@ -22899,10 +25956,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
- "type": "used-by"
- },
 {
 "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "type": "used-by"
@@ -22915,6 +25968,10 @@
 "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
@@ -22942,6 +25999,10 @@
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
+ "type": "similar"
 }
 ],
 "uuid": "cecea681-a753-47b5-9d77-c10a5b4403ab",
@@ -22964,6 +26025,10 @@
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "c009560a-f097-45a3-8f9f-78ec1440a783",
+ "type": "similar"
 }
 ],
 "uuid": "148d587c-3b1e-4e71-bdfb-8c37005e7e77",
@@ -22981,7 +26046,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
+ "type": "similar"
+ }
+ ],
 "uuid": "c5647cc4-0d46-4a41-8591-9179737747a2",
 "value": "T9000"
 },
@@ -23026,7 +26096,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517",
+ "type": "similar"
+ }
+ ],
 "uuid": "9334df79-9023-44bb-bc28-16c1f07b836b",
 "value": "Taidoor"
 },
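Review bot: The hunks at `-22899,10` and `-22915,6` remove the `8567136b-f84a-45ed-8cce-46324c7da60e` `used-by` entry and re-add it unchanged a few lines further down, and the same move recurs for `4ea1245f-…` in the `-23157,10`/`-23169,6` hunks and for `b534349f-…` in the `-25295,13` hunk later on this page; new `tags` values are likewise prepended (first hunk here) rather than placed in any order. This suggests the exporter writes `related` and `tags` in whatever order the upstream API returns them, so each refresh produces reordering churn that hides the real additions. Sorting both arrays deterministically before serialising — `related` by `type` then `dest-uuid`, `tags` lexically — would confine future diffs to actual changes; the generator is outside this chunk, so this is a note for it rather than for the hunk lines.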
@@ -23075,6 +26150,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "7f4bbe05-1674-4087-8a16-8f1ad61b6152",
+ "type": "similar"
 }
 ],
 "uuid": "1548c94a-fb4d-43d8-9956-ea26f5cc552f",
@@ -23092,10 +26171,42 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "b51797f7-57da-4210-b8ac-b8632ee75d70",
+ "type": "similar"
+ }
+ ],
 "uuid": "b1b7a8d9-6df3-4e89-8622-a6eea3da729b",
 "value": "TajMahal"
 },
+ {
+ "description": "TAMECAT is a custom backdoor developed and used by Iranian espionage group APT42. It is usually delivered via phishing attacks and serves as a post-compromise command execution and malware ingress capability.[[Mandiant Uncharmed May 1 2024](/references/84c0313a-bea1-44a7-9396-8e12437852d1)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S5334",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "8d00b893-7492-4a67-a9b0-d817c5a21603",
+ "value": "TAMECAT"
+ },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to extract and create archives.\n\n**Author:** Brian Lucero\n\n**Paths:**\n* C:\\Windows\\System32\\tar.exe\n\n**Resources:**\n* [https://twitter.com/Cyber_Sorcery/status/1619819249886969856](https://twitter.com/Cyber_Sorcery/status/1619819249886969856)\n\n**Detection:**\n* IOC: tar.exe extracting files from a remote host within the environment[[Tar.exe - LOLBAS Project](/references/e5f54ded-3ec1-49c1-9302-6b9f372d5015)]",
 "meta": {
@@ -23133,6 +26244,10 @@
 {
 "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8",
+ "type": "similar"
 }
 ],
 "uuid": "7bb9d181-4405-4938-bafb-b13cc98b6cd8",
@@ -23157,10 +26272,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
- "type": "used-by"
- },
 {
 "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "type": "used-by"
@@ -23169,6 +26280,10 @@
 "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "type": "used-by"
@@ -23204,6 +26319,10 @@
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
+ "type": "similar"
 }
 ],
 "uuid": "abae8f19-9497-4a71-82b6-ae6edd26ad98",
@@ -23221,6 +26340,13 @@
 "software_attack_id": "S5267",
 "source": "Tidal Cyber",
 "tags": [
+ "96d58ca1-ab18-4e53-8891-d8ba62a47e5d",
+ "758c3085-2f79-40a8-ab95-f8a684737927",
+ "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
 "02495172-1563-48e7-8ac2-98463bd85e9d",
 "6070668f-1cbd-4878-8066-c636d1d8659c",
 "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
@@ -23287,6 +26413,10 @@
 {
 "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
+ "type": "similar"
 }
 ],
 "uuid": "e7116740-fe7c-45e2-b98d-0c594a7dff2f",
@@ -23424,6 +26554,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26",
+ "type": "similar"
 }
 ],
 "uuid": "bae20f59-469c-451c-b4ca-70a9a04a1574",
@@ -23522,6 +26656,10 @@
 {
 "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
+ "type": "similar"
 }
 ],
 "uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79",
@@ -23544,7 +26682,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "727afb95-3d0f-4451-b297-362a43909923",
+ "type": "similar"
+ }
+ ],
 "uuid": "2ed5f691-68eb-49dd-b730-793dc8a7d134",
 "value": "ThiefQuest"
 },
@@ -23564,6 +26707,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "16040b1c-ed28-4850-9d8f-bb8b81c42092",
+ "type": "similar"
 }
 ],
 "uuid": "b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e",
@@ -23604,6 +26751,33 @@
 "uuid": "8fe38eda-30be-4c88-ae76-ac6ebc89d66b",
 "value": "ThunderShell"
 },
+ {
+ "description": "Tickler is a custom multi-stage backdoor deployed by Iranian state-sponsored espionage group Peach Sandstorm (APT33) in compromises in Q2 and Q3 2024.[[Microsoft Security Blog August 28 2024](/references/940c0755-18df-4fcb-9691-9f2eb45e6441)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S5335",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "b39d2bea-83f4-4450-b331-3c39dff89ee8",
+ "value": "Tickler"
+ },
 {
 "description": "According to its project page, TightVNC is a free and open-source remote desktop software tool that is Virtual Network Computing (VNC)-compatible. It is designed to enable remote access to other systems.[[TightVNC Software Project Page](/references/e1725230-4f6c-47c5-8e30-90dfb01a75d7)]",
 "meta": {
@@ -23616,6 +26790,8 @@
 "software_attack_id": "S5015",
 "source": "Tidal Cyber",
 "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
 "509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
@@ -23665,6 +26841,10 @@
 {
 "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "2a7c1bb7-cd12-456e-810d-ab3bf8457bab",
+ "type": "similar"
 }
 ],
 "uuid": "39f0371c-b755-4655-a97e-82a572f2fae4",
@@ -23686,6 +26866,10 @@
 {
 "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca",
+ "type": "similar"
 }
 ],
 "uuid": "0e009cb8-848e-427a-9581-d3a4fd9f6a87",
@@ -23707,6 +26891,10 @@
 {
 "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
+ "type": "similar"
 }
 ],
 "uuid": "277290fe-51f3-4822-bb46-8b69fd1c8ae5",
@@ -23724,7 +26912,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "327b3a25-9e60-4431-b3b6-93b9c64eacbc",
+ "type": "similar"
+ }
+ ],
 "uuid": "eff417ad-c775-4a95-9f36-a1b5a675ba82",
 "value": "Tomiris"
 },
@@ -23750,6 +26943,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "42a7c134-c574-430b-8105-bf7a00e742ae",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf",
 "type": "used-by"
@@ -23773,6 +26970,10 @@
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
+ "type": "similar"
 }
 ],
 "uuid": "8c70d85b-b06d-423c-8bab-ecff18f332d6",
@@ -23790,7 +26991,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2",
+ "type": "similar"
+ }
+ ],
 "uuid": "4bce135b-91ba-45ae-88f9-09e01f983a74",
 "value": "Torisma"
 },
@@ -23835,6 +27041,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e",
+ "type": "similar"
 }
 ],
 "uuid": "7a6ae9f8-5f8b-4e94-8716-d8ee82027197",
@@ -23867,6 +27077,10 @@
 {
 "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556",
+ "type": "similar"
 }
 ],
 "uuid": "c2bd4213-fc7b-474f-b5a0-28145b07c51d",
@@ -23888,6 +27102,10 @@
 {
 "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
+ "type": "similar"
 }
 ],
 "uuid": "b88c4891-40da-4832-ba42-6c6acd455bd1",
@@ -23905,7 +27123,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec",
+ "type": "similar"
+ }
+ ],
 "uuid": "f8a4213d-633b-4e3d-8e59-a769e852b93b",
 "value": "Trojan.Mebromi"
 },
@@ -23962,6 +27185,10 @@
 {
 "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad",
+ "type": "similar"
 }
 ],
 "uuid": "50844dba-8999-42ba-ba29-511e3faf4bc3",
@@ -23983,6 +27210,10 @@
 {
 "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "76ac7989-c5cc-42e2-93e3-d6c476f01ace",
+ "type": "similar"
 }
 ],
 "uuid": "9872ab5a-c76e-4404-91f9-5b745722443b",
@@ -24074,6 +27305,10 @@
 {
 "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "350f12cf-fd3b-4dad-b323-14b943090df4",
+ "type": "similar"
 }
 ],
 "uuid": "571a45a7-68c9-452c-99bf-1d5b5fdd08b3",
@@ -24095,6 +27330,10 @@
 {
 "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
+ "type": "similar"
 }
 ],
 "uuid": "c7f10715-cf13-4360-8511-aa3f93dd7688",
@@ -24119,6 +27358,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
+ "type": "similar"
 }
 ],
 "uuid": "6c93d3c4-cae5-48a9-948d-bc5264230316",
@@ -24137,7 +27380,12 @@
 "tool"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
+ "type": "similar"
+ }
+ ],
 "uuid": "5788edee-d1b7-4406-9122-bee596362236",
 "value": "UACMe"
 },
@@ -24153,7 +27401,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f",
+ "type": "similar"
+ }
+ ],
 "uuid": "5214ae01-ccd5-4e97-8f9c-14eb16e75544",
 "value": "UBoatRAT"
 },
@@ -24169,7 +27422,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "3d8e547d-9456-4f32-a895-dc86134e282f",
+ "type": "similar"
+ }
+ ],
 "uuid": "227c12df-8126-4e79-b9bd-0e4633fa12fa",
 "value": "Umbreon"
 },
@@ -24219,6 +27477,10 @@
 {
 "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
+ "type": "similar"
 }
 ],
 "uuid": "846b3762-3949-4501-b781-6dca22db088f",
@@ -24283,6 +27545,10 @@
 {
 "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa",
+ "type": "similar"
 }
 ],
 "uuid": "a3c211f8-52aa-4bfd-8382-940f2194af28",
@@ -24331,6 +27597,10 @@
 {
 "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
+ "type": "similar"
 }
 ],
 "uuid": "89ffc27c-b81f-473a-87d6-907cacdce61c",
@@ -24354,6 +27624,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
 "type": "used-by"
@@ -24365,6 +27639,10 @@
 {
 "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407",
+ "type": "similar"
 }
 ],
 "uuid": "3e501609-87e4-4c47-bd88-5054be0f1037",
@@ -24386,6 +27664,10 @@
 {
 "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "75bba379-4ba1-467e-8c60-ec2b269ee984",
+ "type": "similar"
 }
 ],
 "uuid": "26d93db8-dbc3-44b5-a393-2b219cef4f5b",
@@ -24410,6 +27692,10 @@
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
+ "type": "similar"
 }
 ],
 "uuid": "50eab018-8d52-46f5-8252-95942c2c0a89",
@@ -24455,6 +27741,10 @@
 {
 "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "ade37ada-14af-4b44-b36c-210eec255d53",
+ "type": "similar"
 }
 ],
 "uuid": "b149f12f-3cf4-4547-841d-c63b7677547d",
@@ -24479,6 +27769,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "96eca9b9-b37f-42f1-96dc-a2c441403194",
+ "type": "similar"
 }
 ],
 "uuid": "63940761-8dea-4362-8795-7bc0653ce1d4",
@@ -24500,6 +27794,10 @@
 {
 "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5",
+ "type": "similar"
 }
 ],
 "uuid": "fe116518-cd0c-4b10-8190-4f57208df4e4",
@@ -24543,6 +27841,10 @@
 {
 "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8caa18af-4758-4fd3-9600-e8af579e89ed",
+ "type": "similar"
 }
 ],
 "uuid": "150b6079-bb10-48a8-b570-fbe8b0e3287c",
@@ -24606,7 +27908,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3",
+ "type": "similar"
+ }
+ ],
 "uuid": "afa4023f-aa2e-45d6-bb3c-38e61f876eac",
 "value": "VERMIN"
 },
@@ -24676,6 +27983,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
+ "type": "similar"
 }
 ],
 "uuid": "7fcfba45-5752-4f0c-8023-db67729ae34e",
@@ -24885,6 +28196,10 @@
 {
 "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
+ "type": "similar"
 }
 ],
 "uuid": "6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a",
@@ -24902,7 +28217,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "a5818d36-e9b0-46da-842d-b727a5e36ea6",
+ "type": "similar"
+ }
+ ],
 "uuid": "9a592b49-1701-5e4c-95cf-9b8c98b80527",
 "value": "WARPWIRE"
 },
@@ -24937,6 +28257,10 @@
 {
 "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b",
+ "type": "similar"
 }
 ],
 "uuid": "cfebe868-15cb-4be5-b7ed-38b52f2a0722",
@@ -24962,6 +28286,10 @@
 {
 "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927",
+ "type": "similar"
 }
 ],
 "uuid": "0ba6ee8d-2b29-4980-8e55-348ea05f00ad",
@@ -24983,6 +28311,10 @@
 {
 "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f3f1fbed-7e29-49cb-8579-4a378f858deb",
+ "type": "similar"
 }
 ],
 "uuid": "56872a5b-dc01-455c-85d5-06c577abb030",
@@ -25007,6 +28339,10 @@
 {
 "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22",
+ "type": "similar"
 }
 ],
 "uuid": "f228af8f-8938-4836-9461-c6ca220ed7c5",
@@ -25031,6 +28367,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "959f3b19-2dc8-48d5-8942-c66813a5101a",
+ "type": "similar"
 }
 ],
 "uuid": "b936a1b3-5493-4d6c-9b69-29addeace418",
@@ -25056,6 +28396,10 @@
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4",
+ "type": "similar"
 }
 ],
 "uuid": "20725ec7-ee35-44cf-bed6-91158aa03ce4",
@@ -25097,6 +28441,10 @@
 "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
@@ -25104,6 +28452,10 @@
 {
 "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a",
+ "type": "similar"
 }
 ],
 "uuid": "2bcbcea6-192a-4501-aab1-1edde53875fa",
@@ -25150,6 +28502,10 @@
 {
 "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "49fee0b0-390e-4bde-97f8-97ed46bd19b7",
+ "type": "similar"
 }
 ],
 "uuid": "791f0afd-c2c4-4e23-8aee-1d14462667f5",
@@ -25171,6 +28527,10 @@
 {
 "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "039814a0-88de-46c5-a4fb-b293db21880a",
+ "type": "similar"
 }
 ],
 "uuid": "7b393608-c141-48af-ae3d-3eff13c3e01c",
@@ -25219,6 +28579,10 @@
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
+ "type": "similar"
 }
 ],
 "uuid": "7c2c44d7-b307-4e13-b181-52352975a6f5",
@@ -25237,6 +28601,10 @@
 {
 "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
+ "type": "similar"
 }
 ],
 "uuid": "ed50dcf7-e283-451e-95b1-a8485f8dd214",
@@ -25258,6 +28626,10 @@
 {
 "dest-uuid": "4e880d01-313a-4926-8470-78c48824aa82",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
+ "type": "similar"
 }
 ],
 "uuid": "3afe711d-ed58-4c94-a9b6-9c847e1e8a2f",
@@ -25276,6 +28648,10 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" + }, + { + "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", + "type": "similar" } ], "uuid": "5f994df7-55b0-4383-8ebc-506d4987292a", @@ -25295,13 +28671,17 @@ "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, + { + "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", + "type": "used-by" + }, { "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e", "type": "used-by" }, { - "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", - "type": "used-by" + "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", + "type": "similar" } ], "uuid": "65d5b524-0e84-417d-9884-e2c501abfacd", @@ -25323,6 +28703,10 @@ { "dest-uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c", "type": "used-by" + }, + { + "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", + "type": "similar" } ], "uuid": "3e70078f-407e-4b03-b604-bdc05b372f37", @@ -25366,6 +28750,10 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" + }, + { + "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", + "type": "similar" } ], "uuid": "e10423c2-71a7-4878-96ba-343191136c19", @@ -25391,6 +28779,10 @@ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" + }, + { + "dest-uuid": "8787e86d-8475-4f13-acea-d33eb83b6105", + "type": "similar" } ], "uuid": "e384e711-0796-4cbc-8854-8c3f939faf57", @@ -25412,6 +28804,10 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" + }, + { + "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", + "type": "similar" } ], "uuid": "245c216e-41c3-4dec-8b23-bfc7c6a46d6e", 
@@ -25427,6 +28823,10 @@ "software_attack_id": "S5081", "source": "Tidal Cyber", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -25442,6 +28842,10 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" @@ -25490,6 +28894,9 @@ "software_attack_id": "S5046", "source": "Tidal Cyber", "tags": [ + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d903e38b-600d-4736-9e3b-cf1a6e436481", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", @@ -25512,6 +28919,10 @@ ] }, "related": [ + { + "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" @@ -25540,6 +28951,10 @@ "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, + { + "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", + "type": "used-by" + }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" @@ -25588,7 +29003,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", + "type": "similar" + } + ], "uuid": "627e05c2-c02e-433e-9288-c2d78bce156f", "value": "Wiper" }, @@ -25604,7 +29024,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c93e3079-43fb-4d8d-9e99-db63d07eadc9", + "type": "similar" + } + ], "uuid": "93b02819-8acc-5d7d-ad11-abb33f9309cc", "value": "WIREFIRE" }, 
@@ -25683,6 +29108,10 @@ ] }, "related": [ + { + "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", + "type": "used-by" + }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" @@ -25706,6 +29135,10 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" + }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" } ], "uuid": "24f3b066-a533-4b6c-a590-313a67154ba0", @@ -25723,7 +29156,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb", + "type": "similar" + } + ], "uuid": "1f374a54-c839-5139-b755-555c66a21c12", "value": "Woody RAT" }, @@ -25769,11 +29207,11 @@ }, "related": [ { - "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", + "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { - "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", + "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" } ], @@ -25888,6 +29326,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", + "type": "similar" } ], "uuid": "6f411b69-6643-4cc7-9cbd-e15d9219e99c", @@ -25906,7 +29348,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c", + "type": "similar" + } + ], "uuid": "ab442140-0761-4227-bd9e-151da5d0a04f", "value": "Xbash" }, @@ -25926,6 +29373,10 @@ { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" + }, + { + "dest-uuid": "21583311-6321-4891-8a37-3eb4e57b0fb1", + "type": "similar" } ], "uuid": "11a0dff4-1dc8-4553-8a38-90a07b01bfcd", @@ -25944,6 +29395,10 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" + }, + { + "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", + "type": "similar" } ], "uuid": "d943d3d9-3a99-464f-94f0-95aa7963d858", 
@@ -26000,7 +29455,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e14085cb-0e8d-4be6-92ba-e3b93ee5978f", + "type": "similar" + } + ], "uuid": "3672ecfa-20bf-4d69-948d-876be343563f", "value": "XCSSET" }, @@ -26096,6 +29556,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", + "type": "similar" } ], "uuid": "133136f0-7254-4cec-8710-0ab99d5da4e5", @@ -26166,6 +29630,10 @@ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" + }, + { + "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3", + "type": "similar" } ], "uuid": "0844bc42-5c29-47c3-b1b3-6bfffbf1732a", @@ -26213,7 +29681,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14", + "type": "similar" + } + ], "uuid": "e0962ff7-5524-4683-9b95-0e4ba07dccb2", "value": "yty" }, @@ -26236,6 +29709,10 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" + }, + { + "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", + "type": "similar" } ], "uuid": "e317b8a6-1722-4017-be33-717a5a93ef1c", @@ -26250,7 +29727,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "552462b9-ae79-49dd-855c-5973014e157f", + "type": "similar" + } + ], "uuid": "2f52b513-5293-4833-9c4d-b120e7a84341", "value": "Zeroaccess" }, @@ -26273,6 +29755,10 @@ { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" + }, + { + "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", + "type": "similar" } ], "uuid": "f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd", @@ -26293,7 +29779,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "198db886-47af-4f4c-bff5-11b891f85946", + "type": "similar" + } + ], "uuid": "be8add13-40d7-495e-91eb-258d3a4711bc", "value": "Zeus Panda" }, 
@@ -26331,7 +29822,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d9765cbd-4c88-4805-ba98-4c6ccb56b864", + "type": "similar" + } + ], "uuid": "976a7797-3008-5316-9e28-19c9a05959d0", "value": "ZIPLINE" }, @@ -26347,7 +29843,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", + "type": "similar" + } + ], "uuid": "1ac8d363-2903-43da-9c1d-2b28179638c8", "value": "ZLib" }, @@ -26395,6 +29896,10 @@ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" + }, + { + "dest-uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445", + "type": "similar" } ], "uuid": "75dd9acb-fcff-4b0b-b45b-f943fb589d78", @@ -26415,7 +29920,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "54e8672d-5338-4ad1-954a-a7c986bee530", + "type": "similar" + } + ], "uuid": "49314d4e-dc04-456f-918e-a3bedfc3192a", "value": "zwShell" }, @@ -26439,6 +29949,10 @@ "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "type": "used-by" + }, { "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" @@ -26448,8 +29962,8 @@ "type": "used-by" }, { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", - "type": "used-by" + "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", + "type": "similar" } ], "uuid": "eea89ff2-036d-4fa6-bbed-f89502c62318", @@ -26471,11 +29985,15 @@ { "dest-uuid": "3a02aa1b-851a-43e1-b83b-58037f3c7025", "type": "used-by" + }, + { + "dest-uuid": "97cfbdc6-504d-41e9-a46c-78a9f806ff0d", + "type": "similar" } ], "uuid": "91e1ee26-d6ae-4203-a466-93c9e5019b47", "value": "ZxxZ" } ], - "version": 2 + "version": 1 } From 31e9bdb95047bba3cd9542687b7abcd915708d4f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 2 Sep 2024 10:47:47 +0200 Subject: [PATCH 12/36] chg: [README] tidal updated --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
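Review bot: The last hunk lowers the cluster `version` from 2 to 1 (`- "version": 2` / `+ "version": 1`), which undoes the update for every consumer: as far as I know MISP only replaces an installed galaxy cluster when the incoming `version` is higher, so instances already on version 2 would keep the old data and never receive the `similar` relationships added throughout this file. Bump it instead, e.g. `"version": 3`. If this file is written by a generator that hard-codes the value (the generator is not in my view), make it read the existing version and increment it rather than reset it.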
diff --git a/README.md b/README.md index 9afca7b..2c7f9d2 100644 --- a/README.md +++ b/README.md @@ -535,7 +535,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements [Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules. -Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2932* elements +Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2949* elements [[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] @@ -607,7 +607,7 @@ Category: *actor* - source: *MISP Project* - total: *721* elements [Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster -Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *48* elements +Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *78* elements [[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)] @@ -615,7 +615,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns [Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy -Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *172* elements +Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *200* elements [[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)] 
@@ -623,7 +623,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group [Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster -Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4261* elements +Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4309* elements [[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)] @@ -631,7 +631,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc [Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster -Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1003* elements +Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1014* elements [[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)] From 8134dfdf921c72ca3d743b2f89c60a055d56c62d Mon Sep 17 00:00:00 2001 From: Jean-Louis Huynen Date: Mon, 2 Sep 2024 11:13:10 +0200 Subject: [PATCH 13/36] add: [first-csirt] keep the best script --- tools/gen_csf.py | 17 ++-- tools/gen_csf_alt.py | 228 ------------------------------------------- 2 files changed, 10 insertions(+), 235 deletions(-) delete mode 100644 tools/gen_csf_alt.py diff --git a/tools/gen_csf.py b/tools/gen_csf.py index fb3cc52..8e658e2 100644 --- a/tools/gen_csf.py +++ b/tools/gen_csf.py @@ -4,6 +4,7 @@ # A simple convertor script to generate galaxies from the MITRE NICE framework # https://niccs.cisa.gov/workforce-development/nice-framework # Copyright (C) 2024 Jean-Louis Huynen +# Copyright (C) 2024 Déborah Servili # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as 
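Review bot: The header comment that this hunk extends still presents the script as "A simple convertor script to generate galaxies from the MITRE NICE framework" with the niccs.cisa.gov link, although everything else in the file (the `url` assignment and the `first-csirt-services-framework` output names) scrapes the FIRST CSIRT Services Framework; the new copyright line is being added under a description copied from another tool. Replace the two lines with `# A simple convertor script to generate galaxies from the FIRST CSIRT Services Framework` and `# https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1`. The README hunks on this line are count updates only.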
@@ -56,7 +57,6 @@ url = "https://www.first.org/standards/frameworks/csirts/csirt_services_framewor # Send a GET request to the webpage response = requests.get(url) - def extract_nostrong_content(element): content = element.find_next_siblings('p', limit=3) extracted = {} @@ -75,13 +75,11 @@ def extract_nostrong_content(element): extracted["outcome"] = content[2].text.strip()[8:] for sibling in content[2].find_next_siblings(): - if sibling.name == "h4": + if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]): break extracted["outcome"] += f" {sibling.text.strip()}" - return extracted - def extract_content(element): content = {} description_title = element.find_next( @@ -103,6 +101,7 @@ def extract_content(element): .replace("Description:", "") .strip() ) + for sibling in description_title.parent.parent.find_next_siblings(): if "Outcome:" in sibling.text: break 
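Review bot: The new stop condition in `extract_nostrong_content` breaks before appending a sibling that contains "The following functions", but unlike the matching change made to `extract_content` in this commit it never strips that phrase when it is already part of the paragraph collected into `extracted["outcome"]`, so the two extractors can return differently shaped outcomes for the same page. Add `extracted["outcome"] = extracted["outcome"].split("The following functions")[0].strip()` before `return extracted`. The substring tests also run on the text of any sibling element, so a paragraph that merely mentions "List of functions" would truncate the outcome early; that is probably fine for this page but deserves a comment such as `# stop at the next heading or at the per-service function list`. The hunk ends inside `extract_content`, whose body continues past it.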
@@ -112,22 +111,26 @@ def extract_content(element): outcome_title.parent.parent.get_text(strip=True).replace("Outcome:", "").strip() ) for sibling in outcome_title.parent.parent.find_next_siblings(): - if sibling.name == "h4": + if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]): break content["outcome"] += f" {sibling.text.strip()}" - + content["outcome"] = content["outcome"].split("The following functions")[0].strip() return content def remove_heading(input_string): return re.sub(r'^\d+(\.\d+)*\s+', '', input_string) - # Check if the request was successful if response.status_code == 200: # Parse the page content with BeautifulSoup soup = BeautifulSoup(response.content, 'html.parser') + # Removing all links + for a in soup.find_all('a', href=True): + if a['href'].startswith('#'): + a.decompose() + # Extract the section titled "4 CSIRT Services Framework Structure" section_header = soup.find( 'h2', id="5-Service-Area-Information-Security-Event-Management" diff --git a/tools/gen_csf_alt.py b/tools/gen_csf_alt.py deleted file mode 100644 index 4eeb54c..0000000 --- a/tools/gen_csf_alt.py +++ /dev/null 
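Review bot: `a.decompose()` removes each in-page anchor together with its text, so if any service or function heading on the FIRST page is wrapped in or contains a self-link (`<a href="#…">`), `service.text` loses that text and the `uuid.uuid5(namespace, name)` derived from it (the same derivation the deleted alt script shows) silently changes, re-keying the cluster between runs; `a.unwrap()` drops the link but keeps its text and is the safer default unless the goal is specifically to strip permalink glyphs. I cannot see the page markup, so please check which case applies and say so in the comment, e.g. `# Unwrap in-page anchor links so their text stays in the extracted headings`. Separately, and outside this hunk, the fetch is `requests.get(url)` with no `timeout=`, so the generator can hang indefinitely on a stalled connection.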
@@ -1,228 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- -# -# A simple convertor script to generate galaxies from the MITRE NICE framework -# https://niccs.cisa.gov/workforce-development/nice-framework -# Copyright (C) 2024 Jean-Louis Huynen -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -import pdb -import requests -import json -import os -import uuid -import re -from bs4 import BeautifulSoup - -# uuidv4 generated to be concatenated in v5: 43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0 - -galaxy = { - "namespace": "first", - "type": "first-csirt-services-framework", - "name": "FIRST CSIRT Services Framework", - "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide", - "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", - "version": 1, - "icon": 'user', -} - -cluster = { - 'authors': ["FIRST", "CIRCL", "Jean-Louis Huynen"], - 'category': 'csirt', - "type": "first-csirt-services-framework", - "name": "FIRST CSIRT Services Framework", - "description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services 
and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide", - "uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb", - 'source': 'https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1', - 'values': [], - 'version': 1, -} - -# URL to download -url = "https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#5-Service-Area-Information-Security-Event-Management" - -# Send a GET request to the webpage -response = requests.get(url) - -def extract_nostrong_content(element): - content = element.find_next_siblings('p', limit=3) - extracted = {} - - extracted["purpose"] = content[0].text.strip()[8:] - for sibling in content[0].find_next_siblings(): - if "Description:" in sibling.text: - break - extracted["purpose"] += f" {sibling.text.strip()}" - - extracted["description"] = content[1].text.strip()[12:] - for sibling in content[1].find_next_siblings(): - if "Outcome:" in sibling.text: - break - extracted["description"] += f" {sibling.text.strip()}" - - extracted["outcome"] = content[2].text.strip()[8:] - for sibling in content[2].find_next_siblings(): - if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]): - break - extracted["outcome"] += f" {sibling.text.strip()}" - return extracted - -def extract_content(element): - content = {} - description_title = element.find_next( - "em", string=lambda text: "Description:" in text - ) - purpose_title = element.find_next("em", string=lambda text: "Purpose:" in text) - outcome_title = element.find_next("em", string=lambda text: "Outcome:" in text) - - content["purpose"] = ( - purpose_title.parent.parent.get_text(strip=True).replace("Purpose:", "").strip() - ) - for sibling in purpose_title.parent.parent.find_next_siblings(): - if "Description:" in sibling.text: - break - content["purpose"] += f" {sibling.text.strip()}" - - 
content["description"] = ( - description_title.parent.parent.get_text(strip=True) - .replace("Description:", "") - .strip() - ) - - for sibling in description_title.parent.parent.find_next_siblings(): - if "Outcome:" in sibling.text: - break - content["description"] += f" {sibling.text.strip()}" - - content["outcome"] = ( - outcome_title.parent.parent.get_text(strip=True).replace("Outcome:", "").strip() - ) - for sibling in outcome_title.parent.parent.find_next_siblings(): - if sibling.name in ["h2", "h3", "h4"] or any(substring in sibling.text for substring in ["The following functions", "List of functions"]): - break - content["outcome"] += f" {sibling.text.strip()}" - content["outcome"] = content["outcome"].split("The following functions")[0].strip() - return content - - -def remove_heading(input_string): - return re.sub(r'^\d+(\.\d+)*\s+', '', input_string) - -# Check if the request was successful -if response.status_code == 200: - # Parse the page content with BeautifulSoup - soup = BeautifulSoup(response.content, 'html.parser') - - # Removing all links - for a in soup.find_all('a', href=True): - if a['href'].startswith('#'): - a.decompose() - - # Extract the section titled "4 CSIRT Services Framework Structure" - section_header = soup.find( - 'h2', id="5-Service-Area-Information-Security-Event-Management" - ) - if section_header: - - services = section_header.find_next_siblings('h3') - functions = section_header.find_next_siblings('h4') - - for service in services: - if "Monitoring and detection" in service.text: - content = extract_nostrong_content(service) - else: - content = extract_content(service) - name = remove_heading(service.text.strip()) - suuid = str( - uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name) - ) - cluster["values"].append( - { - "description": content["description"], - "meta": { - "purpose": content["purpose"], - "outcome": content["outcome"], - }, - "uuid": suuid, - "value": name, - "related": [], - } - ) - - for 
function in functions: - content = extract_content(function) - # get the parent service - parent_service = function.find_previous('h3') - relationship = { - "dest-uuid": str( - uuid.uuid5( - uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), - remove_heading(parent_service.text.strip()), - ) - ), - "type": "part-of", - } - - name = remove_heading(function.text.strip()) - - cluster["values"].append( - { - "description": content["description"], - "meta": { - "purpose": content["purpose"], - "outcome": content["outcome"], - }, - "uuid": str( - uuid.uuid5( - uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name - ) - ), - "value": name, - "related": [relationship], - } - ) - - with open( - os.path.join( - os.path.dirname(__file__), - '..', - 'galaxies', - f'first-csirt-services-framework.json', - ), - 'w', - ) as f: - json.dump(galaxy, f, indent=2, sort_keys=True, ensure_ascii=False) - f.write( - '\n' - ) # only needed for the beauty and to be compliant with jq_all_the_things - - with open( - os.path.join( - os.path.dirname(__file__), - '..', - 'clusters', - f'first-csirt-services-framework.json', - ), - 'w', - ) as f: - json.dump(cluster, f, indent=2, sort_keys=True, ensure_ascii=False) - f.write( - '\n' - ) # only needed for the beauty and to be compliant with jq_all_the_things - - else: - print("Couldn't find the section header.") -else: - print(f"Failed to download the webpage. Status code: {response.status_code}") From ef3ace43c627bf50896c5d769a8f998e66abbd76 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 4 Sep 2024 00:03:44 +0000
Subject: [PATCH 14/36] build(deps): bump cryptography from 42.0.4 to 43.0.1 in /tools/mkdocs

Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.4 to 43.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/42.0.4...43.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
tools/mkdocs/requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/mkdocs/requirements.txt b/tools/mkdocs/requirements.txt
index 9a84d08..d616546 100644
--- a/tools/mkdocs/requirements.txt
+++ b/tools/mkdocs/requirements.txt
@@ -5,7 +5,7 @@
 cffi==1.16.0
 charset-normalizer==3.3.2
 click==8.1.7
 colorama==0.4.6
-cryptography==42.0.4
+cryptography==43.0.1
 Deprecated==1.2.14
 ghp-import==2.1.0
 gitdb==4.0.11
From f3fe0d59d37d6b28f92792b82dd49fc28ee5bfcd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 15/36] [threat-actors] Add CL-STA-0043 aliases

---
clusters/threat-actor.json | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5db66b1..bf2dfe8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13773,7 +13773,11 @@
 "meta": {
 "refs": [
 "https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/",
- "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/"
+ "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/",
+ "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/"
+ ],
+ "synonyms": [
+ "TGR-STA-0043"
 ]
 },
 "uuid": "5d0aee14-f18a-44da-a44d-28d950f06b9c",
From d935c1e62ac41c60e95dba56293d72520f001b0c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 16/36] [threat-actors] Add UNC4540

---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bf2dfe8..c7aa533 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16515,6 +16515,17 @@
 },
 "uuid": "34f2d3ad-e367-4058-a10b-1f7a4274c418",
 "value": "Hive0137"
+ },
+ {
+ "description": "UNC4540 is a suspected Chinese threat actor targeting unpatched SonicWall Secure Mobile Access appliances to deploy custom malware that establishes long-term persistence for cyber espionage. The malware is designed to steal hashed credentials, provide shell access, and persist through firmware upgrades, utilizing a variant of the TinyShell backdoor. Mandiant has tracked UNC4540's activities back to 2021, noting their focus on maintaining access to compromised devices. The group's tactics are consistent with patterns observed in other Chinese threat actor campaigns targeting network devices for zero-day exploits.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall"
+ ]
+ },
+ "uuid": "e6b27374-5055-4c2c-950b-06b4fc75a210",
+ "value": "UNC4540"
 }
 ],
 "version": 313
From 164222d3c6adfeb150dd9e79d857b0d533cdd416 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 17/36] [threat-actors] Add TIDRONE

---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c7aa533..22f0111 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
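Review bot: The new entry sets `"country": "CN"` as a hard attribute while its own description (and the title of the single cited Mandiant post) frames the attribution as "suspected Chinese"; `country` is what downstream users filter and correlate on, so an assessment becomes a fact once it is in the meta. Either leave `country` out of this entry or qualify it with whatever confidence field the rest of this cluster uses for assessed attributions, so the meta and the description agree.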
@@ -16526,6 +16526,17 @@
 },
 "uuid": "e6b27374-5055-4c2c-950b-06b4fc75a210",
 "value": "UNC4540"
+ },
+ {
+ "description": "TIDRONE is an unidentified threat actor linked to Chinese-speaking groups, with a focus on military-related industry chains, particularly drone manufacturers in Taiwan. The actor employs advanced malware variants such as CXCLNT and CLNTEND, which are distributed through ERP software or remote desktops. The consistency in file compilation times and operational patterns aligns with other Chinese espionage activities, indicating a likely espionage motive.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html"
+ ]
+ },
+ "uuid": "020d512f-0636-482b-8033-2bd404e0321f",
+ "value": "TIDRONE"
 }
 ],
 "version": 313
From 63566220afecaf9eaf8aaec5e9ac3962cd6c778e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 18/36] [threat-actors] Add Actor240524

---
clusters/threat-actor.json | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 22f0111..13a886a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
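Review bot: `"country": "CN"` overstates what the entry itself says: the description calls TIDRONE an "unidentified threat actor linked to Chinese-speaking groups" and rests that link on compile-time and operational-pattern similarities, which is language and tooling evidence rather than a national attribution. Drop `country` from this entry, or make the description state the attribution with the same confidence the meta implies, so consumers who pivot on `country` are not handed an assessment as a fact.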
@@ -16537,6 +16537,16 @@
 },
 "uuid": "020d512f-0636-482b-8033-2bd404e0321f",
 "value": "TIDRONE"
+ },
+ {
+ "description": "Actor240524 is a newly identified APT group that targeted Azerbaijani and Israeli diplomats through spear-phishing emails to steal sensitive data. The group employs a Trojan program known as ABCloader and ABCsync, demonstrating capabilities to steal secrets and modify file data. Their operations appear to focus on undermining the cooperative relationship between Azerbaijan and Israel. Actor240524 utilizes various countermeasures to obscure their attack tactics and techniques.",
+ "meta": {
+ "refs": [
+ "https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/"
+ ]
+ },
+ "uuid": "6f394add-1703-41e7-be27-d79613f9929c",
+ "value": "Actor240524"
 }
 ],
 "version": 313
From 5dcf22e4eff59d02dc7aa3ebc8d8d137bc7ebcf6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 19/36] [threat-actors] Add ZeroSevenGroup

---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 13a886a..1b42415 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16547,6 +16547,17 @@
 },
 "uuid": "6f394add-1703-41e7-be27-d79613f9929c",
 "value": "Actor240524"
+ },
+ {
+ "description": "ZeroSevenGroup is a threat actor that claims to have breached a U.S. branch of Toyota, stealing 240GB of sensitive data, including employee and customer information, contracts, and financial details. They have also allegedly gained full network access to critical Israeli infrastructure, with access to 80TB of sensitive data across various sectors. The group has threatened to use the stolen data for malicious activities, including ransomware attacks. Their operations involve exploiting vulnerabilities, as indicated by their reference to manipulating memory through buffer overflow techniques.",
+ "meta": {
+ "refs": [
+ "https://siliconangle.com/2024/08/20/toyota-alleges-stolen-customer-data-published-hacking-site-came-outside-supplier/",
+ "https://www.oodaloop.com/briefs/2024/08/21/toyota-customer-employee-data-leaked-in-confirmed-data-breach/"
+ ]
+ },
+ "uuid": "c54b9a98-1436-4e29-b194-e5bde003dd4d",
+ "value": "ZeroSevenGroup"
 }
 ],
 "version": 313
From 0d8e535b88235b982d411af685cd8be0870ed7cd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 20/36] [threat-actors] Add UNC2970

---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1b42415..7842eb3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
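Review bot: The closing sentence of the description turns the actor's own advertising into observed tradecraft: "Their operations involve exploiting vulnerabilities, as indicated by their reference to manipulating memory through buffer overflow techniques" asserts a capability on the strength of a forum post, and the 80TB Israeli-infrastructure figure is likewise the group's claim, whereas only the Toyota leak is described as confirmed by the cited oodaloop piece. Keep claims and confirmations apart so analysts reading the cluster do not inherit the inflation, e.g. replace the last sentence with `The group has also claimed, without independent confirmation, to gain access by exploiting buffer-overflow vulnerabilities.`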
@@ -16558,6 +16558,17 @@
 },
 "uuid": "c54b9a98-1436-4e29-b194-e5bde003dd4d",
 "value": "ZeroSevenGroup"
+ },
+ {
+ "description": "UNC2970 is a North Korean threat actor that primarily targets organizations through spear-phishing emails with job recruitment themes, often utilizing fake LinkedIn accounts to engage victims. The group employs the PLANKWALK backdoor and other malware families, leveraging compromised WordPress sites for command and control. They have been observed using BYOVD techniques to exploit vulnerable drivers for evading detection. Mandiant has noted a shift in UNC2970's targeting strategy, including a focus on security researchers and advancements in their operational capabilities against EDR tools.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970"
+ ]
+ },
+ "uuid": "e40cf515-f155-46d4-b174-88b38383f9bb",
+ "value": "UNC2970"
 }
 ],
 "version": 313
From d8ee3beada0c81477ac3c7368425fac331c0c08a Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 21/36] [threat-actors] Add SILKFIN AGENCY

---
clusters/threat-actor.json | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7842eb3..e43c795 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16569,6 +16569,18 @@
 },
 "uuid": "e40cf515-f155-46d4-b174-88b38383f9bb",
 "value": "UNC2970"
+ },
+ {
+ "description": "SILKFIN AGENCY has claimed responsibility for multiple significant data breaches, including the compromise of DimeCuba.com, which exposed over 1 million SMS records and more than 100,000 email records. They also targeted the Sri Lankan Department of Agrarian Development, allegedly compromising the personal and agricultural data of over 1.45 million farmers. Additionally, they claimed a breach of the Siam Cement Group's database. The breaches involved sensitive data such as NIC numbers and transaction details.",
+ "meta": {
+ "refs": [
+ "https://dailydarkweb.net/threat-actor-claims-breach-of-siam-cement-group-database/",
+ "https://dailydarkweb.net/threat-actor-claimed-to-breach-database-of-dimecuba/",
+ "https://dailydarkweb.net/a-threat-actor-alleged-breach-of-sri-lankan-farmers-community-database/"
+ ]
+ },
+ "uuid": "b1fd5c1a-f0e9-42b1-b386-9925c02ba508",
+ "value": "SILKFIN AGENCY"
 }
 ],
 "version": 313
From 47983fed2063883b445c535515cb5a34db03afdd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 22/36] [threat-actors] Add UNC4536

---
clusters/threat-actor.json | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e43c795..cb174a8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16581,6 +16581,16 @@
 },
 "uuid": "b1fd5c1a-f0e9-42b1-b386-9925c02ba508",
 "value": "SILKFIN AGENCY"
+ },
+ {
+ "description": "UNC4536 is a threat actor that distributes malware, including ICEDID, REDLINESTEALER, and CARBANAK, primarily through malvertising and trojanized MSIX installers masquerading as popular software. They utilize SEO poisoning tactics to direct victims to malicious sites that mimic legitimate software hosting platforms, facilitating the download of compromised installers. The actor employs a PowerShell script known as NUMOZYLOD to deliver tailored payloads, such as the CARBANAK backdoor, to their partners. Additionally, UNC4536 has been linked to campaigns that distribute NetSupport RAT, targeting IT administrators through fake sites promoted via Google Ads.",
+ "meta": {
+ "refs": [
+ "https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551"
+ ]
+ },
+ "uuid": "5a00ccdb-7987-4563-af4f-e368af8406df",
+ "value": "UNC4536"
 }
 ],
 "version": 313
From 4fc5c37d088a22251cd9d3297839cc60ecfe7be8 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 23/36] [threat-actors] Add UAC-0154

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cb174a8..a3b2b9f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16591,6 +16591,16 @@
 },
 "uuid": "5a00ccdb-7987-4563-af4f-e368af8406df",
 "value": "UNC4536"
+ },
+ {
+ "description": "UAC-0154 is a threat actor orchestrating the STARK#VORTEX phishing campaign, specifically targeting Ukraine’s military. They employ a Microsoft Help file containing obfuscated JavaScript as a lure, disguised as a manual for Pilot-in-Command Drones, to deliver the MerlinAgent malware. This PowerShell-based RAT is heavily obfuscated and downloads a payload from a remote server, enabling full control over compromised systems. The group initially targeted Ukrainian entities using military-themed documents sent via email to @ukr.net addresses.",
+ "meta": {
+ "refs": [
+ "https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-september-2023/"
+ ]
+ },
+ "uuid": "8356805a-5612-449c-9fdc-cbe536c1f392",
+ "value": "UAC-0154"
 }
 ],
 "version": 313
From af9d1833716be487f9512275399c6c0b6dc18b4a Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 24/36] [threat-actors] Add IRLeaks

---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a3b2b9f..9ec4fae 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
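Review bot: The added UAC-0154 description uses a typographic apostrophe (U+2019) in `Ukraine’s`, while the neighbouring entries in this series (`UNC2970's`, `Siam Cement Group's`, `UTG-Q-010's`) use the ASCII `'`. Mixed apostrophe characters are valid JSON but make full-text search and de-duplication across the cluster behave inconsistently, so normalise to `Ukraine's` before merging. The description also names no origin for the group and the entry carries no `country` key, which is fine if attribution is open, but it is worth confirming that the omission is deliberate rather than an oversight.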
@@ -16601,6 +16601,20 @@
 },
 "uuid": "8356805a-5612-449c-9fdc-cbe536c1f392",
 "value": "UAC-0154"
+ },
+ {
+ "description": "IRLeaks is a threat actor known for significant cyberattacks targeting Iranian organizations, including a major breach of SnappFood, where they exfiltrated 3TB of sensitive data from 20 million user profiles. They have also compromised data from 23 leading Iranian insurance companies, offering over 160 million records for sale. Their operations involve extortion tactics, as seen in the ransom negotiations with Tosan, and they utilize malware such as StealC for data extraction. IRLeaks communicates primarily in Persian and has been active in selling stolen data on cybercriminal marketplaces.",
+ "meta": {
+ "refs": [
+ "https://www.hackread.com/iranian-food-delivery-snappfood-cyber-attack/",
+ "https://cisoseries.com/cyber-security-headlines-google-5b-suit-settled-orbit-chain-loses-80m-fda-cyber-agreement/",
+ "https://www.oodaloop.com/briefs/2024/01/04/pilfered-data-from-iranian-insurance-and-food-delivery-firms-leaked-online/",
+ "https://cybershafarat.com/2024/09/04/major-ir-leaks/",
+ "https://www.scmagazine.com/brief/significant-ransom-payment-by-major-iranian-it-firm-underway"
+ ]
+ },
+ "uuid": "f0a50fa0-25ca-4346-a666-390923f2c5a1",
+ "value": "IRLeaks"
 }
 ],
 "version": 313
From 40dc998b9b961bbd5c8a7329b7071bd39a5c24ec Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 25/36] [threat-actors] Add RaHDit

---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9ec4fae..3065294 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16615,6 +16615,21 @@
 },
 "uuid": "f0a50fa0-25ca-4346-a666-390923f2c5a1",
 "value": "IRLeaks"
+ },
+ {
+ "description": "RaHDit is a pro-Kremlin hacktivist group known for orchestrating hack-and-leak operations, including the publication of personal information about Ukrainian military intelligence personnel and their associates. The group has been linked to Russian intelligence and has claimed to provide actionable intelligence to the Russian army. RaHDit operates a website called NemeZida, where they disclose sensitive data, and has been involved in disinformation campaigns supporting Russian narratives. Their activities include collaboration with other hacktivist groups and targeting Ukrainian cyberdefense efforts.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://flashpoint.io/blog/pro-kremlin-hacktivist-groups/",
+ "https://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/"
+ ],
+ "synonyms": [
+ "Russian Angry Hackers Did It"
+ ]
+ },
+ "uuid": "1e3efe43-9006-4ac8-b9ee-f1fbb9794cd9",
+ "value": "RaHDit"
 }
 ],
 "version": 313
From c68dd137720c26f7fb4797b0948d9a4b141dd2f5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 26/36] [threat-actors] Add UAT-5394

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3065294..7308e94 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16630,6 +16630,17 @@
 },
 "uuid": "1e3efe43-9006-4ac8-b9ee-f1fbb9794cd9",
 "value": "RaHDit"
+ },
+ {
+ "description": "UAT-5394 is a state-sponsored North Korean threat actor known for developing the MoonPeak RAT, which is based on XenoRAT. They have transitioned from using QuasarRAT to MoonPeak and have established command and control infrastructure. UAT-5394 employs tactics such as using RDP for remote access and has implemented State Machines in their malware to complicate analysis. Their activity indicates a focus on rapidly evolving their malware and infrastructure to enhance operational capabilities.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/"
+ ]
+ },
+ "uuid": "6038ceaf-4c1b-470d-af36-c62948488786",
+ "value": "UAT-5394"
 }
 ],
 "version": 313
From 6cb21d39a7fbcb602a0796f4511bed03abd55784 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 27/36] [threat-actors] Add Storm-1679

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7308e94..574c4b2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16641,6 +16641,17 @@
 },
 "uuid": "6038ceaf-4c1b-470d-af36-c62948488786",
 "value": "UAT-5394"
+ },
+ {
+ "description": "Storm-1679 is a Russian disinformation group believed to be a spinoff of the Internet Research Agency, actively engaged in influence operations targeting the International Olympic Committee and the 2024 Olympic Games. The group has employed AI-generated content, including deepfake videos and fabricated narratives about violence, to discredit the IOC and instill fear among potential attendees. Their campaigns have been identified across multiple languages and platforms, utilizing techniques such as impersonation of media outlets and the creation of disinformation websites. Microsoft attributes significant disinformation activities related to the Olympics to Storm-1679, highlighting their focus on spreading falsehoods and promoting anti-Olympics messaging.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://blogs.microsoft.com/on-the-issues/2024/06/02/russia-cyber-bots-disinformation-2024-paris-olympics/"
+ ]
+ },
+ "uuid": "10582c97-90de-4f2b-8e4d-21513c3971fc",
+ "value": "Storm-1679"
 }
 ],
 "version": 313
From 63bcac4ed9fb9e86f792234c0efde88c2f0ff577 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 28/36] [threat-actors] Add Fail0verflow

---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 574c4b2..dc53ae0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16652,6 +16652,21 @@
 },
 "uuid": "10582c97-90de-4f2b-8e4d-21513c3971fc",
 "value": "Storm-1679"
+ },
+ {
+ "description": "Fail0verflow is a hacking group known for exploiting vulnerabilities in gaming consoles, notably the Nintendo Wii and PlayStation 3. They utilized techniques such as RAM shorting, buffer overflow, and a signing bug to achieve code execution and develop the Homebrew Channel for the Wii. In 2010, they compromised an ECDSA key for the PS3, and later announced the retrieval of PS5 symmetric root keys, enabling the potential for custom firmware and homebrew software. Their exploits often involve kernel access and have raised concerns about the implications for piracy and litigation in the gaming community.",
+ "meta": {
+ "refs": [
+ "https://blog.0x7d0.dev/history/how-the-nintendo-wii-security-was-defeated/",
+ "https://arstechnica.com/gaming/2021/11/uncovered-ps5-encryption-keys-are-the-first-step-to-unlocking-the-console/",
+ "https://malware.news/t/playstation-5-hacked-twice/54441/1"
+ ],
+ "synonyms": [
+ "Team Twiizer"
+ ]
+ },
+ "uuid": "096c57c1-263f-463e-8089-e553872db149",
+ "value": "Fail0verflow"
 }
 ],
 "version": 313
From 1725fd3b1b85a36d463e0e052491193aa6748f82 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 29/36] [threat-actors] Add UTG-Q-010

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dc53ae0..1c35d92 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
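Review bot: The Fail0verflow description characterises a console security-research and homebrew group (Wii Homebrew Channel, PS3 ECDSA key, PS5 root keys) rather than an adversary targeting organizations and employees, which is how the README updated later in this same series defines the threat-actor cluster; as written, the entry does not say why it is catalogued here. Add one sentence to the description stating the inclusion rationale, for example `Included in the threat-actor cluster because its published console exploitation work is referenced in vendor and news reporting; it is not known to target organizations.`, or confirm with the cluster maintainers that research groups of this kind are in scope. The `synonyms` entry `Team Twiizer` is not explained anywhere in the description, so a clause noting the relationship between the two names would help readers who reach the entry via the alias.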
@@ -16667,6 +16667,16 @@
 },
 "uuid": "096c57c1-263f-463e-8089-e553872db149",
 "value": "Fail0verflow"
+ },
+ {
+ "description": "UTG-Q-010 is a financially motivated APT group from East Asia that has been active since late 2022, primarily targeting the pharmaceutical industry and cryptocurrency enthusiasts. They exploit legitimate Windows processes, such as \"WerFault.exe,\" to sideload malicious DLLs like \"faultrep.dll\" and employ sophisticated phishing campaigns to deliver malware disguised as enticing content. Their recent campaigns have involved the use of the Pupy RAT and advanced defense evasion techniques, including in-memory execution and reflective DLL loading. UTG-Q-010's strategic focus on HR departments and the cryptocurrency sector highlights their understanding of target vulnerabilities and their ability to evade detection.",
+ "meta": {
+ "refs": [
+ "https://cyble.com/blog/analysing-the-utg-q-010-campaign/"
+ ]
+ },
+ "uuid": "279ca8a7-1d04-4d95-aa8c-32c758c2de2b",
+ "value": "UTG-Q-010"
 }
 ],
 "version": 313
From 0d3143ab2a1e42138229cc3c254d6a4d9eef1ba3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 30/36] [threat-actors] Add HikkI-Chan

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1c35d92..5dfa613 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16677,6 +16677,17 @@
 },
 "uuid": "279ca8a7-1d04-4d95-aa8c-32c758c2de2b",
 "value": "UTG-Q-010"
+ },
+ {
+ "description": "Hikki-Chan has claimed responsibility for multiple significant data breaches, including the theft of data from 390.4 million users of VKontakte, which included sensitive personal information. The actor has also targeted Strong Current Enterprises and disclosed a breach involving the Israeli Ministry of Welfare and Social Affairs, leaking over 457,000 records. Additionally, Hikki-Chan is attributed with a breach of the Florida Office of Financial Regulation, exposing tens of thousands of records across various industries.",
+ "meta": {
+ "refs": [
+ "https://hackread.com/hacker-leaks-data-of-vk-users-russian-social-network/",
+ "https://dailydarkweb.net/sensitive-israeli-ministry-data-allegedly-leaked-on-dark-web/"
+ ]
+ },
+ "uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e",
+ "value": "HikkI-Chan"
 }
 ],
 "version": 313
From ce0d77f87d4090c545808fed524f252bfaccd314 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:25 -0700
Subject: [PATCH 31/36] [threat actors] Update README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2c7f9d2..025c1f8 100644
--- a/README.md
+++ b/README.md
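Review bot: The new entry's `value` is spelled `HikkI-Chan` while its own description uses `Hikki-Chan` three times, so the canonical name and the prose disagree and any correlation on the value string will miss the other casing. Settle on one spelling for `value` (confirm against the cited write-ups which form they use, then `"value": "Hikki-Chan"` or fix the description), and if the capital-I form is a genuine alias the actor uses, record it under `meta.synonyms` the way the RaHDit and Fail0verflow entries in this series do rather than leaving it as a typo-looking variant. The commit subject repeats the `HikkI-Chan` spelling, so the author may have intended it; either way the two should match.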
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *721* elements +Category: *actor* - source: *MISP Project* - total: *736* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] From 1049d230d703a84b61fc302cb82acecf69c18079 Mon Sep 17 00:00:00 2001 From: Tom Date: Mon, 9 Sep 2024 12:40:42 -0400 Subject: [PATCH 32/36] chg: [producer] added some security companies. --- clusters/producer.json | 46 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/clusters/producer.json b/clusters/producer.json index 0852c3a..d8161eb 100644 --- a/clusters/producer.json +++ b/clusters/producer.json 
@@ -619,7 +619,51 @@ }, "uuid": "3caca164-4600-42a2-b2f0-7a552a66e7b6", "value": "JPCERT" + }, + { + "description": "Proofpoint, Inc. is an American enterprise cybersecurity company based in Sunnyvale, California that provides software as a service and products for email security, identity threat defense, data loss prevention, electronic discovery, and email archiving.", + "meta": { + "country": "US", + "official-refs": [ + "https://www.proofpoint.com/" + ] + }, + "uuid": "cae79680-67a6-4411-903c-f824dbcc813f", + "value": "Proofpoint" + }, + { + "description": "Qihoo 360 (Chinese: 奇虎 360; pinyin: Qíhǔ Sānliùlíng; approximate pronunciation CHEE-hoo), full name 360 Security Technology Inc., is a Chinese internet security company that has developed the antivirus software programs 360 Safeguard and 360 Mobile Safe, the Web browser 360 Secure Browser, and the mobile application store 360 Mobile Assistant.", + "meta": { + "country": "CN", + "official-refs": [ + "https://www.360.cn/" + ] + }, + "uuid": "28bceaef-f6ab-418b-ac5b-7e4089a808b5", + "value": "Qihoo 360" + }, + { + "description": "Bitdefender provides cybersecurity solutions with leading security efficacy, performance and ease of use to small and medium businesses, mid-market enterprises and consumers.", + "meta": { + "country": "RO", + "official-refs": [ + "https://www.bitdefender.com/" + ] + }, + "uuid": "1c141c9b-ec78-4f86-a8ea-b02944fa5492", + "value": "Bitdefender" + }, + { + "description": "Avira Operations GmbH & Co. KG is a German multinational computer security software company mainly known for its Avira Free Security antivirus software. Since 2021, Avira has been owned by American software company NortonLifeLock (now Gen Digital), which also operates Norton, Avast and AVG. 
It was previously owned by investment firm Investcorp.", + "meta": { + "country": "DE", + "official-refs": [ + "https://www.avira.com" + ] + }, + "uuid": "e5964f36-7644-4f73-bdfd-f24d9e006656", + "value": "Avira" } ], - "version": 10 + "version": 11 } From 771b2f01a91b6451a2ab651d928854f411a84546 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 19 Sep 2024 10:56:53 +0200 Subject: [PATCH 33/36] chg: [doc] updated --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2c7f9d2..47c04b1 100644 --- a/README.md +++ b/README.md @@ -487,7 +487,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements [Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large. -Category: *actor* - source: *MISP Project* - total: *33* elements +Category: *actor* - source: *MISP Project* - total: *37* elements [[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)] From c57a99cd2363adfd7464b6397fd41ed09aadab74 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 19 Sep 2024 11:11:43 +0200 Subject: [PATCH 34/36] chg: [doc] updated --- README.md | 2 +- clusters/sigma-rules.json | 4178 +++++++++++++++++++++---------------- 2 files changed, 2337 insertions(+), 1843 deletions(-) diff --git a/README.md b/README.md index 263ce24..68eed5e 100644 --- a/README.md +++ b/README.md 
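Review bot: The Avira `description` string appears to break onto a second physical line after `Avast and AVG.`, with the continuation `It was previously owned by investment firm Investcorp.` carrying no `+` marker; if that is a literal newline inside the JSON string rather than a page-rendering artefact, the added object is invalid JSON (RFC 8259 requires control characters in strings to be escaped) and the cluster will fail to load. The diffstat's `45 insertions(+)` matches one line per field, so this may be a rendering artefact, but it is worth verifying that the committed file parses; if the break is real, keep the sentence on the same line or encode it as `\n`. Separately, the Bitdefender description (`leading security efficacy, performance and ease of use`) is vendor marketing copy, unlike the factual register of the Proofpoint, Qihoo 360 and Avira entries; a neutral line such as `Bitdefender is a Romanian cybersecurity company providing security solutions to small and medium businesses, mid-market enterprises and consumers.` would match the others.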
@@ -535,7 +535,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements [Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules. -Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2949* elements +Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2964* elements [[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index 17d0966..222a4df 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -23,9 +23,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], @@ -59,8 +59,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", + "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" ], "tags": [ 
@@ -93,8 +93,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/last-byte/PersistenceSniper", + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml" ], "tags": [ @@ -127,8 +127,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" ], "tags": [ @@ -149,10 +149,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sans.org/cyber-security-summit/archives", - "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", - "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://twitter.com/jamieantisocial/status/1304520651248668673", + "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", + "https://www.sans.org/cyber-security-summit/archives", + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ 
@@ -188,9 +188,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -223,8 +223,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" ], "tags": [ @@ -258,9 +258,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], 
@@ -295,8 +295,8 @@ "logsource.product": "windows", "refs": [ "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "https://twitter.com/Hexacorn/status/991447379864932352", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ @@ -419,12 +419,12 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", - "https://www.attackiq.com/2023/09/20/emulating-rhysida/", "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", + "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://www.attackiq.com/2023/09/20/emulating-rhysida/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml" ], "tags": [ 
@@ -466,11 +466,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", - "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", + "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", + "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], "tags": [ @@ -540,8 +540,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" ], "tags": [ 
@@ -716,9 +716,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -751,8 +751,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/standa_t/status/1808868985678803222", "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf", + "https://twitter.com/standa_t/status/1808868985678803222", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml" ], "tags": [ @@ -820,8 +820,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], 
@@ -863,8 +863,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74", "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml" ], "tags": [ @@ -899,8 +899,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], "tags": [ @@ -1032,8 +1032,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" ], "tags": [ 
@@ -1100,9 +1100,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ @@ -1202,10 +1202,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", - "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", + "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", + "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ @@ -1271,8 +1271,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", + "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" ], "tags": [ 
@@ -1329,8 +1329,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://labs.f-secure.com/blog/scheduled-task-tampering/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" ], "tags": [ @@ -1541,8 +1541,8 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ @@ -1575,8 +1575,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml" ], "tags": [ 
@@ -1626,9 +1626,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml" ], "tags": [ @@ -1737,9 +1737,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", - "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], "tags": [ @@ -1773,8 +1773,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" ], "tags": [ 
@@ -1891,8 +1891,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", + "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], @@ -1939,10 +1939,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/ifilters.html", - "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", + "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://twitter.com/0gtweet/status/1468548924600459267", + "https://persistence-info.github.io/Data/ifilters.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ 
@@ -1965,10 +1965,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/M_haggis/status/1699056847154725107", + "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -2057,9 +2057,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", "https://twitter.com/nas_bench/status/1626648985824788480", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", + "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], 
@@ -2249,8 +2249,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ 
@@ -2285,17 +2285,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -2472,39 +2472,6 @@ "uuid": "e7b18879-676e-4a0e-ae18-27039185a8e7", "value": "New Netsh Helper DLL Registered From A Suspicious Location" }, - { - "description": "Detects potential COM object hijacking leveraging the COM Search Order", - "meta": { - "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", - "creation_date": "2020-04-14", - "falsepositive": [ - "Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level" - ], - "filename": "registry_set_persistence_search_order.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ] - }, - "related": [ - { - "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", - "value": "Potential Persistence Via COM Search Order Hijacking" - }, { "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", "meta": { 
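Review bot: Removing the value `Potential Persistence Via COM Search Order Hijacking` (uuid `a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12`) outright leaves any other cluster value that points at that uuid through a `related` entry with a dangling reference, and any event already tagged with it loses its mapping; a search for the uuid across the clusters before merging would confirm whether that is the case. Since the rest of the patch is pure reordering, it is not clear from the diff whether the Sigma rule was retired upstream or the generator simply skipped it, and the commit message should say which. If the project keeps uuids stable for retired entries, marking the value as deprecated rather than deleting it would be the safer change.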
@@ -2518,8 +2485,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", + "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" ], "tags": [ @@ -2552,8 +2519,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", "https://youtu.be/zSihR3lTf7g", + "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ 
@@ -2643,16 +2610,16 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", "https://blog.sekoia.io/darkgate-internals/", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ 
@@ -2820,9 +2787,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -2855,8 +2822,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/", "https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci", + "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml" ], "tags": [ 
@@ -2890,13 +2857,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ @@ -2929,8 +2896,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", + "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" ], 
@@ -2966,9 +2933,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ @@ -3024,9 +2991,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ @@ -3049,9 +3016,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/ransomware-families/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", - "https://unit42.paloaltonetworks.com/ransomware-families/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], "tags": [ 
@@ -3110,9 +3077,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ @@ -3145,9 +3112,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf", - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", + "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml" ], "tags": [ 
@@ -3181,8 +3148,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ @@ -3217,9 +3184,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ @@ -3285,8 +3252,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" ], "tags": [ 
@@ -3309,10 +3276,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", - "https://github.com/elastic/detection-rules/issues/1371", "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://github.com/elastic/detection-rules/issues/1371", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -3477,9 +3444,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ @@ -3653,8 +3620,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://learn.microsoft.com/en-us/windows/win32/shell/app-registration", + "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" ], "tags": [ 
@@ -3687,11 +3654,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" @@ -3795,8 +3762,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", "https://persistence-info.github.io/Data/mpnotify.html", + "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml" ], "tags": [ 
@@ -3852,8 +3819,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/_vivami/status/1347925307643355138", "https://vanmieghem.io/stealth-outlook-persistence/", + "https://twitter.com/_vivami/status/1347925307643355138", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml" ], "tags": [ @@ -3910,8 +3877,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01", "Internal Research", + "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml" ], "tags": [ @@ -4011,8 +3978,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1", "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", + "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1", "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware", "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml" 
@@ -4071,9 +4038,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -4139,9 +4106,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", - "https://github.com/gtworek/PSBits/tree/master/SIP", "https://persistence-info.github.io/Data/codesigning.html", + "https://github.com/gtworek/PSBits/tree/master/SIP", + "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" ], "tags": [ @@ -4175,8 +4142,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://persistence-info.github.io/Data/autodialdll.html", + "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" ], "tags": [ 
@@ -4232,8 +4199,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior", + "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml" ], "tags": [ @@ -4432,8 +4399,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" ], "tags": [ @@ -4569,8 +4536,8 @@ "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", - "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change", + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml" ], "tags": [ 
@@ -4678,8 +4645,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", "https://github.com/rootm0s/WinPwnage", + "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ @@ -4837,9 +4804,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], "tags": [ @@ -4929,8 +4896,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/dez_/status/1560101453150257154", "https://forensafe.com/blogs/typedpaths.html", + "https://twitter.com/dez_/status/1560101453150257154", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" ], "tags": [ 
@@ -5019,8 +4986,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" ], "tags": [ @@ -5086,8 +5053,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/WhichbufferArda/status/1543900539280293889", "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", + "https://twitter.com/WhichbufferArda/status/1543900539280293889", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" ], "tags": [ @@ -5222,9 +5189,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/pabraeken/status/998627081360695297", "https://twitter.com/VakninHai/status/1517027824984547329", - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ 
@@ -5298,8 +5265,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1560536653709598721",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://twitter.com/malmoeb/status/1560536653709598721",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
 ],
 "tags": [
@@ -5323,8 +5290,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
@@ -5560,9 +5527,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
 ],
 "tags": [
@@ -5630,10 +5597,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
 ],
 "tags": [
@@ -5667,9 +5634,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
 ],
 "tags": [
@@ -5743,8 +5710,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/",
 "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials",
+ "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/",
 "https://adsecurity.org/?p=1785",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml"
 ],
@@ -5778,9 +5745,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml"
 ],
@@ -6027,8 +5994,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml"
 ],
 "tags": [
@@ -6095,8 +6062,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/wer_debugger.html",
 "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
+ "https://persistence-info.github.io/Data/wer_debugger.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
 ],
 "tags": [
@@ -6194,8 +6161,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
 ],
 "tags": [
@@ -6360,9 +6327,9 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "http://woshub.com/how-to-clear-rdp-connections-history/",
 "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
 "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
+ "http://woshub.com/how-to-clear-rdp-connections-history/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
 "tags": [
@@ -6403,11 +6370,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
- "https://learn.microsoft.com/en-us/windows/win32/shell/launch",
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
 "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
 "https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
+ "https://learn.microsoft.com/en-us/windows/win32/shell/launch",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -6585,9 +6552,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://adepts.of0x.cc/netsh-portproxy-code/",
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://www.dfirnotes.net/portproxy_detection/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://adepts.of0x.cc/netsh-portproxy-code/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
 ],
 "tags": [
@@ -6622,8 +6589,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
 "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml"
 ],
 "tags": [
@@ -6657,8 +6624,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/inversecos/status/1494174785621819397",
- "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
 "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
+ "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml"
 ],
 "tags": [
@@ -6691,11 +6658,11 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
 "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
 "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
 "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
 "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
 ],
 "tags": [
@@ -6765,10 +6732,10 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
 "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
- "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://github.com/hfiref0x/UACME",
 "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
+ "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
 ],
 "tags": [
@@ -6810,8 +6777,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://twitter.com/pabraeken/status/990717080805789697",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"
 ],
 "tags": [
@@ -7111,8 +7078,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
 ],
 "tags": [
@@ -7461,8 +7428,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://wikileaks.org/vault7/#Pandemic",
 "https://twitter.com/MalwareJake/status/870349480356454401",
+ "https://wikileaks.org/vault7/#Pandemic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml"
 ],
 "tags": [
@@ -7565,8 +7532,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1183745981189427200",
 "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
+ "https://twitter.com/SBousseaden/status/1183745981189427200",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml"
 ],
 "tags": [
@@ -7778,9 +7745,9 @@
 "refs": [
 "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
 "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
 "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
 "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
 ],
 "tags": [
@@ -7880,8 +7847,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
 "https://persistence-info.github.io/Data/amsi.html",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml"
 ],
 "tags": [
@@ -7904,8 +7871,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
 "https://persistence-info.github.io/Data/diskcleanuphandler.html",
+ "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml"
 ],
 "tags": [
@@ -7962,8 +7929,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
 "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml"
 ],
 "tags": [
@@ -8374,8 +8341,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "Internal Research",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml"
 ],
 "tags": [
@@ -8408,9 +8375,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
 "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml"
 ],
@@ -8581,9 +8548,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
+ "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
 "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://cydefops.com/devtunnels-unleashed",
- "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml"
 ],
 "tags": [
@@ -8816,9 +8783,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://malware.guide/browser-hijacker/remove-onelaunch-virus/",
- "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf",
 "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/",
+ "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf",
+ "https://malware.guide/browser-hijacker/remove-onelaunch-virus/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml"
 ],
 "tags": [
@@ -8851,8 +8818,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
 "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
+ "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml"
 ],
 "tags": [
@@ -8894,11 +8861,14 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
 "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
+ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/",
 "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"
 ],
 "tags": [
@@ -8932,17 +8902,17 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml"
 ],
 "tags": [
@@ -9013,8 +8983,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://github.com/kavika13/RemCom",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml"
 ],
 "tags": [
@@ -9126,8 +9096,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md",
 "https://github.com/poweradminllc/PAExec",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml"
 ],
 "tags": [
@@ -9203,8 +9173,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://blog.hackvens.fr/articles/CoercedPotato.html",
 "https://github.com/hackvens/CoercedPotato",
+ "https://blog.hackvens.fr/articles/CoercedPotato.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml"
 ],
 "tags": [
@@ -9238,8 +9208,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/zcgonvh/EfsPotato",
 "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
+ "https://github.com/zcgonvh/EfsPotato",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml"
 ],
 "tags": [
@@ -9338,11 +9308,11 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://twitter.com/d4rksystem/status/1357010969264873472",
- "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
- "https://github.com/SigmaHQ/sigma/issues/253",
+ "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
+ "https://github.com/SigmaHQ/sigma/issues/253",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml"
 ],
 "tags": [
@@ -9410,8 +9380,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml"
 ],
 "tags": [
@@ -9478,8 +9448,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml"
 ],
 "tags": [
@@ -9684,8 +9654,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
+ "https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml"
 ],
 "tags": [
@@ -9766,9 +9736,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/GhostPack/KeeThief",
 "https://github.com/denandz/KeeFarce",
 "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
- "https://github.com/GhostPack/KeeThief",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
 ],
 "tags": [
@@ -9801,8 +9771,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/",
 "https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/",
+ "https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml"
 ],
 "tags": [
@@ -9877,8 +9847,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
 "https://twitter.com/SBousseaden/status/1090588499517079552",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml"
 ],
 "tags": [
@@ -9936,8 +9906,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
 "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
+ "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml"
 ],
 "tags": [
@@ -10269,8 +10239,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
 "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
+ "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml"
 ],
 "tags": [
@@ -10337,8 +10307,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml"
 ],
 "tags": [
@@ -10553,8 +10523,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
 "https://github.com/GhostPack/SafetyKatz",
+ "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml"
 ],
 "tags": [
@@ -10712,8 +10682,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml"
 ],
 "tags": [
@@ -10770,9 +10740,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
 ],
 "tags": [
@@ -10805,9 +10775,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
- "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
 "https://en.wikipedia.org/wiki/IExpress",
+ "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
+ "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml"
 ],
 "tags": [
@@ -10953,8 +10923,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
 "https://twitter.com/cyb3rops/status/1552932770464292864",
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
 ],
 "tags": [
@@ -10990,10 +10960,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -11026,8 +10996,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
 "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
 "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml"
 ],
@@ -11141,8 +11111,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
 "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
+ "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml"
 ],
 "tags": [
@@ -11367,10 +11337,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", - "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", "https://github.com/Yaxser/Backstab", + "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", + "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" ], "tags": [ @@ -11504,8 +11474,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/12", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" ], "tags": [ @@ -11538,8 +11508,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml" ], "tags": [ 
@@ -11574,8 +11544,8 @@ "logsource.product": "windows", "refs": [ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", - "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "Internal Research", + "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], "tags": [ @@ -11633,8 +11603,8 @@ "logsource.product": "windows", "refs": [ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], @@ -11815,8 +11785,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ 
@@ -12022,8 +11992,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "http://www.irongeek.com/homoglyph-attack-generator.php", "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", + "http://www.irongeek.com/homoglyph-attack-generator.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml" ], "tags": [ @@ -12281,8 +12251,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://github.com/Porchetta-Industries/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml" ], "tags": [ @@ -12428,9 +12398,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "http://addbalance.com/word/startup.htm", - "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", + "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", + "http://addbalance.com/word/startup.htm", "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" ], 
@@ -12505,8 +12475,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" ], "tags": [ 
@@ -12563,26 +12533,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/besimorhino/powercat", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/adrecon/ADRecon", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/samratashok/nishang", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", + "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/besimorhino/powercat", - 
"https://github.com/AlsidOfficial/WSUSpendu/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/samratashok/nishang", + "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -12735,11 +12705,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://www.google.com/search?q=procdump+lsass", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://github.com/helpsystems/nanodump", + "https://www.google.com/search?q=procdump+lsass", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/CCob/MirrorDump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" ], 
@@ -12841,10 +12811,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", - "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": [ @@ -13075,8 +13045,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" ], "tags": [ 
@@ -13133,9 +13103,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", - "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", + "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -13261,10 +13231,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], "tags": [ 
@@ -13397,8 +13367,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/14", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ @@ -13629,9 +13599,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], "tags": [ @@ -13698,8 +13668,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" ], "tags": [ 
@@ -13797,9 +13767,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" ], "tags": [ @@ -13889,11 +13859,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://twitter.com/luc4m/status/1073181154126254080", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ 
@@ -13926,10 +13896,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/ntds-dit/", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://pentestlab.blog/tag/ntds-dit/", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ @@ -13962,8 +13932,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml" ], "tags": [ @@ -14096,9 +14066,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/FireFart/hivenightmare/", - "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ 
@@ -14132,9 +14102,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], "tags": [ @@ -14243,8 +14213,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ @@ -14311,8 +14281,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], 
@@ -14369,9 +14339,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ @@ -14437,8 +14407,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" ], "tags": [ @@ -14471,9 +14441,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml" ], "tags": [ 
@@ -14540,8 +14510,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ @@ -14566,11 +14536,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", + "https://twitter.com/pfiatde/status/1681977680688738305", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://twitter.com/pfiatde/status/1681977680688738305", - "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ 
@@ -14603,8 +14573,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://www.joesandbox.com/analysis/465533/0/html", + "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" ], "tags": [ @@ -14687,11 +14657,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://twitter.com/luc4m/status/1073181154126254080", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ 
@@ -14724,8 +14694,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", + "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" ], "tags": [ @@ -14784,12 +14754,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://twitter.com/MaD_c4t/status/1623414582382567424", "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", - "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ 
@@ -15047,8 +15017,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://twitter.com/0gtweet/status/1465282548494487554", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" ], "tags": [ @@ -15137,11 +15107,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], 
@@ -15289,9 +15259,9 @@ "refs": [ "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", - "https://github.com/cube0x0/CVE-2021-36934", - "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/FireFart/hivenightmare", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -15324,8 +15294,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", + "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -15392,8 +15362,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml" ], "tags": [ 
@@ -15495,8 +15465,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml" ], "tags": [ @@ -15716,6 +15686,29 @@ "uuid": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", "value": "Unusual File Deletion by Dns.exe" }, + { + "description": "Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.\n", + "meta": { + "author": "Max Altgelt (Nextron Systems)", + "creation_date": "2024-09-03", + "falsepositive": [ + "Some false positives are to be expected from uninstallers." + ], + "filename": "file_delete_win_delete_own_image.yml", + "level": "medium", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml" + ], + "tags": [ + "attack.defense-evasion" + ] + }, + "uuid": "f01d1f70-cd41-42ec-9c0b-26dd9c22bf29", + "value": "Process Deletion of Its Own Executable" + }, { "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", "meta": { 
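Review bot: The new `Process Deletion of Its Own Executable` entry carries only the tactic tag `attack.defense-evasion` and no ATT&CK technique tag, so the galaxy cannot relate it to a technique cluster the way `attack.tXXXX`-tagged entries are; self-deletion of a process image is the File Deletion sub-technique, so `"tags": ["attack.defense-evasion", "attack.t1070.004"]` is the natural fit, assuming the upstream Sigma rule tags it that way (this file appears to be generated from SigmaHQ, so the correction belongs upstream or in the generator rather than a hand edit). The description also ends with a literal `\n` (`...hide its traces.\n`) while the neighbouring entry `Detects the deletion of IIS WebServer access logs ...` does not, which suggests the YAML block scalar was not stripped on conversion and will show as a stray line break in the MISP UI. The `falsepositive` list names only uninstallers, but self-removing installer stubs and auto-updaters that delete their temporary executable after extraction are common on workstations, so a `medium`-level rule will likely need an exclusion on the process image path before the alert is actionable.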
@@ -15830,7 +15823,7 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", + "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://github.com/cube0x0/CVE-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" ], @@ -15968,8 +15961,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ @@ -16035,9 +16028,9 @@ "logsource.category": "file_executable_detected", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://en.wikipedia.org/wiki/IExpress", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml" ], "tags": [ 
@@ -16070,8 +16063,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/PhilipTsukerman/status/992021361106268161", "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", + "https://twitter.com/PhilipTsukerman/status/992021361106268161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml" ], "tags": [ @@ -16196,8 +16189,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", + "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -16230,9 +16223,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ 
@@ -16483,8 +16476,8 @@ "logsource.product": "windows", "refs": [ "https://redcanary.com/threat-detection-report/threats/qbot/", - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -16517,10 +16510,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://twitter.com/splinter_code/status/1483815103279603714", "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": [ @@ -16571,9 +16564,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://twitter.com/bohops/status/1477717351017680899?s=12", "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml" ], "tags": [ 
@@ -16663,9 +16656,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ @@ -16731,8 +16724,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/Rubeus", "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://github.com/GhostPack/Rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], 
@@ -16783,12 +16776,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", + "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", + "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", + "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", - "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", - "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" ], "tags": [ 
@@ -16821,13 +16814,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ @@ -16860,9 +16853,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", - "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" ], "tags": [ 
@@ -16904,8 +16897,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" ], "tags": [ @@ -16939,8 +16932,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/bash/rar.html", "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", + "https://ss64.com/bash/rar.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], @@ -16974,8 +16967,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", + "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml" ], "tags": [ 
@@ -17031,8 +17024,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019", "https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", + "https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml" ], "tags": [ @@ -17166,8 +17159,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml" ], "tags": [ @@ -17233,10 +17226,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", - "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", "https://en.wikipedia.org/wiki/IExpress", "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" ], "tags": [ 
@@ -17302,8 +17295,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" @@ -17420,9 +17413,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ 
@@ -17492,8 +17485,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" ], "tags": [ @@ -17526,8 +17519,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml" ], @@ -17561,8 +17554,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://www.pingcastle.com/documentation/scanner/", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml" ], "tags": [ @@ -17713,8 +17706,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/GhostPack/Seatbelt", + "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" ], "tags": [ 
@@ -17763,9 +17756,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" ], "tags": [ @@ -17930,8 +17923,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", "https://github.com/mandiant/SharPersist", + "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml" ], "tags": [ 
@@ -17987,13 +17980,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/zcgonvh/NTDSDumpEx", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://github.com/zcgonvh/NTDSDumpEx", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://pentestlab.blog/tag/ntds-dit/", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -18059,8 +18052,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ @@ -18093,8 +18086,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.qemu.org/docs/master/system/invocation.html#hxtool-5", "https://securelist.com/network-tunneling-with-qemu/111803/", + "https://www.qemu.org/docs/master/system/invocation.html#hxtool-5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml" ], "tags": [ 
@@ -18315,8 +18308,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules", "Internal Research", + "https://tools.thehacker.recipes/mimikatz/modules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" ], "tags": [ @@ -18504,9 +18497,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://adepts.of0x.cc/netsh-portproxy-code/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ 
@@ -18615,9 +18608,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], @@ -18728,9 +18721,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", - "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], 
@@ -18798,9 +18791,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", + "https://github.com/cloudflare/cloudflared", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ @@ -19095,8 +19088,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2", + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml" ], "tags": [ @@ -19129,8 +19122,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" ], "tags": [ 
@@ -19231,8 +19224,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", + "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml" ], "tags": [ @@ -19273,8 +19266,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml" ], "tags": [ @@ -19307,9 +19300,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ 
@@ -19367,11 +19360,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/vysecurity/status/885545634958385153", "https://twitter.com/Hexacorn/status/885570278637678592", - "https://twitter.com/Hexacorn/status/885553465417756673", "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", + "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://twitter.com/Hexacorn/status/885553465417756673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ @@ -19518,8 +19511,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" ], "tags": [ @@ -19575,8 +19568,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1451237393017839616", "https://github.com/Tylous/ZipExec", + "https://twitter.com/SBousseaden/status/1451237393017839616", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml" ], "tags": [ 
@@ -19692,9 +19685,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", - "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" ], "tags": [ @@ -19786,8 +19779,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", + "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ @@ -20146,8 +20139,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://pentestlab.blog/tag/svchost/", + "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml" ], "tags": [ @@ -20179,9 +20172,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/chromeloader/", "https://emkc.org/s/RJjuLa", "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://redcanary.com/blog/chromeloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" ], "tags": [ 
@@ -20214,8 +20207,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" ], "tags": [ @@ -20452,8 +20445,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml" ], "tags": [ @@ -20519,9 +20512,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", - "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml" ], "tags": [ 
@@ -20577,10 +20570,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml" ], "tags": [ @@ -20664,8 +20657,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", + "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml" ], "tags": [ 
@@ -20739,11 +20732,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", - "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://twitter.com/aceresponder/status/1636116096506818562", "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", + "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", + "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ @@ -20777,9 +20770,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ 
@@ -20924,9 +20917,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://twitter.com/egre55/status/1087685529016193025",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
 ],
@@ -20960,8 +20953,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml"
 ],
 "tags": [
@@ -20994,10 +20987,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
- "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
 "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml"
 ],
 "tags": [
@@ -21030,8 +21023,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml"
 ],
@@ -21136,8 +21129,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"
 ],
@@ -21281,8 +21274,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml"
 ],
 "tags": [
@@ -21316,10 +21309,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
- "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"
 ],
 "tags": [
@@ -21466,8 +21459,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"
 ],
 "tags": [
@@ -21534,8 +21527,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/windowsterminalprofile.html",
 "https://twitter.com/nas_bench/status/1550836225652686848",
+ "https://persistence-info.github.io/Data/windowsterminalprofile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
 ],
 "tags": [
@@ -21580,6 +21573,40 @@
 "uuid": "62b20d44-1546-4e61-afce-8e175eb9473c",
 "value": "Service StartupType Change Via PowerShell Set-Service"
 },
+ {
+ "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n",
+ "meta": {
+ "author": "frack113, Florian Roth (Nextron Systems), Josh Nickels",
+ "creation_date": "2024-09-02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_cli_obfuscation_unicode_img.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "584bca0f-3608-4402-80fd-4075ff6072e3",
+ "value": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image"
+ },
 {
 "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents",
 "meta": {
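Review bot: The `description` of the new entry ends with a literal `\n` just before the closing quote (`...on the system or in transit.\n"`), while no other entry on this page carries a trailing newline; this looks like the multi-line YAML description of the upstream rule being copied without trimming, so the generator should strip trailing whitespace before emitting the field. Leaving it in makes the value inconsistent with the rest of the cluster and shows up as a dangling blank line wherever the description is rendered.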
@@ -21593,8 +21620,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
 "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
+ "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
 ],
 "tags": [
@@ -21635,10 +21662,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml"
 ],
 "tags": [
@@ -21796,10 +21823,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html",
- "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
- "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
+ "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html",
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml"
 ],
 "tags": [
@@ -21856,8 +21883,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_st0pp3r_/status/1560072680887525378",
 "https://twitter.com/Oddvarmoe/status/993383596244258816",
+ "https://twitter.com/_st0pp3r_/status/1560072680887525378",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml"
 ],
 "tags": [
@@ -22082,11 +22109,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://man.openbsd.org/ssh_config#ProxyCommand",
- "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
 "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
- "https://gtfobins.github.io/gtfobins/ssh/",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
 "https://man.openbsd.org/ssh_config#LocalCommand",
+ "https://gtfobins.github.io/gtfobins/ssh/",
+ "https://man.openbsd.org/ssh_config#ProxyCommand",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml"
 ],
 "tags": [
@@ -22119,10 +22146,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
 ],
 "tags": [
@@ -22165,9 +22192,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
- "https://www.intrinsec.com/apt27-analysis/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.intrinsec.com/apt27-analysis/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
 ],
 "tags": [
@@ -22407,9 +22434,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"
 ],
 "tags": [
@@ -22510,8 +22537,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/med0x2e/status/1520402518685200384",
 "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
+ "https://twitter.com/med0x2e/status/1520402518685200384",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml"
 ],
 "tags": [
@@ -22587,8 +22614,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml"
 ],
 "tags": [
@@ -22722,8 +22749,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/993298228840992768",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
+ "https://twitter.com/pabraeken/status/993298228840992768",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml"
 ],
 "tags": [
@@ -22765,9 +22792,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
 "https://redcanary.com/blog/msix-installers/",
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
- "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
 "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml"
 ],
@@ -22985,10 +23012,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
- "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
- "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
 "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
+ "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
+ "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
+ "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml"
 ],
 "tags": [
@@ -23195,8 +23222,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
+ "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
 "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"
 ],
@@ -23264,13 +23291,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://positive.security/blog/ms-officecmd-rce",
- "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
 "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
- "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
- "https://github.com/mttaggart/quasar",
- "https://taggart-tech.com/quasar-electron/",
+ "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
+ "https://positive.security/blog/ms-officecmd-rce",
 "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://taggart-tech.com/quasar-electron/",
+ "https://github.com/mttaggart/quasar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
 ],
 "tags": [
@@ -23326,9 +23353,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://twitter.com/frack113/status/1555830623633375232",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"
 ],
 "tags": [
@@ -23428,8 +23455,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Oddvarmoe/status/1641712700605513729",
 "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup",
+ "https://twitter.com/Oddvarmoe/status/1641712700605513729",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml"
 ],
 "tags": [
@@ -23452,11 +23479,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
- "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
 "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
 ],
 "tags": [
@@ -23489,13 +23516,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://asec.ahnlab.com/en/78944/",
 "https://docs.microsoft.com/en-us/sql/tools/bcp-utility",
 "https://asec.ahnlab.com/en/61000/",
- "https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/",
+ "https://www.huntress.com/blog/attacking-mssql-servers",
+ "https://asec.ahnlab.com/en/78944/",
 "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii",
- "https://www.huntress.com/blog/attacking-mssql-servers",
+ "https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml"
 ],
 "tags": [
@@ -23528,9 +23555,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.echotrail.io/insights/search/wermgr.exe",
 "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
 "https://github.com/binderlabs/DirCreate2System",
- "https://www.echotrail.io/insights/search/wermgr.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
 ],
 "tags": [
@@ -23573,8 +23600,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
 "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
 ],
@@ -23664,8 +23691,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend",
 "https://twitter.com/0gtweet/status/1638069413717975046",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml"
 ],
 "tags": [
@@ -23699,8 +23726,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"
 ],
 "tags": [
@@ -23767,8 +23794,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml"
 ],
 "tags": [
@@ -23801,8 +23828,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml"
 ],
 "tags": [
@@ -23877,8 +23904,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"
 ],
 "tags": [
@@ -23945,9 +23972,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://tria.ge/240521-ynezpagf56/behavioral1",
- "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/",
 "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/",
 "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091",
+ "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml"
 ],
 "tags": [
@@ -24015,10 +24042,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://twitter.com/cglyer/status/1355171195654709249",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
 ],
@@ -24052,8 +24079,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
 "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml"
 ],
 "tags": [
@@ -24265,8 +24292,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"
 ],
 "tags": [
@@ -24376,8 +24403,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
 "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml"
 ],
 "tags": [
@@ -24443,8 +24470,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
 ],
 "tags": [
@@ -24511,8 +24538,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
 "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core",
+ "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml"
 ],
 "tags": [
@@ -24545,13 +24572,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/vletoux/pingcastle",
 "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
 "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
- "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
- "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
 "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
 "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
- "https://github.com/vletoux/pingcastle",
+ "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
+ "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml"
 ],
 "tags": [
@@ -24571,6 +24598,41 @@
 "uuid": "b37998de-a70b-4f33-b219-ec36bf433dc0",
 "value": "PUA - PingCastle Execution From Potentially Suspicious Parent"
 },
+ {
+ "description": "Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse",
+ "meta": {
+ "author": "Michael Haag",
+ "creation_date": "2024-09-03",
+ "falsepositive": [
+ "Legitimate PowerShell Web Access installations by administrators"
+ ],
+ "filename": "proc_creation_win_dism_enable_powershell_web_access_feature.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
+ "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1548.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f",
+ "value": "PowerShell Web Access Feature Enabled Via DISM"
+ },
 {
 "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension",
 "meta": {
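Review bot: The ATT&CK mapping of the new entry looks internally inconsistent: the tactic tag is `attack.persistence`, but the technique tag `attack.t1548.002` and the related `dest-uuid` `120d5519-3098-4e1c-9191-2aa61232f073` denote, as far as I can tell, Bypass User Account Control, which is a privilege-escalation/defense-evasion sub-technique and does not describe enabling a remote-management feature. Because the `related` entry drives pivots between galaxies in MISP, a wrong dest-uuid silently links this detection to the wrong technique. The tags appear to be copied verbatim from the upstream rule named in `filename`, so the correction belongs in that Sigma rule and a regeneration, not in a hand edit of this cluster.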
@@ -24584,9 +24646,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/chromeloader/",
 "https://emkc.org/s/RJjuLa",
 "https://www.mandiant.com/resources/blog/lnk-between-browsers",
+ "https://redcanary.com/blog/chromeloader/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml"
 ],
 "tags": [
@@ -24619,11 +24681,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
- "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
+ "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml"
 ],
 "tags": [
@@ -24699,11 +24761,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://github.com/helpsystems/nanodump",
 "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
 "https://github.com/Hackndo/lsassy",
- "https://github.com/helpsystems/nanodump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
 "https://github.com/CCob/MirrorDump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"
 ],
@@ -24737,8 +24799,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Oddvarmoe/status/985518877076541440",
 "https://lolbas-project.github.io/lolbas/Binaries/Print/",
+ "https://twitter.com/Oddvarmoe/status/985518877076541440",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml"
 ],
 "tags": [
@@ -24820,8 +24882,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.php.net/manual/en/features.commandline.php",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
 ],
@@ -24880,8 +24942,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
 "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
+ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
 ],
 "tags": [
@@ -24914,8 +24976,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
 "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml"
 ],
 "tags": [
@@ -24981,9 +25043,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml"
 ],
 "tags": [
@@ -25127,10 +25189,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Max_Mal_/status/1633863678909874176",
- "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
 "https://twitter.com/_JohnHammond/status/1588155401752788994",
+ "https://twitter.com/Max_Mal_/status/1633863678909874176",
 "Internal Research",
+ "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml"
 ],
 "tags": [
@@ -25207,40 +25269,6 @@
 "uuid": "f91ed517-a6ba-471d-9910-b3b4a398c0f3",
 "value": "Potentially Suspicious Windows App Activity"
 },
- {
- "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n",
- "meta": {
- "author": "frack113, Florian Roth (Nextron Systems)",
- "creation_date": "2022-01-15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml"
- ],
- "tags": [
- "attack.defense-evasion",
- "attack.t1027"
- ]
- },
- "related": [
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e0552b19-5a83-4222-b141-b36184bb8d79",
- "value": "Potential Commandline Obfuscation Using Unicode Characters"
- },
 {
 "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.",
 "meta": {
@@ -25320,9 +25348,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
 "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
 "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
- "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml"
 ],
 "tags": [
@@ -25425,9 +25453,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
- "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
 "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
 "https://github.com/defaultnamehere/cookie_crimes/",
+ "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml"
 ],
 "tags": [
@@ -25526,9 +25554,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml"
 ],
 "tags": [
@@ -25561,8 +25589,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml"
 ],
 "tags": [
@@ -25687,8 +25715,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
 "https://twitter.com/mrd0x/status/1465058133303246867",
+ "https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml"
 ],
 "tags": [
@@ -25722,9 +25750,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
 "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
 "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
- "https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml"
 ],
 "tags": [
@@ -25808,8 +25836,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml"
 ],
 "tags": [
@@ -25893,8 +25921,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
+ "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml"
 ],
 "tags": [
@@ -25944,8 +25972,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ",
 "https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/",
+ "https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml"
 ],
 "tags": [
@@ -26078,8 +26106,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml"
 ],
 "tags": [
@@ -26114,8 +26142,8 @@
 "refs": [
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
- "https://twitter.com/SBousseaden/status/1211636381086339073",
 "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
+ "https://twitter.com/SBousseaden/status/1211636381086339073",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
 ],
 "tags": [
@@ -26166,8 +26194,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
 "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"
 ],
 "tags": [
@@ -26200,12 +26228,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/raspberry-robin/",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
+ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://redcanary.com/blog/raspberry-robin/",
 "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
- "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml"
 ],
 "tags": [
@@ -26271,8 +26299,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://www.gpg4win.de/documentation.html",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml"
 ],
@@ -26283,6 +26311,40 @@
 "uuid": "550bbb84-ce5d-4e61-84ad-e590f0024dcd",
 "value": "File Encryption Using Gpg4win"
 },
+ {
+ "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022-01-16",
+ "falsepositive": [
+ "Legitimate script"
+ ],
+ "filename": "proc_creation_win_dism_remove.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
+ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9",
+ "value": "Dism Remove Online Package"
+ },
 {
 "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\n",
 "meta": {
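Review bot: The new entry's `description` explains what DISM is rather than what the rule detects, which is the one thing a consumer of this cluster needs; the `filename` (`proc_creation_win_dism_remove.yml`), the `value` and the T1562.001 references indicate it fires on DISM removing an online package or feature, the path the linked Atomic test uses to disable Windows Defender. A description such as `"Detects the use of DISM to remove a package or feature from the running Windows installation, which the referenced reports associate with disabling Windows Defender"` would state the detection and its risk. The `creation_date` of 2022-01-16 on an entry added by this commit suggests the rule existed before and is being re-added, possibly after a rename upstream, which is worth confirming. As the file is generated from the Sigma rule, the wording change belongs upstream before regeneration.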
@@ -26296,10 +26358,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
- "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
 "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml"
 ],
 "tags": [
@@ -26400,8 +26462,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1",
- "https://github.com/nettitude/SharpWSUS",
 "https://labs.nettitude.com/blog/introducing-sharpwsus/",
+ "https://github.com/nettitude/SharpWSUS",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml"
 ],
 "tags": [
@@ -26695,8 +26757,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Gal_B1t/status/1062971006078345217",
 "https://twitter.com/hexacorn/status/1448037865435320323",
+ "https://twitter.com/Gal_B1t/status/1062971006078345217",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml"
 ],
 "tags": [
@@ -26729,8 +26791,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml"
 ],
 "tags": [
@@ -26873,8 +26935,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
 "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
+ "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"
 ],
 "tags": [
@@ -26964,8 +27026,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
 ],
 "tags": [
@@ -26999,11 +27061,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
 "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
 "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
 "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"
 ],
 "tags": [
@@ -27096,10 +27158,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://github.com/antonioCoco/RogueWinRM",
 "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
+ "https://github.com/antonioCoco/RogueWinRM",
 "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
 ],
 "tags": [
@@ -27280,8 +27342,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml"
 ],
 "tags": [
@@ -27370,8 +27432,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1478116126005641220",
 "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
+ "https://twitter.com/mrd0x/status/1478116126005641220",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml"
 ],
 "tags": [
@@ -27404,8 +27466,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1463526834918854661",
 "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
+ "https://twitter.com/mrd0x/status/1463526834918854661",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml"
 ],
 "tags": [
@@ -27513,12 +27575,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.joeware.net/freetools/tools/adfind/",
 "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
 ],
 "tags": [
@@ -27649,8 +27711,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml"
 ],
 "tags": [
@@ -27716,10 +27778,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.intrinsec.com/akira_ransomware/",
+ "https://github.com/cloudflare/cloudflared/releases",
 "https://github.com/cloudflare/cloudflared",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
- "https://github.com/cloudflare/cloudflared/releases",
+ "https://www.intrinsec.com/akira_ransomware/",
 "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml"
 ],
@@ -27753,9 +27815,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
 "https://twitter.com/nas_bench/status/1534915321856917506",
 "https://twitter.com/nas_bench/status/1534916659676422152",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml"
 ],
 "tags": [
@@ -27831,8 +27893,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://www.gpg4win.de/documentation.html",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml"
 ],
@@ -27958,8 +28020,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
 "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+ "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml"
 ],
 "tags": [
@@ -27992,8 +28054,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
 "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
 "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
 ],
@@ -28176,8 +28238,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
 "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml"
 ],
@@ -28244,8 +28306,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend",
 "https://twitter.com/0gtweet/status/1638069413717975046",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml"
 ],
 "tags": [
@@ -28278,8 +28340,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml"
 ],
 "tags": [
@@ -28379,8 +28441,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/",
 "https://anydesk.com/en/changelog/windows",
+ "https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml"
 ],
 "tags": [
@@ -28498,12 +28560,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
 "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
- "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
 "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
 "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
 "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
+ "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
+ "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml"
 ],
 "tags": [
@@ -28546,9 +28608,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
 "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
 ],
 "tags": [
@@ -28638,8 +28700,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sensepost/impersonate",
 "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
+ "https://github.com/sensepost/impersonate",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml"
 ],
 "tags": [
@@ -28773,8 +28835,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml"
 ],
 "tags": [
@@ -28807,13 +28869,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
 "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
 "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
 "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml"
 ],
 "tags": [
@@ -28846,8 +28908,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
 "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml"
 ],
 "tags": [
@@ -28913,8 +28975,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Hackplayers/evil-winrm",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
+ "https://github.com/Hackplayers/evil-winrm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml"
 ],
 "tags": [
@@ -29047,8 +29109,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/",
 "https://twitter.com/mrd0x/status/1460815932402679809",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml"
 ],
 "tags": [
@@ -29082,8 +29144,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
+ "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"
 ],
 "tags": [
@@ -29116,8 +29178,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://ss64.com/nt/dsacls.html",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
 ],
@@ -29185,8 +29247,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml"
 ],
 "tags": [
@@ -29220,10 +29282,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/EricaZelic/status/1614075109827874817",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
 "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
 "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://twitter.com/EricaZelic/status/1614075109827874817",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml"
 ],
 "tags": [
@@ -29272,8 +29334,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml"
 ],
@@ -29307,8 +29369,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml"
 ],
 "tags": [
@@ -29377,13 +29439,13 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/SigmaHQ/sigma/issues/3742",
 "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
 ],
 "tags": [
@@ -29458,8 +29520,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://twitter.com/bopin2020/status/1366400799199272960",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml"
 ],
 "tags": [
@@ -29501,8 +29563,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
- "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
 "https://twitter.com/Hexacorn/status/1420053502554951689",
+ "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml"
 ],
 "tags": [
@@ -29580,8 +29642,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml"
 ],
 "tags": [
@@ -29614,10 +29676,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
- "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
 "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
+ "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
 ],
 "tags": [
@@ -29715,9 +29777,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://www.nirsoft.net/utils/nircmd.html",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml"
 ],
 "tags": [
@@ -29774,9 +29836,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
 "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml"
 ],
 "tags": [
@@ -29809,9 +29871,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
 ],
 "tags": [
@@ -29869,9 +29931,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
 ],
 "tags": [
@@ -29913,9 +29975,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf",
 "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://redcanary.com/blog/child-processes/",
+ "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml"
 ],
 "tags": [
@@ -29948,9 +30010,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/RedDrip7/status/1506480588827467785",
 "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
 "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/",
+ "https://twitter.com/RedDrip7/status/1506480588827467785",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"
 ],
 "tags": [
@@ -30018,9 +30080,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html",
- "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
 "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist",
+ "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
+ "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"
 ],
 "tags": [
@@ -30094,8 +30156,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
 "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
+ "https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
 ],
@@ -30197,17 +30259,17 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
 "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
 "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
"https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
 ],
 "tags": [
@@ -30257,8 +30319,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cloudflare/cloudflared",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
+ "https://github.com/cloudflare/cloudflared",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml"
 ],
 "tags": [
@@ -30307,8 +30369,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml"
 ],
 "tags": [
@@ -30522,9 +30584,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://redcanary.com/threat-detection-report/",
 "https://www.cobaltstrike.com/help-windows-executable",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml"
 ],
 "tags": [
@@ -30557,10 +30619,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml",
 "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
- "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
 ],
 "tags": [
@@ -30637,9 +30699,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unicode-explorer.com/c/202E",
 "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
 "https://redcanary.com/blog/right-to-left-override/",
+ "https://unicode-explorer.com/c/202E",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml"
 ],
 "tags": [
@@ -30874,9 +30936,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/mrd0x/status/1461041276514623491",
 "https://twitter.com/tccontre18/status/1480950986650832903",
 "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
- "https://twitter.com/mrd0x/status/1461041276514623491",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml"
 ],
 "tags": [
@@ -30910,12 +30972,12 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/",
- "https://www.softperfect.com/products/networkscanner/",
- "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
 "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
 "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
+ "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
+ "https://www.softperfect.com/products/networkscanner/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml"
 ],
 "tags": [
@@ -31057,9 +31119,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
 ],
 "tags": [
@@ -31289,8 +31351,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.d7xtech.com/free-software/runx/",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.d7xtech.com/free-software/runx/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml"
 ],
 "tags": [
@@ -31422,10 +31484,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://twitter.com/ForensicITGuy/status/1334734244120309760",
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://twitter.com/ForensicITGuy/status/1334734244120309760",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
 ],
 "tags": [
@@ -31475,9 +31537,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
 "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
 "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey",
- "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
 ],
 "tags": [
@@ -31511,8 +31573,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/bohops/status/994405551751815170",
- "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
 "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
+ "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"
 ],
 "tags": [
@@ -31545,8 +31607,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml"
 ],
 "tags": [
@@ -31579,10 +31641,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
 "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
 "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
 ],
 "tags": [
@@ -31647,8 +31709,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md",
 "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml"
 ],
 "tags": [
@@ -31823,8 +31885,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
+ "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml"
 ],
 "tags": [
@@ -31874,9 +31936,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
- "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
+ "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps",
+ "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml"
 ],
 "tags": [
@@ -31951,9 +32013,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"
 ],
 "tags": [
@@ -31994,9 +32056,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
- "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
 "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
+ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
+ "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
 ],
 "tags": [
@@ -32031,8 +32093,8 @@
 "refs": [
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
 ],
 "tags": [
@@ -32090,8 +32152,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl",
 "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml"
 ],
 "tags": [
@@ -32157,10 +32219,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
 ],
 "tags": [
@@ -32260,12 +32322,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://isc.sans.edu/diary/22264", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], "tags": [ @@ -32344,8 +32406,8 @@ "logsource.product": "windows", "refs": [ "https://www.phpied.com/make-your-javascript-a-windows-exe/", - "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", "https://twitter.com/DissectMalware/status/998797808907046913", + "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml" ], "tags": [ 
@@ -32598,9 +32660,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", "https://github.com/grayhatkiller/SharpExShell", - "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml" ], "tags": [ @@ -32633,8 +32695,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], @@ -32868,10 +32930,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://twitter.com/nas_bench/status/1535322450858233858", - "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://twitter.com/bohops/status/1276357235954909188?s=12", + "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" ], "tags": [ 
@@ -32904,8 +32966,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://unit42.paloaltonetworks.com/chromeloader-malware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml" ], @@ -32949,9 +33011,9 @@ "logsource.product": "windows", "refs": [ "https://labs.withsecure.com/publications/fin7-target-veeam-servers", - "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -33042,9 +33104,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], "tags": [ 
@@ -33079,13 +33141,13 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://twitter.com/Hexacorn/status/776122138063409152", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/SigmaHQ/sigma/issues/3742", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ @@ -33151,8 +33213,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ 
@@ -33209,8 +33271,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" ], "tags": [ @@ -33266,8 +33328,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://www.scythe.io/library/threat-emulation-qakbot", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml" ], @@ -33324,9 +33386,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", - "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf", + "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", + "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" ], "tags": [ 
@@ -33361,9 +33423,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml" ], "tags": [ @@ -33430,8 +33492,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://twitter.com/pabraeken/status/990717080805789697", + "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml" ], @@ -33465,9 +33527,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", "https://github.com/sensepost/ruler", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], "tags": [ 
@@ -33508,8 +33570,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/regsvr32.exe", "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", + "https://www.echotrail.io/insights/search/regsvr32.exe", "https://redcanary.com/blog/intelligence-insights-april-2022/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml" ], @@ -33633,7 +33695,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/snovvcrash/DInjector", + "https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml" ], "tags": [ @@ -33666,9 +33728,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml" ], @@ -33702,8 +33764,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/3proxy/3proxy", + "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml" ], "tags": [ 
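Review bot: The `refs` arrays in the hunks on this line (regsvr32, agentexecutor, 3proxy) are only permuted, not changed, which suggests the generator serializes references from an unordered collection; that makes every regeneration churn the whole cluster file and buries the one real content change here, the DInjector ref in `proc_creation_win_hktl_dinjector` being swapped for a web.archive.org snapshot. Sorting references before serialization (for example `"refs": sorted(refs)` wherever the generator builds that list, which is not visible in this diff) would make the output reproducible and keep future diffs down to genuine ref additions or replacements. Replacing a removed GitHub repository with an archive snapshot is the right call, since an abandoned `github.com/<user>/<repo>` path can be re-registered by a third party and the ref would then point at content nobody vetted; it is worth confirming the snapshot timestamp in the new URL (`20211001064856`) still reflects the version the rule was written against.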
@@ -33770,10 +33832,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511415432888131586", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", - "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://twitter.com/mrd0x/status/1511489821247684615", + "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", + "https://twitter.com/mrd0x/status/1511415432888131586", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" ], "tags": [ @@ -33815,8 +33877,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter", "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", + "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" ], "tags": [ @@ -33849,9 +33911,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml" ], "tags": [ 
@@ -33884,11 +33946,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", - "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -33929,8 +33991,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-", "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml", + "https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" ], "tags": [ 
@@ -33972,9 +34034,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", + "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], "tags": [ @@ -34030,9 +34092,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", - "https://www.exploit-db.com/exploits/37525", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", + "https://www.exploit-db.com/exploits/37525", + "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], "tags": [ 
@@ -34132,11 +34194,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf", - "https://github.com/AlessandroZ/LaZagne/tree/master", "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/", + "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/", + "https://github.com/AlessandroZ/LaZagne/tree/master", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml" ], "tags": [ @@ -34159,8 +34221,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", "https://redcanary.com/blog/child-processes/", + "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml" ], "tags": [ 
@@ -34293,8 +34355,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", + "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml" ], "tags": [ @@ -34327,8 +34389,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" ], "tags": [ @@ -34361,8 +34423,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", "https://ss64.com/nt/netsh.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml" ], "tags": [ 
@@ -34396,9 +34458,9 @@ "logsource.product": "windows", "refs": [ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], "tags": [ @@ -34431,8 +34493,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/", "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/", + "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/", "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml" @@ -34466,8 +34528,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" ], "tags": [ 
@@ -34500,8 +34562,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/mklink.html", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", + "https://ss64.com/nt/mklink.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml" ], "tags": [ @@ -34580,10 +34642,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" ], "tags": [ 
@@ -34726,12 +34788,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", + "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml" ], "tags": [ 
@@ -34840,9 +34902,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", - "https://github.com/wunderwuzzi23/firefox-cookiemonster", "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://github.com/wunderwuzzi23/firefox-cookiemonster", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], @@ -35079,8 +35141,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://www.revshells.com/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" ], @@ -35114,8 +35176,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml" ], "tags": [ 
@@ -35340,9 +35402,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", - "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml" ], "tags": [ @@ -35399,11 +35461,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyberwar_15/status/1187287262054076416", - "https://en.wikipedia.org/wiki/Hangul_(word_processor)", - "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", - "https://blog.alyac.co.kr/1901", "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", + "https://twitter.com/cyberwar_15/status/1187287262054076416", + "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", + "https://en.wikipedia.org/wiki/Hangul_(word_processor)", + "https://blog.alyac.co.kr/1901", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ 
@@ -35454,10 +35516,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1299071304805560321?s=21", - "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", + "https://twitter.com/0gtweet/status/1299071304805560321?s=21", "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" ], @@ -35558,9 +35620,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml" ], "tags": [ 
@@ -35616,8 +35678,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml" ], "tags": [ @@ -35718,9 +35780,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml" ], "tags": [ @@ -35776,8 +35838,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" ], "tags": [ 
@@ -35971,12 +36033,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/eral4m/status/1479080793003671557", + "https://twitter.com/Hexacorn/status/885258886428725250", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", "https://twitter.com/nas_bench/status/1433344116071583746", - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", - "https://twitter.com/Hexacorn/status/885258886428725250", "https://twitter.com/eral4m/status/1479106975967240209", - "https://twitter.com/eral4m/status/1479080793003671557", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], "tags": [ @@ -36076,8 +36138,8 @@ "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", - "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", + "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" ], "tags": [ @@ -36110,8 +36172,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ 
@@ -36167,8 +36229,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", + "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml" ], "tags": [ @@ -36204,11 +36266,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", + "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -36340,8 +36402,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/quarkslab/quarkspwdump", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml" ], "tags": [ 
@@ -36416,8 +36478,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml" ], @@ -36508,9 +36570,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", - "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", + "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml" ], "tags": [ @@ -36619,8 +36681,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/", + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml" ], "tags": [ 
@@ -36959,11 +37021,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1628720819537936386", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://twitter.com/0gtweet/status/1628720819537936386", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], "tags": [ @@ -37156,9 +37218,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", - "https://github.com/cloudflare/cloudflared", "https://www.intrinsec.com/akira_ransomware/", + "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml" ], 
@@ -37192,8 +37254,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" ], "tags": [ @@ -37240,8 +37302,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" ], "tags": [ @@ -37274,9 +37336,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html", - "https://lab52.io/blog/winter-vivern-all-summer/", "https://hatching.io/blog/powershell-analysis/", + "https://lab52.io/blog/winter-vivern-all-summer/", + "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" ], "tags": [ 
@@ -37377,9 +37439,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
 ],
 "tags": [
@@ -37408,40 +37470,6 @@
 "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e",
 "value": "Suspicious Csi.exe Usage"
 },
- {
- "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images",
- "meta": {
- "author": "frack113",
- "creation_date": "2022-01-16",
- "falsepositive": [
- "Legitimate script"
- ],
- "filename": "proc_creation_win_dsim_remove.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
- "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml"
- ],
- "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9",
- "value": "Dism Remove Online Package"
- },
 {
 "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.",
 "meta": {
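Review bot: The cluster value `43e32da2-fdd0-4156-90de-50dfd62636f9` ("Dism Remove Online Package") is dropped outright, with no deprecation marker and no mention in the commit message, so any `related` entry elsewhere in this galaxy that points at that uuid, and any MISP instance already tagging events with it, is left referencing a value that no longer exists. Before merging, grep the clusters for the uuid as a `dest-uuid` and confirm the removal is intended rather than a side effect of the upstream rule being moved or renamed (the filename `proc_creation_win_dsim_remove.yml` reads like a typo for "dism", which would fit a rename). If the rule was only relocated, the regenerated entry should keep this uuid so existing references stay valid; if it was genuinely retired, keeping the entry and marking it deprecated in its description preserves the tag for historical events. This hunk is entirely inside the top-level `values` array, whose enclosing object starts and ends outside the hunk.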
@@ -37497,9 +37525,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], "tags": [ @@ -37566,8 +37594,8 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", - "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", + "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" ], "tags": [ @@ -37616,9 +37644,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://twitter.com/nas_bench/status/1534957360032120833", "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml" ], "tags": [ 
@@ -37734,8 +37762,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" ], "tags": [ @@ -37870,8 +37898,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml" ], "tags": [ @@ -38024,9 +38052,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", - "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ @@ -38145,8 +38173,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/subTee/status/1216465628946563073", "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", + "https://twitter.com/subTee/status/1216465628946563073", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml" ], "tags": [ 
@@ -38247,8 +38275,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", + "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml" ], "tags": [ @@ -38282,8 +38310,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1457676633809330184", "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", + "https://twitter.com/0gtweet/status/1457676633809330184", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml" ], "tags": [ @@ -38382,9 +38410,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://nodejs.org/api/cli.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], 
@@ -38443,8 +38471,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", + "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml" ], @@ -38479,8 +38507,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml" ], @@ -38514,8 +38542,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml" ], "tags": [ 
@@ -38571,24 +38599,24 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/nishang", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/adrecon/ADRecon", - "https://adsecurity.org/?p=2921", "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/besimorhino/powercat", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/adrecon/AzureADRecon", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/samratashok/nishang", + 
"https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/Kevin-Robertson/Powermad", + "https://adsecurity.org/?p=2921", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" ], "tags": [ @@ -38678,8 +38706,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", + "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml" ], "tags": [ @@ -38736,8 +38764,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/", "https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/", + "https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml" ], "tags": [ 
@@ -38873,8 +38901,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", + "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml" ], "tags": [ @@ -39015,8 +39043,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], @@ -39159,10 +39187,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.intrinsec.com/akira_ransomware/", + "https://github.com/cloudflare/cloudflared/releases", "https://github.com/cloudflare/cloudflared", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", - "https://github.com/cloudflare/cloudflared/releases", + "https://www.intrinsec.com/akira_ransomware/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml" ], 
@@ -39381,8 +39409,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml" ], "tags": [ @@ -39438,9 +39466,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" ], @@ -39507,8 +39535,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", "https://twitter.com/blackorbird/status/1140519090961825792", + "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ 
@@ -39541,8 +39569,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1463526834918854661", "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", + "https://twitter.com/mrd0x/status/1463526834918854661", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml" ], "tags": [ @@ -39576,10 +39604,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", - "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", + "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ 
@@ -39612,9 +39640,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml" ], "tags": [ @@ -39705,12 +39733,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.localpotato.com/", "https://github.com/ohpe/juicy-potato", - "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://www.localpotato.com/", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ 
@@ -39812,10 +39840,10 @@ "logsource.product": "windows", "refs": [ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], @@ -39857,8 +39885,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", + "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml" ], 
@@ -39993,8 +40021,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md", + "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml" ], "tags": [ @@ -40027,9 +40055,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], "tags": [ @@ -40071,9 +40099,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], "tags": [ 
@@ -40170,10 +40198,10 @@ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://twitter.com/xorJosh/status/1598646907802451969", "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://ngrok.com/docs", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", - "https://ngrok.com/docs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ @@ -40309,8 +40337,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml" ], @@ -40380,8 +40408,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1628720819537936386", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://twitter.com/0gtweet/status/1628720819537936386", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], 
@@ -40415,8 +40443,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", + "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ @@ -40492,9 +40520,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", + "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], "tags": [ @@ -40660,8 +40688,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" ], "tags": [ 
@@ -40729,9 +40757,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" ], "tags": [ @@ -40765,11 +40793,11 @@ "logsource.product": "windows", "refs": [ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://twitter.com/egre55/status/1087685529016193025", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], "tags": [ 
@@ -40802,10 +40830,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://twitter.com/hFireF0X/status/897640081053364225", "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://twitter.com/hFireF0X/status/897640081053364225", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], "tags": [ @@ -40850,8 +40878,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml" ], "tags": [ 
@@ -40928,15 +40956,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/Raccine#the-process", "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://github.com/Neo23x0/Raccine#the-process", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ 
@@ -41011,8 +41039,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml" ], @@ -41163,8 +41191,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.radmin.fr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", + "https://www.radmin.fr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" ], "tags": [ @@ -41198,9 +41226,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ 
@@ -41234,9 +41262,9 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", "https://adsecurity.org/?p=2604", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -41269,9 +41297,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ 
@@ -41502,11 +41530,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], @@ -41540,10 +41568,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], "tags": [ 
@@ -41576,9 +41604,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml" ], "tags": [ @@ -41611,8 +41639,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml" ], "tags": [ @@ -41635,10 +41663,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/M_haggis/status/1699056847154725107", + "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ 
@@ -41662,9 +41690,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://en.wikipedia.org/wiki/HTML_Application", "https://www.echotrail.io/insights/search/mshta.exe", - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], "tags": [ @@ -41697,9 +41725,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", - "https://github.com/fireeye/DueDLLigence", "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", + "https://github.com/fireeye/DueDLLigence", + "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ @@ -41817,10 +41845,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], "tags": [ 
@@ -41886,16 +41914,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], 
"tags": [ @@ -41951,11 +41979,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.sevagas.com/?Hacking-around-HTA-files", "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", - "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", - "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "https://twitter.com/mattifestation/status/1326228491302563846", + "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", + "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ 
@@ -42006,15 +42034,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://www.group-ib.com/blog/apt41-world-tour-2021/", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", - "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" ], "tags": [ 
@@ -42125,8 +42153,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57", "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", + "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" ], "tags": [ @@ -42217,10 +42245,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], "tags": [ @@ -42255,8 +42283,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/dez_/status/1560101453150257154", "https://forensafe.com/blogs/typedpaths.html", + "https://twitter.com/dez_/status/1560101453150257154", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml" ], "tags": [ 
@@ -42315,10 +42343,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ @@ -42427,13 +42455,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cobaltstrike.com/help-opsec", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", - "https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool", "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://twitter.com/CyberRaiju/status/1251492025678983169", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", + "https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://www.cobaltstrike.com/help-opsec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ 
@@ -42522,9 +42550,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ @@ -42590,8 +42618,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml" ], "tags": [ @@ -42627,8 +42655,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://twitter.com/pabraeken/status/991335019833708544", + "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ 
@@ -42704,9 +42732,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.echotrail.io/insights/search/wermgr.exe", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/binderlabs/DirCreate2System", - "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" ], "tags": [ @@ -42753,8 +42781,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ @@ -42870,8 +42898,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" ], "tags": [ 
@@ -42928,8 +42956,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", + "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ @@ -42963,8 +42991,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml" ], "tags": [ 
@@ -43088,11 +43116,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", + "https://twitter.com/pfiatde/status/1681977680688738305", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://twitter.com/pfiatde/status/1681977680688738305", - "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -43192,8 +43220,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://twitter.com/mrd0x/status/1478234484881436672?s=12", + "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml" ], "tags": [ 
@@ -43327,8 +43355,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://www.activecyber.us/activelabs/windows-uac-bypass", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://twitter.com/ReaQta/status/1222548288731217921", "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" @@ -43397,9 +43425,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://github.com/SigmaHQ/sigma/issues/1009", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], "tags": [ @@ -43521,8 +43549,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://twitter.com/orange_8361/status/1518970259868626944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml" ], "tags": [ 
@@ -43589,8 +43617,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" ], "tags": [ @@ -43689,8 +43717,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://o365blog.com/aadinternals/", "https://github.com/Gerenios/AADInternals", + "https://o365blog.com/aadinternals/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -43775,8 +43803,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ 
@@ -43941,9 +43969,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://www.nirsoft.net/utils/nircmd.html",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml"
 ],
 "tags": [
@@ -44134,9 +44162,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
- "https://twitter.com/pabraeken/status/993298228840992768",
 "https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/",
+ "https://twitter.com/pabraeken/status/993298228840992768",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
 ],
 "tags": [
@@ -44245,8 +44273,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
 "https://support.anydesk.com/Automatic_Deployment",
+ "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"
 ],
 "tags": [
@@ -44312,8 +44340,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://kb.acronis.com/content/60892",
 "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/",
+ "https://kb.acronis.com/content/60892",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml"
 ],
@@ -44448,9 +44476,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml"
 ],
 "tags": [
@@ -44507,9 +44535,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
 ],
 "tags": [
@@ -44745,10 +44773,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"
 ],
 "tags": [
@@ -44798,8 +44826,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml"
@@ -44983,13 +45011,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1167417096374050817",
- "https://twitter.com/Hexacorn/status/1224848930795552769",
 "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
 "https://twitter.com/Wietze/status/1542107456507203586",
 "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py",
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
 "https://twitter.com/shantanukhande/status/1229348874298388484",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
+ "https://twitter.com/SBousseaden/status/1167417096374050817",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
 ],
 "tags": [
@@ -45032,9 +45060,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
+ "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"
 ],
 "tags": [
@@ -45102,9 +45130,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process",
 "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
 ],
 "tags": [
@@ -45137,8 +45165,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/for.html",
 "https://ss64.com/ps/foreach-object.html",
+ "https://ss64.com/nt/for.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
 ],
@@ -45181,9 +45209,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/mrd0x/status/1461041276514623491",
 "https://twitter.com/tccontre18/status/1480950986650832903",
 "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
- "https://twitter.com/mrd0x/status/1461041276514623491",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"
 ],
 "tags": [
@@ -45216,8 +45244,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml"
 ],
 "tags": [
@@ -45435,8 +45463,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml"
 ],
 "tags": [
@@ -45470,8 +45498,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://h.43z.one/ipconverter/",
 "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://h.43z.one/ipconverter/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml"
 ],
 "tags": [
@@ -45562,9 +45590,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.poweradmin.com/paexec/",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.poweradmin.com/paexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml"
 ],
 "tags": [
@@ -45633,11 +45661,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
 "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
 "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
 "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
+ "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
 ],
 "tags": [
@@ -45670,8 +45698,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
 "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
+ "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml"
 ],
 "tags": [
@@ -45730,8 +45758,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/iagox86/dnscat2",
 "https://github.com/yarrick/iodine",
+ "https://github.com/iagox86/dnscat2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml"
 ],
 "tags": [
@@ -45815,10 +45843,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
 "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml"
 ],
@@ -45852,9 +45880,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/986280382042595328",
- "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+ "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
+ "https://twitter.com/mattifestation/status/986280382042595328",
 "https://atomicredteam.io/defense-evasion/T1220/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"
 ],
@@ -45957,8 +45985,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md",
 "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml"
 ],
 "tags": [
@@ -46078,13 +46106,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/vletoux/pingcastle",
 "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
 "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
- "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
- "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
 "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
 "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
- "https://github.com/vletoux/pingcastle",
+ "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
+ "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml"
 ],
 "tags": [
@@ -46193,8 +46221,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cglyer/status/1183756892952248325",
 "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://twitter.com/cglyer/status/1183756892952248325",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml"
 ],
 "tags": [
@@ -46261,8 +46289,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
 "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml"
 ],
 "tags": [
@@ -46295,8 +46323,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
 "https://github.com/skelsec/pypykatz",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml"
 ],
 "tags": [
@@ -46405,8 +46433,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
 "https://nmap.org/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml"
 ],
 "tags": [
@@ -46439,10 +46467,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bohops/status/980659399495741441",
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
- "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
 "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
+ "https://twitter.com/bohops/status/980659399495741441",
+ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"
 ],
@@ -46611,9 +46639,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
 ],
 "tags": [
@@ -46697,8 +46725,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/WindowsDocs/status/1620078135080325122",
 "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
+ "https://twitter.com/WindowsDocs/status/1620078135080325122",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml"
 ],
 "tags": [
@@ -46789,11 +46817,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://twitter.com/_JohnHammond/status/1708910264261980634",
 "https://twitter.com/egre55/status/1087685529016193025",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://twitter.com/_JohnHammond/status/1708910264261980634",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
 ],
 "tags": [
@@ -46868,11 +46896,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://twitter.com/christophetd/status/1164506034720952320",
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
 "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
 ],
 "tags": [
@@ -47006,8 +47034,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -47030,9 +47058,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"
 ],
 "tags": [
@@ -47117,9 +47145,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://twitter.com/jonasLyk/status/1555914501802921984",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml"
 ],
 "tags": [
@@ -47201,8 +47229,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
 "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml"
 ],
 "tags": [
@@ -47309,8 +47337,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bohops/status/1635288066909966338",
 "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect",
+ "https://twitter.com/bohops/status/1635288066909966338",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml"
 ],
 "tags": [
@@ -47451,8 +47479,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml"
 ],
 "tags": [
@@ -47553,12 +47581,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://positive.security/blog/ms-officecmd-rce",
- "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
- "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
 "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
- "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
+ "https://positive.security/blog/ms-officecmd-rce",
 "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
+ "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml"
 ],
 "tags": [
@@ -47623,8 +47651,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
 "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
+ "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml"
 ],
 "tags": [
@@ -47735,8 +47763,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://ss64.com/nt/dsacls.html",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml"
 ],
 "tags": [
@@ -47869,11 +47897,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/max_mal_/status/1542461200797163522",
 "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
 "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
 "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
+ "https://twitter.com/max_mal_/status/1542461200797163522",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml"
 ],
 "tags": [
@@ -47999,9 +48027,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://boinc.berkeley.edu/",
 "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details",
 "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software",
+ "https://boinc.berkeley.edu/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml"
 ],
 "tags": [
@@ -48076,9 +48104,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
 ],
 "tags": [
@@ -48136,8 +48164,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
 "https://securelist.com/muddywater/88059/",
+ "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml"
 ],
 "tags": [
@@ -48170,8 +48198,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"
 ],
 "tags": [
@@ -48267,9 +48295,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a",
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
 "https://securelist.com/locked-out/68960/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
+ "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml"
 ],
 "tags": [
@@ -48335,10 +48363,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
 "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
 "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
 ],
 "tags": [
@@ -48417,8 +48445,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
 ],
 "tags": [
@@ -48451,8 +48479,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.youtube.com/watch?v=ro2QuZTIMBM",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml"
 ],
 "tags": [
@@ -48475,8 +48503,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
 ],
 "tags": [
@@ -48509,8 +48537,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/eral4m/status/1451112385041911809",
 "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
+ "https://twitter.com/eral4m/status/1451112385041911809",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml"
 ],
 "tags": [
@@ -48633,9 +48661,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://twitter.com/frack113/status/1555830623633375232",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml"
 ],
 "tags": [
@@ -48691,9 +48719,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
 "https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"
 ],
 "tags": [
@@ -48767,8 +48795,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/harleyQu1nn/AggressorScripts",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml"
 ],
 "tags": [
@@ -48801,8 +48829,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/",
 "https://github.com/LOLBAS-Project/LOLBAS/pull/180",
+ "https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml"
 ],
 "tags": [
@@ -48869,8 +48897,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://twitter.com/bopin2020/status/1366400799199272960",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml"
 ],
 "tags": [
@@ -48911,10 +48939,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
 "https://twitter.com/0gtweet/status/1583356502340870144",
- "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml"
 ],
 "tags": [
@@ -48955,8 +48983,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
 "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
 "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
 "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml"
@@ -48992,13 +49020,13 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
 "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
 ],
 "tags": [
@@ -49113,8 +49141,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/GelosSnake/status/934900723426439170",
 "https://asec.ahnlab.com/en/39828/",
+ "https://twitter.com/GelosSnake/status/934900723426439170",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml"
 ],
 "tags": [
@@ -49148,8 +49176,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml"
 ],
 "tags": [
@@ -49217,9 +49245,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
 "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml"
 ],
 "tags": [
@@ -49253,11 +49281,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
+ "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
 "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
 ],
 "tags": [
@@ -49299,10 +49327,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
- "https://vms.drweb.fr/virus/?i=24144899",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
 "https://twitter.com/JohnLaTwC/status/1415295021041979392",
+ "https://vms.drweb.fr/virus/?i=24144899",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
 ],
 "tags": [
@@ -49335,9 +49363,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://attack.mitre.org/software/S0404/",
 "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
 "https://twitter.com/vxunderground/status/1423336151860002816",
- "https://attack.mitre.org/software/S0404/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml"
 ],
 "tags": [
@@ -49571,8 +49599,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
 "https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
+ "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
 ],
 "tags": [
@@ -49605,10 +49633,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
- "https://twitter.com/nas_bench/status/1537896324837781506",
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://twitter.com/nas_bench/status/1537896324837781506",
+ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
 ],
 "tags": [
@@ -49641,8 +49669,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/fatedier/frp",
 "https://asec.ahnlab.com/en/38156/",
+ "https://github.com/fatedier/frp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml"
 ],
 "tags": [
@@ -49676,8 +49704,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt",
- "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt",
 "Internal Research",
+ "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml"
 ],
 "tags": [
@@ -49799,8 +49827,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml"
 ],
 "tags": [
@@ -49866,9 +49894,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery",
 "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
 "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml"
 ],
 "tags": [
@@ -49969,8 +49997,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
 "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
 "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml"
 ],
@@ -50013,8 +50041,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml"
 ],
 "tags": [
@@ -50130,9 +50158,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://h.43z.one/ipconverter/",
 "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
 "https://twitter.com/fr0s7_/status/1712780207105404948",
+ "https://h.43z.one/ipconverter/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
 ],
 "tags": [
@@ -50155,10 +50183,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
 "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml"
 ],
 "tags": [
@@ -50368,8 +50396,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
 "https://www.poweradmin.com/paexec/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
 ],
 "tags": [
@@ -50436,9 +50464,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -50547,9 +50575,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
 ],
 "tags": [
@@ -50582,8 +50610,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
 "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
+ "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml"
 ],
 "tags": [
@@ -50682,9 +50710,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
 "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
 "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml"
 ],
 "tags": [
@@ -50920,13 +50948,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.joeware.net/freetools/tools/adfind/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
 ],
 "tags": [
@@ -51019,9 +51047,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://twitter.com/0gtweet/status/1564968845726580736",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+ "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
 ],
 "tags": [
@@ -51096,8 +51124,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.irongeek.com/homoglyph-attack-generator.php",
 "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
+ "http://www.irongeek.com/homoglyph-attack-generator.php",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml"
 ],
 "tags": [
@@ -51138,12 +51166,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
- "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
 "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml"
 ],
 "tags": [
@@ -51218,8 +51246,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"
 ],
 "tags": [
@@ -51252,9 +51280,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/jpillora/chisel/",
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
 "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
+ "https://github.com/jpillora/chisel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml"
 ],
 "tags": [
@@ -51321,8 +51349,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
- "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
 "https://twitter.com/_felamos/status/1204705548668555264",
+ "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml"
 ],
 "tags": [
@@ -51355,8 +51383,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml"
 ],
@@ -51414,10 +51442,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
 "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
 "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
 "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
- "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
 ],
 "tags": [
@@ -51484,8 +51512,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
 ],
 "tags": [
@@ -51602,8 +51630,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
 "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
 ],
 "tags": [
@@ -51807,8 +51835,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
 "https://twitter.com/1ZRR4H/status/1534259727059787783",
+ "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml"
 ],
 "tags": [
@@ -51841,9 +51869,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
- "https://web.archive.org/web/20231210115125/http://www.xuetr.com/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://web.archive.org/web/20231210115125/http://www.xuetr.com/",
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
 ],
 "tags": [
@@ -51999,8 +52027,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+ "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml"
 ],
@@ -52075,8 +52103,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/wmic-for-incident-response/",
 "https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process",
+ "https://www.sans.org/blog/wmic-for-incident-response/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml"
 ],
 "tags": [
@@ -52315,8 +52343,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cw1997/NATBypass",
 "https://github.com/HiwinCN/HTran",
+ "https://github.com/cw1997/NATBypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml"
 ],
 "tags": [
@@ -52428,8 +52456,8 @@
 "refs": [
 "https://twitter.com/vysecurity/status/974806438316072960",
 "https://twitter.com/vysecurity/status/873181705024266241",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
 ],
 "tags": [
@@ -52462,8 +52490,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"
 ],
 "tags": [
@@ -52597,8 +52625,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
 ],
 "tags": [
@@ -52772,10 +52800,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
 "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
+ "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
 ],
 "tags": [
@@ -52866,8 +52894,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
 ],
 "tags": [
@@ -53071,8 +53099,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://twitter.com/pabraeken/status/993497996179492864", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml" ], "tags": [ @@ -53105,8 +53133,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://unit42.paloaltonetworks.com/chromeloader-malware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml" ], @@ -53284,9 +53312,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/frgnca/AudioDeviceCmdlets", "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], "tags": [ 
@@ -53565,8 +53593,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://code.visualstudio.com/docs/remote/tunnels", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml" ], @@ -53635,8 +53663,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml" ], "tags": [ @@ -53712,8 +53740,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml" ], "tags": [ 
@@ -53824,9 +53852,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], "tags": [ @@ -53882,8 +53910,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", + "https://twitter.com/0gtweet/status/1674399582162153472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml" ], "tags": [ @@ -53916,8 +53944,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://twitter.com/mrd0x/status/1478234484881436672?s=12", + "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml" ], "tags": [ 
@@ -53950,8 +53978,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode", "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode", "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml" @@ -53987,8 +54015,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/countuponsec/status/910977826853068800", - "https://twitter.com/countuponsec/status/910969424215232518", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ @@ -54021,10 +54049,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://twitter.com/splinter_code/status/1483815103279603714", "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": [ 
@@ -54093,8 +54121,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://pentestlab.blog/tag/svchost/", + "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml" ], "tags": [ @@ -54199,8 +54227,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", "https://twitter.com/0gtweet/status/1206692239839289344", + "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" ], "tags": [ 
@@ -54469,13 +54497,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" ], "tags": [ 
@@ -54510,10 +54538,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", - "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://twitter.com/gN3mes1s/status/1206874118282448897", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" ], @@ -54615,9 +54643,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" ], "tags": [ @@ -54684,8 +54712,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/logman.html", "https://twitter.com/0gtweet/status/1359039665232306183?s=21", + "https://ss64.com/nt/logman.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" ], "tags": [ 
@@ -54726,8 +54754,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -54851,9 +54879,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/151", "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", + "https://github.com/LOLBAS-Project/LOLBAS/pull/151", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml" ], "tags": [ @@ -54895,8 +54923,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/harr0ey/status/991670870384021504", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", + "https://twitter.com/harr0ey/status/991670870384021504", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml" ], "tags": [ 
@@ -55031,8 +55059,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml" ], "tags": [ @@ -55098,9 +55126,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" ], "tags": [ @@ -55301,8 +55329,8 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", + "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" ], "tags": [ 
@@ -55336,9 +55364,9 @@ "logsource.product": "windows", "refs": [ "https://zero2auto.com/2020/05/19/netwalker-re/", + "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://redcanary.com/blog/yellow-cockatoo/", - "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ @@ -55430,9 +55458,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected", - "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected", "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected", + "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected", + "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml" ], "tags": [ @@ -55465,9 +55493,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ - "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", - "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ 
@@ -55568,8 +55596,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ @@ -55646,9 +55674,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", "https://cydefops.com/devtunnels-unleashed", - "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml" ], "tags": [ @@ -55792,8 +55820,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332", "https://github.com/mttaggart/OffensiveNotion", + "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml" ], "tags": [ 
@@ -55902,11 +55930,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", "https://youtu.be/n2dFlSaBBKo", - "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", + "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", "https://github.com/looCiprian/GC2-sheet", "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", + "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml" ], "tags": [ @@ -55973,8 +56001,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" ], "tags": [ 
@@ -56040,9 +56068,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2", - "https://github.com/rapid7/metasploit-framework/issues/11337", "https://portmap.io/", + "https://github.com/rapid7/metasploit-framework/issues/11337", + "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml" ], "tags": [ @@ -56187,9 +56215,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/", - "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "Internal Research", + "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml" ], "tags": [ @@ -56256,8 +56284,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" ], "tags": [ 
@@ -56390,11 +56418,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://twitter.com/M_haggis/status/900741347035889665", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://twitter.com/M_haggis/status/1032799638213066752", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml" ], "tags": [ @@ -56460,8 +56488,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", "https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet", + "https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad.yml" ], "tags": [ @@ -56497,8 +56525,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", - "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/", "https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/", + "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml" ], "tags": [ 
@@ -56531,10 +56559,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html", - "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d", - "https://tria.ge/240301-rk34sagf5x/behavioral2", "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", + "https://tria.ge/240301-rk34sagf5x/behavioral2", + "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d", + "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml" ], "tags": [ @@ -56590,9 +56618,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://ngrok.com/blog-post/new-ngrok-domains", - "https://ngrok.com/", "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", + "https://ngrok.com/", + "https://ngrok.com/blog-post/new-ngrok-domains", "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml" ], 
@@ -56626,8 +56654,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md", "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c", + "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml" ], "tags": [ @@ -56660,9 +56688,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt", "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", + "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt", + "https://www.poolwatch.io/coin/monero", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml" ], "tags": [ 
@@ -56771,9 +56799,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml" ], @@ -56849,8 +56877,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml" ], "tags": [ @@ -56917,8 +56945,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications", "https://localtonet.com/documents/supported-tunnels", + "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml" ], "tags": [ 
@@ -56954,6 +56982,39 @@
 "uuid": "3ab65069-d82a-4d44-a759-466661a082d1",
 "value": "Communication To LocaltoNet Tunneling Service Initiated"
 },
+ {
+ "description": "Detects network connections to BTunnels domains initiated by a process on the system.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.\n",
+ "meta": {
+ "author": "Kamran Saifullah",
+ "creation_date": "2024-09-13",
+ "falsepositive": [
+ "Legitimate use of BTunnels will also trigger this."
+ ],
+ "filename": "net_connection_win_domain_btunnels.yml",
+ "level": "medium",
+ "logsource.category": "network_connection",
+ "logsource.product": "windows",
+ "refs": [
+ "https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_btunnels.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1567.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9e02c8ec-02b9-43e8-81eb-34a475ba7965",
+ "value": "Network Connection Initiated To BTunnels Domains"
+ },
 {
 "description": "Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.\nThis could potentially indicates a remote PowerShell connection.\n",
 "meta": {
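Review bot: The new BTunnels entry's description says the service can be abused "to establish a reverse shell or persistence", yet the only technique tagged is `attack.t1567.001` under `attack.exfiltration` and the single non-Sigma ref is an exfiltration write-up, so a consumer correlating `tags`/`related` with the description gets a persistence claim with no matching technique. The phrase "that feature" also has no antecedent in the sentence. Since `filename` points at the upstream Sigma rule this cluster appears to be generated from, the wording should be corrected there rather than hand-edited here, e.g. `Detects network connections to BTunnels domains initiated by a process on the system.\nAttackers can abuse the tunneling service to move data out of the environment, e.g. for exfiltration.\n`, or alternatively the persistence/C2 tactic tags should be added so description and tags agree. The enclosing `values` array starts and ends outside this hunk.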
@@ -56997,6 +57058,41 @@
 "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045",
 "value": "Potential Remote PowerShell Session Initiated"
 },
+ {
+ "description": "Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.\n",
+ "meta": {
+ "author": "@d4ns4n_ (Wuerth-Phoenix)",
+ "creation_date": "2024-09-02",
+ "falsepositive": [
+ "Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally)."
+ ],
+ "filename": "net_connection_win_remote_access_tools_anydesk_incoming_connection.yml",
+ "level": "medium",
+ "logsource.category": "network_connection",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows",
+ "https://asec.ahnlab.com/en/40263/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.command-and-control",
+ "attack.t1219"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d58ba5c6-0ed7-4b9d-a433-6878379efda9",
+ "value": "Remote Access Tool - AnyDesk Incoming Connection"
+ },
 {
 "description": "Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases\n",
 "meta": {
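Review bot: The `falsepositive` text of the AnyDesk entry is written in first person ("Most of the time I would expect outgoing connections"), which reads as a reviewer aside rather than catalogue data and is out of step with the neutral wording used by every other `falsepositive` string in this file. Because `filename` names the upstream Sigma rule this entry is presumably generated from, the fix belongs in that rule so it is not overwritten on the next regeneration, e.g. `Legitimate incoming connections (e.g. sysadmin or help-desk activity). Locally initiated outgoing connections are the common case; an incoming connection to a listening AnyDesk instance should be verified against expected support activity.` Note also that the description, which says the rule detects "incoming connections", is the only signal of direction here; the cluster carries no detection logic, so analysts need the upstream rule to confirm how incoming is determined. The enclosing `values` array starts and ends outside this hunk.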
@@ -57079,9 +57175,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml" ], @@ -57217,12 +57313,12 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", - "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/", - "https://github.com/kleiton0x00/RedditC2", "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", - "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://twitter.com/kleiton0x7e/status/1600567316810551296", + "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://github.com/kleiton0x00/RedditC2", + "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml" ], "tags": [ 
@@ -57383,8 +57479,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://ngrok.com/", "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://ngrok.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ @@ -57520,8 +57616,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" @@ -57625,10 +57721,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" ], "tags": [ 
@@ -57662,9 +57758,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ @@ -57896,9 +57992,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule", "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/", "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml" ], "tags": [ 
@@ -58086,8 +58182,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", + "https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" ], "tags": [ @@ -58139,8 +58235,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/duzvik/status/1269671601852813320", "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", + "https://twitter.com/duzvik/status/1269671601852813320", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" ], "tags": [ @@ -58315,9 +58411,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/_dirkjan/status/1309214379003588608", "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", - "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ 
@@ -58516,9 +58612,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", - "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ @@ -58551,8 +58647,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file", "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", + "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ @@ -58586,8 +58682,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3458", "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", + "https://adsecurity.org/?p=3458", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" ], "tags": [ 
@@ -58673,6 +58769,39 @@ "uuid": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "value": "First Time Seen Remote Named Pipe" }, + { + "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.\n", + "meta": { + "author": "Elastic, Josh Nickels, Marius Rothenbücher", + "creation_date": "2024-09-04", + "falsepositive": [ + "Users allowed to perform these modifications (user found in field SubjectUserName)" + ], + "filename": "win_security_susp_group_policy_abuse_privilege_addition.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml" + ], + "tags": [ + "attack.privilege-escalation", + "attack.t1484.001" + ] + }, + "related": [ + { + "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1c480e10-7ee1-46d4-8ed2-85f9789e3ce4", + "value": "Group Policy Abuse for Privilege Addition" + }, { "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", "meta": { 
@@ -58747,8 +58876,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://twitter.com/SBousseaden/status/1490608838701166596", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], @@ -58782,8 +58911,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625", "https://twitter.com/SBousseaden/status/1101431884540710913", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" ], "tags": [ 
@@ -58806,6 +58935,47 @@ "uuid": "9eb99343-d336-4020-a3cd-67f3819e68ee", "value": "Account Tampering - Suspicious Failed Logon Reasons" }, + { + "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\n", + "meta": { + "author": "Elastic, Josh Nickels, Marius Rothenbücher", + "creation_date": "2024-09-06", + "falsepositive": [ + "Legitimate execution by system administrators." + ], + "filename": "win_security_susp_group_policy_startup_script_added_to_gpo.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml" + ], + "tags": [ + "attack.privilege-escalation", + "attack.t1484.001", + "attack.t1547" + ] + }, + "related": [ + { + "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "123e4e6d-b123-48f8-b261-7214938acaf0", + "value": "Startup/Logon Script Added to Group Policy Object" + }, { "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", "meta": { 
@@ -58819,8 +58989,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" ], "tags": [ @@ -58997,8 +59167,8 @@ "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], "tags": [ @@ -59021,10 +59191,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ 
@@ -59165,8 +59335,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" ], "tags": [ @@ -59233,8 +59403,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634", - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], "tags": [ 
@@ -59368,9 +59538,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/topotam/PetitPotam", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", + "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ @@ -59470,8 +59640,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3513", "https://www.trustedsec.com/blog/art_of_kerberoast/", + "https://adsecurity.org/?p=3513", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml" ], "tags": [ 
@@ -59504,16 +59674,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ 
@@ -59589,7 +59759,7 @@ "author": "Samir Bousseaden", "creation_date": "2019-04-03", "falsepositive": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks." ], "filename": "win_security_gpo_scheduledtasks.yml", "level": "high", @@ -59598,6 +59768,7 @@ "refs": [ "https://twitter.com/menasec1/status/1106899890377052160", "https://www.secureworks.com/blog/ransomware-as-a-distraction", + "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ @@ -59672,9 +59843,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", - "https://adsecurity.org/?p=3466", "https://msdn.microsoft.com/en-us/library/cc220234.aspx", + "https://adsecurity.org/?p=3466", + "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], "tags": [ @@ -59816,8 +59987,8 @@ "logsource.product": "windows", "refs": [ "https://www.sans.org/webcasts/119395", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ 
@@ -59869,8 +60040,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -59903,8 +60074,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://twitter.com/MsftSecIntel/status/1257324139515269121", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" @@ -60081,9 +60252,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete", - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" ], "tags": [ 
@@ -60142,9 +60313,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1581300963650187264?", - "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", + "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", + "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -60177,8 +60348,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://o365blog.com/post/hybridhealthagent/", "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", + "https://o365blog.com/post/hybridhealthagent/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" ], "tags": [ @@ -60211,8 +60382,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://adsecurity.org/?p=2053", + "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" ], "tags": [ 
@@ -60245,8 +60416,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" ], "tags": [ @@ -60279,9 +60450,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616", "Live environment caused by malware", + "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -60347,10 +60518,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation", "https://x.com/_st0pp3r_/status/1742203752361128162?s=20", "https://github.com/deepinstinct/NoFilter", "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp", + "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml" ], "tags": [ 
@@ -60509,8 +60680,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", - "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", "https://twitter.com/deviouspolack/status/832535435960209408", + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml" ], "tags": [ @@ -60544,9 +60715,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/Flangvik/status/1283054508084473861", "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", + "https://twitter.com/Flangvik/status/1283054508084473861", "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], @@ -60655,9 +60826,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", - "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], "tags": [ 
@@ -60690,9 +60861,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741", - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], "tags": [ @@ -61080,9 +61251,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], "tags": [ 
@@ -61457,9 +61628,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ @@ -61493,8 +61664,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" ], "tags": [ @@ -61828,8 +61999,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "https://twitter.com/menasec1/status/1111556090137903104", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" ], "tags": [ 
@@ -61896,8 +62067,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml" ], "tags": [ @@ -61930,8 +62101,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661", "https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_password_policy_enumerated.yml" ], "tags": [ @@ -61964,8 +62135,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml" ], "tags": [ 
@@ -62040,9 +62211,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", "https://twitter.com/malmoeb/status/1511760068743766026", "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", - "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ @@ -62179,11 +62350,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/sensepost/ruler", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776", - "https://github.com/sensepost/ruler/issues/47", - "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624", + "https://github.com/sensepost/ruler/issues/47", + "https://github.com/sensepost/ruler", + "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], "tags": [ 
@@ -62357,8 +62528,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
 ],
 "tags": [
@@ -62392,8 +62563,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732",
 "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml"
 ],
 "tags": [
@@ -62503,8 +62674,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
 "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
+ "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml"
 ],
 "tags": [
@@ -62625,41 +62796,6 @@
 "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f",
 "value": "RottenPotato Like Attack Pattern"
 },
- {
- "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network",
- "meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "creation_date": "2020-09-02",
- "falsepositive": [
- "SCCM"
- ],
- "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml"
- ],
- "tags": [
- "attack.lateral-movement",
- "attack.privilege-escalation",
- "attack.persistence",
- "attack.t1546.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648",
- "value": "Remote WMI ActiveScriptEventConsumers"
- },
 {
 "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.",
 "meta": {
@@ -62673,8 +62809,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml"
 ],
 "tags": [
@@ -62808,7 +62944,7 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
 "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml"
 ],
@@ -63022,11 +63158,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
 ],
 "tags": [
@@ -63059,8 +63195,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml"
 ],
 "tags": [
@@ -63110,8 +63246,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
 "https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38",
+ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml"
 ],
 "tags": [
@@ -63179,11 +63315,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -63216,11 +63352,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -63253,9 +63389,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/netero1010/EDRSilencer",
- "https://github.com/amjcyber/EDRNoiseMaker",
 "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
+ "https://github.com/amjcyber/EDRNoiseMaker",
+ "https://github.com/netero1010/EDRSilencer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml"
 ],
 "tags": [
@@ -63288,9 +63424,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml"
 ],
 "tags": [
@@ -63313,9 +63449,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml"
 ],
 "tags": [
@@ -63338,9 +63474,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml"
 ],
 "tags": [
@@ -63363,9 +63499,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml"
 ],
 "tags": [
@@ -63388,9 +63524,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml"
 ],
 "tags": [
@@ -63413,9 +63549,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml"
 ],
 "tags": [
@@ -63438,9 +63574,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml"
 ],
 "tags": [
@@ -63473,9 +63609,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml"
 ],
 "tags": [
@@ -63498,10 +63634,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://twitter.com/SBousseaden/status/1483810148602814466",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
 ],
 "tags": [
@@ -63524,9 +63660,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
- "https://twitter.com/wdormann/status/1590434950335320065",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://twitter.com/wdormann/status/1590434950335320065",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml"
 ],
 "tags": [
@@ -64122,9 +64258,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/afwu/PrintNightmare",
+ "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
 "https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml"
 ],
 "tags": [
@@ -64190,8 +64326,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
 ],
 "tags": [
@@ -64371,8 +64507,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012",
 "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml"
 ],
 "tags": [
@@ -64462,9 +64598,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010",
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml"
 ],
 "tags": [
@@ -64564,8 +64700,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
 "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml"
 ],
 "tags": [
@@ -64598,8 +64734,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
 "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
 "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
 ],
@@ -64735,10 +64871,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
- "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
 "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
+ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
 "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml"
 ],
 "tags": [
@@ -64813,9 +64949,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml"
 ],
 "tags": [
@@ -64948,10 +65084,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=ebmW42YYveI",
- "https://nullsec.us/windows-event-log-audit-cve/",
 "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://www.youtube.com/watch?v=ebmW42YYveI",
 "https://twitter.com/VM_vivisector/status/1217190929330655232",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
 ],
@@ -65031,8 +65167,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml"
 ],
 "tags": [
@@ -65055,8 +65191,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml"
 ],
 "tags": [
@@ -65102,9 +65238,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
- "https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
 "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
+ "https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -65127,8 +65263,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml"
 ],
 "tags": [
@@ -65292,8 +65428,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/msi/event-logging",
 "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml",
+ "https://learn.microsoft.com/en-us/windows/win32/msi/event-logging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml"
 ],
 "tags": [
@@ -65349,8 +65485,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
 "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml"
 ],
 "tags": [
@@ -65449,12 +65585,12 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
- "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
 "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
 "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
 "https://ipurple.team/2024/07/15/sharphound-detection/",
+ "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -65570,8 +65706,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)",
 "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml"
 ],
 "tags": [
@@ -65726,8 +65862,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
 "https://www.secura.com/blog/zero-logon",
+ "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
 ],
 "tags": [
@@ -65969,8 +66105,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296",
 "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/",
+ "https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296",
 "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml"
 ],
@@ -66300,8 +66436,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml"
 ],
 "tags": [
@@ -66475,8 +66611,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.sans.org/webcasts/119395",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -67055,8 +67191,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
 ],
 "tags": [
@@ -67346,8 +67482,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml"
 ],
 "tags": [
@@ -67423,8 +67559,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
 "https://twitter.com/jonasLyk/status/1347900440000811010",
+ "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
 "https://twitter.com/wdormann/status/1347958161609809921",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml"
 ],
@@ -67491,7 +67627,7 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
 "https://github.com/Ekultek/BlueKeep",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml"
 ],
@@ -67526,8 +67662,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml"
 ],
@@ -67561,8 +67697,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml"
 ],
@@ -67744,8 +67880,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml"
 ],
 "tags": [
@@ -67780,8 +67916,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml"
 ],
 "tags": [
@@ -67815,9 +67951,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
 "https://twitter.com/gentilkiwi/status/861641945944391680",
 "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
- "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -67933,10 +68069,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
- "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://winaero.com/enable-openssh-server-windows-10/",
 "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
+ "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
 ],
 "tags": [
@@ -68265,8 +68401,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
 ],
 "tags": [
@@ -68313,10 +68449,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
 ],
 "tags": [
@@ -68339,10 +68475,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
 ],
 "tags": [
@@ -68365,10 +68501,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
 ],
 "tags": [
@@ -68391,10 +68527,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
 ],
 "tags": [
@@ -68644,8 +68780,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
 "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
+ "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml"
 ],
 "tags": [
@@ -68688,10 +68824,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
+ "https://hijacklibs.net/",
 "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/",
 "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
- "https://hijacklibs.net/",
+ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
 "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
 ],
@@ -68944,9 +69080,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://twitter.com/mattifestation/status/1196390321783025666",
 "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
- "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml"
 ],
 "tags": [
@@ -69077,8 +69213,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/dez_/status/986614411711442944",
- "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+ "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
 "tags": [
@@ -69187,11 +69323,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://github.com/Wh04m1001/SysmonEoP",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
 ],
 "tags": [
@@ -69235,10 +69371,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
- "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
- "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml"
 ],
 "tags": [
@@ -69346,9 +69482,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/tyranid/DotNetToJScript",
 "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
 "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://github.com/tyranid/DotNetToJScript",
 "https://thewover.github.io/Introducing-Donut/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
 ],
@@ -69383,8 +69519,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.qurium.org/alerts/targeted-malware-against-crph/",
 "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/",
+ "https://www.qurium.org/alerts/targeted-malware-against-crph/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml"
 ],
 "tags": [
@@ -69492,8 +69628,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/",
 "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
+ "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml"
 ],
 "tags": [
@@ -69689,11 +69825,11 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/",
- "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/",
 "https://twitter.com/DTCERT/status/1712785426895839339",
 "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html",
 "https://twitter.com/Max_Mal_/status/1775222576639291859",
+ "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/",
+ "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml"
 ],
 "tags": [
@@ -69736,9 +69872,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
- "https://github.com/bohops/WSMan-WinRM",
 "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/bohops/WSMan-WinRM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
 ],
 "tags": [
@@ -70438,7 +70574,7 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
+ "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
 "https://github.com/ly4k/SpoolFool",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
 ],
@@ -70520,8 +70656,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true",
- "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql",
 "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
+ "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml"
 ],
 "tags": [
@@ -70648,9 +70784,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/t3ft3lb/status/1656194831830401024",
 "https://www.roboform.com/",
 "https://twitter.com/StopMalvertisin/status/1648604148848549888",
+ "https://twitter.com/t3ft3lb/status/1656194831830401024",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml"
 ],
 "tags": [
@@ -70734,10 +70870,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
 "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
 "https://github.com/S12cybersecurity/RDPCredentialStealer",
+ "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml"
 ],
 "tags": [
@@ -70981,8 +71117,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html",
 "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html",
+ "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml"
 ],
 "tags": [
@@ -71142,8 +71278,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/",
 "Internal Research",
+ "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml"
 ],
 "tags": [
@@ -71166,8 +71302,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
+ "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
 ],
 "tags": [
@@ -71245,10 +71381,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
- "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
- "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml"
 ],
 "tags": [
@@ -71376,8 +71512,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/",
+ "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml"
 ],
 "tags": [
@@ -71731,8 +71867,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
 "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
+ "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
 ],
 "tags": [
@@ -72027,8 +72163,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://github.com/besimorhino/powercat",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://nmap.org/ncat/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
 ],
@@ -72162,9 +72298,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/bohops/WSMan-WinRM",
 "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/bohops/WSMan-WinRM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
 ],
 "tags": [
@@ -72381,8 +72517,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml"
 ],
 "tags": [
@@ -72415,8 +72551,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
 ],
 "tags": [
@@ -72482,8 +72618,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml"
 ],
 "tags": [
@@ -72615,8 +72751,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
 "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
+ "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
 ],
 "tags": [
@@ -72684,8 +72820,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
 ],
 "tags": [
@@ -72784,9 +72920,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
 "https://adsecurity.org/?p=2604",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
 ],
 "tags": [
@@ -72819,11 +72955,11 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "http://woshub.com/manage-windows-firewall-powershell/",
- "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps",
 "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
- "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
+ "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps",
 "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+ "http://woshub.com/manage-windows-firewall-powershell/",
+ "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
 ],
 "tags": [
@@ -72890,8 +73026,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
 "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml"
 ],
 "tags": [
@@ -72957,8 +73093,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
 "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
 ],
 "tags": [
@@ -72991,9 +73127,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
 "https://github.com/samratashok/ADModule",
 "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml"
 ],
 "tags": [
@@ -73094,8 +73230,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml"
 ],
 "tags": [
@@ -73194,9 +73330,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
- "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
+ "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps",
+ "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml"
 ],
 "tags": [
@@ -73319,8 +73455,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0",
 "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml"
 ],
 "tags": [
@@ -73451,24 +73587,24 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/nishang", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/adrecon/ADRecon", - "https://adsecurity.org/?p=2921", "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/besimorhino/powercat", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/adrecon/AzureADRecon", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/samratashok/nishang", + 
"https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/Kevin-Robertson/Powermad", + "https://adsecurity.org/?p=2921", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -73700,8 +73836,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" ], "tags": [ @@ -73767,8 +73903,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ 
@@ -73802,8 +73938,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", + "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": [ @@ -74125,8 +74261,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/Rubeus", "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://github.com/GhostPack/Rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" ], @@ -74276,8 +74412,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.powershellgallery.com/packages/DSInternals", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", + "https://www.powershellgallery.com/packages/DSInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ 
@@ -74455,8 +74591,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -74647,8 +74783,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -74714,8 +74850,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/850381440629981184", "https://t.co/ezOTGy1a1G", + "https://twitter.com/JohnLaTwC/status/850381440629981184", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" ], "tags": [ 
@@ -74939,8 +75075,8 @@ "refs": [ "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://youtu.be/5mqid-7zp8k?t=2481", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -75189,8 +75325,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md", - "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", "https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing", + "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml" ], "tags": [ @@ -75224,8 +75360,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.fortypoundhead.com/showcontent.asp?artid=24022", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://www.fortypoundhead.com/showcontent.asp?artid=24022", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml" ], "tags": [ 
@@ -75258,9 +75394,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ @@ -75293,8 +75429,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", "https://github.com/harleyQu1nn/AggressorScripts", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" ], "tags": [ @@ -75416,8 +75552,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml" ], "tags": [ 
@@ -75484,9 +75620,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", - "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", - "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -75707,8 +75843,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" ], "tags": [ 
@@ -75737,6 +75873,41 @@
 "uuid": "8c521530-5169-495d-a199-0a3a881ad24e",
 "value": "NTFS Alternate Data Stream"
 },
+ {
+ "description": "Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse",
+ "meta": {
+ "author": "Michael Haag",
+ "creation_date": "2024-09-03",
+ "falsepositive": [
+ "Legitimate PowerShell Web Access installations by administrators"
+ ],
+ "filename": "posh_ps_powershell_web_access_installation.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
+ "https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f",
+ "value": "PowerShell Web Access Installation - PsScript"
+ },
 {
 "description": "Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.",
 "meta": {
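Review bot: The `refs` arrays in every other hunk of this region (`@@ -72957` through `@@ -79256`) are reordered without any content change, which suggests the generator producing this cluster writes references in set or hash iteration order rather than a stable one; this hunk is the only one that adds a detection. Sorting `refs` (or preserving the upstream rule's order) before serialising would make a regeneration diff only on real rule changes and let a reviewer verify additions like this entry without wading through reorder noise. In the entry itself, the `related` entry's `dest-uuid` `970a3432-3237-47ad-bcca-7d8cbb217736` appears to be the ATT&CK PowerShell technique matching the `attack.t1059.001` tag, so the cross-reference is consistent with the tags. The `docs.microsoft.com` reference is the only Microsoft URL in this chunk not on `learn.microsoft.com`; since `refs` are copied from the upstream Sigma rule named in `filename`, that normalisation belongs in the Sigma source rather than in this generated file.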
@@ -75750,10 +75921,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2277", + "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://thedfirreport.com/2020/10/08/ryuks-return", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", - "https://powersploit.readthedocs.io/en/stable/Recon/README", + "https://adsecurity.org/?p=2277", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -75819,9 +75990,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": [ @@ -75887,8 +76058,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" ], "tags": [ 
@@ -75954,9 +76125,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], "tags": [ @@ -76031,8 +76202,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/datasources/DS0005/", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ @@ -76098,11 +76269,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", - "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" ], "tags": [ 
@@ -76195,8 +76366,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", + "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml" ], "tags": [ @@ -76219,9 +76390,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", - "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ 
@@ -76296,9 +76467,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -76599,8 +76770,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", + "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml" ], "tags": [ @@ -76624,8 +76795,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", "https://twitter.com/nas_bench/status/1537919885031772161", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" ], "tags": [ 
@@ -76801,8 +76972,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -76835,9 +77006,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://twitter.com/oroneequalsone/status/1568432028361830402", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://twitter.com/oroneequalsone/status/1568432028361830402", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ 
@@ -76904,9 +77075,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml" ], "tags": [ @@ -76940,8 +77111,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], "tags": [ @@ -77031,8 +77202,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" ], "tags": [ 
@@ -77131,8 +77302,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", + "https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" ], "tags": [ @@ -77165,8 +77336,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -77275,8 +77446,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://o365blog.com/aadinternals/", "https://github.com/Gerenios/AADInternals", + "https://o365blog.com/aadinternals/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ 
@@ -77336,8 +77507,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" ], "tags": [ @@ -77536,8 +77707,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", - "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", + "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ 
@@ -77745,9 +77916,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ @@ -77813,9 +77984,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", - "https://twitter.com/ScumBots/status/1610626724257046529", "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", + "https://twitter.com/ScumBots/status/1610626724257046529", + "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], 
@@ -78352,9 +78523,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ @@ -78496,8 +78667,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" ], "tags": [ @@ -78530,8 +78701,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code", "https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb", + "https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml" ], "tags": [ 
@@ -78629,8 +78800,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/8", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ 
@@ -78696,23 +78867,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/besimorhino/powercat", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/samratashok/nishang", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + 
"https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/HarmJ0y/DAMP", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -78821,8 +78992,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml" ], "tags": [ 
@@ -78855,24 +79026,24 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/nishang",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/adrecon/ADRecon",
- "https://adsecurity.org/?p=2921",
 "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
 "https://github.com/besimorhino/powercat",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
 "https://github.com/adrecon/AzureADRecon",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://adsecurity.org/?p=2921",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
 ],
 "tags": [
@@ -78962,8 +79133,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0",
 "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml"
 ],
 "tags": [
@@ -79256,8 +79427,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml"
 ],
 "tags": [
@@ -79449,8 +79620,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml"
 ],
 "tags": [
@@ -79508,8 +79679,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml"
 ],
 "tags": [
@@ -79543,17 +79714,17 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://www.tarasco.org/security/pwdump_7/",
- "https://github.com/codewhitesec/HandleKatz",
- "https://github.com/antonioCoco/RoguePotato",
+ "https://github.com/ohpe/juicy-potato",
 "https://github.com/outflanknl/Dumpert",
 "https://github.com/gentilkiwi/mimikatz",
- "https://github.com/ohpe/juicy-potato",
+ "https://github.com/antonioCoco/RoguePotato",
 "https://github.com/fortra/nanodump",
 "https://github.com/wavestone-cdt/EDRSandblast",
+ "https://github.com/codewhitesec/HandleKatz",
+ "https://github.com/xuanxuan0/DripLoader",
+ "https://www.tarasco.org/security/pwdump_7/",
 "https://github.com/hfiref0x/UACME",
 "https://github.com/topotam/PetitPotam",
- "https://github.com/xuanxuan0/DripLoader",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml"
 ],
 "tags": [
@@ -79669,8 +79840,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
 ],
 "tags": [
@@ -79703,10 +79874,10 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml"
 ],
 "tags": [
@@ -79774,8 +79945,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
 "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
+ "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
 "https://github.com/codewhitesec/SysmonEnte/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml"
 ],
@@ -79889,10 +80060,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
- "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
+ "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
+ "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
 ],
 "tags": [
@@ -79959,8 +80130,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/",
 "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611",
+ "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml"
 ],
 "tags": [
@@ -80063,8 +80234,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158",
 "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
+ "https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml"
 ],
 "tags": [
@@ -80098,9 +80269,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
- "https://twitter.com/SBousseaden/status/1541920424635912196",
 "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
+ "https://twitter.com/SBousseaden/status/1541920424635912196",
+ "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml"
 ],
 "tags": [
@@ -80210,8 +80381,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hlldz/Invoke-Phant0m",
 "https://twitter.com/timbmsft/status/900724491076214784",
+ "https://github.com/hlldz/Invoke-Phant0m",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml"
 ],
 "tags": [
@@ -80437,8 +80608,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1460597833917251595",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+ "https://twitter.com/mrd0x/status/1460597833917251595",
 "https://twitter.com/_xpn_/status/1491557187168178176",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml"
 ],
@@ -80473,9 +80644,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml"
@@ -80511,8 +80682,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/boku7/injectAmsiBypass",
 "https://github.com/boku7/spawn",
+ "https://github.com/boku7/injectAmsiBypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml"
 ],
 "tags": [
@@ -80869,9 +81040,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
+ "https://github.com/nknorg/nkn-sdk-go",
 "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
 "https://github.com/Maka8ka/NGLite",
- "https://github.com/nknorg/nkn-sdk-go",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
 ],
 "tags": [
@@ -81116,12 +81287,12 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
 "https://github.com/corelight/CVE-2021-1675",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
 "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
+ "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
 ],
 "tags": [
@@ -81148,9 +81319,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://tools.ietf.org/html/rfc2929#section-2.1",
- "https://twitter.com/neu5ron/status/1346245602502443009",
 "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
+ "https://twitter.com/neu5ron/status/1346245602502443009",
+ "https://tools.ietf.org/html/rfc2929#section-2.1",
 "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
 ],
@@ -81308,9 +81479,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
 "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
- "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -81438,8 +81609,8 @@
 "logsource.product": "cisco",
 "refs": [
 "https://blog.router-switch.com/2013/11/show-running-config/",
- "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html",
 "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"
 ],
 "tags": [
@@ -82258,10 +82429,10 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://core.telegram.org/bots/faq",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
+ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
 ],
 "tags": [
@@ -82483,11 +82654,11 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
 "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
 "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/",
 "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml"
 ],
 "tags": [
@@ -82521,10 +82692,10 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
 "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4",
- "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
 "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
+ "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml"
 ],
 "tags": [
@@ -82763,14 +82934,14 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
- "https://twitter.com/crep1x/status/1635034100213112833",
- "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
- "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
- "https://perishablepress.com/blacklist/ua-2013.txt",
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
 "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
+ "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+ "https://twitter.com/crep1x/status/1635034100213112833",
+ "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
+ "https://perishablepress.com/blacklist/ua-2013.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
 ],
 "tags": [
@@ -82803,8 +82974,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65",
 "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
+ "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml"
 ],
 "tags": [
@@ -82837,8 +83008,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop",
 "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
+ "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml"
 ],
 "tags": [
@@ -82906,8 +83077,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://rclone.org/",
 "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
+ "https://rclone.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml"
 ],
 "tags": [
@@ -82941,8 +83112,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://blog.talosintelligence.com/ipfs-abuse/",
- "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
 "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
+ "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
 ],
 "tags": [
@@ -83026,8 +83197,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
- "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
+ "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml"
 ],
 "tags": [
@@ -83102,8 +83273,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.advanced-ip-scanner.com/",
 "https://www.advanced-port-scanner.com/",
+ "https://www.advanced-ip-scanner.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml"
 ],
 "tags": [
@@ -83297,8 +83468,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml"
 ],
 "tags": [
@@ -83473,8 +83644,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
 ],
@@ -83517,8 +83688,8 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
 "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
+ "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml"
 ],
 "tags": [
@@ -83660,10 +83831,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
 "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
 "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
 "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
 ],
@@ -83699,8 +83870,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/sensepost/reGeorg",
 "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
+ "https://github.com/sensepost/reGeorg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml"
 ],
 "tags": [
@@ -83803,9 +83974,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
 "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
 "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
- "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
 ],
 "tags": [
@@ -83839,8 +84010,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
 "https://github.com/payloadbox/ssti-payloads",
+ "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml"
 ],
 "tags": [
@@ -83874,8 +84045,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
- "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
+ "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml"
 ],
 "tags": [
@@ -83909,8 +84080,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://bad-jubies.github.io/RCE-NOW-WHAT/",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://bad-jubies.github.io/RCE-NOW-WHAT/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml"
 ],
 "tags": [
@@ -83945,10 +84116,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
- "https://brightsec.com/blog/sql-injection-payloads/",
- "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
 "https://github.com/payloadbox/sql-injection-payload-list",
+ "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
+ "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
 "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml"
 ],
@@ -84051,9 +84222,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/lijiejie/IIS_shortname_Scanner",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
 "https://www.exploit-db.com/exploits/19525",
+ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://github.com/lijiejie/IIS_shortname_Scanner",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
 ],
 "tags": [
@@ -84187,8 +84358,8 @@
 "logsource.product": "jvm",
 "refs": [
 "https://rules.sonarsource.com/java/RSPEC-2755",
- "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
 ],
 "tags": [
@@ -84356,10 +84527,10 @@
 "logsource.category": "application",
 "logsource.product": "ruby_on_rails",
 "refs": [
+ "http://guides.rubyonrails.org/action_controller_overview.html",
 "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
 "http://edgeguides.rubyonrails.org/security.html",
 "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
- "http://guides.rubyonrails.org/action_controller_overview.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
 ],
 "tags": [
@@ -84460,8 +84631,8 @@
 "logsource.category": "application",
 "logsource.product": "django",
 "refs": [
- "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
 "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
+ "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml"
 ],
 "tags": [
@@ -84527,8 +84698,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_smb_file_open.yml"
 ],
 "tags": [
@@ -84570,8 +84741,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_vnc_connection_attempt.yml"
 ],
 "tags": [
@@ -84604,8 +84775,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
+ "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_new_connection.yml"
 ],
 "tags": [
@@ -84656,8 +84827,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_tftp_request.yml" ], "tags": [ @@ -84690,8 +84861,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ftp_login_attempt.yml" ], "tags": [ @@ -84733,8 +84904,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml" ], "tags": [ 
@@ -84768,8 +84939,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_post_login_attempt.yml" ], "tags": [ @@ -84802,8 +84973,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_git_clone_request.yml" ], "tags": [ @@ -84836,8 +85007,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_snmp_cmd.yml" ], "tags": [ 
@@ -84879,8 +85050,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_sip_request.yml" ], "tags": [ @@ -84913,8 +85084,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_login_attempt.yml" ], "tags": [ @@ -84965,8 +85136,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mysql_login_attempt.yml" ], "tags": [ 
@@ -85008,8 +85179,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_redis_command.yml" ], "tags": [ @@ -85051,8 +85222,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml" ], "tags": [ @@ -85094,8 +85265,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_telnet_login_attempt.yml" ], "tags": [ 
@@ -85137,8 +85308,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_winauth.yml" ], "tags": [ @@ -85180,8 +85351,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_get.yml" ], "tags": [ @@ -85214,8 +85385,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", + "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ntp_monlist.yml" ], "tags": [ 
@@ -85338,8 +85509,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab", + "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml" ], "tags": [ @@ -85634,10 +85805,10 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ + "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", + "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html", "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer", - "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html", - "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml" ], "tags": [ 
@@ -85758,10 +85929,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ @@ -85784,10 +85955,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -85810,8 +85981,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], 
@@ -85853,10 +86024,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -85897,10 +86068,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ 
@@ -85941,10 +86112,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ @@ -85979,10 +86150,10 @@ "refs": [ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ 
@@ -86005,10 +86176,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ @@ -86049,10 +86220,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ 
@@ -86086,9 +86257,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ @@ -86121,10 +86292,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ 
@@ -86147,10 +86318,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ @@ -86183,10 +86354,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ 
@@ -86209,10 +86380,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ @@ -86235,9 +86406,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], 
@@ -86261,9 +86432,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], @@ -86296,8 +86467,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -86400,9 +86571,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://ss64.com/osx/csrutil.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", - "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://objective-see.org/blog/blog_0x6D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml" ], 
@@ -86577,10 +86748,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", - "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior", + "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", + "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml" ], "tags": [ @@ -86614,8 +86785,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], "tags": [ @@ -86672,8 +86843,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.loobins.io/binaries/tmutil/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", + "https://www.loobins.io/binaries/tmutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml" ], "tags": [ 
@@ -86706,9 +86877,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", + "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ @@ -86766,11 +86937,11 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md", "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", - "https://www.loobins.io/binaries/launchctl/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md", "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", + "https://www.loobins.io/binaries/launchctl/", + "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml" ], "tags": [ 
@@ -86820,9 +86991,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.loobins.io/binaries/hdiutil/", "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://ss64.com/mac/hdiutil.html", - "https://www.loobins.io/binaries/hdiutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml" ], "tags": [ @@ -86880,8 +87051,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" ], "tags": [ @@ -86914,8 +87085,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://ss64.com/osx/sw_vers.html", + "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml" ], 
@@ -86949,9 +87120,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", + "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ @@ -87009,9 +87180,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://ss64.com/osx/dsenableroot.html", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ @@ -87127,9 +87298,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", - "https://www.manpagez.com/man/8/firmwarepasswd/", "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", + "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], "tags": [ 
@@ -87152,9 +87323,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.loobins.io/binaries/hdiutil/", "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", "https://ss64.com/mac/hdiutil.html", - "https://www.loobins.io/binaries/hdiutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml" ], "tags": [ @@ -87228,8 +87399,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ 
@@ -87328,13 +87499,13 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://objective-see.org/blog/blog_0x1E.html", - "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", - "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", - "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", - "https://www.loobins.io/binaries/sysctl/#", "https://evasions.checkpoint.com/techniques/macos.html", + "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", + "https://www.loobins.io/binaries/sysctl/#", + "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", + "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", + "https://objective-see.org/blog/blog_0x1E.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml" ], "tags": [ @@ -87409,9 +87580,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://linux.die.net/man/1/dd", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", "https://linux.die.net/man/1/truncate", - "https://linux.die.net/man/1/dd", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], "tags": [ 
@@ -87637,8 +87808,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://redcanary.com/blog/applescript/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md",
+ "https://redcanary.com/blog/applescript/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"
 ],
 "tags": [
@@ -87704,9 +87875,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
 "https://ss64.com/osx/csrutil.html",
 "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
- "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
 "https://objective-see.org/blog/blog_0x6D.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml"
 ],
@@ -87910,8 +88081,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
 "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml",
+ "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml"
 ],
 "tags": [
@@ -87969,8 +88140,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior",
 "https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior",
+ "https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml"
 ],
 "tags": [
@@ -88102,8 +88273,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang",
 "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml",
+ "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml"
 ],
 "tags": [
@@ -88153,9 +88324,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd",
- "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl",
 "https://www.loobins.io/binaries/nscurl/",
+ "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl",
+ "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml"
 ],
 "tags": [
@@ -88222,8 +88393,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
 "https://ss64.com/osx/sysadminctl.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml"
 ],
 "tags": [
@@ -88323,11 +88494,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
- "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
 "https://ss64.com/mac/system_profiler.html",
- "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af",
 "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
+ "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
+ "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af",
+ "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
 "https://objective-see.org/blog/blog_0x62.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml"
 ],
@@ -88403,10 +88574,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://ss64.com/mac/chflags.html",
 "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
- "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
 "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf",
+ "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
+ "https://ss64.com/mac/chflags.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml"
 ],
 "tags": [
@@ -88496,8 +88667,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.loobins.io/binaries/tmutil/",
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
+ "https://www.loobins.io/binaries/tmutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml"
 ],
 "tags": [
@@ -88705,8 +88876,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.loobins.io/binaries/tmutil/",
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
+ "https://www.loobins.io/binaries/tmutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml"
 ],
 "tags": [
@@ -88739,8 +88910,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
 "https://www.manpagez.com/man/8/PlistBuddy/",
+ "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml"
 ],
 "tags": [
@@ -88969,10 +89140,10 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise",
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
- "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
 "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
+ "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
+ "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml"
 ],
 "tags": [
@@ -89040,10 +89211,10 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership",
- "https://docs.github.com/en/migrations",
- "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository",
 "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration",
+ "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository",
+ "https://docs.github.com/en/migrations",
+ "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_repo_or_org_transferred.yml"
 ],
 "tags": [
@@ -89333,8 +89504,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
 ],
 "tags": [
@@ -89357,8 +89528,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml"
 ],
 "tags": [
@@ -89391,8 +89562,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
 ],
 "tags": [
@@ -89425,9 +89596,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/",
 "https://dataconomy.com/2023/10/23/okta-data-breach/",
 "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach",
+ "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml"
 ],
 "tags": [
@@ -89473,9 +89644,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
 "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
 ],
 "tags": [
@@ -89508,8 +89679,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
 ],
 "tags": [
@@ -89532,8 +89703,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
 ],
 "tags": [
@@ -89556,8 +89727,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml"
 ],
 "tags": [
@@ -89590,9 +89761,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
 ],
 "tags": [
@@ -89615,8 +89786,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -89639,8 +89810,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
 ],
 "tags": [
@@ -89663,8 +89834,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
 ],
 "tags": [
@@ -89697,8 +89868,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
 ],
 "tags": [
@@ -89721,8 +89892,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml"
 ],
 "tags": [
@@ -89755,9 +89926,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://sec.okta.com/fastpassphishingdetection",
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://sec.okta.com/fastpassphishingdetection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml"
 ],
 "tags": [
@@ -89790,8 +89961,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml"
 ],
 "tags": [
@@ -89814,8 +89985,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
 ],
 "tags": [
@@ -89840,8 +90011,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -89864,8 +90035,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
 ],
 "tags": [
@@ -89900,8 +90071,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml"
 ],
 "tags": [
@@ -90092,8 +90263,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
 "https://github.com/elastic/detection-rules/pull/1213",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml"
 ],
 "tags": [
@@ -90340,8 +90511,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
 "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml"
 ],
 "tags": [
@@ -90400,9 +90571,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
+ "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
 "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
 "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
- "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml"
 ],
 "tags": [
@@ -90730,9 +90901,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html",
 "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html",
 "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html",
+ "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml"
 ],
 "tags": [
@@ -90940,9 +91111,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/",
 "https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things",
 "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html",
+ "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml"
 ],
 "tags": [
@@ -91026,9 +91197,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
- "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
 "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
+ "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
+ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml"
 ],
 "tags": [
@@ -91217,13 +91388,13 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/pull/1145/files",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://github.com/elastic/detection-rules/pull/1145/files",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml"
 ],
 "tags": [
@@ -91422,8 +91593,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/",
 "https://github.com/NetSPI/aws_consoler",
+ "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml"
 ],
 "tags": [
@@ -91637,9 +91808,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/access-context-manager/docs/audit-logging",
- "https://cloud.google.com/logging/docs/audit/understanding-audit-logs",
 "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog",
+ "https://cloud.google.com/logging/docs/audit/understanding-audit-logs",
+ "https://cloud.google.com/access-context-manager/docs/audit-logging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml"
 ],
 "tags": [
@@ -91699,8 +91870,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml"
 ],
 "tags": [
@@ -91866,11 +92037,11 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
- "https://github.com/elastic/detection-rules/pull/1267",
 "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
- "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
+ "https://github.com/elastic/detection-rules/pull/1267",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml"
 ],
 "tags": [
@@ -91894,9 +92065,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
- "https://cloud.google.com/kubernetes-engine/docs",
 "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://cloud.google.com/kubernetes-engine/docs",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml"
 ],
 "tags": [
@@ -91988,9 +92159,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml"
 ],
 "tags": [
@@ -92013,8 +92184,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml"
 ],
 "tags": [
@@ -92037,9 +92208,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml"
 ],
 "tags": [
@@ -92062,8 +92233,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings",
 "https://support.google.com/a/answer/9261439",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml"
 ],
 "tags": [
@@ -92097,8 +92268,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml"
 ],
 "tags": [
@@ -92165,8 +92336,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml"
 ],
 "tags": [
@@ -92265,8 +92436,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html",
 "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml"
 ],
 "tags": [
@@ -92343,8 +92514,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts",
 "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml"
 ],
 "tags": [
@@ -92495,8 +92666,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html",
 "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml"
 ],
 "tags": [
@@ -92731,11 +92902,11 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
 "https://o365blog.com/post/aadbackdoor/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
 "https://www.sygnia.co/golden-saml-advisory",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml"
 ],
 "tags": [
@@ -92835,8 +93006,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
 "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml"
 ],
 "tags": [
@@ -92869,8 +93040,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
 "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml"
 ],
 "tags": [
@@ -92903,8 +93074,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml" ], "tags": [ @@ -92937,8 +93108,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml" ], "tags": [ @@ -92971,8 +93142,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml" ], "tags": [ 
@@ -93005,8 +93176,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml" ], "tags": [ @@ -93062,8 +93233,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml" ], "tags": [ @@ -93096,8 +93267,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml" ], "tags": [ 
@@ -93130,8 +93301,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml" ], "tags": [ @@ -93154,8 +93325,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml" ], "tags": [ @@ -93188,8 +93359,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml" ], "tags": [ 
@@ -93255,8 +93426,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", + "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml" ], "tags": [ @@ -93972,8 +94143,8 @@ "logsource.product": "azure", "refs": [ "https://twitter.com/NathanMcNulty/status/1785051227568632263", - "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487", + "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml" ], "tags": [ @@ -95590,8 +95761,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" ], "tags": [ 
@@ -95627,8 +95798,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml" ], "tags": [ @@ -95661,8 +95832,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml" ], "tags": [ @@ -95695,8 +95866,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml" ], "tags": [ 
@@ -95766,8 +95937,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml" ], "tags": [ @@ -95871,8 +96042,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml" ], "tags": [ @@ -95980,8 +96151,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml" ], "tags": [ 
@@ -96014,8 +96185,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml" ], "tags": [ @@ -96048,8 +96219,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml" ], "tags": [ @@ -96082,8 +96253,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml" ], "tags": [ 
@@ -96116,8 +96287,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address", "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml" ], "tags": [ @@ -96150,8 +96321,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel", + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml" ], "tags": [ 
@@ -96214,10 +96385,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -96267,10 +96438,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ 
@@ -96294,10 +96465,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -96883,10 +97054,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ 
@@ -96995,10 +97166,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -97147,10 +97318,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ 
@@ -97185,10 +97356,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://attack.mitre.org/matrices/enterprise/cloud/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -97468,10 +97639,10 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" ], "tags": [ 
@@ -97506,8 +97677,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml" ], "tags": [ @@ -97809,8 +97980,8 @@ "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], "tags": [ 
@@ -97996,10 +98167,10 @@ "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", - "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", - "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", + "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", + "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], 
@@ -98066,16 +98237,16 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", "https://github.com/tennc/webshell", "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ 
@@ -98108,10 +98279,10 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", - "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", + "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], "tags": [ @@ -98244,10 +98415,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], "tags": [ 
@@ -98304,10 +98475,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], "tags": [ @@ -98430,8 +98601,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/Neo23x0/auditd/blob/master/audit.rules", "Self Experience", + "https://github.com/Neo23x0/auditd/blob/master/audit.rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" ], "tags": [ @@ -98506,9 +98677,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://linux.die.net/man/8/pam_tty_audit", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], 
@@ -98684,8 +98855,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://mn3m.info/posts/suid-vs-capabilities/", "https://man7.org/linux/man-pages/man8/getcap.8.html", + "https://mn3m.info/posts/suid-vs-capabilities/", "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" @@ -98895,8 +99066,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" ], "tags": [ 
@@ -98983,58 +99154,6 @@
 "uuid": "53059bc0-1472-438b-956a-7508a94a91f0",
 "value": "Disable System Firewall"
 }, 
- { 
- "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.\nMicrosoft Azure, and Microsoft Operations Management Suite.\n", 
- "meta": { 
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", 
- "creation_date": "2021-09-17", 
- "falsepositive": [ 
- "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
- ], 
- "filename": "lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml", 
- "level": "high", 
- "logsource.category": "No established category", 
- "logsource.product": "linux", 
- "refs": [ 
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", 
- "https://github.com/Azure/Azure-Sentinel/pull/3059", 
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" 
- ], 
- "tags": [ 
- "attack.privilege-escalation", 
- "attack.initial-access", 
- "attack.execution", 
- "attack.t1068", 
- "attack.t1190", 
- "attack.t1203" 
- ] 
- }, 
- "related": [ 
- { 
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", 
- "tags": [ 
- "estimative-language:likelihood-probability=\"almost-certain\"" 
- ], 
- "type": "related-to" 
- }, 
- { 
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", 
- "tags": [ 
- "estimative-language:likelihood-probability=\"almost-certain\"" 
- ], 
- "type": "related-to" 
- }, 
- { 
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", 
- "tags": [ 
- "estimative-language:likelihood-probability=\"almost-certain\"" 
- ], 
- "type": "related-to" 
- } 
- ], 
- "uuid": "045b5f9c-49f7-4419-a236-9854fb3c827a", 
- "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd" 
- },
 {
 "description": "Detects adversary creating 
screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations",
 "meta": {
@@ -99048,8 +99167,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [ 
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
 "https://linux.die.net/man/1/xwd", 
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml"
 ],
 "tags": [
@@ -99082,8 +99201,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [ 
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", 
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
 ],
 "tags": [
@@ -99124,8 +99243,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [ 
- "https://linux.die.net/man/1/xclip",
 "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", 
+ "https://linux.die.net/man/1/xclip",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
 ],
 "tags": [
@@ -99158,8 +99277,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [ 
- "https://linux.die.net/man/1/wget",
 "https://gtfobins.github.io/gtfobins/wget/", 
+ "https://linux.die.net/man/1/wget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml"
 ],
 "tags": [ 
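Review bot: The cluster value `045b5f9c-49f7-4419-a236-9854fb3c827a` ("OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd") is deleted outright in the hunk that starts at `@@ -98983,58 +99154,6 @@`, and galaxy UUIDs are meant to be stable identifiers: any MISP instance that has already tagged events or attributes with this value will be left with a dangling reference once it syncs the regenerated cluster. The hunk does not say why the entry disappears; if the upstream Sigma rule was moved to its deprecated tree rather than removed, the generator presumably stopped seeing it, and the three `related` links to the ATT&CK technique UUIDs went with it. The safer convention for a regenerated cluster is to keep the value and mark it as revoked (the cluster schema's `revoked` flag, if this project relies on it) or to have the generator walk the upstream deprecated rules as well, so that consumers keep resolving the UUID. A short line in the commit message naming the upstream reason for each dropped value would also make such deletions reviewable.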
@@ -99293,9 +99412,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://man7.org/linux/man-pages/man1/passwd.1.html",
- "https://linux.die.net/man/1/chage",
- "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
+ "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+ "https://linux.die.net/man/1/chage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
 ],
 "tags": [
@@ -99394,8 +99513,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
 "https://blog.aquasec.com/container-security-tnt-container-attack",
+ "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml"
 ],
 "tags": [
@@ -99428,9 +99547,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://linux.die.net/man/1/import",
 "https://imagemagick.org/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
- "https://linux.die.net/man/1/import",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
 ],
 "tags": [
@@ -99463,9 +99582,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
- "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
+ "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
 ],
 "tags": [
@@ -99532,9 +99651,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack",
 "https://objective-see.org/blog/blog_0x68.html",
 "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
+ "https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml"
 ],
 "tags": [
@@ -99962,8 +100081,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://man7.org/linux/man-pages/man8/kmod.8.html",
 "https://linux.die.net/man/8/insmod",
+ "https://man7.org/linux/man-pages/man8/kmod.8.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
 ],
@@ -100097,9 +100216,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence",
 "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content",
 "https://regex101.com/r/RugQYK/1",
- "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence",
 "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml"
 ],
@@ -100166,8 +100285,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
 "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
+ "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml"
 ],
 "tags": [
@@ -100178,38 +100297,40 @@
 "value": "Potentially Suspicious Named Pipe Created Via Mkfifo"
 },
 {
- "description": "Detects usage of \"apt\" and \"apt-get\" as a GTFOBin to execute and proxy command and binary execution",
+ "description": "Detects the execution of \"awk\" or it's sibling commands, to invoke a shell using the system() function.\nThis behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.\n",
 "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022-12-28",
+ "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
+ "creation_date": "2024-09-02",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_lnx_gtfobin_apt.yml",
- "level": "medium",
+ "filename": "proc_creation_lnx_awk_shell_spawn.yml",
+ "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/apt/",
- "https://gtfobins.github.io/gtfobins/apt-get/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml"
+ "https://gtfobins.github.io/gtfobins/awk/#shell",
+ "https://gtfobins.github.io/gtfobins/nawk/#shell",
+ "https://gtfobins.github.io/gtfobins/mawk/#shell",
+ "https://gtfobins.github.io/gtfobins/gawk/#shell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1083"
+ "attack.execution",
+ "attack.t1059"
 ]
 },
 "related": [
 {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "bb382fd5-b454-47ea-a264-1828e4c766d6",
- "value": "Apt GTFOBin Abuse - Linux"
+ "uuid": "8c1a5675-cb85-452f-a298-b01b22a51856",
+ "value": "Suspicious Invocation of Shell via AWK - Linux"
 },
 {
 "description": "Detects executing python with keywords related to network activity that could indicate a potential reverse shell",
@@ -100224,8 +100345,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml"
 ],
 "tags": [
@@ -100248,8 +100369,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
 "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
+ "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml"
 ],
 "tags": [
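Review bot: The entry with uuid bb382fd5-b454-47ea-a264-1828e4c766d6 ("Apt GTFOBin Abuse - Linux") disappears from the cluster in this hunk, replaced in place by the new awk entry; unless it is re-added elsewhere in the diff, any MISP event or correlation that references that galaxy UUID will no longer resolve, since cluster entries are addressed by uuid. The same applies to the OMIGOD auditd entry 045b5f9c-49f7-4419-a236-9854fb3c827a dropped in the first hunk of this chunk. If the generator is meant to mirror upstream rule removals, it would be worth considering keeping such entries with a deprecation marker rather than deleting them, or at least calling the removals out in the commit message. Separately, the new awk description reads `or it's sibling commands`; the upstream rule text should say `or its sibling commands`.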
@@ -100466,6 +100587,40 @@
 "uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776",
 "value": "Disabling Security Tools"
 },
+ {
+ "description": "Detects the use of the \"nice\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
+ "meta": {
+ "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
+ "creation_date": "2024-09-02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_nice_shell_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://gtfobins.github.io/gtfobins/nice/#shell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1083"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "093d68c7-762a-42f4-9f46-95e79142571a",
+ "value": "Shell Execution via Nice - Linux"
+ },
 {
 "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\n",
 "meta": {
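Review bot: The new nice entry is tagged `attack.discovery` / `attack.t1083` and related to dest-uuid 7bc57495-ea59-4380-be31-a64af124ef18, the same discovery pair the removed apt entry carried, while its description is about spawning a shell and privilege escalation; the sibling entries added in this commit for awk, git, python, ssh, rsync and capsh use `attack.execution` / `attack.t1059` with dest-uuid 7385dfaf-6886-4229-9ecd-6fd678040830. The find and flock entries added further down (hunks @@ -101826 and @@ -102012) carry the same discovery tag/related pair despite shell-execution descriptions. Since this JSON appears to be generated from the upstream Sigma rule tags, the mismatch is best corrected in the source rules and the cluster regenerated, but it is worth checking before merging so the related-to mapping does not point consumers at the wrong technique.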
@@ -100588,10 +100743,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml"
 ],
 "tags": [
@@ -100709,8 +100864,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Tib3rius/AutoRecon",
 "https://github.com/projectdiscovery/naabu",
+ "https://github.com/Tib3rius/AutoRecon",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml"
 ],
@@ -100765,6 +100920,39 @@
 "uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff",
 "value": "Linux Base64 Encoded Shebang In CLI"
 },
+ {
+ "description": "Detects the use of the \"git\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
+ "meta": {
+ "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
+ "creation_date": "2024-09-02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_git_shell_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://gtfobins.github.io/gtfobins/git/#shell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "47b3bbd4-1bf7-48cc-84ab-995362aaa75a",
+ "value": "Shell Execution via Git - Linux"
+ },
 {
 "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance",
 "meta": {
@@ -100845,9 +101033,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/1/bash",
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://linux.die.net/man/1/bash",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"
 ],
 "tags": [
@@ -100936,10 +101124,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml"
 ],
 "tags": [
@@ -100972,8 +101160,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
 "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
+ "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
 ],
 "tags": [
@@ -101031,8 +101219,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml"
 ],
 "tags": [
@@ -101100,8 +101288,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml"
 ],
 "tags": [
@@ -101187,6 +101375,39 @@
 "uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66",
 "value": "Atlassian Confluence CVE-2022-26134"
 },
+ {
+ "description": "Detects execution of inline Python code via the \"-c\" in order to call the \"system\" function from the \"os\" library, and spawn a shell.\n",
+ "meta": {
+ "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
+ "creation_date": "2024-09-02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_python_shell_os_system.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://gtfobins.github.io/gtfobins/python/#shell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "2d2f44ff-4611-4778-a8fc-323a0e9850cc",
+ "value": "Inline Python Execution - Spawn Shell Via OS System Library"
+ },
 {
 "description": "Detects execution of the \"esxcli\" command with the \"vm\" flag in order to retrieve information about the installed VMs.",
 "meta": {
@@ -101200,10 +101421,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
 "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
- "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
 "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml"
 ],
 "tags": [
@@ -101320,10 +101541,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml"
 ],
 "tags": [
@@ -101405,10 +101626,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml"
 ],
 "tags": [
@@ -101428,6 +101649,73 @@
 "uuid": "cf610c15-ed71-46e1-bdf8-2bd1a99de6c4",
 "value": "Download File To Potentially Suspicious Directory Via Wget"
 },
+ {
+ "description": "Detects the use of the \"ssh\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
+ "meta": {
+ "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
+ "creation_date": "2024-08-29",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_ssh_shell_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://gtfobins.github.io/gtfobins/ssh/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "8737b7f6-8df3-4bb7-b1da-06019b99b687",
+ "value": "Shell Invocation Via Ssh - Linux"
+ },
+ {
+ "description": "Detects the use of the \"gcc\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
+ "meta": {
+ "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
+ "creation_date": "2024-09-02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_rsync_shell_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://gtfobins.github.io/gtfobins/rsync/#shell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e2326866-609f-4015-aea9-7ec634e8aa04",
+ "value": "Shell Execution via Rsync - Linux"
+ },
 {
 "description": "Detects execution of the \"esxcli\" command with the \"vm\" and \"kill\" flag in order to kill/shutdown a specific VM.",
 "meta": {
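Review bot: The rsync entry's description names the wrong binary: it reads `Detects the use of the \"gcc\" utility to execute a shell.` while its filename, refs and value all refer to rsync, which looks like a copy-paste carry-over in the upstream rule that the generator has propagated. The line should read `"description": "Detects the use of the \"rsync\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",` and is best fixed at the source rule before regenerating. As a minor consistency point, the ssh entry in the same hunk references `https://gtfobins.github.io/gtfobins/ssh/` without the `#shell` fragment the other new entries use.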
@@ -101441,10 +101729,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
 "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
- "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
 "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml"
 ],
 "tags": [
@@ -101467,9 +101755,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
 "https://github.com/apache/spark/pull/36315/files",
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
 ],
 "tags": [
@@ -101504,8 +101792,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
 ],
 "tags": [
@@ -101534,6 +101822,40 @@
 "uuid": "f74107df-b6c6-4e80-bf00-4170b658162b",
 "value": "Sudo Privilege Escalation CVE-2019-14287"
 },
+ {
+ "description": "Detects the use of the \"capsh\" utility to invoke a shell.\n",
+ "meta": {
+ "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
+ "creation_date": "2024-09-02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_capsh_shell_invocation.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://gtfobins.github.io/gtfobins/capsh/#shell",
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "db1ac3be-f606-4e3a-89e0-9607cbe6b98a",
+ "value": "Capsh Shell Invocation - Linux"
+ },
 {
 "description": "Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic",
 "meta": {
@@ -101547,9 +101869,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
+ "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml"
 ],
 "tags": [
@@ -101615,8 +101937,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
+ "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml"
 ],
@@ -101684,8 +102006,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"
 ],
 "tags": [
@@ -101718,10 +102040,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://linux.die.net/man/8/groupdel",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://linux.die.net/man/8/groupdel",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
 "tags": [
@@ -101777,10 +102099,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://linux.die.net/man/8/userdel",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ],
 "tags": [
@@ -101813,10 +102135,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
- "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml"
 ],
 "tags": [
@@ -101826,6 +102148,40 @@
 "uuid": "457df417-8b9d-4912-85f3-9dbda39c3645",
 "value": "Suspicious Nohup Execution"
 },
+ {
+ "description": "Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.\n",
+ "meta": {
+ "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
+ "creation_date": "2024-09-02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_find_shell_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://gtfobins.github.io/gtfobins/find/#shell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1083"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "6adfbf8f-52be-4444-9bac-81b539624146",
+ "value": "Shell Execution via Find - Linux"
+ },
 {
 "description": "Detects a suspicious curl process start on linux with set useragent options",
 "meta": {
@@ -101873,8 +102229,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml"
 ],
 "tags": [
@@ -101951,14 +102307,14 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/pathtofile/bad-bpf",
- "https://github.com/HavocFramework/Havoc",
- "https://github.com/t3l3machus/hoaxshell",
- "https://github.com/t3l3machus/Villain",
- "https://github.com/Pennyw0rth/NetExec/",
- "https://github.com/Gui774ume/ebpfkit",
- "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/1N3/Sn1per",
+ "https://github.com/Pennyw0rth/NetExec/",
+ "https://github.com/t3l3machus/Villain",
+ "https://github.com/t3l3machus/hoaxshell",
+ "https://github.com/HavocFramework/Havoc",
 "https://github.com/Ne0nd0g/merlin",
+ "https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/Gui774ume/ebpfkit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml"
 ],
 "tags": [
@@ -102012,6 +102368,40 @@
 "uuid": "c9d8b7fd-78e4-44fe-88f6-599135d46d60",
 "value": "Security Software Discovery - Linux"
 },
+ {
+ "description": "Detects the use of the \"flock\" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
+ "meta": {
+ "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
+ "creation_date": "2024-09-02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_flock_shell_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://gtfobins.github.io/gtfobins/flock/#shell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1083"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4b09c71e-4269-4111-9cdd-107d8867f0cc",
+ "value": "Shell Execution via Flock - Linux"
+ },
 {
 "description": "Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n",
 "meta": {
@@ -102058,9 +102448,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], "tags": [ @@ -102093,8 +102483,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml" ], "tags": [ @@ -102151,8 +102541,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml" ], "tags": [ 
@@ -102228,8 +102618,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blog.skyplabs.net/posts/container-detection/", "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", + "https://blog.skyplabs.net/posts/container-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml" ], "tags": [ @@ -102262,8 +102652,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml" ], "tags": [ 
@@ -102306,6 +102696,42 @@ "uuid": "11063ec2-de63-4153-935e-b1a8b9e616f1", "value": "Linux Remote System Discovery" }, + { + "description": "Detects the use of the \"gcc\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", + "meta": { + "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", + "creation_date": "2024-09-02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_gcc_shell_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", + "https://gtfobins.github.io/gtfobins/gcc/#shell", + "https://gtfobins.github.io/gtfobins/c89/#shell", + "https://gtfobins.github.io/gtfobins/c99/#shell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9b5de532-a757-4d70-946c-1f3e44f48b4d", + "value": "Shell Execution GCC - Linux" + }, { "description": "Detects potential container discovery via listing of certain kernel features in the \"/proc\" virtual filesystem", "meta": { 
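Review bot: The ATT&CK mapping on this entry contradicts its description: a shell spawned through gcc is tagged `attack.discovery`/`attack.t1083` and its `related` edge points at the T1083 (File and Directory Discovery) UUID, while the env-based shell rule added elsewhere in this same patch maps the identical behaviour to `attack.execution`/`attack.t1059` with dest-uuid `7385dfaf-6886-4229-9ecd-6fd678040830`. MISP uses the `related` edges for correlation, so events tagged with this cluster will correlate to file discovery rather than execution; the tags are presumably carried over from the upstream Sigma rule, so the fix belongs there, with `"tags": ["attack.execution", "attack.t1059"]` and the T1059 dest-uuid. The `value` "Shell Execution GCC - Linux" also breaks the "Shell Execution via <tool> - Linux" naming used by the flock and env siblings.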
@@ -102320,8 +102746,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blog.skyplabs.net/posts/container-detection/", "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", + "https://blog.skyplabs.net/posts/container-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml" ], "tags": [ @@ -102374,6 +102800,41 @@ "uuid": "78a80655-a51e-4669-bc6b-e9d206a462ee", "value": "Install Root Certificate" }, + { + "description": "Detects the use of \"vim\" and it's siblings commands to execute a shell or proxy commands.\nSuch behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022-12-28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_vim_shell_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/vimdiff/", + "https://gtfobins.github.io/gtfobins/rvim/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7ab8f73a-fcff-428b-84aa-6a5ff7877dea", + "value": "Vim GTFOBin Abuse - Linux" + }, { "description": "Detects a suspicious curl process start the adds a file to a web request", "meta": { 
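Review bot: The vim entry's description reads `"vim" and it's siblings` — it should be `its siblings` (the apt entry added later in this patch carries the same typo); the text is copied from the upstream Sigma rule, so it needs fixing there or the next regeneration will reintroduce it. Re-adding the entry under the new filename while keeping uuid `7ab8f73a-fcff-428b-84aa-6a5ff7877dea` (the old `proc_creation_lnx_gtfobin_vim.yml` entry is deleted further down in this patch) is the right call, since existing MISP tags bound to that UUID keep resolving.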
@@ -102387,11 +102848,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://curl.se/docs/manpage.html", + "https://twitter.com/d1r4c/status/1279042657508081664", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -102531,8 +102992,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml" ], "tags": [ @@ -102555,9 +103016,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://gtfobins.github.io/gtfobins/nohup/", "https://www.computerhope.com/unix/unohup.htm", "https://en.wikipedia.org/wiki/Nohup", - "https://gtfobins.github.io/gtfobins/nohup/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": [ 
@@ -102772,6 +103233,40 @@ "uuid": "f41dada5-3f56-4232-8503-3fb7f9cf2d60", "value": "ESXi Storage Information Discovery Via ESXCLI" }, + { + "description": "Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.\n", + "meta": { + "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)", + "creation_date": "2024-09-02", + "falsepositive": [ + "Github operations such as ghe-backup" + ], + "filename": "proc_creation_lnx_env_shell_invocation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://gtfobins.github.io/gtfobins/env/#shell", + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bed978f8-7f3a-432b-82c5-9286a9b3031a", + "value": "Shell Invocation via Env Command - Linux" + }, { "description": "Detects execution of netcat with the \"-e\" flag followed by common shells. This could be a sign of a potential reverse shell setup.", "meta": { 
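Review bot: Any script launched through a `#!/usr/bin/env bash` or `#!/usr/bin/env sh` shebang is exec'd as `env bash <script>`, so a process-creation rule that keys on env spawning a shell will match ordinary script execution; a `"level": "high"` with a single listed false positive (`"Github operations such as ghe-backup"`) understates that. The detection body is not in the galaxy entry, so it may already require the bare `env /bin/sh` form without a script argument — if so, that exclusion should be stated in `falsepositive`, e.g. `"Scripts started via a #!/usr/bin/env <shell> shebang"`, and it should be confirmed upstream before relying on this cluster's severity.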
@@ -102785,11 +103280,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.infosecademy.com/netcat-reverse-shells/", "https://www.revshells.com/", + "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", + "https://www.infosecademy.com/netcat-reverse-shells/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ @@ -103008,41 +103503,6 @@ "uuid": "2953194b-e33c-4859-b9e8-05948c167447", "value": "DD File Overwrite" }, - { - "description": "Detects usage of \"vim\" and it's siblings as a GTFOBin to execute and proxy command and binary execution", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022-12-28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_lnx_gtfobin_vim.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "linux", - "refs": [ - "https://gtfobins.github.io/gtfobins/vim/", - "https://gtfobins.github.io/gtfobins/vimdiff/", - "https://gtfobins.github.io/gtfobins/rvim/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ] - }, - "related": [ - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7ab8f73a-fcff-428b-84aa-6a5ff7877dea", - "value": "Vim GTFOBin Abuse - Linux" - }, { "description": "Detects executions of scripts located in potentially suspicious locations such as \"/tmp\" via a shell such as \"bash\", \"sh\", etc.", "meta": { 
@@ -103056,10 +103516,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], "tags": [ 
@@ -103161,6 +103621,40 @@ "uuid": "8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf", "value": "Potential Discovery Activity Using Find - Linux" }, + { + "description": "Detects the use of the \"apt\" and \"apt-get\" commands to execute a shell or proxy commands.\nSuch behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022-12-28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_apt_shell_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "bb382fd5-b454-47ea-a264-1828e4c766d6", + "value": "Shell Invocation via Apt - Linux" + }, { "description": "Detects a potentially suspicious execution of a process located in the '/tmp/' folder", "meta": { 
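Review bot: This entry is `"level": "medium"` while the flock, gcc, vim and env shell-execution entries added in the same patch — with near-identical descriptions and the same privilege-escalation / restricted-environment-breakout framing — are `"level": "high"`; nothing in the metadata explains the lower severity, so either the description should say why apt is a weaker signal or the level should be aligned. The `attack.discovery`/`attack.t1083` mapping is also used here for what the description calls command execution, whereas the env entry in this patch maps that to `attack.execution`/`attack.t1059`, which is the better fit. Both values come from the upstream Sigma rule and should be corrected there so regeneration does not undo the change.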
@@ -103174,10 +103668,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], "tags": [ @@ -103210,9 +103704,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", - "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], "tags": [ @@ -103312,10 +103806,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxhint.com/uninstall_yum_package/", - "https://linuxhint.com/uninstall-debian-packages/", "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", + "https://linuxhint.com/uninstall-debian-packages/", + "https://linuxhint.com/uninstall_yum_package/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], "tags": [ 
@@ -103372,8 +103866,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blog.skyplabs.net/posts/container-detection/", "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", + "https://blog.skyplabs.net/posts/container-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml" ], "tags": [ @@ -103439,8 +103933,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml" ], "tags": [ @@ -103473,8 +103967,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/", "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh", + "https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml" ], "tags": [ 
@@ -103549,8 +104043,8 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications", "https://localtonet.com/documents/supported-tunnels", + "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml" ], "tags": [ @@ -103599,8 +104093,8 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" ], "tags": [ @@ -103733,10 +104227,10 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", - "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html", "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections", + "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", + "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml" ], 
@@ -103829,8 +104323,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", "https://redcanary.com/blog/ebpf-malware/", + "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml" ], "tags": [ @@ -103953,10 +104447,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "http://pastebin.com/FtygZ1cg", - "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "https://artkond.com/2017/03/23/pivoting-guide/", + "http://pastebin.com/FtygZ1cg", + "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -104012,8 +104506,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", "https://linux.die.net/man/8/useradd", + "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" ], 
@@ -104190,8 +104684,8 @@ "logsource.product": "linux", "refs": [ "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], "tags": [ @@ -104382,8 +104876,8 @@ "logsource.product": "linux", "refs": [ "https://twitter.com/matthieugarin/status/1183970598210412546", - "https://access.redhat.com/security/cve/cve-2019-14287", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ @@ -104557,8 +105051,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ @@ -104645,5 +105139,5 @@ "value": "Modifying Crontab" } ], - "version": 20240902 + "version": 20240919 } From 53a65b17d204158b494b2022963facf2c935f8bb Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Thu, 19 Sep 2024 11:45:32 +0200 Subject: [PATCH 35/36] chg: [ransomware] updated to the latest version --- clusters/ransomware.json | 65 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 60 insertions(+), 5 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 3ca0ead..2a91f5c 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -29291,7 +29291,9 @@ { "meta": { "links": [ - "http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion/" + "http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion/", + "http://panelqbinglxczi2gqkwderfvgq6bcv5cbjwxrksjtvr5xv7ozh5wqad.onion", + "http://panelqbinglxczi2gqkwderfvgq6bcv5cbjwxrksjtvr5xv7ozh5wqad.onion/Url=4094dd92-0f91-4699-8328-fdb7070a8230" ], "refs": [ "https://www.ransomlook.io/group/el dorado" @@ -29448,7 +29450,8 @@ "links": [ "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion", "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/b/", - "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/blogs.html" + "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/blogs.html", + "http://pyrx.cc" ], "refs": [ "https://www.ransomlook.io/group/pyrx" @@ -29496,7 +29499,8 @@ "http://nullbulge.co/blog.html", "http://nullbulge.se", "http://nullbulge.com", - "http://goocasino.org" + "http://goocasino.org", + "http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion" ], "refs": [ "https://www.ransomlook.io/group/nullbulge" 
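Review bot: The third link added to the el dorado entry, `http://panelqbing…onion/Url=4094dd92-0f91-4699-8328-fdb7070a8230`, carries what looks like a per-session or per-victim token in its query string rather than a stable address; the bare onion host is already listed on the line above. Publishing such a token in a galaxy imported into many MISP instances both exposes whichever case it identifies and hands other analysts a URL that presumably will not resolve for them — drop it unless it is deliberately a specific leak post, and if so say what it is. The clearnet `http://pyrx.cc` added to pyrx would benefit from a dated ransomlook snapshot in `refs`, since clearnet mirrors of leak sites are short-lived and no capture date is visible in the hunk.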
@@ -29578,12 +29582,26 @@ "value": "ransomcortex" }, { + "description": "", "meta": { "links": [ "http://lynxblog.net/", "http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion/leaks", "http://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion/login", - "http://lynxblog.net/leaks" + "http://lynxblog.net/leaks", + "http://lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion/login", + "http://lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion/login", + "http://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion/login", + "http://lynxchatde4spv5x6xlwxf47jdo7wtwwgikdoeroxamphu3e7xx5doqd.onion/login", + "http://lynxchatdy3tgcuijsqofhssopcepirjfq2f4pvb5qd4un4dhqyxswqd.onion/login", + "http://lynxchatdykpoelffqlvcbtry6o7gxk3rs2aiagh7ddz5yfttd6quxqd.onion/login", + "http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion", + "http://lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd.onion", + "http://lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd.onion", + "http://lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad.onion", + "http://lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad.onion", + "http://lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad.onion", + "http://lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid.onion" ], "refs": [ "https://www.ransomlook.io/group/lynx" 
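Review bot: `"description": ""` is added to the lynx entry while the soleenya and orca entries created later in this patch carry no `description` key at all, so an empty string and an absent key now both mean "no description" in the same file and downstream consumers (including the galaxy site generator) have to special-case both. Prefer omitting the key until there is text for it, i.e. drop the `"description": "",` line. The thirteen new lynx mirrors are all distinct hosts, so the expansion itself looks fine, though a `refs` pointer to where the mirror list was collected beyond the ransomlook group page would help later verification.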
@@ -29627,7 +29645,44 @@ }, "uuid": "1fe17577-91bb-581b-8189-c61f05cf35aa", "value": "helldown" + }, + { + "description": "Official twitter account: https://x.com/ValenciaLeaks72", + "meta": { + "links": [ + "http://6doyqxqqj36vnedtt2zwxmngx52mgyp7brbrtwkyd75jgiolocoybgid.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/valencia leaks" + ] + }, + "uuid": "af5911d6-37d6-513c-a90e-1b373378f55f", + "value": "valencia leaks" + }, + { + "meta": { + "links": [ + "http://xzbltrroh4ocknyi7kj2ucjuw63fhyy23dh6lplydl545d33kbygw2id.onion/home" + ], + "refs": [ + "https://www.ransomlook.io/group/soleenya" + ] + }, + "uuid": "c6c0200a-9c77-5285-ad47-74c7a3d53bdb", + "value": "soleenya" + }, + { + "meta": { + "links": [ + "http://orca66hwnpciepupe5626k2ib6dds6zizjwuuashz67usjps2wehz4id.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/orca" + ] + }, + "uuid": "2a1e103b-da5f-56d6-a0c8-5daff4c4fd87", + "value": "orca" } ], - "version": 132 + "version": 133 } From c93cd265bcb90a855254502f8fb47a1e1338e2ab Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 19 Sep 2024 14:18:45 +0200 Subject: [PATCH 36/36] chg: [doc] README updated --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 68eed5e..3be9919 100644 --- a/README.md +++ b/README.md @@ -495,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *37* elements [Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project. -Category: *tool* - source: *Various* - total: *1801* elements +Category: *tool* - source: *Various* - total: *1804* elements [[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
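Review bot: The new valencia leaks entry's ref `https://www.ransomlook.io/group/valencia leaks` contains a literal space, which is not a valid URI and may be rejected or mangled by strict URL parsers and by the galaxy site's link rendering; encode it as `https://www.ransomlook.io/group/valencia%20leaks` (the pre-existing el dorado ref has the same flaw). The three additions match the 1801→1804 count in the README patch and the 132→133 version bump here, so the bookkeeping is consistent.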