From e54366fb8736484066698536ba4084358c9449c5 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 10 Jan 2023 15:55:30 +0100
Subject: [PATCH 01/13] chg: [threat-actor] added the missing synonyms
---
clusters/threat-actor.json | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2c01817..972a6b9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8677,7 +8677,13 @@
"meta": {
"refs": [
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs",
- "https://www2.swift.com/isac/report/10118"
+ "https://www2.swift.com/isac/report/10118",
+ "https://blog.group-ib.com/opera1er-apt"
+ ],
+ "synonyms": [
+ "OPERA1ER",
+ "NXSMS",
+ "DESKTOP-GROUP"
]
},
"uuid": "da581c60-7c3d-4de6-b54c-cafea1c58389",
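Review bot: The three names added under `"synonyms"` are not checked against the rest of clusters/threat-actor.json, so any of them that already appears as the `value` or a synonym of another entry would make name-to-cluster matching ambiguous for consumers of this galaxy. This entry's own `value` line is outside the hunk, so the check cannot be made from the diff alone. If OPERA1ER is also tracked as its own entry, a `related` link between the two entries would be clearer than sharing the name.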
@@ -9986,5 +9992,5 @@
"value": "Malteiro"
}
],
- "version": 256
+ "version": 257
}
From c0fdfb0e997cef645507b9c8239395ed5b47e41d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 12 Jan 2023 13:46:31 +0100
Subject: [PATCH 02/13] chg: [sigma] updated with latest version + new
relationship script
---
clusters/sigma-rules.json | 22614 ++++++++++++++++++++++++++++++++----
1 file changed, 20669 insertions(+), 1945 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index ffc3f22..9954344 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -9,6 +9,37 @@
"type": "sigma-rules",
"uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2",
"values": [
+ {
+ "description": "Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.",
+ "meta": {
+ "author": "Tim Brown",
+ "creation_date": "2023/01/09",
+ "falsepositive": [
+ "Unlikely. Except due to misconfigurations"
+ ],
+ "filename": "juniper_bgp_missing_md5.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "juniper",
+ "refs": [
+ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.credential_access",
+ "attack.collection",
+ "attack.t1078",
+ "attack.t1110",
+ "attack.t1557"
+ ]
+ },
+ "uuid": "a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43",
+ "value": "Juniper BGP Missing MD5"
+ },
{
"description": "Detects many failed connection attempts to different ports or hosts",
"meta": {
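Review bot: The new `Juniper BGP Missing MD5` entry carries ATT&CK technique tags (`attack.t1078`, `attack.t1110`, `attack.t1557`) but no `related` array, whereas every existing entry whose tags are visible in this patch receives one in the hunks that follow (for example `High DNS Requests Rate - Firewall`). The same gap applies to the three new Cisco LDP, Cisco BGP and Huawei BGP entries in the hunk ending at `Huawei BGP Authentication Failures`, which sit right after `Cisco Clear Logs` where a `related` list is added. This looks like the relationship script only links values that were already present before the import; if so, running it once more after the import would make the new entries consistent with the rest of the file.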
@@ -55,6 +86,22 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "51186749-7415-46be-90e5-6914865c825a",
"value": "High DNS Requests Rate - Firewall"
},
@@ -102,6 +149,15 @@
"attack.t1048.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3b6e327d-8649-4102-993f-d25786481589",
"value": "High DNS Bytes Out - Firewall"
},
@@ -118,8 +174,8 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
],
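Review bot: The `refs` list here changes only in order (the NIST and CIS URLs swap places), which is diff churn that hides real changes; the same reorder-only edit appears in the hunks for net_firewall_apt_equationgroup_c2.yml, net_dns_susp_telegram_api.yml, net_dns_c2_detection.yml, zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml, zeek_dns_nkn.yml, zeek_dce_rpc_domain_user_enumeration.yml, zeek_dce_rpc_printnightmare_print_driver_install.yml and zeek_dns_susp_zbit_flag.yml. In each case the SigmaHQ link stays last while the other entries move, which looks like the generator collects the upstream references into an unordered container before appending the rule URL. Emitting them in upstream order, or sorted, would keep regenerated output stable between runs.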
@@ -141,8 +197,8 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
- "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
+ "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml"
],
"tags": [
@@ -151,6 +207,15 @@
"attack.t1041"
]
},
+ "related": [
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "881834a4-6659-4773-821e-1c151789d873",
"value": "Equation Group C2 Communication"
},
@@ -167,10 +232,10 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "https://core.telegram.org/bots/faq",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://core.telegram.org/bots/faq",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
],
"tags": [
@@ -178,6 +243,15 @@
"attack.t1102.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c64c5175-5189-431b-a55e-6d9882158251",
"value": "Telegram Bot API Request"
},
@@ -204,6 +278,22 @@
"attack.t1595.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aff715fa-4dd5-497a-8db3-910bea555566",
"value": "DNS Query to External Service Interaction Domains"
},
@@ -229,6 +319,15 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2975af79-28c4-4d2f-a951-9095f229df29",
"value": "Cobalt Strike DNS Beaconing"
},
@@ -252,6 +351,15 @@
"attack.t1048.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0f6c1bf5-70a5-4963-aef9-aab1eefb50bd",
"value": "High DNS Bytes Out"
},
@@ -277,6 +385,22 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "44ae5117-9c44-40cf-9c7c-7edad385ca70",
"value": "High NULL Records Requests Rate"
},
@@ -293,8 +417,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://zeltser.com/c2-dns-tunneling/",
"https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/",
+ "https://zeltser.com/c2-dns-tunneling/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml"
],
"tags": [
@@ -304,6 +428,22 @@
"attack.t1048.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ec4b281-aa65-46a2-bdae-5fd830ed914e",
"value": "Possible DNS Tunneling"
},
@@ -329,6 +469,15 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8ae51330-899c-4641-8125-e39f2e07da72",
"value": "DNS TXT Answer with Possible Execution Strings"
},
@@ -354,6 +503,22 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35",
"value": "High TXT Records Requests Rate"
},
@@ -380,6 +545,22 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4153a907-2451-4e4f-a578-c52bb6881432",
"value": "Suspicious DNS Query with B64 Encoded String"
},
@@ -405,6 +586,22 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b4163085-4001-46a3-a79a-55d8bbbc7a3a",
"value": "High DNS Requests Rate"
},
@@ -429,6 +626,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3eaf6218-3bed-4d8a-8707-274096f12a18",
"value": "Wannacry Killswitch Domain"
},
@@ -454,6 +660,22 @@
"attack.t1567"
]
},
+ "related": [
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b593fd50-7335-4682-a36c-4edcb68e4641",
"value": "Monero Crypto Coin Mining Pool Lookup"
},
@@ -485,6 +707,22 @@
"attack.t1124"
]
},
+ "related": [
+ {
+ "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b",
"value": "Cisco Discovery"
},
@@ -512,6 +750,29 @@
"attack.t1053"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b",
"value": "Cisco Modify Configuration"
},
@@ -538,6 +799,29 @@
"attack.t1561.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "71d65515-c436-43c0-841b-236b1f32c21e",
"value": "Cisco File Deletion"
},
@@ -566,6 +850,29 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59",
"value": "Cisco Stage Data"
},
@@ -589,6 +896,15 @@
"attack.t1552.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b",
"value": "Cisco Show Commands Input"
},
@@ -616,6 +932,22 @@
"attack.t1005"
]
},
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd072b25-a418-4f98-8ebc-5093fb38fe1a",
"value": "Cisco Collect Data"
},
@@ -664,6 +996,29 @@
"attack.t1565.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d94a35f0-7a29-45f6-90a0-80df6159967c",
"value": "Cisco Denial of Service"
},
@@ -712,6 +1067,22 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6d844f0f-1c18-41af-8f19-33e7654edfc3",
"value": "Cisco Local Accounts"
},
@@ -737,6 +1108,15 @@
"attack.t1552.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1f978c6a-4415-47fb-aca5-736a44d7ca3d",
"value": "Cisco Crypto Commands"
},
@@ -760,9 +1140,111 @@
"attack.t1070.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ceb407f6-8277-439b-951f-e4210e3ed956",
"value": "Cisco Clear Logs"
},
+ {
+ "description": "Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels",
+ "meta": {
+ "author": "Tim Brown",
+ "creation_date": "2023/01/09",
+ "falsepositive": [
+ "Unlikely. Except due to misconfigurations"
+ ],
+ "filename": "cisco_ldp_md5_auth_failed.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "cisco",
+ "refs": [
+ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.credential_access",
+ "attack.collection",
+ "attack.t1078",
+ "attack.t1110",
+ "attack.t1557"
+ ]
+ },
+ "uuid": "50e606bf-04ce-4ca7-9d54-3449494bbd4b",
+ "value": "Cisco LDP Authentication Failures"
+ },
+ {
+ "description": "Detects BGP failures which may be indicative of brute force attacks to manipulate routing",
+ "meta": {
+ "author": "Tim Brown",
+ "creation_date": "2023/01/09",
+ "falsepositive": [
+ "Unlikely. Except due to misconfigurations"
+ ],
+ "filename": "cisco_bgp_md5_auth_failed.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "cisco",
+ "refs": [
+ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.credential_access",
+ "attack.collection",
+ "attack.t1078",
+ "attack.t1110",
+ "attack.t1557"
+ ]
+ },
+ "uuid": "56fa3cd6-f8d6-4520-a8c7-607292971886",
+ "value": "Cisco BGP Authentication Failures"
+ },
+ {
+ "description": "Detects BGP failures which may be indicative of brute force attacks to manipulate routing.",
+ "meta": {
+ "author": "Tim Brown",
+ "creation_date": "2023/01/09",
+ "falsepositive": [
+ "Unlikely. Except due to misconfigurations"
+ ],
+ "filename": "huawei_bgp_auth_failed.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "huawei",
+ "refs": [
+ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.credential_access",
+ "attack.collection",
+ "attack.t1078",
+ "attack.t1110",
+ "attack.t1557"
+ ]
+ },
+ "uuid": "a557ffe6-ac54-43d2-ae69-158027082350",
+ "value": "Huawei BGP Authentication Failures"
+ },
{
"description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic",
"meta": {
@@ -847,10 +1329,10 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
- "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
"https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
"https://threatpost.com/microsoft-petitpotam-poc/168163/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
+ "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
],
"tags": [
@@ -858,6 +1340,22 @@
"attack.t1187"
]
},
+ "related": [
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a",
"value": "Potential PetitPotam Attack Via EFS RPC Calls"
},
@@ -882,6 +1380,15 @@
"attack.t1048.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "705072a5-bb6f-4ced-95b6-ecfa6602090b",
"value": "WebDav Put Request"
},
@@ -909,6 +1416,15 @@
"attack.t1053.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dde85b37-40cd-4a94-b00c-0b8794f956b5",
"value": "Remote Task Creation via ATSVC Named Pipe - Zeek"
},
@@ -934,6 +1450,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aac2fd97-bcba-491b-ad66-a6edf89c71bf",
"value": "Executable from Webdav"
},
@@ -957,6 +1482,15 @@
"attack.t1048"
]
},
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a8322756-015c-42e7-afb1-436e85ed3ff5",
"value": "DNS TOR Proxies"
},
@@ -990,6 +1524,43 @@
"attack.t1210"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ab6b1a39-a9ee-4ab4-b075-e83acf6e346b",
"value": "OMIGOD HTTP No Authentication RCE"
},
@@ -1017,6 +1588,29 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b640c0b8-87f8-4daa-aef8-95a24261dd1d",
"value": "MITRE BZAR Indicators for Execution"
},
@@ -1043,6 +1637,29 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "92dae1ed-1c9d-4eff-a567-33acbd95b00e",
"value": "Possible Impacket SecretDump Remote Activity - Zeek"
},
@@ -1083,8 +1700,8 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://github.com/nknorg/nkn-sdk-go",
"https://github.com/Maka8ka/NGLite",
+ "https://github.com/nknorg/nkn-sdk-go",
"https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
],
@@ -1160,8 +1777,8 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/37",
"https://github.com/OTRF/detection-hackathon-apt29",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/37",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml"
],
"tags": [
@@ -1194,6 +1811,22 @@
"attack.t1496"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bf74135c-18e8-4a72-a926-0e4f47888c19",
"value": "DNS Events Related To Mining Pools"
},
@@ -1210,12 +1843,12 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
"https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
"https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
"https://github.com/corelight/CVE-2021-1675",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
],
"tags": [
@@ -1298,6 +1931,29 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2e69f167-47b5-4ae7-a390-47764529eff5",
"value": "Transferring Files with Credential Data via Network Shares - Zeek"
},
@@ -1315,10 +1971,10 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
"https://tools.ietf.org/html/rfc2929#section-2.1",
- "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
"https://twitter.com/neu5ron/status/1346245602502443009",
+ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
+ "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
],
"tags": [
@@ -1327,6 +1983,22 @@
"attack.command_and_control"
]
},
+ "related": [
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5",
"value": "Suspicious DNS Z Flag Bit Set"
},
@@ -1352,221 +2024,18 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fd435618-981e-4a7c-81f8-f78ce480d616",
"value": "Django Framework Exceptions"
},
- {
- "description": "Detects a highly relevant Antivirus alert that reports a password dumper",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2018/09/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_password_dumper.yml",
- "level": "critical",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
- "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003",
- "attack.t1558",
- "attack.t1003.001",
- "attack.t1003.002"
- ]
- },
- "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93",
- "value": "Antivirus Password Dumper Detection"
- },
- {
- "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .",
- "meta": {
- "author": "Sittikorn S, Nuttakorn T, Tim Shelton",
- "creation_date": "2021/07/01",
- "falsepositive": [
- "Unlikely, or pending PSP analysis"
- ],
- "filename": "av_printernightmare_cve_2021_34527.yml",
- "level": "critical",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/mvelazco/status/1410291741241102338",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1055"
- ]
- },
- "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561",
- "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection"
- },
- {
- "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name",
- "meta": {
- "author": "Florian Roth, Arnim Rupp",
- "creation_date": "2018/09/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_relevant_files.yml",
- "level": "high",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1588"
- ]
- },
- "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c",
- "value": "Antivirus Relevant File Paths Alerts"
- },
- {
- "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2018/09/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_exploiting.yml",
- "level": "critical",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_exploiting.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864",
- "value": "Antivirus Exploitation Framework Detection"
- },
- {
- "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/08/16",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_hacktool.yml",
- "level": "high",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1204"
- ]
- },
- "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba",
- "value": "Antivirus Hacktool Detection"
- },
- {
- "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.",
- "meta": {
- "author": "Florian Roth, Arnim Rupp",
- "creation_date": "2018/09/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_webshell.yml",
- "level": "high",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
- "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
- "https://github.com/tennc/webshell",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003"
- ]
- },
- "uuid": "fdf135a2-9241-4f96-a114-bb404948f736",
- "value": "Antivirus Web Shell Detection"
- },
- {
- "description": "Detects a highly relevant Antivirus alert that reports ransomware",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/05/12",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_ransomware.yml",
- "level": "critical",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.nextron-systems.com/?s=antivirus",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_ransomware.yml"
- ],
- "tags": [
- "attack.t1486"
- ]
- },
- "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f",
- "value": "Antivirus Ransomware Detection"
- },
- {
- "description": "Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields",
- "meta": {
- "author": "@juju4",
- "creation_date": "2022/12/27",
- "falsepositive": [
- "Inventory and monitoring activity",
- "Vulnerability scanners",
- "Legitimate applications"
- ],
- "filename": "db_anomalous_query.yml",
- "level": "medium",
- "logsource.category": "database",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/sqlmapproject/sqlmap",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/database/db_anomalous_query.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.initial_access",
- "attack.privilege_escalation",
- "attack.t1190",
- "attack.t1505.001"
- ]
- },
- "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5",
- "value": "Suspicious SQL Query"
- },
{
"description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts",
"meta": {
@@ -1588,6 +2057,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33",
"value": "Spring Framework Exceptions"
},
@@ -1612,6 +2090,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9",
"value": "Python SQL Exceptions"
},
@@ -1636,6 +2123,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8a670c6d-7189-4b1c-8017-a417ca84a086",
"value": "Suspicious SQL Error Messages"
},
@@ -1653,9 +2149,9 @@
"logsource.product": "ruby_on_rails",
"refs": [
"http://guides.rubyonrails.org/action_controller_overview.html",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
"http://edgeguides.rubyonrails.org/security.html",
"https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
],
"tags": [
@@ -1663,6 +2159,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a",
"value": "Ruby on Rails Framework Exceptions"
},
@@ -1679,15 +2184,15 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://attack.mitre.org/techniques/T1087/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
],
"tags": [
- "attack.t1087"
+ "attack.t1087",
+ "attack.discovery"
]
},
"uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5",
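Review bot: The `related` list that the relationship script adds to other entries in this commit is missing here even though the entry carries the technique tag `attack.t1087`; the hunk ends on the `uuid` line with no `related` block before it. The same gap appears in the hunks ending at L1535 (`attack.t1033`) and L1741 (`attack.t1112`), while entries tagged `attack.t1190`, `attack.t1047` or `attack.t1003.001` do receive a `dest-uuid` link. This looks like the script's tag-to-technique mapping covers only a subset of technique IDs, so a consumer cannot treat `related` as a complete ATT&CK linkage until the mapping is checked. Since the file is generated, the fix belongs in the script rather than in this JSON.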
@@ -1706,14 +2211,15 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://attack.mitre.org/tactics/TA0007/",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
"https://github.com/zeronetworks/rpcfirewall",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
],
- "tags": "No established tags"
+ "tags": [
+ "attack.discovery"
+ ]
},
"uuid": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8",
"value": "Remote Registry Recon"
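Review bot: `tags` changes type here from the sentinel string `"No established tags"` to an array, which is the right shape, but the removed line shows the generator emits a string whenever a rule has no tags, so any entry that still has none will keep a field that is a string in one object and an array in the next. Consumers iterating `tags` across the cluster then have to special-case that value; emitting `"tags": []` for untagged rules would keep the type stable. The same string-to-array fix appears in the hunks ending at L1450, L1552, L1720 and L1774, so the generator rather than these entries is the place to change it.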
@@ -1731,14 +2237,15 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://attack.mitre.org/tactics/TA0007/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
],
- "tags": "No established tags"
+ "tags": [
+ "attack.discovery"
+ ]
},
"uuid": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e",
"value": "Remote Schedule Task Recon via ITaskSchedulerService"
@@ -1756,12 +2263,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://attack.mitre.org/techniques/T1569/002/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
],
"tags": [
@@ -1769,6 +2274,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "10018e73-06ec-46ec-8107-9172f1e04ff2",
"value": "Remote Server Service Abuse for Lateral Movement"
},
@@ -1785,12 +2299,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://attack.mitre.org/techniques/T1053/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
],
"tags": [
@@ -1799,6 +2311,15 @@
"attack.t1053.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb",
"value": "Remote Schedule Task Lateral Movement via ATSvc"
},
@@ -1815,15 +2336,15 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://attack.mitre.org/techniques/T1033/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
],
"tags": [
- "attack.t1033"
+ "attack.t1033",
+ "attack.discovery"
]
},
"uuid": "56fda488-113e-4ce9-8076-afc2457922c3",
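Review bot: The DCSync rule (`rpc_firewall_dcsync_attack.yml`) ends up tagged only `attack.t1033` plus the new `attack.discovery`, which files it under System Owner/User Discovery rather than credential access; ATT&CK models DCSync as `T1003.006` under OS Credential Dumping. If the upstream Sigma rule is the source of this tag the correction belongs there and the generator will pick it up; if the tag is produced locally, `"attack.credential_access", "attack.t1003.006"` would be the expected pair. As written, a reader filtering this cluster by credential-access techniques will not find the DCSync detection.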
@@ -1842,12 +2363,13 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://attack.mitre.org/tactics/TA0007/",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml"
],
- "tags": "No established tags"
+ "tags": [
+ "attack.discovery"
+ ]
},
"uuid": "2053961f-44c7-4a64-b62d-f6e72800af0d",
"value": "Remote Event Log Recon"
@@ -1865,12 +2387,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://attack.mitre.org/techniques/T1053/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
],
"tags": [
@@ -1879,6 +2399,15 @@
"attack.t1053.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d",
"value": "Remote Schedule Task Lateral Movement via ITaskSchedulerService"
},
@@ -1895,12 +2424,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://attack.mitre.org/techniques/T1021/003/",
- "https://attack.mitre.org/techniques/T1047/",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
],
"tags": [
@@ -1909,6 +2435,22 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "68050b10-e477-4377-a99b-3721b422d6ef",
"value": "Remote DCOM/WMI Lateral Movement"
},
@@ -1925,12 +2467,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://attack.mitre.org/techniques/T1053/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
],
"tags": [
@@ -1939,6 +2479,15 @@
"attack.t1053.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aff229ab-f8cd-447b-b215-084d11e79eb0",
"value": "Remote Schedule Task Lateral Movement via SASec"
},
@@ -1955,13 +2504,12 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
],
"tags": [
@@ -1984,11 +2532,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
- "https://attack.mitre.org/techniques/T1033/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
],
"tags": [
@@ -2011,11 +2558,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://attack.mitre.org/tactics/TA0008/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
],
"tags": [
@@ -2038,14 +2584,15 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://attack.mitre.org/tactics/TA0007/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
],
- "tags": "No established tags"
+ "tags": [
+ "attack.discovery"
+ ]
},
"uuid": "0a3ff354-93fc-4273-8a03-1078782de5b7",
"value": "Recon Activity via SASec"
@@ -2063,16 +2610,15 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://attack.mitre.org/tactics/TA0008/",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
"https://github.com/zeronetworks/rpcfirewall",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://attack.mitre.org/techniques/T1112/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
],
"tags": [
- "attack.lateral_movement"
+ "attack.lateral_movement",
+ "attack.t1112"
]
},
"uuid": "35c55673-84ca-4e99-8d09-e334f3c29539",
@@ -2091,11 +2637,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
],
"tags": [
@@ -2118,14 +2663,15 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://attack.mitre.org/tactics/TA0007/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
],
- "tags": "No established tags"
+ "tags": [
+ "attack.discovery"
+ ]
},
"uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c",
"value": "Remote Schedule Task Recon via AtScv"
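Review bot: The `value` on the last line of this hunk reads `Remote Schedule Task Recon via AtScv`, where the service name is presumably `ATSvc` as in the sibling entry `Remote Schedule Task Lateral Movement via ATSvc` (L1513); the same kind of typo sits in `Suspect Svchost Memory Asccess` (L1924) and `WerFault Accassing LSASS` (L1997). These are context lines, so they come from the upstream rule titles rather than from this commit, and because `value` is the cluster's display name and the file is generated, hand-editing here would be undone on the next regeneration. Correcting the titles upstream is the durable route; noting it so the names are not mistaken for a local regression.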
@@ -2151,6 +2697,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5",
"value": "Potential Credential Dumping Attempt Via PowerShell"
},
@@ -2167,10 +2722,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
],
@@ -2180,6 +2735,15 @@
"attack.s0002"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fa34b441-961a-42fa-a100-ecc28c886725",
"value": "LSASS Access from Program in Suspicious Folder"
},
@@ -2196,8 +2760,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml"
],
"tags": [
@@ -2205,6 +2769,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a49fa4d5-11db-418c-8473-1e014a8dd462",
"value": "Lsass Memory Dump via Comsvcs DLL"
},
@@ -2234,6 +2807,22 @@
"car.2019-04-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3b4b232a-af90-427c-a22f-30b0c0837b95",
"value": "CMSTP Execution Process Access"
},
@@ -2260,6 +2849,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933",
"value": "Load Undocumented Autoelevated COM Interface"
},
@@ -2284,6 +2882,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7186e989-4ed7-4f4e-a656-4674b9e3e48b",
"value": "Credential Dumping by Pypykatz"
},
@@ -2300,8 +2907,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/timbmsft/status/900724491076214784",
"https://github.com/hlldz/Invoke-Phant0m",
+ "https://twitter.com/timbmsft/status/900724491076214784",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml"
],
"tags": [
@@ -2309,6 +2916,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde",
"value": "Suspect Svchost Memory Asccess"
},
@@ -2325,9 +2941,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/mrd0x/status/1460597833917251595",
"https://twitter.com/_xpn_/status/1491557187168178176",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
- "https://twitter.com/mrd0x/status/1460597833917251595",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
],
"tags": [
@@ -2336,6 +2952,15 @@
"attack.s0002"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651",
"value": "LSASS Access from White-Listed Processes"
},
@@ -2365,6 +2990,29 @@
"attack.s0002"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8",
"value": "Mimikatz through Windows Remote Management"
},
@@ -2391,6 +3039,15 @@
"attack.s0002"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7",
"value": "WerFault Accassing LSASS"
},
@@ -2441,6 +3098,15 @@
"attack.s0349"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0",
"value": "Credential Dumping by LaZagne"
},
@@ -2463,6 +3129,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "174afcfa-6e40-4ae9-af64-496546389294",
"value": "SVCHOST Credential Dump"
},
@@ -2488,6 +3163,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c",
"value": "UAC Bypass Using WOW64 Logger DLL Hijack"
},
@@ -2504,10 +3188,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
- "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
"https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
+ "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
],
"tags": [
@@ -2516,6 +3200,15 @@
"attack.s0002"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da",
"value": "LSASS Memory Dump"
},
@@ -2532,9 +3225,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
],
@@ -2545,6 +3238,15 @@
"car.2019-04-004"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "32d0d3e2-e58d-4d41-926b-18b520b2b32d",
"value": "Credential Dumping Tools Accessing LSASS Memory"
},
@@ -2561,10 +3263,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
],
@@ -2574,6 +3276,15 @@
"attack.s0002"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65",
"value": "Rare GrantedAccess Flags on LSASS Access"
},
@@ -2590,10 +3301,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
],
@@ -2603,6 +3314,15 @@
"attack.s0002"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a18dd26b-6450-46de-8c91-9659150cf088",
"value": "Suspicious GrantedAccess Flags on LSASS Access"
},
@@ -2627,6 +3347,15 @@
"attack.t1106"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0",
"value": "Direct Syscall of NtOpenProcess"
},
@@ -2654,6 +3383,40 @@
"uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da",
"value": "Potential Shellcode Injection"
},
+ {
+ "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_access_win_invoke_patchingapi.yml",
+ "level": "medium",
+ "logsource.category": "process_access",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/D1rkMtr/UnhookingPatch",
+ "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b916cba1-b38a-42da-9223-17114d846fd6",
+ "value": "Potential NT API Stub Patching"
+ },
{
"description": "Detects the process injection of a LittleCorporal generated Maldoc.",
"meta": {
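Review bot: The last `refs` entry, `https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml`, is a branch-relative link that silently breaks as soon as upstream renames or moves the rule, which SigmaHQ does regularly; pinning it to the commit the import was generated from (`.../blob/<sha>/rules/...`) keeps the reference resolvable and auditable. The description names the project "PatchingAPI" while both upstream refs point at `D1rkMtr/UnhookingPatch`; that wording is presumably mirrored from the upstream rule, so it belongs in an import note rather than an edit here, but it will confuse anyone searching for the tool by name. With `"falsepositive": ["Unknown"]` and `"level": "medium"`, consumers have no tuning guidance, so the import note should also flag that this rule was added to Sigma only days before this sync and has little field validation.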
@@ -2676,6 +3439,22 @@
"attack.t1055.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac",
"value": "LittleCorporal Generated Maldoc Injection"
},
@@ -2702,6 +3481,22 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5",
"value": "HandleKatz Duplicating LSASS Handle"
},
@@ -2728,6 +3523,15 @@
"attack.s0002"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3",
"value": "LSASS Memory Access by Tool Named Dump"
},
@@ -2744,9 +3548,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
- "https://github.com/codewhitesec/SysmonEnte/",
"https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
+ "https://github.com/codewhitesec/SysmonEnte/",
+ "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
],
"tags": [
@@ -2754,6 +3558,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e",
"value": "SysmonEnte Usage"
},
@@ -2781,6 +3594,15 @@
"attack.t1562.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "09706624-b7f6-455d-9d02-adee024cee1d",
"value": "CobaltStrike BOF Injection Pattern"
},
@@ -2797,9 +3619,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://twitter.com/SBousseaden/status/1541920424635912196",
"https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
- "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
],
"tags": [
@@ -2807,6 +3629,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7",
"value": "Suspicious LSASS Access Via MalSecLogon"
},
@@ -2879,6 +3710,15 @@
"attack.t1055.012"
]
},
+ "related": [
+ {
+ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd",
"value": "Sysmon Process Hollowing Detection"
},
@@ -2895,8 +3735,8 @@
"logsource.category": "sysmon_error",
"logsource.product": "windows",
"refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
],
"tags": [
@@ -2904,6 +3744,15 @@
"attack.t1564"
]
},
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8",
"value": "Sysmon Configuration Error"
},
@@ -2920,8 +3769,8 @@
"logsource.category": "sysmon_status",
"logsource.product": "windows",
"refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
],
"tags": [
@@ -2929,6 +3778,15 @@
"attack.t1564"
]
},
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1f2b5353-573f-4880-8e33-7d04dcf97744",
"value": "Sysmon Configuration Modification"
},
@@ -2945,8 +3803,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml"
],
"tags": [
@@ -2971,8 +3829,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml"
],
"tags": [
@@ -3008,6 +3866,36 @@
"attack.t1003.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e",
"value": "Cred Dump-Tools Named Pipes"
},
@@ -3024,11 +3912,11 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/SigmaHQ/sigma/issues/253",
- "https://twitter.com/d4rksystem/status/1357010969264873472",
- "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
"https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
"https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://github.com/SigmaHQ/sigma/issues/253",
+ "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
],
"tags": [
@@ -3063,6 +3951,15 @@
"attack.t1106"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "739915e4-1e70-4778-8b8a-17db02f66db1",
"value": "Turla Group Named Pipes"
},
@@ -3087,6 +3984,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "58cb02d5-78ce-4692-b3e1-dce850aae41a",
"value": "Alternate PowerShell Hosts Pipe"
},
@@ -3134,6 +4040,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f6451de4-df0a-41fa-8d72-b39f54a08db5",
"value": "PAExec Default Named Pipe"
},
@@ -3158,6 +4073,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb",
"value": "WMI Event Consumer Created Named Pipe"
},
@@ -3182,6 +4106,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ac7102b4-9e1e-4802-9b4f-17c5524c015c",
"value": "PowerShell Execution Via Named Pipe"
},
@@ -3208,6 +4141,15 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "41504465-5e3a-4a5b-a5b4-2a0baadd4463",
"value": "PsExec Tool Execution From Suspicious Locations - PipeName"
},
@@ -3260,6 +4202,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9e77ed63-2ecf-4c7b-b09d-640834882028",
"value": "PsExec Pipes Artifacts"
},
@@ -3276,18 +4227,18 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
"https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
"https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://github.com/RiccardoAncarani/LiquidSnake",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
],
"tags": [
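Review bot: Every entry in this `refs` list is moved and none is added or removed, so the hunk carries no information while making it impossible to see at a glance whether a URL was inserted; the same churn appears in most other `refs` hunks of this patch. The generator seems to emit refs in hash or set order; keeping the upstream rule's order, or sorting once and stably, would make future syncs show only genuine additions, which matters because these URLs are what analysts click from MISP and a maliciously inserted link would be buried in reshuffles. The trailing SigmaHQ link appears last in every list, so the sort should apply to the upstream refs only and append that link afterwards.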
@@ -3322,6 +4273,15 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f3f3a972-f982-40ad-b63c-bca6afdfad7c",
"value": "PsExec Default Named Pipe"
},
@@ -3338,9 +4298,9 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/post/adfs/",
"https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
"https://github.com/Azure/SimuLand",
+ "https://o365blog.com/post/adfs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
],
"tags": [
@@ -3348,6 +4308,15 @@
"attack.t1005"
]
},
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3",
"value": "ADFS Database Named Pipe Connection"
},
@@ -3374,6 +4343,22 @@
"attack.t1134.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a",
"value": "Koh Default Named Pipes"
},
@@ -3407,6 +4392,36 @@
"attack.t1003.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8",
"value": "Mimikatz Use"
},
@@ -3546,6 +4561,15 @@
"attack.t1136.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "66b6be3d-55d0-4f47-9855-d69df21740ea",
"value": "Local User Creation"
},
@@ -3572,6 +4596,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7a922f1b-2635-4d6c-91ef-af228b198ad3",
"value": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security"
},
@@ -3622,6 +4655,15 @@
"attack.t1134.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2",
"value": "Addition of SID History to Active Directory Object"
},
@@ -3678,6 +4720,15 @@
"car.2016-04-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982",
"value": "Security Eventlog Cleared"
},
@@ -3695,8 +4746,8 @@
"logsource.product": "windows",
"refs": [
"https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
"https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
],
"tags": [
@@ -3729,6 +4780,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c8b00925-926c-47e3-beea-298fd563728e",
"value": "Remote Access Tool Services Have Been Installed - Security"
},
@@ -3755,6 +4815,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a",
"value": "Invoke-Obfuscation Via Use MSHTA - Security"
},
@@ -3771,8 +4840,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
],
"tags": [
@@ -3781,6 +4850,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76",
"value": "Generic Password Dumper Activity on LSASS"
},
@@ -3797,8 +4875,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
],
"tags": "No established tags"
@@ -3843,8 +4921,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
],
@@ -3895,8 +4973,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/software/S0359/",
"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm",
+ "https://attack.mitre.org/software/S0359/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml"
],
"tags": [
@@ -3906,6 +4984,15 @@
"attack.t1016"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eeb66bbb-3dde-4582-815a-584aee9fe6d1",
"value": "Correct Execution of Nltest.exe"
},
@@ -3947,8 +5034,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://twitter.com/mattifestation/status/899646620148539397",
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
],
"tags": [
@@ -3957,6 +5044,15 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f033f3f3-fd24-4995-97d8-a3bb17550a88",
"value": "WMI Persistence - Security"
},
@@ -3994,8 +5090,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/menasec1/status/1106899890377052160",
"https://www.secureworks.com/blog/ransomware-as-a-distraction",
+ "https://twitter.com/menasec1/status/1106899890377052160",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
],
"tags": [
@@ -4004,6 +5100,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2",
"value": "Persistence and Execution at Scale via GPO Scheduled Task"
},
@@ -4123,10 +5228,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://github.com/sensepost/ruler",
"https://github.com/sensepost/ruler/issues/47",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
+ "https://github.com/sensepost/ruler",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
],
@@ -4139,6 +5244,22 @@
"attack.t1550.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "24549159-ac1b-479c-8175-d42aea947cae",
"value": "Hacktool Ruler"
},
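Review bot: The `attack.t1550.002` tag visible at the top of this hunk has no matching entry in the new `related` list, which only carries `1608f3e1-598a-42f4-a01a-2e252e81728f` and `7385dfaf-6886-4229-9ecd-6fd678040830`; neither of those looks like the Pass the Hash sub-technique, so the tag-to-UUID map appears to have dropped at least one technique here. If the script skips tags it cannot resolve, it should log them instead of silently omitting the relation, because a missing link is indistinguishable from a rule that was never tagged. The rule's full `tags` list starts before this hunk, so other tags may be affected as well.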
@@ -4162,6 +5283,15 @@
"attack.t1070.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a122ac13-daf8-4175-83a2-72c387be339d",
"value": "Security Event Log Cleared"
},
@@ -4179,8 +5309,8 @@
"logsource.product": "windows",
"refs": [
"https://awakesecurity.com/blog/threat-hunting-for-paexec/",
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
"https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
],
"tags": [
@@ -4192,6 +5322,22 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cb062102-587e-4414-8efa-dbe3c7bf19c6",
"value": "Malicious Service Installations"
},
@@ -4292,6 +5438,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a",
"value": "Invoke-Obfuscation Via Use Rundll32 - Security"
},
@@ -4308,9 +5463,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
],
"tags": "No established tags"
@@ -4378,9 +5533,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
"https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
"https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
],
"tags": [
@@ -4404,9 +5559,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
- "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
],
"tags": [
@@ -4419,6 +5574,36 @@
"attack.s0195"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d",
"value": "Secure Deletion with SDelete"
},
@@ -4507,8 +5692,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
],
"tags": [
@@ -4522,6 +5707,29 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d",
"value": "Operation Wocao Activity - Security"
},
@@ -4574,6 +5782,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1",
"value": "Invoke-Obfuscation Via Stdin - Security"
},
@@ -4601,6 +5818,22 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6fb63b40-e02a-403e-9ffd-3bcc1d749442",
"value": "Metasploit Or Impacket Service Installation Via SMB PsExec"
},
@@ -4625,6 +5858,15 @@
"attack.t1222.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "028c7842-4243-41cd-be6f-12f3cf1a26c7",
"value": "AD Object WriteDAC Access"
},
@@ -4648,6 +5890,15 @@
"attack.t1212"
]
},
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f7644214-0eb0-4ace-9455-331ec4c09253",
"value": "Kerberos Manipulation"
},
@@ -4713,14 +5964,14 @@
"logsource.product": "windows",
"refs": [
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
"https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
],
"tags": "No established tags"
@@ -4751,6 +6002,29 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "910ab938-668b-401b-b08c-b596e80fdca5",
"value": "Transferring Files with Credential Data via Network Shares"
},
@@ -4767,8 +6041,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
"https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
+ "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml"
],
"tags": [
@@ -4800,6 +6074,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "13acf386-b8c6-4fe0-9a6e-c4756b974698",
"value": "Remote PowerShell Sessions Network Connections (WinRM)"
},
@@ -4816,9 +6099,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://github.com/fox-it/LDAPFragger",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
+ "https://github.com/fox-it/LDAPFragger",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
],
"tags": [
@@ -4826,6 +6109,15 @@
"attack.command_and_control"
]
},
+ "related": [
+ {
+ "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36",
"value": "Suspicious LDAP-Attributes Used"
},
@@ -4878,6 +6170,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1",
"value": "LSASS Access from Non System Account"
},
@@ -4904,6 +6205,29 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "252902e3-5830-4cf6-bf21-c22083dfd5cf",
"value": "Possible Impacket SecretDump Remote Activity"
},
@@ -4946,9 +6270,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
],
"tags": [
@@ -4956,6 +6280,15 @@
"attack.t1207"
]
},
+ "related": [
+ {
+ "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed",
"value": "Possible DC Shadow Attack"
},
@@ -4980,6 +6313,15 @@
"attack.t1003.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e",
"value": "DPAPI Domain Backup Key Extraction"
},
@@ -5007,6 +6349,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4f86b304-3e02-40e3-aa5d-e88a167c9617",
"value": "Scheduled Task Deletion"
},
@@ -5033,6 +6384,15 @@
"attack.t1021.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c",
"value": "T1047 Wmiprvse Wbemcomn DLL Hijack"
},
@@ -5050,8 +6410,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
- "Live environment caused by malware",
"Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
+ "Live environment caused by malware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
],
"tags": [
@@ -5059,6 +6419,15 @@
"attack.t1070.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "faa031b5-21ed-4e02-8881-2591f98d82ed",
"value": "Unauthorized System Time Modification"
},
@@ -5111,6 +6480,15 @@
"attack.t1133"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1",
"value": "Failed Logon From Public IP"
},
@@ -5135,6 +6513,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b",
"value": "VSSAudit Security Event Source Registration"
},
@@ -5184,6 +6571,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51",
"value": "Password Change on Directory Service Restore Mode (DSRM) Account"
},
@@ -5205,6 +6601,15 @@
"attack.t1212"
]
},
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7818b381-5eb1-4641-bea5-ef9e4cfb5951",
"value": "Possible Remote Password Change Through SAMR"
},
@@ -5229,6 +6634,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5af54681-df95-4c26-854f-2565e13cfab0",
"value": "Login with WMI"
},
@@ -5260,6 +6674,22 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c0580559-a6bd-4ef6-b9b7-83703d98b561",
"value": "Chafer Activity - Security"
},
@@ -5286,6 +6716,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974",
"value": "Invoke-Obfuscation STDIN+ Launcher - Security"
},
@@ -5311,6 +6750,15 @@
"attack.t1486"
]
},
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "97919310-06a7-482c-9639-92b67ed63cf8",
"value": "Suspicious Multiple File Rename Or Delete Occurred"
},
@@ -5327,9 +6775,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
"https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
- "https://attack.mitre.org/techniques/T1134/001/",
+ "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml"
],
"tags": [
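Review bot: The reference `https://attack.mitre.org/techniques/T1134/001/` is removed from the refs array of win_security_access_token_abuse.yml and not re-added, while every other ref in this hunk is merely reordered; the rule still carries the `attack.t1134.001` tag in the next hunk, so losing the technique link looks accidental unless the upstream Sigma rule dropped it. If the script mirrors the upstream rule's references verbatim, confirm this matches the current yml; otherwise restoring the one line is the fix. The enclosing rule object starts before this hunk.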
@@ -5338,6 +6785,15 @@
"attack.t1134.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f",
"value": "Access Token Abuse"
},
@@ -5386,6 +6842,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2c99737c-585d-4431-b61a-c911d86ff32f",
"value": "Powerview Add-DomainObjectAcl DCSync AD Extend Right"
},
@@ -5460,6 +6925,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3",
"value": "Invoke-Obfuscation CLIP+ Launcher - Security"
},
@@ -5514,6 +6988,15 @@
"attack.s0039"
]
},
+ "related": [
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "968eef52-9cff-4454-8992-1e74b9cbad6c",
"value": "Reconnaissance Activity"
},
@@ -5540,6 +7023,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6",
"value": "Invoke-Obfuscation Via Use Clip - Security"
},
@@ -5567,6 +7059,15 @@
"attack.t1053.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f6de6525-4509-495a-8a82-1f8b0ed73a00",
"value": "Remote Task Creation via ATSVC Named Pipe"
},
@@ -5605,10 +7106,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SecurityJosh/status/1283027365770276866",
"https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://twitter.com/Flangvik/status/1283054508084473861",
"https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+ "https://twitter.com/Flangvik/status/1283054508084473861",
+ "https://twitter.com/SecurityJosh/status/1283027365770276866",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
],
"tags": [
@@ -5647,6 +7148,50 @@
"attack.s0005"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f0d1feba-4344-4ca9-8121-a6c97bd6df52",
"value": "Credential Dumping Tools Service Execution - Security"
},
@@ -5671,6 +7216,15 @@
"attack.t1003.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "39a94fd1-8c9a-4ff6-bf22-c058762f8014",
"value": "DPAPI Domain Master Key Backup Attempt"
},
@@ -5695,6 +7249,15 @@
"attack.t1010"
]
},
+ "related": [
+ {
+ "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "13addce7-47b2-4ca0-a98f-1de964d1d669",
"value": "SCM Database Handle Failure"
},
@@ -5721,6 +7284,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30",
"value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security"
},
@@ -5791,6 +7363,15 @@
"attack.t1048"
]
},
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9c8afa4d-0022-48f0-9456-3712466f9701",
"value": "Tap Driver Installation - Security"
},
@@ -5807,9 +7388,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/topotam/PetitPotam",
"https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
"https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
- "https://github.com/topotam/PetitPotam",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
],
"tags": [
@@ -5817,16 +7398,25 @@
"attack.t1187"
]
},
+ "related": [
+ {
+ "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5",
"value": "PetitPotam Suspicious Kerberos TGT Request"
},
{
- "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.\nSo you have to work with a whitelist to find the bad stuff.\n",
+ "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n",
"meta": {
"author": "xknow (@xknow_infosec), xorxes (@xor_xes)",
"creation_date": "2019/04/08",
"falsepositive": [
- "Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers."
+ "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers."
],
"filename": "win_security_user_driver_loaded.yml",
"level": "medium",
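Review bot: The rewritten falsepositive string still carries the typo `legimate` — `"Other legimate tools loading drivers. Including but not limited to, ..."` should read `"Other legitimate tools loading drivers. Including but not limited to, ..."` — and the new description keeps `in to kernel mode` where `into kernel mode` is meant. Because this file is generated from the upstream Sigma rule win_security_user_driver_loaded.yml, the correction belongs in that rule, otherwise the next regeneration will revert it here. The rule object continues past the end of this hunk.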
@@ -5843,7 +7433,7 @@
]
},
"uuid": "f63508a0-c809-4435-b3be-ed819394d612",
- "value": "Suspicious Driver Loaded By User"
+ "value": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
},
{
"description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
@@ -5868,6 +7458,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dcf2db1f-f091-425b-a821-c05875b8925a",
"value": "Invoke-Obfuscation VAR+ Launcher - Security"
},
@@ -5894,6 +7493,22 @@
"attack.t1134.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34",
"value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security"
},
@@ -5919,6 +7534,15 @@
"attack.t1557.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f",
"value": "RottenPotato Like Attack Pattern"
},
@@ -5936,8 +7560,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=3458",
"https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
+ "https://adsecurity.org/?p=3458",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
],
"tags": [
@@ -5971,6 +7595,15 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648",
"value": "Remote WMI ActiveScriptEventConsumers"
},
@@ -6044,6 +7677,15 @@
"attack.initial_access"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632",
"value": "External Disk Drive Or USB Storage Device"
},
@@ -6060,8 +7702,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
],
@@ -6091,6 +7733,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dae8171c-5ec6-4396-b210-8466585b53e9",
"value": "SCM Database Privileged Operation"
},
@@ -6116,6 +7767,22 @@
"attack.t1136.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27",
"value": "Suspicious Windows ANONYMOUS LOGON Local Account Created"
},
@@ -6132,8 +7799,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml"
],
"tags": [
@@ -6143,6 +7810,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad",
"value": "Important Scheduled Task Deleted/Disabled"
},
@@ -6170,6 +7846,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b0d77106-7bb0-41fe-bd94-d1752164d066",
"value": "Rare Schtasks Creations"
},
@@ -6218,6 +7903,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302",
"value": "PowerShell Scripts Installed as Services - Security"
},
@@ -6244,6 +7938,15 @@
"car.2013-07-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8400629e-79a9-4737-b387-5db940ab2367",
"value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
},
@@ -6292,6 +7995,15 @@
"attack.t1554"
]
},
+ "related": [
+ {
+ "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2",
"value": "HybridConnectionManager Service Installation"
},
@@ -6345,6 +8057,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca",
"value": "Invoke-Obfuscation RUNDLL LAUNCHER - Security"
},
@@ -6393,6 +8114,15 @@
"attack.t1003.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "17d619c1-e020-4347-957e-1d1207455c93",
"value": "Active Directory Replication from Non Machine Account"
},
@@ -6430,9 +8160,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
],
@@ -6483,16 +8213,16 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
"https://twitter.com/_xpn_/status/1268712093928378368",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
],
"tags": [
@@ -6501,6 +8231,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc",
"value": "ETW Logging Disabled In .NET Processes - Registry"
},
@@ -6527,6 +8266,15 @@
"attack.t1552.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332",
"value": "SAM Registry Hive Handle Request"
},
@@ -6577,6 +8325,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3a734d25-df5c-4b99-8034-af1ddb5883a4",
"value": "Suspicious Scheduled Task Creation"
},
@@ -6607,6 +8364,22 @@
"car.2013-07-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41",
"value": "RDP over Reverse SSH Tunnel WFP"
},
@@ -6656,6 +8429,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c",
"value": "Password Dumper Activity on LSASS"
},
@@ -6681,6 +8463,15 @@
"attack.t1528"
]
},
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "25cde13e-8e20-4c29-b949-4e795b76f16f",
"value": "Suspicious Teams Application Related ObjectAcess Event"
},
@@ -6731,6 +8522,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c265cf08-3f99-46c1-8d59-328247057d57",
"value": "User Added to Local Administrators"
},
@@ -6755,6 +8555,15 @@
"attack.t1136.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538",
"value": "Hidden Local User Creation"
},
@@ -6817,8 +8626,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/duzvik/status/1269671601852813320",
"https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
+ "https://twitter.com/duzvik/status/1269671601852813320",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
],
"tags": [
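Review bot: The two refs at the top of this hunk only swap places (the medium.com and twitter.com entries), and the same pure reordering recurs in hunk after hunk of this file, which suggests the new relationship script serializes `refs` in an unstable (set- or hash-) order rather than keeping the upstream rule's `references` order. That turns every regeneration into a multi-thousand-line diff in which the real changes — new rules, added `related` entries — are hard to spot and review. Emitting `refs` in the source YAML order, with the SigmaHQ link appended last as it already is here, or at least in `sorted()` order, would keep consecutive regenerations diff-stable; this is a change to the generator, not to this JSON.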
@@ -6842,8 +8651,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
"https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml"
],
"tags": [
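Review bot: The last ref, `https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml`, is generated against the moving `master` branch, so the link silently breaks as soon as upstream renames or moves the rule file, and it cannot tell a reader which revision of the rule this entry was generated from. Pinning the generator's link to the commit it actually read (`https://github.com/SigmaHQ/sigma/blob/<sha>/rules/...`) keeps the reference stable and makes the snapshot auditable. If, as it appears, the entry `uuid` is the Sigma rule `id`, that id already gives a rename-proof way to locate the rule, so pinning the path costs nothing.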
@@ -6851,6 +8660,15 @@
"attack.t1187"
]
},
+ "related": [
+ {
+ "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6",
"value": "Possible PetitPotam Coerce Authentication Attempt"
},
@@ -6875,6 +8693,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "69aeb277-f15f-4d2d-b32a-55e883609563",
"value": "Disabling Windows Event Auditing"
},
@@ -6891,9 +8718,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
- "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
],
"tags": [
@@ -6918,8 +8745,8 @@
"logsource.product": "windows",
"refs": [
"https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://adsecurity.org/?p=3466",
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
],
"tags": [
@@ -6927,6 +8754,15 @@
"attack.persistence"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc",
"value": "Active Directory User Backdoors"
},
@@ -6968,9 +8804,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/SBousseaden/status/1581300963650187264?",
"https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
- "https://twitter.com/SBousseaden/status/1581300963650187264?",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
],
"tags": [
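Review bot: The first ref on the new side, `https://twitter.com/SBousseaden/status/1581300963650187264?`, carries a stray trailing `?` that was already present before the reorder and is not fixed here. It is harmless in a browser but is a different string from the canonical URL, so any dedup or link check over this cluster treats it as a separate reference. Since this file mirrors the upstream Sigma rule, the correction belongs in that rule's `references` (drop the `?`), or the generator could normalize URLs (strip a trailing `?` or `#`) before writing `refs`.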
@@ -6978,6 +8814,15 @@
"attack.t1556"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f598ea0c-c25a-4f72-a219-50c44411c791",
"value": "Possible Shadow Credentials Added"
},
@@ -7004,6 +8849,15 @@
"attack.s0005"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1de68c67-af5c-4097-9c85-fe5578e09e67",
"value": "WCE wceaux.dll Access"
},
@@ -7020,9 +8874,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
"https://www.sans.org/webcasts/119395",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -7034,6 +8888,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6",
"value": "CobaltStrike Service Installations - Security"
},
@@ -7078,6 +8941,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0255a820-e564-4e40-af2b-6ac61160335c",
"value": "Addition of Domain Trusts"
},
@@ -7095,10 +8967,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
],
"tags": [
@@ -7107,6 +8979,15 @@
"attack.t1003.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a",
"value": "Mimikatz DC Sync"
},
@@ -7180,8 +9061,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1101431884540710913",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
+ "https://twitter.com/SBousseaden/status/1101431884540710913",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
],
"tags": [
@@ -7208,8 +9089,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1490608838701166596",
"https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
+ "https://twitter.com/SBousseaden/status/1490608838701166596",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
],
"tags": [
@@ -7217,6 +9098,15 @@
"attack.t1543"
]
},
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca",
"value": "Service Installed By Unusual Client - Security"
},
@@ -7241,6 +9131,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "311b6ce2-7890-4383-a8c2-663a9f6b43cd",
"value": "Enabled User Right in AD to Control User Objects"
},
@@ -7258,8 +9157,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
- "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
"https://twitter.com/malmoeb/status/1511760068743766026",
+ "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
],
"tags": [
@@ -7296,6 +9195,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4",
"value": "Suspicious Scheduled Task Update"
},
@@ -7323,6 +9231,15 @@
"car.2016-04-005"
]
},
+ "related": [
+ {
+ "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a",
"value": "Admin User Remote Logon"
},
@@ -7349,6 +9266,15 @@
"cve.2021.34527"
]
},
+ "related": [
+ {
+ "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8fe1c584-ee61-444b-be21-e9054b229694",
"value": "CVE-2021-1675 Print Spooler Exploitation IPC Access"
},
@@ -7374,6 +9300,15 @@
"attack.t1021.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641",
"value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
},
@@ -7449,6 +9384,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad",
"value": "Potential Remote Desktop Connection to Non-Domain Host"
},
@@ -7465,8 +9409,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
"https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
+ "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml"
],
"tags": [
@@ -7474,6 +9418,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d6266bf5-935e-4661-b477-78772735a7cb",
"value": "CVE-2020-0688 Exploitation via Eventlog"
},
@@ -7497,6 +9450,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "87261fb2-69d0-42fe-b9de-88c6b5f65a43",
"value": "Atera Agent Installation"
},
@@ -7522,6 +9484,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9703792d-fd9a-456d-a672-ff92efe4806a",
"value": "Backup Catalog Deleted"
},
@@ -7546,6 +9517,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8",
"value": "LPE InstallerFileTakeOver PoC CVE-2021-41379"
},
@@ -7594,6 +9574,22 @@
"attack.t1218.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5594e67a-7f92-4a04-b65d-1a42fd824a60",
"value": "MSI Installation From Web"
},
@@ -7634,8 +9630,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
"https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
+ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
"https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
],
@@ -7644,6 +9640,15 @@
"attack.t1588"
]
},
+ "related": [
+ {
+ "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "78bc5783-81d9-4d73-ac97-59f6db4f72a8",
"value": "Relevant Anti-Virus Event"
},
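Review bot: The added `related` entry hard-codes `estimative-language:likelihood-probability="almost-certain"`, as every generated relationship in this diff does, even though the only ATT&CK tag visible on this rule is `attack.t1588`, which (if that is Obtain Capabilities under Resource Development) describes adversary preparation rather than anything an on-host anti-virus event can evidence. A fixed top-confidence value therefore says nothing about how well the rule's tag fits the technique, and a consumer filtering relationships by likelihood cannot tell a tight LSASS-access to T1003.001 mapping from a loose one like this. Either derive the likelihood from something in the rule (e.g. a tactic-only or resource-development tag yields `likely`), or document in the galaxy README that the value is a placeholder inherited from the Sigma tag and not an analyst assessment.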
@@ -7715,6 +9720,15 @@
"attack.t1489"
]
},
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "570ae5ec-33dc-427c-b815-db86228ad43e",
"value": "Application Uninstalled"
},
@@ -7731,8 +9745,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
],
"tags": [
@@ -7741,6 +9755,15 @@
"attack.t1562.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6c82cf5c-090d-4d57-9188-533577631108",
"value": "Microsoft Malware Protection Engine Crash"
},
@@ -7758,8 +9781,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml"
],
"tags": [
@@ -7783,8 +9806,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml"
],
"tags": [
@@ -7792,6 +9815,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a18e0862-127b-43ca-be12-1a542c75c7c5",
"value": "Potential Credential Dumping Via WER - Application"
},
@@ -7811,8 +9843,8 @@
"https://twitter.com/DidierStevens/status/1217533958096924676",
"https://nullsec.us/windows-event-log-audit-cve/",
"https://twitter.com/VM_vivisector/status/1217190929330655232",
- "https://www.youtube.com/watch?v=ebmW42YYveI",
"https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://www.youtube.com/watch?v=ebmW42YYveI",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
],
"tags": [
@@ -7830,6 +9862,50 @@
"attack.t1499.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "48d91a3a-2363-43ba-a456-ca71ac3da5c2",
"value": "Audit CVE Event"
},
@@ -7854,6 +9930,15 @@
"attack.t1546"
]
},
+ "related": [
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "711ab2fe-c9ba-4746-8840-5228a58c3cb8",
"value": "MSSQL Extended Stored Procedure Backdoor Maggie"
},
@@ -7870,8 +9955,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml"
],
"tags": [
@@ -7918,8 +10003,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
],
"tags": [
@@ -7950,6 +10035,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b",
"value": "Rare Scheduled Task Creations"
},
@@ -7973,6 +10067,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "424273ea-7cf8-43a6-b712-375f925e481f",
"value": "Suspicious Scheduled Tasks Locations"
},
@@ -7989,8 +10092,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
"https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
+ "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
],
"tags": [
@@ -8014,8 +10117,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/j00sean/status/1537750439701225472",
"https://twitter.com/nas_bench/status/1539679555908141061",
+ "https://twitter.com/j00sean/status/1537750439701225472",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml"
],
"tags": [
@@ -8071,6 +10174,15 @@
"attack.t1543"
]
},
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e4be5675-4a53-426a-8c81-a8bb2387e947",
"value": "Code Integrity Blocked Driver Load"
},
@@ -8095,6 +10207,15 @@
"attack.t1543"
]
},
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1",
"value": "Block Load Of Revoked Driver"
},
@@ -8112,8 +10233,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/moti_b/status/1032645458634653697",
"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
+ "https://twitter.com/moti_b/status/1032645458634653697",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml"
],
"tags": [
@@ -8137,9 +10258,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
"https://github.com/afwu/PrintNightmare",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://github.com/hhlxf/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml"
],
"tags": [
@@ -8186,11 +10307,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
"https://winaero.com/enable-openssh-server-windows-10/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
+ "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
],
"tags": [
@@ -8214,9 +10335,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/afwu/PrintNightmare",
"https://github.com/hhlxf/PrintNightmare",
"https://twitter.com/fuzzyf10w/status/1410202370835898371",
- "https://github.com/afwu/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
],
"tags": [
@@ -8225,6 +10346,15 @@
"cve.2021.1675"
]
},
+ "related": [
+ {
+ "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718",
"value": "Possible CVE-2021-1675 Print Spooler Exploitation"
},
@@ -8250,6 +10380,15 @@
"cve.2021.1675"
]
},
+ "related": [
+ {
+ "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a",
"value": "CVE-2021-1675 Print Spooler Exploitation"
},
@@ -8325,6 +10464,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98",
"value": "LSASS Access Detected via Attack Surface Reduction"
},
@@ -8341,8 +10489,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands",
"https://twitter.com/duff22b/status/1280166329660497920",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml"
],
"tags": [
@@ -8352,6 +10500,22 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "97b9ce1e-c5ab-11ea-87d0-0242ac130003",
"value": "PSExec and WMI Process Creations Block"
},
@@ -8392,8 +10556,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
"https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
],
"tags": [
@@ -8448,6 +10612,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ea9bf0fa-edec-4fb8-8b78-b119f2528186",
"value": "Windows Defender AMSI Trigger Detected"
},
@@ -8472,6 +10645,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "57b649ef-ff42-4fb0-8bf6-62da243a1708",
"value": "Windows Defender Threat Detected"
},
@@ -8488,8 +10670,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
],
"tags": [
@@ -8524,6 +10706,43 @@
"uuid": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b",
"value": "Win Defender Restored Quarantine File"
},
+ {
+ "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_bits_client_direct_ip_access.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "90f138c1-f578-4ac3-8c49-eecfd847c8b7",
+ "value": "Suspicious Download with BITS from Direct IP"
+ },
{
"description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n",
"meta": {
@@ -8546,6 +10765,15 @@
"attack.t1197"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b85e5894-9b19-4d86-8c87-a2f3b81f0521",
"value": "Suspicious Download File Extension with BITS"
},
@@ -8571,6 +10799,15 @@
"attack.t1197"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fe3a2d49-f255-4d10-935c-bda7391108eb",
"value": "Suspicious Task Added by Powershell"
},
@@ -8596,6 +10833,15 @@
"attack.t1197"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ff315dc-2a3a-4b71-8dde-873818d25d39",
"value": "Suspicious Task Added by Bitsadmin"
},
@@ -8621,6 +10867,15 @@
"attack.t1197"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f8a56cb7-a363-44ed-a82f-5926bb44cd05",
"value": "Download with BITS to Suspicious Folder"
},
@@ -8637,9 +10892,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml"
],
"tags": [
@@ -8648,6 +10903,15 @@
"attack.t1197"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d635249d-86b5-4dad-a8c7-d7272b788586",
"value": "Suspicious Download with BITS from Suspicious TLD"
},
@@ -8664,8 +10928,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml"
],
"tags": [
@@ -8674,6 +10938,15 @@
"attack.t1197"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427",
"value": "Suspicious Uncommon Download with BITS from Suspicious TLD"
},
@@ -8690,8 +10963,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://ngrok.com/",
+ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
],
"tags": [
@@ -8699,6 +10972,15 @@
"attack.t1090"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "64d51a51-32a6-49f0-9f3d-17e34d640272",
"value": "Ngrok Usage with Remote Desktop Service"
},
@@ -8710,15 +10992,15 @@
"falsepositive": [
"Unknown"
],
- "filename": "win_susp_dns_config.yml",
+ "filename": "win_dns_server_susp_dns_config.yml",
"level": "high",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
- "https://twitter.com/gentilkiwi/status/861641945944391680",
"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_susp_dns_config.yml"
+ "https://twitter.com/gentilkiwi/status/861641945944391680",
+ "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml"
],
"tags": [
"attack.defense_evasion",
@@ -8751,6 +11033,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "52a85084-6989-40c3-8f32-091e12e13f09",
"value": "smbexec.py Service Installation"
},
@@ -8777,6 +11068,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "487c7524-f892-4054-b263-8a0ace63fc25",
"value": "Invoke-Obfuscation Via Stdin - System"
},
@@ -8803,6 +11103,22 @@
"attack.t1134.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "843544a7-56e0-4dcc-a44f-5cc266dd97d6",
"value": "Meterpreter or Cobalt Strike Getsystem Service Installation - System"
},
@@ -8877,6 +11193,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1a31b18a-f00c-4061-9900-f735b96c99fc",
"value": "Remote Access Tool Services Have Been Installed - System"
},
@@ -8971,6 +11296,15 @@
"attack.t1584"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59",
"value": "Windows Update Error"
},
@@ -9021,6 +11355,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420",
"value": "PAExec Service Installation"
},
@@ -9047,6 +11390,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "11b52f18-aaec-4d60-9143-5dd8cc4706b9",
"value": "Invoke-Obfuscation RUNDLL LAUNCHER - System"
},
@@ -9073,6 +11425,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "641a4bfb-c017-44f7-800c-2aee0184ce9b",
"value": "Invoke-Obfuscation Via Use Rundll32 - System"
},
@@ -9097,6 +11458,15 @@
"attack.t1543"
]
},
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "71c276aa-49cd-43d2-b920-2dcd3e6962d5",
"value": "Service Installed By Unusual Client - System"
},
@@ -9121,6 +11491,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a2e5019d-a658-4c6a-92bf-7197b54e2cae",
"value": "PowerShell Scripts Installed as Services"
},
@@ -9137,9 +11516,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
"https://www.sans.org/webcasts/119395",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -9151,6 +11530,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5a105d34-05fc-401e-8553-272b45c1522d",
"value": "CobaltStrike Service Installations - System"
},
@@ -9174,6 +11562,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "839dd1e8-eda8-4834-8145-01beeee33acd",
"value": "SAM Dump to AppData"
},
@@ -9190,9 +11587,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml"
],
"tags": [
@@ -9226,6 +11623,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "175997c5-803c-4b08-8bb0-70b099f47595",
"value": "Invoke-Obfuscation COMPRESS OBFUSCATION - System"
},
@@ -9251,6 +11657,15 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d26ce60c-2151-403c-9a42-49420d87b5e4",
"value": "Hacktool Service Registration or Execution"
},
@@ -9267,8 +11682,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
"https://github.com/Ekultek/BlueKeep",
+ "https://github.com/zerosum0x0/CVE-2019-0708",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml"
],
"tags": [
@@ -9277,6 +11692,15 @@
"car.2013-07-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aaa5b30d-f418-420b-83a0-299cb6024885",
"value": "Potential RDP Exploit CVE-2019-0708"
},
@@ -9300,6 +11724,15 @@
"attack.lateral_movement"
]
},
+ "related": [
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "18f37338-b9bd-4117-a039-280c81f7a596",
"value": "Zerologon Exploitation Using Well-known Tools"
},
@@ -9326,6 +11759,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "72862bf2-0eb1-11eb-adc1-0242ac120002",
"value": "Invoke-Obfuscation STDIN+ Launcher - System"
},
@@ -9375,6 +11817,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc",
"value": "Mesh Agent Service Installation"
},
@@ -9402,6 +11853,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "31c51af6-e7aa-4da7-84d4-8f32cc580af2",
"value": "Sliver C2 Default Service Installation"
},
@@ -9452,6 +11912,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8ca7004b-e620-4ecb-870e-86129b5b8e75",
"value": "Invoke-Obfuscation VAR+ Launcher - System"
},
@@ -9549,6 +12018,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df",
"value": "Sysmon Crash"
},
@@ -9575,6 +12053,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6",
"value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System"
},
@@ -9625,6 +12112,15 @@
"car.2016-04-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a62b37e0-45d3-48d9-a517-90c1a1b0186b",
"value": "Eventlog Cleared"
},
@@ -9697,6 +12193,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b",
"value": "QuarksPwDump Clearing Access History"
},
@@ -9723,6 +12228,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9",
"value": "ProcessHacker Privilege Elevation"
},
@@ -9826,6 +12340,15 @@
"car.2016-04-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "100ef69e-3327-481c-8e5c-6d80d9507556",
"value": "System Eventlog Cleared"
},
@@ -9842,9 +12365,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml"
],
"tags": [
@@ -9924,6 +12447,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f512acbf-e662-4903-843e-97ce4652b740",
"value": "Volume Shadow Copy Mount"
},
@@ -9973,6 +12505,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4bb79b62-ef12-4861-981d-2aab43fab642",
"value": "TacticalRMM Service Installation"
},
@@ -10029,6 +12570,50 @@
"attack.s0005"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed",
"value": "Credential Dumping Tools Service Execution - System"
},
@@ -10052,6 +12637,15 @@
"attack.t1048"
]
},
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9",
"value": "Tap Driver Installation"
},
@@ -10083,6 +12677,22 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92",
"value": "Chafer Activity - System"
},
@@ -10107,6 +12717,15 @@
"attack.t1543"
]
},
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e97d9903-53b2-41fc-8cb9-889ed4093e80",
"value": "KrbRelayUp Service Installation"
},
@@ -10133,6 +12752,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4",
"value": "Invoke-Obfuscation Via Use MSHTA - System"
},
@@ -10159,6 +12787,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "63e3365d-4824-42d8-8b82-e56810fefa0c",
"value": "Invoke-Obfuscation Via Use Clip - System"
},
@@ -10185,6 +12822,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002",
"value": "Invoke-Obfuscation CLIP+ Launcher - System"
},
@@ -10209,6 +12855,15 @@
"attack.t1557.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bc2e25ed-b92b-4daa-b074-b502bdd1982b",
"value": "Local Privilege Escalation Indicator TabTip"
},
@@ -10233,6 +12888,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a0cb7110-edf0-47a4-9177-541a4083128a",
"value": "Vulnerable Netlogon Secure Channel Connection Allowed"
},
@@ -10259,6 +12923,15 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "42c575ea-e41e-41f1-b248-8093c3e82a28",
"value": "PsExec Service Installation"
},
@@ -10355,6 +13028,15 @@
"attack.t1554"
]
},
+ "related": [
+ {
+ "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b55d23e5-6821-44ff-8a6e-67218891e49f",
"value": "HybridConnectionManager Service Running"
},
@@ -10429,6 +13111,15 @@
"attack.t1071"
]
},
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3db10f25-2527-4b79-8d4b-471eb900ee29",
"value": "GALLIUM Artefacts - Builtin"
},
@@ -10445,8 +13136,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://twitter.com/mattifestation/status/899646620148539397",
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
],
"tags": [
@@ -10455,6 +13146,15 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b",
"value": "WMI Persistence"
},
@@ -10471,9 +13171,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
"https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
],
"tags": [
@@ -10486,6 +13186,50 @@
"attack.t1059.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "401e5d00-b944-11ea-8f9a-00163ecd60ae",
"value": "File Was Not Allowed To Run"
},
@@ -10500,11 +13244,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
"https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
+ "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
"https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
],
"tags": [
@@ -10514,9 +13258,154 @@
"attack.t1482"
]
},
+ "related": [
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "31d68132-4038-47c7-8f8e-635a39a7c174",
"value": "Potential Active Directory Reconnaissance/Enumeration Via LDAP"
},
+ {
+ "description": "Detects an appx package installation with the error code \"0x80073cff\". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Legitimate AppX packages not signed by MS used part of an enterprise"
+ ],
+ "filename": "appxdeployment_server_susp_appx_package_installation.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "898d5fc9-fbc3-43de-93ad-38e97237c344",
+ "value": "Suspicious AppX Package Installation Attempt"
+ },
+ {
+ "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "appxdeployment_server_susp_package_locations.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "5cdeaf3d-1489-477c-95ab-c318559fc051",
+ "value": "Suspicious AppX Package Locations"
+ },
+ {
+ "description": "Detects installation of known malicious appx packages",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Rare occasions where a malicious package uses the exact same name and version as a legtimate application"
+ ],
+ "filename": "appxdeployment_server_mal_appx_names.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce",
+ "value": "Malicious AppX Package Installed"
+ },
+ {
+ "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "appxdeployment_server_susp_domains.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "8b48ad89-10d8-4382-a546-50588c410f0d",
+ "value": "Suspicious Remote AppX Package Locations"
+ },
+ {
+ "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "appxdeployment_server_uncommon_package_locations.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "c977cb50-3dff-4a9f-b873-9290f56132f1",
+ "value": "Uncommon AppX Package Locations"
+ },
{
"description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit",
"meta": {
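Review bot: Four of the new AppX entries carry the literal string `"Internal Research"` inside `refs`, next to URLs; any consumer that treats every `refs` element as a link (the usual reading of this field elsewhere in the file) will emit a broken reference, so the generator should probably drop non-URL references or move them to a separate free-text field if one exists. The description of "Suspicious AppX Package Installation Attempt" also carries upstream typos (`Whihc`, `sgining`) and the false-positive text of "Malicious AppX Package Installed" has `legtimate`; since this file is generated, those should be fixed in the SigmaHQ rules rather than here. Note also that, unlike the surrounding entries, none of the five new AppX objects received a `related` block even though they are tagged `attack.defense_evasion`, which may be intended (tactic-only tags) but is worth confirming against the script's mapping.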
@@ -10562,6 +13451,15 @@
"attack.t1210"
]
},
+ "related": [
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb",
"value": "Possible Exploitation of Exchange RCE CVE-2021-42321"
},
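Review bot: The `related` block added to the CVE-2021-42321 entry points at `"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82"` with nothing in the patch showing that this uuid resolves to an entry in the target galaxy, and the same applies to every other `related` block this commit generates. A relationship that references a uuid that exists nowhere is a dangling edge that MISP cannot render or follow, so the new relationship script should cross-check each emitted dest-uuid against the ATT&CK pattern cluster it is derived from (or fail loudly on a tag it cannot map) before writing the file. The mapping presumably keys off the `attack.t…` tags just above; only the last tag, `attack.t1210`, is visible in this hunk, so the full tag list could not be checked here.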
@@ -10610,6 +13508,15 @@
"attack.t1505.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa",
"value": "Failed MSExchange Transport Agent Installation"
},
@@ -10634,6 +13541,15 @@
"attack.resource_development"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "550d3350-bb8a-4ff3-9533-2ba533f4a1c0",
"value": "ProxyLogon MSExchange OabVirtualDirectory"
},
@@ -10706,6 +13622,15 @@
"attack.t1505.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6",
"value": "MSExchange Transport Agent Installation - Builtin"
},
@@ -10722,8 +13647,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
],
"tags": [
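Review bot: The only change in this hunk is that two `refs` entries swap places (the lolbas link moves below the gist link), and the same refs-only churn recurs in many hunks below, for example at the create_stream_hash_susp_domain_ext_combo, registry_event_portproxy_registry_key, registry_event_susp_lsass_dll_load and registry_delete_removal_com_hijacking_registry_key entries. This suggests the generator writes `refs` in whatever order it happens to receive them (set or dict iteration) rather than a stable order, which inflates every regeneration diff and buries real reference changes such as the MITRE link replaced at registry_event_office_test_regadd. Sorting the references deterministically in the script, or preserving the upstream YAML order, would keep these hunks out of future diffs.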
@@ -10731,6 +13656,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84",
"value": "Exports Registry Key To an Alternate Data Stream"
},
@@ -10747,8 +13681,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml"
],
"tags": [
@@ -10757,6 +13691,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464",
"value": "Suspicious File Download from File Sharing Domain"
},
@@ -10773,8 +13716,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml"
],
"tags": [
@@ -10783,6 +13726,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99",
"value": "Unusual File Download from File Sharing Domain"
},
@@ -10831,6 +13783,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "025bd229-fd1f-4fdb-97ab-20006e1a5368",
"value": "Unusual File Download from Direct IP Address"
},
@@ -10856,6 +13817,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "19b041f6-e583-40dc-b842-d6fa8011493f",
"value": "Hacktool Download"
},
@@ -10881,6 +13851,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821",
"value": "Executable in ADS"
},
@@ -10897,7 +13876,7 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/techniques/T1137/002/",
+ "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml"
],
"tags": [
@@ -10905,6 +13884,15 @@
"attack.t1137.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c",
"value": "Office Application Startup - Office Test"
},
@@ -10971,9 +13959,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.dfirnotes.net/portproxy_detection/",
"https://adepts.of0x.cc/netsh-portproxy-code/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
],
"tags": [
@@ -10983,6 +13971,15 @@
"attack.t1090"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a54f842a-3713-4b45-8c84-5f136fdebd3c",
"value": "PortProxy Registry Key"
},
@@ -11000,8 +13997,8 @@
"logsource.product": "windows",
"refs": [
"https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
- "https://persistence-info.github.io/Data/recyclebin.html",
"https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
+ "https://persistence-info.github.io/Data/recyclebin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
],
"tags": [
@@ -11025,8 +14022,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
"https://twitter.com/SBousseaden/status/1183745981189427200",
+ "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml"
],
"tags": [
@@ -11035,6 +14032,15 @@
"attack.t1547.008"
]
},
+ "related": [
+ {
+ "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b3503044-60ce-4bf4-bbcb-e3db98788823",
"value": "DLL Load via LSASS"
},
@@ -11061,6 +14067,15 @@
"attack.t1546.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "67a6c006-3fbe-46a7-9074-2ba3b82c3000",
"value": "Path To Screensaver Binary Modified"
},
@@ -11077,9 +14092,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
"https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
+ "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
],
"tags": [
@@ -11089,6 +14104,15 @@
"cve.2021.34527"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469",
"value": "PrinterNightmare Mimimkatz Driver Name"
},
@@ -11154,8 +14178,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
"https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
+ "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml"
],
"tags": [
@@ -11163,6 +14187,15 @@
"attack.t1546.009"
]
},
+ "related": [
+ {
+ "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01",
"value": "New DLL Added to AppCertDlls Registry Key"
},
@@ -11212,6 +14245,15 @@
"attack.t1136.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "460479f3-80b7-42da-9c43-2cc1d54dbccd",
"value": "Creation of a Local Hidden User Account by Registry"
},
@@ -11237,6 +14279,15 @@
"attack.s0005"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a6b33c02-8305-488f-8585-03cb2a7763f2",
"value": "Windows Credential Editor Registry"
},
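Review bot: The `related` block added to the Windows Credential Editor Registry entry carries a single relation even though the visible tag is `attack.s0005`, and the same `"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90"` is emitted further down for the LSASS SilentProcessExit entry whose visible tag is `attack.t1003.001`. This reads as if the relationship script resolves only technique (`attack.t…`) tags and silently drops software (`attack.s…`) tags; the tag list is cut off above this hunk, so a t1003 tag may well precede s0005 and account for the one relation. If software tags are meant to produce relations to the mitre-tool or mitre-malware galaxies the script needs a mapping for them; if not, a comment in the script stating that only technique tags are resolved would save the next maintainer this investigation.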
@@ -11261,6 +14312,15 @@
"attack.t1547.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc",
"value": "Security Support Provider (SSP) Added to LSA Configuration"
},
@@ -11299,8 +14359,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
"https://github.com/eset/malware-ioc/tree/master/oceanlotus",
+ "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
],
"tags": [
@@ -11334,6 +14394,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6ea3bf32-9680-422d-9f50-e90716b12a66",
"value": "UAC Bypass Via Wsreset"
},
@@ -11375,8 +14444,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
"https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml"
],
"tags": [
@@ -11411,6 +14480,15 @@
"attack.t1546.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4f84b697-c9ed-4420-8ab5-e09af5b2345d",
"value": "New DLL Added to AppInit_DLLs Registry Key"
},
@@ -11486,6 +14564,15 @@
"car.2019-04-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37",
"value": "CMSTP Execution Registry Event"
},
@@ -11502,8 +14589,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
"https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
+ "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml"
],
"tags": [
@@ -11527,8 +14614,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
],
"tags": [
@@ -11538,6 +14625,15 @@
"attack.t1547"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b",
"value": "Atbroker Registry Change"
},
@@ -11610,6 +14706,15 @@
"attack.t1608"
]
},
+ "related": [
+ {
+ "dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ac8866c7-ce44-46fd-8c17-b24acff96ca8",
"value": "HybridConnectionManager Service Installation - Registry"
},
@@ -11634,6 +14739,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5aad0995-46ab-41bd-a9ff-724f41114971",
"value": "Esentutl Volume Shadow Copy Service Keys"
},
@@ -11650,10 +14764,10 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
"https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
- "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://github.com/hfiref0x/UACME",
"https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
],
"tags": [
@@ -11663,6 +14777,15 @@
"attack.t1546.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7",
"value": "Shell Open Registry Keys Manipulation"
},
@@ -11712,6 +14835,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "55e29995-75e7-451a-bef0-6225e2f13597",
"value": "Potential Credential Dumping Via LSASS SilentProcessExit Technique"
},
@@ -11736,6 +14868,15 @@
"attack.t1491.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8b9606c9-28be-4a38-b146-0e313cc232c1",
"value": "Potential Ransomware Activity Using LegalNotice Message"
},
@@ -11767,6 +14908,22 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5",
"value": "Chafer Activity - Registry"
},
@@ -11792,6 +14949,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed",
"value": "Pandemic Registry Key"
},
@@ -11816,6 +14982,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec",
"value": "Removal Of Index Value to Hide Schedule Task"
},
@@ -11866,6 +15041,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2",
"value": "Removal Of SD Value to Hide Schedule Task"
},
@@ -11931,11 +15115,11 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
- "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
- "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
"https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
],
"tags": [
@@ -11967,6 +15151,15 @@
"attack.t1546.015"
]
},
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020",
"value": "Windows Registry Persistence COM Key Linking"
},
@@ -11983,8 +15176,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
"https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml"
],
"tags": [
@@ -12017,6 +15210,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9841b233-8df8-4ad7-9133-b0b4402a9014",
"value": "Sysinternals SDelete Registry Keys"
},
@@ -12041,6 +15243,15 @@
"attack.t1588.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d",
"value": "Usage of Suspicious Sysinternals Tools"
},
@@ -12057,8 +15268,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
"https://persistence-info.github.io/Data/diskcleanuphandler.html",
+ "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml"
],
"tags": [
@@ -12089,6 +15300,15 @@
"attack.t1588.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f50f3c09-557d-492d-81db-9064a8d4e211",
"value": "Usage of Renamed Sysinternals Tools"
},
@@ -12106,10 +15326,10 @@
"logsource.product": "windows",
"refs": [
"https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
"https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
"https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
"https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml"
],
"tags": [
@@ -12166,6 +15386,15 @@
"attack.t1588.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133",
"value": "Usage of Sysinternals Tools - Registry"
},
@@ -12183,7 +15412,6 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md",
- "https://attack.mitre.org/techniques/T1037/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml"
],
"tags": [
@@ -12192,6 +15420,15 @@
"attack.lateral_movement"
]
},
+ "related": [
+ {
+ "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb",
"value": "Logon Scripts Creation in UserInitMprLogonScript Registry"
},
@@ -12208,9 +15445,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
"https://twitter.com/Hexacorn/status/991447379864932352",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
+ "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
],
"tags": [
@@ -12218,9 +15455,52 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb",
"value": "Execution DLL of Choice Using WAB.EXE"
},
+ {
+ "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/10",
+ "falsepositive": [
+ "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)"
+ ],
+ "filename": "registry_set_persistence_app_paths.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.012"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6",
+ "value": "Potential Persistence Via App Paths Default Property"
+ },
{
"description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum",
"meta": {
@@ -12234,8 +15514,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
+ "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml"
],
"tags": [
@@ -12246,6 +15526,15 @@
"cve.2021.31979"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00",
"value": "CVE-2021-31979 CVE-2021-33771 Exploits"
},
@@ -12274,28 +15563,28 @@
"value": "Activate Suppression of Windows Security Center Notifications"
},
{
- "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute",
+ "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence",
"meta": {
- "author": "frack113",
- "creation_date": "2022/08/20",
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
"falsepositive": [
- "Legitimate use of the dll."
+ "Unknown"
],
- "filename": "registry_set_scrobj_dll_persistence.yml",
- "level": "medium",
+ "filename": "registry_set_persistence_chm.yml",
+ "level": "high",
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml"
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
+ "https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
],
"tags": [
- "attack.persistence",
- "attack.t1546.015"
+ "attack.persistence"
]
},
- "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90",
- "value": "Scrobj.dll COM Hijacking"
+ "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b",
+ "value": "Potential Persistence Via CHM Helper DLL"
},
{
"description": "Detects potential persistence using Appx DebugPath",
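Review bot: This hunk drops the Scrobj.dll COM Hijacking value (uuid fe20dda1-6f37-4379-bbe0-a98d400cae90) and puts the CHM Helper DLL entry in its place, and the hunk at the GlobalFlags entry further down deletes uuid 36803969-5421-41ec-b92f-8500f79c23b0 outright. Cluster uuids are what MISP events and cross-galaxy relations point at, so removing them orphans any existing galaxy tag on deployed instances; unless these two values reappear elsewhere in the patch (the Scrobj rule may simply have moved, which a filename-sorted regeneration would present as delete-plus-add), they should be kept with a deprecation marker rather than removed. Having the regeneration script report uuids that vanish between versions would make such removals a deliberate review decision instead of a side effect of a re-run.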
@@ -12319,8 +15608,17 @@
"attack.t1546.015"
]
},
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "df4dc653-1029-47ba-8231-3c44238cc0ae",
- "value": "Windows Registry Persistence DebugPath"
+ "value": "Potential Persistence Using DebugPath"
},
{
"description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)",
@@ -12343,6 +15641,15 @@
"attack.t1112"
]
},
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0",
"value": "CrashControl CrashDump Disabled"
},
@@ -12368,6 +15675,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919",
"value": "Disable UAC Using Registry"
},
@@ -12384,8 +15700,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
+ "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml"
],
"tags": [
@@ -12420,34 +15736,6 @@
"uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a",
"value": "Registry Explorer Policy Modification"
},
- {
- "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys",
- "meta": {
- "author": "Karneades, Jonhnathan Ribeiro, Florian Roth",
- "creation_date": "2018/04/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_globalflags_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.persistence",
- "attack.defense_evasion",
- "attack.t1546.012",
- "car.2013-01-002"
- ]
- },
- "uuid": "36803969-5421-41ec-b92f-8500f79c23b0",
- "value": "Potential GlobalFlags Registry Persistence Attempt"
- },
{
"description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)",
"meta": {
@@ -12470,7 +15758,7 @@
]
},
"uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47",
- "value": "Modify Attachment Manager Settings - Associations"
+ "value": "Potential Attachment Manager Settings Associations Tamper"
},
{
"description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)",
@@ -12512,8 +15800,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
],
"tags": [
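Review bot: The `refs` array for registry_set_asep_reg_keys_modification_currentversion_nt.yml is only permuted here — the autoruns link moves below the atomic-red-team link with nothing added or removed — which, unless the upstream Sigma rule itself reordered its references, points to the generator emitting references in non-deterministic (set/dict) order. The same pure permutation appears in the hunks for registry_set_terminal_server_suspicious.yml, registry_set_asep_reg_keys_modification_wow6432node.yml, registry_set_office_security.yml and registry_set_terminal_server_tampering.yml, and whole entries such as the VSTO and GlobalFlags rules change position inside `values`. Every regeneration will then produce churn that hides real changes in review and inflates the diffstat. If the (presumably Python) script builds the list from a set, keep the upstream rule's order or emit `sorted(refs)` with the SigmaHQ link appended last, and order `values` by a stable key such as `filename` or `uuid`.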
@@ -12537,13 +15825,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
],
"tags": [
@@ -12555,30 +15843,6 @@
"uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b",
"value": "RDP Sensitive Settings Changed to Zero"
},
- {
- "description": "Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_ie_persistence.yml",
- "level": "low",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_persistence.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ]
- },
- "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3",
- "value": "Modification of IE Registry Settings"
- },
{
"description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability",
"meta": {
@@ -12618,8 +15882,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
],
"tags": [
@@ -12628,6 +15892,15 @@
"attack.t1546.009"
]
},
+ "related": [
+ {
+ "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298",
"value": "Session Manager Autorun Keys Modification"
},
@@ -12655,6 +15928,29 @@
"uuid": "833ef470-fa01-4631-a79b-6f291c9ac498",
"value": "Add Debugger Entry To Hangs Key For Persistence"
},
+ {
+ "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_powershell_execution_policy.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "fad91067-08c5-4d1a-8d8c-d96a21b37814",
+ "value": "Potential PowerShell Execution Policy Tampering"
+ },
{
"description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'",
"meta": {
@@ -12678,6 +15974,22 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "07743f65-7ec9-404a-a519-913db7118a8d",
"value": "COM Hijack via Sdclt"
},
@@ -12718,8 +16030,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
+ "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
],
"tags": [
@@ -12743,9 +16055,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
"https://twitter.com/inversecos/status/1494174785621819397",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
],
"tags": [
@@ -12781,6 +16093,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130",
"value": "CobaltStrike Service Installations in Registry"
},
@@ -12808,6 +16129,40 @@
"uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1",
"value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension"
},
+ {
+ "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.",
+ "meta": {
+ "author": "Bhabesh Raj",
+ "creation_date": "2021/01/10",
+ "falsepositive": [
+ "Legitimate Addin Installation"
+ ],
+ "filename": "registry_set_persistence_office_vsto.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/_vivami/status/1347925307643355138",
+ "https://vanmieghem.io/stealth-outlook-persistence/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
+ ],
+ "tags": [
+ "attack.t1137.006",
+ "attack.persistence"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685",
+ "value": "Potential Persistence Via Visual Studio Tools for Office"
+ },
{
"description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"meta": {
@@ -12822,10 +16177,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
],
"tags": [
@@ -12849,8 +16204,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
"https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
+ "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
],
"tags": [
@@ -12858,6 +16213,15 @@
"attack.t1588.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "34aa0252-6039-40ff-951f-939fd6ce47d8",
"value": "Suspicious Keyboard Layout Load"
},
@@ -12885,31 +16249,6 @@
"uuid": "93d298a1-d28f-47f1-a468-d971e7796679",
"value": "Disable Tamper Protection on Windows Defender"
},
- {
- "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/01/10",
- "falsepositive": [
- "Legitimate Addin Installation"
- ],
- "filename": "registry_set_office_vsto_persistence.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://vanmieghem.io/stealth-outlook-persistence/",
- "https://twitter.com/_vivami/status/1347925307643355138",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml"
- ],
- "tags": [
- "attack.t1137.006",
- "attack.persistence"
- ]
- },
- "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685",
- "value": "Stealthy VSTO Persistence"
- },
{
"description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials",
"meta": {
@@ -12948,8 +16287,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
],
"tags": [
@@ -12982,6 +16321,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4f281b83-0200-4b34-bf35-d24687ea57c2",
"value": "ETW Logging Disabled For SCM"
},
@@ -13022,8 +16370,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/codesigning.html",
"https://github.com/gtworek/PSBits/tree/master/SIP",
+ "https://persistence-info.github.io/Data/codesigning.html",
"https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
],
@@ -13033,6 +16381,15 @@
"attack.t1553.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1",
"value": "Persistence Via New SIP Provider"
},
@@ -13051,8 +16408,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
],
"tags": [
@@ -13108,6 +16465,15 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "974515da-6cc5-4c95-ae65-f97f9150ec7f",
"value": "Disable Microsoft Defender Firewall via Registry"
},
@@ -13133,6 +16499,15 @@
"attack.t1574"
]
},
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b",
"value": "Potential Registry Persistence Attempt Via DbgManagedDebugger"
},
@@ -13181,6 +16556,15 @@
"attack.t1588.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8023f872-3f1d-4301-a384-801889917ab4",
"value": "Usage of Renamed Sysinternals Tools - RegistrySet"
},
@@ -13197,8 +16581,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
"https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
],
"tags": [
@@ -13206,6 +16590,15 @@
"attack.t1546.015"
]
},
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82",
"value": "COM Hijacking via TreatAs"
},
@@ -13254,34 +16647,18 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2f78da12-f7c7-430b-8b19-a28f269b77a3",
"value": "Disable Winevt Event Logging Via Registry"
},
- {
- "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/10",
- "falsepositive": [
- "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)"
- ],
- "filename": "registry_set_susp_app_paths_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
- "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.012"
- ]
- },
- "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6",
- "value": "Suspicious Values In App Paths Default Property"
- },
{
"description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.",
"meta": {
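Review bot: Removing the `Suspicious Values In App Paths Default Property` entry deletes cluster UUID `707e097c-e20f-4f67-8807-1f72ff4500d6` from the galaxy, and any MISP event already tagged with that UUID will no longer resolve unless the entry is re-added elsewhere in this patch. The same applies to `d88d0ab2-e696-4d40-a2ed-9790064e66b3` (IE registry settings), `a1b1fd53-9c4a-444c-bae0-34a330fc7aa8` (DLLPathOverride), `41f6531d-af6e-4c6e-918f-b946f2b85a36` (LSA extensions) and `fdbf0b9d-0182-4c43-893b-a1eaab92d085` (protocol handler, overwritten in place by the scrobj.dll entry). The renamed GlobalFlags and VSTO rules show the intended pattern: they keep `36803969-5421-41ec-b92f-8500f79c23b0` and `9d15044a-7cfe-4d23-8085-6ebc11df7685` across the filename change. If these rules were merely renamed or moved upstream, the generator should map them back to their existing UUIDs (the cluster `uuid` looks like it mirrors the Sigma rule `id`, which would make that mapping free — verify); if they were genuinely removed upstream, keeping the old entry so the identifier stays resolvable is safer than dropping it.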
@@ -13295,8 +16672,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
],
"tags": [
@@ -13304,6 +16681,15 @@
"attack.t1564.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec",
"value": "Registry Persitence via Service in Safe Mode"
},
@@ -13320,8 +16706,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://labs.f-secure.com/blog/scheduled-task-tampering/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
],
"tags": [
@@ -13330,24 +16716,33 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d",
"value": "Scheduled TaskCache Change by Uncommon Program"
},
{
- "description": "Adds a RUN key that contains a powershell keyword",
+ "description": "Detects potential PowerShell commands or code within registry run keys",
"meta": {
"author": "frack113, Florian Roth",
"creation_date": "2022/03/17",
"falsepositive": [
- "Legitimate admin or third party scripts"
+ "Legitimate admin or third party scripts. Baseline according to your environnement"
],
"filename": "registry_set_powershell_in_run_keys.yml",
"level": "medium",
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
"https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
],
"tags": [
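Review bot: The new `falsepositive` string `"Legitimate admin or third party scripts. Baseline according to your environnement"` carries a typo (`environnement` → `environment`) that is presumably inherited verbatim from the upstream Sigma rule; correcting it in this generated cluster would be undone by the next regeneration, so the fix belongs in the upstream registry_set_powershell_in_run_keys.yml. The `refs` swap in the same hunk adds or removes nothing and is pure ordering churn. The enclosing object's `tags` array and closing lines are outside the hunk.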
@@ -13356,7 +16751,7 @@
]
},
"uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c",
- "value": "Powershell in Windows Run Keys"
+ "value": "Suspicious Powershell In Registry Run Keys"
},
{
"description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder",
@@ -13382,6 +16777,43 @@
"uuid": "b7916c2a-fa2f-4795-9477-32b731f70f11",
"value": "Registry Persistence via Explorer Run Key"
},
+ {
+ "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys",
+ "meta": {
+ "author": "Karneades, Jonhnathan Ribeiro, Florian Roth",
+ "creation_date": "2018/04/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_persistence_globalflags.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
+ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.t1546.012",
+ "car.2013-01-002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "36803969-5421-41ec-b92f-8500f79c23b0",
+ "value": "Potential Persistence Via GlobalFlags"
+ },
{
"description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n",
"meta": {
@@ -13395,8 +16827,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
"https://persistence-info.github.io/Data/diskcleanuphandler.html",
+ "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
],
"tags": [
@@ -13427,7 +16859,41 @@
]
},
"uuid": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06",
- "value": "Persistence Via MyComputer Key and SubKeys"
+ "value": "Potential Persistence Via MyComputer Registry Keys"
+ },
+ {
+ "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/30",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_persistence_shim_databases.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.011"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45",
+ "value": "Potential Persistence Via Shim Database Modification"
},
{
"description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder",
@@ -13474,6 +16940,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7530b96f-ad8e-431d-a04d-ac85cc461fdc",
"value": "Custom File Open Handler Executes PowerShell"
},
@@ -13538,8 +17013,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
+ "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml"
],
"tags": [
@@ -13547,6 +17022,15 @@
"attack.t1137"
]
},
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a",
"value": "Change Outlook Security Setting in Registry"
},
@@ -13565,9 +17049,9 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
],
"tags": [
@@ -13600,32 +17084,50 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "90f342e1-1aaa-4e43-b092-39fda57ed11e",
"value": "ETW Logging Disabled For rpcrt4.dll"
},
{
- "description": "Detects when a new custom protocole handler is registered",
+ "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute",
"meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/05/30",
+ "author": "frack113",
+ "creation_date": "2022/08/20",
"falsepositive": [
- "Legitimate applications registering a new custom protocol handler"
+ "Legitimate use of the dll."
],
- "filename": "registry_set_register_custom_protocol_handler.yml",
+ "filename": "registry_set_persistence_scrobj_dll.yml",
"level": "medium",
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml"
],
"tags": [
- "attack.defense_evasion",
- "attack.t1112"
+ "attack.persistence",
+ "attack.t1546.015"
]
},
- "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085",
- "value": "Newly Registered Protocol Handler"
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90",
+ "value": "Potential Persistence Via Scrobj.dll COM Hijacking"
},
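Review bot: The entry for registry_set_register_custom_protocol_handler.yml (uuid `fdbf0b9d-0182-4c43-893b-a1eaab92d085`) is rewritten field by field into the scrobj.dll rule (uuid `fe20dda1-6f37-4379-bbe0-a98d400cae90`), so the diff reads as an in-place edit when it is really one deletion plus one unrelated addition, and a reviewer scanning the hunk cannot tell whether the protocol-handler rule was intentionally dropped. Separately, the new description `"Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute"` should read `Detects`, matching every other entry; the wording presumably comes from the upstream rule and should be fixed there. The `related` item reuses `bc0f5e80-91c0-4e04-9fbb-e4e332c85dae`, the same target the TreatAs entry gets for its `attack.t1546.015` tag, which is consistent.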
{
"description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine",
@@ -13651,30 +17153,6 @@
"uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b",
"value": "Allow RDP Remote Assistance Feature"
},
- {
- "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_natural_language_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://persistence-info.github.io/Data/naturallanguage6.html",
- "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8",
- "value": "Add DLLPathOverride Entry For Persistence"
- },
{
"description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n",
"meta": {
@@ -13688,13 +17166,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
],
"tags": [
@@ -13727,33 +17205,18 @@
"attack.t1547.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "944e8941-f6f6-4ee8-ac05-1c224e923c0e",
"value": "Add Port Monitor Persistence in Registry"
},
- {
- "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "registry_set_lsa_extension_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/0gtweet/status/1476286368385019906",
- "https://persistence-info.github.io/Data/lsaaextension.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36",
- "value": "Persistence Via LSA Extensions"
- },
{
"description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"meta": {
@@ -13769,8 +17232,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
],
"tags": [
@@ -13796,8 +17259,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
],
"tags": [
@@ -13854,6 +17317,15 @@
"attack.t1221"
]
},
+ "related": [
+ {
+ "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3",
"value": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)"
},
@@ -13871,7 +17343,6 @@
"logsource.product": "windows",
"refs": [
"https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/",
- "https://attack.mitre.org/techniques/T1546/015/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml"
],
"tags": [
@@ -13879,8 +17350,17 @@
"attack.t1546.015"
]
},
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12",
- "value": "Windows Registry Persistence COM Search Order Hijacking"
+ "value": "Potential Persistence Via COM Search Order Hijacking"
},
{
"description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)",
@@ -13904,6 +17384,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6597be7b-ac61-4ac8-bef4-d3ec88174853",
"value": "UAC Bypass Abusing Winsat Path Parsing - Registry"
},
@@ -13929,6 +17418,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5f9db380-ea57-4d1e-beab-8a2d33397e93",
"value": "UAC Bypass Using Windows Media Player - Registry"
},
@@ -13954,7 +17452,7 @@
]
},
"uuid": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a",
- "value": "Modify Attachment Manager Settings - Attachments"
+ "value": "Potential Attachment Manager Settings Attachments Tamper"
},
{
"description": "Detects the Setting of Windows Defender Exclusions",
@@ -14003,6 +17501,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7d9263bd-dc47-4a58-bc92-5474abab390c",
"value": "Change Winevt Event Access Permission Via Registry"
},
@@ -14021,8 +17528,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
],
"tags": [
@@ -14078,9 +17585,42 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e78c408a-e2ea-43cd-b5ea-51975cf358c0",
"value": "Disable Windows Firewall by Registry"
},
+ {
+ "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/05/30",
+ "falsepositive": [
+ "Legitimate applications registering a new custom protocol handler"
+ ],
+ "filename": "registry_set_persistence_custom_protocol_handler.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085",
+ "value": "Potential Persistence Via Custom Protocol Handler"
+ },
{
"description": "Detect modification for a specific user to prevent that user from being listed on the logon screen",
"meta": {
@@ -14102,6 +17642,15 @@
"attack.t1564.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8a58209c-7ae6-4027-afb0-307a78e4589a",
"value": "User Account Hidden By Registry"
},
@@ -14127,6 +17676,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "92b0b372-a939-44ed-a11b-5136cf680e27",
"value": "Blue Mockingbird - Registry"
},
@@ -14175,6 +17733,15 @@
"attack.t1547.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "509e84b9-a71a-40e0-834f-05470369bd1e",
"value": "Changing RDP Port to Non Standard Number"
},
@@ -14191,10 +17758,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
],
"tags": [
@@ -14218,8 +17785,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
],
"tags": [
@@ -14227,6 +17794,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d223b46b-5621-4037-88fe-fda32eead684",
"value": "New Root or CA or AuthRoot Certificate to Store"
},
@@ -14243,8 +17819,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
"https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
],
"tags": [
@@ -14254,6 +17830,15 @@
"car.2019-04-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5b872a46-3b90-45c1-8419-f675db8053aa",
"value": "UAC Bypass via Sdclt"
},
@@ -14270,8 +17855,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/hhctrl.html",
"https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
+ "https://persistence-info.github.io/Data/hhctrl.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
],
"tags": [
@@ -14302,6 +17887,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5de03871-5d46-4539-a82d-3aa992a69a83",
"value": "Registry Disable System Restore"
},
@@ -14326,6 +17920,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "73a883d0-0348-4be4-a8d8-51031c2564f8",
"value": "Potential Registry Persistence Attempt Via Windows Telemetry"
},
@@ -14353,11 +17956,34 @@
"attack.t1546"
]
},
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd",
"value": "Outlook C2 Registry Key"
},
{
- "description": "Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging",
+ "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging",
"meta": {
"author": "frack113",
"creation_date": "2022/04/02",
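Review bot: The rewritten description on L8729 is a sentence fragment — the full stop after `logged-in user` leaves `In order to disable PowerShell module logging ...` with no main verb, so the rule's purpose no longer reads as one statement. Something like `Detects changes to the registry of the currently logged-in user that disable PowerShell module logging, script block logging, or transcription and script execution logging` keeps the new wording and the intent of the removed line (L8728). If the description is copied verbatim from the upstream Sigma rule, the fix belongs in that YAML and this file would pick it up on the next regeneration. The three `related` entries added for the "Outlook C2 Registry Key" item (L8701–L8723) correspond to tags that are mostly outside this hunk — only `attack.t1546` (L8698) is visible — so they could not be checked against the rule's full tag list here.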
@@ -14365,7 +17991,7 @@
"Unknown"
],
"filename": "registry_set_powershell_logging_disabled.yml",
- "level": "medium",
+ "level": "high",
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
@@ -14377,8 +18003,17 @@
"attack.t1564.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7",
- "value": "PowerShell Logging Disabled"
+ "value": "PowerShell Logging Disabled Via Registry Key Tampering"
},
{
"description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n",
@@ -14440,8 +18075,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
],
"tags": [
@@ -14449,9 +18084,42 @@
"attack.t1137"
]
},
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "45e112d0-7759-4c2a-aa36-9f8fb79d3393",
"value": "IE Change Domain Zone"
},
+ {
+ "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_persistence_natural_language.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
+ "https://persistence-info.github.io/Data/naturallanguage6.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8",
+ "value": "Potential Persistence Via DLLPathOverride"
+ },
{
"description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n",
"meta": {
@@ -14473,6 +18141,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d",
"value": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download"
},
@@ -14489,8 +18166,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -14500,6 +18177,15 @@
"car.2019-04-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7c81fec3-1c1d-43b0-996a-46753041b1b6",
"value": "UAC Bypass via Event Viewer - Registry Set"
},
@@ -14518,8 +18204,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
],
"tags": [
@@ -14530,6 +18216,30 @@
"uuid": "480421f9-417f-4d3b-9552-fd2728443ec8",
"value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"
},
+ {
+ "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way"
+ ],
+ "filename": "registry_set_persistence_mpnotify.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://persistence-info.github.io/Data/mpnotify.html",
+ "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3",
+ "value": "Potential Persistence Via Mpnotify"
+ },
{
"description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"meta": {
@@ -14545,8 +18255,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
],
"tags": [
@@ -14578,6 +18288,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0cb8d736-995d-4ce7-a31e-1e8d452a1459",
"value": "Potential EventLog File Location Tampering"
},
@@ -14644,8 +18363,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
],
"tags": [
@@ -14669,9 +18388,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
],
"tags": [
@@ -14679,6 +18398,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719",
"value": "Lsass Full Dump Request Via DumpType Registry Settings"
},
@@ -14695,9 +18423,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
],
"tags": [
@@ -14730,6 +18458,15 @@
"attack.t1564.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd",
"value": "Hide User Account Via Special Accounts Reg Key"
},
@@ -14746,9 +18483,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
"https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
],
"tags": [
@@ -14757,9 +18494,43 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "46dd5308-4572-4d12-aa43-8938f0184d4f",
"value": "Bypass UAC Using DelegateExecute"
},
+ {
+ "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/22",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_persistence_ie.yml",
+ "level": "low",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3",
+ "value": "Modification of IE Registry Settings"
+ },
{
"description": "Detects that a powershell code is written to the registry as a service.",
"meta": {
@@ -14781,6 +18552,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d",
"value": "PowerShell as a Service in Registry"
},
@@ -14807,6 +18587,15 @@
"attack.t1574.012"
]
},
+ "related": [
+ {
+ "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f",
"value": "Enabling COR Profiler Environment Variables"
},
@@ -14856,6 +18645,15 @@
"cve.2021.1675"
]
},
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e0813366-0407-449a-9869-a2db1119dc41",
"value": "Suspicious Printer Driver Empty Manufacturer"
},
@@ -14881,6 +18679,15 @@
"attack.t1547.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85",
"value": "Set TimeProviders DllName"
},
@@ -14921,8 +18728,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
],
"tags": [
@@ -14954,33 +18761,18 @@
"attack.t1070.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e",
"value": "Disable Administrative Share Creation at Startup"
},
- {
- "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way"
- ],
- "filename": "registry_set_mpnotify_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
- "https://persistence-info.github.io/Data/mpnotify.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3",
- "value": "Persistence Via Mpnotify"
- },
{
"description": "Detects disabling Windows Defender Exploit Guard Network Protection",
"meta": {
@@ -15005,6 +18797,30 @@
"uuid": "bf9e1387-b040-4393-9851-1598f8ecfae9",
"value": "Disable Exploit Guard Network Protection on Windows Defender"
},
+ {
+ "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "registry_set_persistence_lsa_extension.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1476286368385019906",
+ "https://persistence-info.github.io/Data/lsaaextension.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36",
+ "value": "Potential Persistence Via LSA Extensions"
+ },
{
"description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification",
"meta": {
@@ -15018,8 +18834,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
],
"tags": [
@@ -15027,6 +18843,15 @@
"attack.t1547.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "674202d0-b22a-4af4-ae5f-2eda1f3da1af",
"value": "Bypass UAC Using Event Viewer"
},
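Review bot: The `related` block added at L9204–L9212 links "Bypass UAC Using Event Viewer" (uuid 674202d0) to dest-uuid 43881e51, the same destination the Port Monitor entries receive for `attack.t1547.010` (L8329–L8339, L8577–L8587), whereas every other UAC-bypass entry in this diff — Winsat (L8437), Windows Media Player (L8453), Sdclt (L8645), Event Viewer registry-set (L8846), DelegateExecute (L9004) — is related to 120d5519. The relation appears to be derived from the visible `attack.t1547.010` tag on L9201, so an upstream mis-tag becomes an `almost-certain` relationship in the galaxy; the relationship script would do well to flag entries whose technique relation differs from sibling entries with the same title stem, or the tag should be corrected in the Sigma rule before regeneration. The "Changing RDP Port to Non Standard Number" entry (L8574–L8587) shows the same tag/title tension and may warrant the same check. The enclosing object starts outside the hunk, so the rule's other tags are not visible here.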
@@ -15077,6 +18902,15 @@
"attack.t1559.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "63647769-326d-4dde-a419-b925cc0caf42",
"value": "Enable Microsoft Dynamic Data Exchange"
},
@@ -15104,6 +18938,15 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "60936b49-fca0-4f32-993d-7415edcf9a5d",
"value": "New Application in AppCompat"
},
@@ -15120,8 +18963,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
],
"tags": [
@@ -15145,8 +18988,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
"https://twitter.com/pabraeken/status/998627081360695297",
+ "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
"https://twitter.com/VakninHai/status/1517027824984547329",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
],
@@ -15155,6 +18998,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce",
"value": "ScreenSaver Registry Key Set"
},
@@ -15171,8 +19023,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
"https://persistence-info.github.io/Data/autodialdll.html",
+ "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml"
],
"tags": [
@@ -15180,7 +19032,7 @@
]
},
"uuid": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3",
- "value": "Persistence Via AutodialDLL"
+ "value": "Potential Persistence Via AutodialDLL"
},
{
"description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup",
@@ -15246,10 +19098,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
],
"tags": [
@@ -15281,6 +19133,15 @@
"attack.t1564.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5a5152f1-463f-436b-b2f5-8eceb3964b42",
"value": "Modification of Explorer Hidden Keys"
},
@@ -15307,6 +19168,15 @@
"attack.t1137"
]
},
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5df86130-4e95-4a54-90f7-26541b40aec2",
"value": "Registry Modification to Hidden File Extension"
},
@@ -15321,8 +19191,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml"
],
"tags": [
@@ -15331,6 +19201,22 @@
"attack.t1059.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "42f0e038-767e-4b85-9d96-2c6335bad0b5",
"value": "Adwind RAT / JRAT - Registry"
},
@@ -15357,6 +19243,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "724ea201-6514-4f38-9739-e5973c34f49a",
"value": "Bypass UAC Using SilentCleanup Task"
},
@@ -15373,9 +19268,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
],
"tags": [
@@ -15423,9 +19318,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
"https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
"https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
],
"tags": [
@@ -15448,10 +19343,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://github.com/elastic/detection-rules/issues/1371",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
"https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
+ "https://github.com/elastic/detection-rules/issues/1371",
+ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
],
"tags": [
@@ -15460,33 +19355,18 @@
"attack.t1112"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5",
"value": "DNS-over-HTTPS Enabled by Registry"
},
- {
- "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_chm_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://persistence-info.github.io/Data/htmlhelpauthor.html",
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b",
- "value": "CHM Helper DLL Persistence"
- },
{
"description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification",
"meta": {
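Review bot: Dropping the whole "CHM Helper DLL Persistence" value (uuid 976dd1f2-a484-45ec-aa1d-0e87e882262b) removes a cluster uuid that existing events and correlations may already be tagged with, and the hunk at -15592 does the same for "Registry Key Creation or Modification for Shim DataBase" (uuid dfb5b4e8-91d0-4291-b40a-e3b0d3942c45). Unless the same uuid is re-added elsewhere in this patch (presumably under a renamed sigma filename, which this chunk does not show), consumers that reference it lose the link silently. If the upstream rule was renamed, the generator should carry the existing uuid over to the renamed entry; if it was retired, keeping the value and marking it deprecated is safer than deleting it. The enclosing values array continues outside the hunk.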
@@ -15532,6 +19412,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5b16df71-8615-4f7f-ac9b-6c43c0509e61",
"value": "Hide Schedule Task Via Index Value Tamper"
},
@@ -15548,9 +19437,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
],
"tags": [
@@ -15573,17 +19462,17 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
"https://twitter.com/_xpn_/status/1268712093928378368",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
],
"tags": [
@@ -15592,34 +19481,18 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544",
"value": "ETW Logging Disabled In .NET Processes - Sysmon Registry"
},
- {
- "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/12/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_shim_databases_persistence.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.011"
- ]
- },
- "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45",
- "value": "Registry Key Creation or Modification for Shim DataBase"
- },
{
"description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location",
"meta": {
@@ -15641,8 +19514,17 @@
"attack.t1546.015"
]
},
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77",
- "value": "COM Hijacking For Persistence With Suspicious Locations"
+ "value": "Potential Persistence Via COM Hijacking From Suspicious Locations"
},
{
"description": "Detects modification of autostart extensibility point (ASEP) in registry.",
@@ -15659,8 +19541,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
],
"tags": [
@@ -15693,6 +19575,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0442defa-b4a2-41c9-ae2c-ea7042fc4701",
"value": "New Network Provider - Registry"
},
@@ -15709,8 +19600,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
],
@@ -15755,16 +19646,16 @@
"falsepositive": [
"Legitimate registration of IFilters by the OS or software"
],
- "filename": "registry_set_ifilter_persistence.yml",
+ "filename": "registry_set_persistence_ifilter.yml",
"level": "medium",
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
"https://twitter.com/0gtweet/status/1468548924600459267",
- "https://persistence-info.github.io/Data/ifilters.html",
"https://github.com/gtworek/PSBits/tree/master/IFilter",
+ "https://persistence-info.github.io/Data/ifilters.html",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
],
"tags": [
"attack.persistence"
@@ -15810,8 +19701,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://forensafe.com/blogs/typedpaths.html",
"https://twitter.com/dez_/status/1560101453150257154",
+ "https://forensafe.com/blogs/typedpaths.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml"
],
"tags": [
@@ -15819,7 +19710,7 @@
]
},
"uuid": "086ae989-9ca6-4fe7-895a-759c5544f247",
- "value": "Persistence Via TypedPaths"
+ "value": "Potential Persistence Via TypedPaths"
},
{
"description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.",
@@ -15835,8 +19726,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
],
"tags": [
@@ -15894,6 +19785,15 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a",
"value": "dotNET DLL Loaded Via Office Applications"
},
@@ -15912,9 +19812,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
+ "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
"https://twitter.com/dez_/status/986614411711442944",
"https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
- "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
],
"tags": [
@@ -15922,6 +19822,15 @@
"attack.t1220"
]
},
+ "related": [
+ {
+ "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32",
"value": "WMIC Loading Scripting Libraries"
},
@@ -15947,6 +19856,15 @@
"attack.t1055"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171",
"value": "Potential DLL Sideloading Using Coregen.exe"
},
@@ -15971,6 +19889,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "49329257-089d-46e6-af37-4afce4290685",
"value": "SharpEvtMute Imphash EvtMuteHook Load"
},
@@ -15987,8 +19914,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/binderlabs/DirCreate2System",
"https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
+ "https://github.com/binderlabs/DirCreate2System",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
],
"tags": [
@@ -16016,9 +19943,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/bohops/WSMan-WinRM",
- "https://twitter.com/chadtilbury/status/1275851297770610688",
- "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
"https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
],
"tags": [
@@ -16028,6 +19955,22 @@
"attack.t1021.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94",
"value": "Suspicious WSMAN Provider Image Loads"
},
@@ -16052,6 +19995,15 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4",
"value": "Active Directory Parsing DLL Loaded Via Office Applications"
},
@@ -16078,6 +20030,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70",
"value": "Image Load of VSS_PS.dll by Uncommon Executable"
},
@@ -16105,6 +20066,15 @@
"attack.t1574.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03",
"value": "UAC Bypass With Fake DLL"
},
@@ -16121,8 +20091,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tifkin_/status/1321916444557365248",
"https://twitter.com/rbmaslen/status/1321859647091970051",
+ "https://twitter.com/tifkin_/status/1321916444557365248",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml"
],
"tags": [
@@ -16130,6 +20100,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "84b0a8f3-680b-4096-a45b-e9a89221727c",
"value": "PCRE.NET Package Image Load"
},
@@ -16154,6 +20133,15 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac",
"value": "GAC DLL Loaded Via Office Applications"
},
@@ -16180,6 +20168,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9ed5959a-c43c-4c59-84e3-d28628429456",
"value": "UAC Bypass Using Iscsicpl - ImageLoad"
},
@@ -16204,6 +20201,15 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780",
"value": "CLR DLL Loaded Via Office Applications"
},
@@ -16256,6 +20262,15 @@
"car.2019-04-004"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e",
"value": "Mimikatz In-Memory"
},
@@ -16280,6 +20295,15 @@
"attack.persistence"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6",
"value": "WMI Persistence - Command Line Event Consumer"
},
@@ -16323,12 +20347,12 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/Wh04m1001/SysmonEoP",
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
],
"tags": [
@@ -16340,7 +20364,7 @@
]
},
"uuid": "6b98b92b-4f00-4f62-b4fe-4d1920215771",
- "value": "Sideloading Of Non-Existent DLLs From System Folders"
+ "value": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders"
},
{
"description": "Detects DLL sideloading of DLLs that are part of web browsers",
@@ -16418,6 +20442,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8",
"value": "Image Load of VSS Dll by Uncommon Executable"
},
@@ -16434,8 +20467,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
"https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
],
"tags": [
@@ -16470,6 +20503,15 @@
"attack.t1071"
]
},
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d",
"value": "SILENTTRINITY Stager Execution - DLL"
},
@@ -16511,10 +20553,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
- "https://hijacklibs.net/",
"https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
+ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
"https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://hijacklibs.net/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
],
"tags": [
@@ -16526,7 +20568,7 @@
]
},
"uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4",
- "value": "System DLL Sideloading From Non System Locations"
+ "value": "Potential System DLL Sideloading From Non System Locations"
},
{
"description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations",
@@ -16549,6 +20591,15 @@
"attack.t1218.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "75e508f7-932d-4ebc-af77-269237a84ce1",
"value": "Cmstp Suspicious DLL Load"
},
@@ -16573,6 +20624,15 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837",
"value": "Active Directory Kerberos DLL Loaded Via Office Applications"
},
@@ -16589,9 +20649,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
- "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
"https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
+ "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
+ "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml"
],
"tags": [
@@ -16599,6 +20659,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0e277796-5f23-4e49-a490-483131d4f6e1",
"value": "Load of dbghelp/dbgcore DLL from Suspicious Process"
},
@@ -16680,6 +20749,15 @@
"attack.t1021.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f354eba5-623b-450f-b073-0b5b2773b6aa",
"value": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load"
},
@@ -16710,7 +20788,7 @@
"value": "Python Py2Exe Image Load"
},
{
- "description": "Detects CLR DLL being loaded by an scripting applications",
+ "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript",
"meta": {
"author": "omkar72, oscd.community",
"creation_date": "2020/10/14",
@@ -16723,6 +20801,7 @@
"logsource.product": "windows",
"refs": [
"https://github.com/tyranid/DotNetToJScript",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://thewover.github.io/Introducing-Donut/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
@@ -16783,6 +20862,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fe6e002f-f244-4278-9263-20e4b593827f",
"value": "Alternate PowerShell Hosts - Image"
},
@@ -16835,6 +20923,15 @@
"attack.t1587"
]
},
+ "related": [
+ {
+ "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c",
"value": "FoggyWeb Backdoor DLL Loading"
},
@@ -16914,6 +21011,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "671bb7e3-a020-4824-a00e-2ee5b55f385e",
"value": "WMI Modules Loaded"
},
@@ -16939,6 +21045,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8cde342c-ba48-4b74-b615-172c330f2e93",
"value": "Rundll32 Loading Renamed Comsvcs DLL"
},
@@ -16964,6 +21079,15 @@
"cve.2022.30190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6",
"value": "MSDT.exe Loading Diagnostic Library"
},
@@ -17012,11 +21136,20 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2",
"value": "Unsigned Image Loaded Into LSASS Process"
},
{
- "description": "Detects DLL's Loaded Via Word Containing VBA Macros",
+ "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.",
"meta": {
"author": "Antonlovesdnb",
"creation_date": "2020/02/19",
@@ -17036,8 +21169,17 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9",
- "value": "VBA DLL Loaded Via Microsoft Word"
+ "value": "VBA DLL Loaded Via Office Application"
},
{
"description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%",
@@ -17127,8 +21269,8 @@
"logsource.product": "windows",
"refs": [
"https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
- "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
"https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml"
],
"tags": [
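Review bot: The only change in this hunk is the position of one `refs` entry (L10258 moved to L10260), and the same pattern recurs in the hunks at L10328, L10338, L10411, L10439, L10465, L10729, L10852, L11342, L11438, L11490, L11532 and L11559. Presumably the regeneration script emits `refs` in a different (possibly non-deterministic) order than the previous run, which produces diff churn with no content change and makes the real additions in this large commit harder to review. If the order has no meaning, emitting the refs in their upstream source order or sorted (with the SigmaHQ link kept last, as the current output does) would keep future regenerations diff-stable.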
@@ -17138,6 +21280,15 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8",
"value": "WMI Script Host Process Image Loaded"
},
@@ -17164,6 +21315,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f",
"value": "In-memory PowerShell"
},
@@ -17190,6 +21350,15 @@
"attack.t1021.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa",
"value": "Wmiprvse Wbemcomn DLL Hijack"
},
@@ -17269,6 +21438,15 @@
"cve.2021.34527"
]
},
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "02fb90de-c321-4e63-a6b9-25f4b03dfd14",
"value": "Windows Spooler Service Suspicious Binary Load"
},
@@ -17312,8 +21490,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
"https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
+ "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
],
@@ -17339,9 +21517,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://twitter.com/oulusoyum/status/1191329746069655553",
"https://twitter.com/mattifestation/status/1196390321783025666",
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml"
],
"tags": [
@@ -17351,6 +21529,22 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e76c8240-d68f-4773-8880-5c6f63595aaf",
"value": "Time Travel Debugging Utility Usage - Image"
},
@@ -17401,6 +21595,22 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b",
"value": "Suspicious Encoded Scripts in a WMI Consumer"
},
@@ -17424,6 +21634,15 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0f06a3a5-6a09-413f-8743-e6cf35561297",
"value": "WMI Event Subscription"
},
@@ -17440,9 +21659,9 @@
"logsource.category": "wmi_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
"https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
+ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
],
"tags": [
@@ -17450,6 +21669,15 @@
"attack.t1059.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0",
"value": "Suspicious Scripting in a WMI Consumer"
},
@@ -17466,8 +21694,8 @@
"logsource.category": "ps_classic_start",
"logsource.product": "windows",
"refs": [
- "https://github.com/besimorhino/powercat",
"https://nmap.org/ncat/",
+ "https://github.com/besimorhino/powercat",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
],
@@ -17476,6 +21704,15 @@
"attack.t1095"
]
},
+ "related": [
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c5b20776-639a-49bf-94c7-84f912b91c15",
"value": "Netcat The Powershell Version"
},
@@ -17493,8 +21730,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/bohops/WSMan-WinRM",
- "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
],
"tags": [
@@ -17504,6 +21741,22 @@
"attack.t1021.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7",
"value": "Suspicious Non PowerShell WSMAN COM Provider"
},
@@ -17528,6 +21781,15 @@
"attack.t1049"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b366adb4-d63d-422d-8a2c-186463b5ded0",
"value": "Use Get-NetTCPConnection"
},
@@ -17554,6 +21816,22 @@
"attack.t1021.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "60167e5c-84b2-4c95-a7ac-86281f27c445",
"value": "Remote PowerShell Session (PS Classic)"
},
@@ -17579,6 +21857,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c70e019b-1479-4b65-b0cc-cd0c6093a599",
"value": "PowerShell Called from an Executable Version Mismatch"
},
@@ -17604,6 +21891,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f65e22f9-819e-4f96-9c7b-498364ae7a25",
"value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell"
},
@@ -17630,6 +21926,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d7326048-328b-4d5e-98af-86e84b17c765",
"value": "Alternate PowerShell Hosts"
},
@@ -17655,6 +21960,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6331d09b-4785-4c13-980f-f96661356249",
"value": "PowerShell Downgrade Attack - PowerShell"
},
@@ -17680,6 +21994,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1",
"value": "Delete Volume Shadow Copies Via WMI With PowerShell"
},
@@ -17704,6 +22027,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6",
"value": "Suspicious XOR Encoded PowerShell Command Line - PowerShell"
},
@@ -17728,6 +22060,15 @@
"attack.t1074.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "71ff406e-b633-4989-96ec-bc49d825a412",
"value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell"
},
@@ -17752,6 +22093,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d",
"value": "Suspicious PowerShell Download"
},
@@ -17776,6 +22126,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592",
"value": "Renamed Powershell Under Powershell Channel"
},
@@ -17824,6 +22183,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1",
"value": "Nslookup PowerShell Download Cradle"
},
@@ -17850,6 +22218,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "64e8e417-c19a-475a-8d19-98ea705394cc",
"value": "Alternate PowerShell Hosts - PowerShell Module"
},
@@ -17876,6 +22253,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9ac8b09b-45de-4a07-9da1-0de8c09304a3",
"value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module"
},
@@ -17892,9 +22278,9 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
"https://www.mdeditor.tw/pl/pgRt",
"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
],
"tags": [
@@ -17902,6 +22288,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86",
"value": "Bad Opsec Powershell Code Artifacts"
},
@@ -17952,6 +22347,15 @@
"attack.t1140"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5",
"value": "PowerShell Decompress Commands"
},
@@ -17976,6 +22380,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "815bfc17-7fc6-4908-a55e-2f37b98cedb4",
"value": "AD Groups Or Users Enumeration Using PowerShell - PoshModule"
},
@@ -18002,6 +22415,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd",
"value": "Invoke-Obfuscation Via Use Clip - PowerShell Module"
},
@@ -18028,6 +22450,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6",
"value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module"
},
@@ -18052,6 +22483,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cef24b90-dddc-4ae1-a09a-8764872f69fc",
"value": "Suspicious Get Local Groups Information"
},
@@ -18077,6 +22517,15 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b140afd9-474b-4072-958e-2ebb435abd68",
"value": "Suspicious Get-ADDBAccount Usage"
},
@@ -18093,8 +22542,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/besimorhino/powercat",
"https://nmap.org/ncat/",
+ "https://github.com/besimorhino/powercat",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml"
],
@@ -18103,6 +22552,15 @@
"attack.t1095"
]
},
+ "related": [
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2",
"value": "Netcat The Powershell Version - PowerShell Module"
},
@@ -18127,6 +22585,15 @@
"attack.t1070.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f99276ad-d122-4989-a09a-d00904a5f9d2",
"value": "Clear PowerShell History - PowerShell Module"
},
@@ -18153,6 +22620,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2f211361-7dce-442d-b78a-c04039677378",
"value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module"
},
@@ -18179,6 +22655,22 @@
"attack.t1021.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "96b9f619-aa91-478f-bacb-c3e50f8df575",
"value": "Remote PowerShell Session (PS Module)"
},
@@ -18203,6 +22695,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6942bd25-5970-40ab-af49-944247103358",
"value": "Suspicious Get Information for SMB Share - PowerShell Module"
},
@@ -18229,6 +22730,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb",
"value": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module"
},
@@ -18255,6 +22765,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1",
"value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module"
},
@@ -18278,6 +22797,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9",
"value": "Suspicious PowerShell Download - PowerShell Module"
},
@@ -18304,6 +22832,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c72aca44-8d52-45ad-8f81-f96c4d3c755e",
"value": "Invoke-Obfuscation Via Stdin - PowerShell Module"
},
@@ -18330,6 +22867,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2",
"value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module"
},
@@ -18353,6 +22899,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bbb80e91-5746-4fbe-8898-122e2cafdbf4",
"value": "Suspicious PowerShell Invocations - Generic - PowerShell Module"
},
@@ -18377,6 +22932,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a",
"value": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module"
},
@@ -18403,6 +22967,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a23791fe-8846-485a-b16b-ca691e1b03d4",
"value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module"
},
@@ -18429,6 +23002,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e",
"value": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module"
},
@@ -18452,6 +23034,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090",
"value": "Suspicious PowerShell Invocations - Specific - PowerShell Module"
},
@@ -18502,6 +23093,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "38a7625e-b2cb-485d-b83d-aff137d859f4",
"value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module"
},
@@ -18526,6 +23126,15 @@
"attack.t1049"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1",
"value": "Use Get-NetTCPConnection - PowerShell Module"
},
@@ -18552,6 +23161,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a",
"value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module"
},
@@ -18576,6 +23194,15 @@
"attack.t1074.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "daf7eb81-35fd-410d-9d7a-657837e602bb",
"value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module"
},
@@ -18600,6 +23227,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d4488827-73af-4f8d-9244-7b7662ef046e",
"value": "Change User Agents with WebRequest"
},
@@ -18624,6 +23260,15 @@
"attack.t1027.009"
]
},
+ "related": [
+ {
+ "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f3a98ce4-6164-4dd4-867c-4d83de7eca51",
"value": "Powershell Token Obfuscation - Powershell"
},
@@ -18649,11 +23294,20 @@
"attack.t1546"
]
},
+ "related": [
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0332a266-b584-47b4-933d-a00b103e1b37",
"value": "Suspicious Get-WmiObject"
},
{
- "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell logs",
+ "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs",
"meta": {
"author": "James Pemberton / @4A616D6573",
"creation_date": "2019/10/24",
@@ -18674,8 +23328,17 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1139d2e2-84b1-4226-b445-354492eba8ba",
- "value": "Usage Of Web Request Commands And Cmdlets - PowerShell"
+ "value": "Usage Of Web Request Commands And Cmdlets - ScriptBlock"
},
{
"description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"",
@@ -18698,6 +23361,15 @@
"attack.t1556.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd",
"value": "Powershell Install a DLL in System Directory"
},
@@ -18722,6 +23394,15 @@
"attack.t1218.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "91109523-17f0-4248-a800-f81d9e7c081d",
"value": "PowerShell WMI Win32_Product Install MSI"
},
@@ -18748,6 +23429,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "779c8c12-0eb1-11eb-adc1-0242ac120002",
"value": "Invoke-Obfuscation STDIN+ Launcher - Powershell"
},
@@ -18773,6 +23463,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a0edd39f-a0c6-4c17-8141-261f958e8d8f",
"value": "PowerShell Remote Session Creation"
},
@@ -18821,6 +23520,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e17121b4-ef2a-4418-8a59-12fb1631fa9e",
"value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script"
},
@@ -18845,6 +23553,15 @@
"attack.t1564.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "313fbb0a-a341-4682-848d-6d6f8c4fab7c",
"value": "Suspicious PowerShell WindowStyle Option"
},
@@ -18861,8 +23578,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
"https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
],
@@ -18871,6 +23588,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "78aa1347-1517-4454-9982-b338d6df8343",
"value": "Powershell MsXml COM Object"
},
@@ -18896,6 +23622,15 @@
"attack.t1497.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d93129cd-1ee0-479f-bc03-ca6f129882e3",
"value": "Powershell Detect Virtualization Environment"
},
@@ -18922,9 +23657,53 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "20e5497e-331c-4cd5-8d36-935f6e2a9a07",
"value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell"
},
+ {
+ "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/09",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_susp_alias_obfscuation.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1027",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e8314f79-564d-4f79-bc13-fbc0bf2660d8",
+ "value": "Potential PowerShell Obfuscation Using Character Join"
+ },
{
"description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.",
"meta": {
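Review bot: The new entry at L11400–L11434 has a description (L11401) about obfuscating Alias creation, spelled "obfscuate", while its `value` (L11433) is "Potential PowerShell Obfuscation Using Character Join"; the spelling also appears in the `filename` at L11408, so both presumably mirror the upstream Sigma rule and need fixing there rather than in this generated file, but the title/description mismatch is worth confirming against the rule before it is published in the galaxy. Separately, `refs` at L11412–L11415 mixes the non-URL string `"Internal Research"` with URLs; consumers that render `refs` as links will either emit a broken link or need a tolerance for this, so the relationship script could drop or flag entries that do not parse as URLs. The enclosing `values` array continues outside this hunk.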
@@ -18938,10 +23717,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/08/ryuks-return",
+ "https://adsecurity.org/?p=2277",
"https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
"https://powersploit.readthedocs.io/en/stable/Recon/README",
- "https://adsecurity.org/?p=2277",
+ "https://thedfirreport.com/2020/10/08/ryuks-return",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
],
"tags": [
@@ -18949,6 +23728,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dcd74b95-3f36-4ed9-9598-0490951643aa",
"value": "Malicious PowerView PowerShell Commandlets"
},
@@ -18975,6 +23763,22 @@
"attack.t1136.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "243de76f-4725-4f2e-8225-a8a69b15ad61",
"value": "PowerShell Create Local User"
},
@@ -18991,8 +23795,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/948061991012327424",
"https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+ "https://twitter.com/bohops/status/948061991012327424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml"
],
"tags": [
@@ -19000,6 +23804,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4cd29327-685a-460e-9dac-c3ab96e549dc",
"value": "Execution via CL_Invocation.ps1 - Powershell"
},
@@ -19024,6 +23837,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "afd3df04-948d-46f6-ae44-25966c44b97f",
"value": "PSAsyncShell - Asynchronous TCP Reverse Shell"
},
@@ -19040,9 +23862,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
"https://www.ietf.org/rfc/rfc2821.txt",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
],
"tags": [
@@ -19050,6 +23872,15 @@
"attack.t1048.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9a7afa56-4762-43eb-807d-c3dc9ffe211b",
"value": "Powershell Exfiltration Over SMTP"
},
@@ -19067,8 +23898,8 @@
"logsource.product": "windows",
"refs": [
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
],
"tags": [
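Review bot: The Get-ADComputer discovery entry whose refs are reordered here receives no `related` block, unlike the neighbouring entries; no further hunk for it appears before the next entry's hunk at L11569, so its tags block is apparently untouched (the tags themselves lie outside this hunk). The same gap seems to affect the entries at L11569–11578, L11706–11716, L12265–12275 and L12629–12638. This may be intended if the script only resolves a subset of `attack.*` tags, but a relationship that was silently dropped looks identical to one that was never attempted; having the generator log each tag it fails to resolve to a galaxy UUID would make these omissions auditable.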
@@ -19093,8 +23924,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -19151,6 +23982,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ed965133-513f-41d9-a441-e38076a0798f",
"value": "Suspicious PowerShell Invocations - Generic"
},
@@ -19175,6 +24015,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dddfebae-c46f-439c-af7a-fdb6bde90218",
"value": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
},
@@ -19199,6 +24048,15 @@
"attack.t1119"
]
},
+ "related": [
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c1dda054-d638-4c16-afc8-53e007f3fbc5",
"value": "Automated Collection Command PowerShell"
},
@@ -19215,11 +24073,11 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
- "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
"https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
- "http://woshub.com/manage-windows-firewall-powershell/",
+ "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+ "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+ "http://woshub.com/manage-windows-firewall-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
],
"tags": [
@@ -19227,6 +24085,15 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "488b44e7-3781-4a71-888d-c95abfacf44d",
"value": "Windows Firewall Profile Disabled"
},
@@ -19252,6 +24119,15 @@
"attack.t1136.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08",
"value": "Manipulation of User Computer or Group Security Principals Across AD"
},
@@ -19276,6 +24152,15 @@
"attack.t1070.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "602f5669-6927-4688-84db-0d4b7afb2150",
"value": "Disable Powershell Command History"
},
@@ -19325,6 +24210,15 @@
"attack.t1555.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fc028194-969d-4122-8abe-0470d5b8f12f",
"value": "Access to Browser Login Data"
},
@@ -19342,9 +24236,9 @@
"logsource.product": "windows",
"refs": [
"https://youtu.be/5mqid-7zp8k?t=2481",
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
],
"tags": [
@@ -19375,6 +24269,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab",
"value": "Import PowerShell Modules From Suspicious Directories"
},
@@ -19423,6 +24326,15 @@
"attack.t1555"
]
},
+ "related": [
+ {
+ "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc",
"value": "Dump Credentials from Windows Credential Manager With PowerShell"
},
@@ -19448,6 +24360,15 @@
"attack.t1573"
]
},
+ "related": [
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "195626f3-5f1b-4403-93b7-e6cfd4d6a078",
"value": "Suspicious SSL Connection"
},
@@ -19473,7 +24394,7 @@
"value": "Potential In-Memory Execution Using Reflection.Assembly"
},
{
- "description": "Detecting use WinAPI Functions in PowerShell",
+ "description": "Detects use of WinAPI Functions in PowerShell scripts",
"meta": {
"author": "Nikita Nazarov, oscd.community, Tim Shelton",
"creation_date": "2020/10/06",
@@ -19494,8 +24415,24 @@
"attack.t1106"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "03d83090-8cba-44a0-b02f-0b756a050306",
- "value": "Accessing WinAPI in PowerShell"
+ "value": "Potential WinAPI Calls Via PowerShell Scripts"
},
{
"description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n",
@@ -19510,8 +24447,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
"https://www.powershellgallery.com/packages/DSInternals",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
],
"tags": [
@@ -19519,6 +24456,15 @@
"attack.t1003.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "060c3ef1-fd0a-4091-bf46-e7d625f60b73",
"value": "Suspicious Get-ADReplAccount"
},
@@ -19561,8 +24507,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://adsecurity.org/?p=2604",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
],
@@ -19571,6 +24517,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "61d0475c-173f-4844-86f7-f3eebae1c66b",
"value": "Change PowerShell Policies to an Insecure Level - PowerShell"
},
@@ -19611,8 +24566,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml"
],
"tags": [
@@ -19620,6 +24575,15 @@
"attack.t1553.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5947497f-1aa4-41dd-9693-c9848d58727d",
"value": "Suspicious Unblock-File"
},
@@ -19668,6 +24632,15 @@
"attack.t1555"
]
},
+ "related": [
+ {
+ "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "603c6630-5225-49c1-8047-26c964553e0e",
"value": "Enumerate Credentials from Windows Credential Manager With PowerShell"
},
@@ -19694,6 +24667,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b",
"value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell"
},
@@ -19710,8 +24692,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml"
],
"tags": [
@@ -19743,6 +24725,15 @@
"attack.t1546.013"
]
},
+ "related": [
+ {
+ "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152",
"value": "Powershell Trigger Profiles by Add_Content"
},
@@ -19791,6 +24782,15 @@
"attack.t1059.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b5522a23-82da-44e5-9c8b-e10ed8955f88",
"value": "Powershell Execute Batch Script"
},
@@ -19817,6 +24817,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7",
"value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell"
},
@@ -19842,6 +24851,15 @@
"attack.t1484.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b7216a7d-687e-4c8d-82b1-3080b2ad961f",
"value": "Modify Group Policy Settings - ScriptBlockLogging"
},
@@ -19866,6 +24884,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a699b30e-d010-46c8-bbd1-ee2e26765fe9",
"value": "Powershell Store File In Alternate Data Stream"
},
@@ -19913,6 +24940,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "403c2cc0-7f6b-4925-9423-bfa573bed7eb",
"value": "Suspicious PowerShell Download - Powershell Script"
},
@@ -19929,8 +24965,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml"
],
"tags": [
@@ -19938,6 +24974,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b8af5f36-1361-4ebe-9e76-e36128d947bf",
"value": "Use Remove-Item to Delete File"
},
@@ -19964,6 +25009,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ca8b77a9-d499-4095-b793-5d5f330d450e",
"value": "PowerShell Credential Prompt"
},
@@ -19989,6 +25043,15 @@
"attack.t1021.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6",
"value": "Execute Invoke-command on Remote Host"
},
@@ -20014,6 +25077,15 @@
"attack.t1565"
]
},
+ "related": [
+ {
+ "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4368354e-1797-463c-bc39-a309effbe8d7",
"value": "Powershell Add Name Resolution Policy Table Rule"
},
@@ -20038,6 +25110,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb",
"value": "Malicious PowerShell Keywords"
},
@@ -20064,6 +25145,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0adfbc14-0ed1-11eb-adc1-0242ac120002",
"value": "Invoke-Obfuscation VAR+ Launcher - PowerShell"
},
@@ -20088,6 +25178,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "88f0884b-331d-403d-a3a1-b668cf035603",
"value": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock"
},
@@ -20137,6 +25236,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bf72941a-cba0-41ea-b18c-9aca3925690d",
"value": "PowerShell ADRecon Execution"
},
@@ -20162,6 +25270,15 @@
"attack.t1615"
]
},
+ "related": [
+ {
+ "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441",
"value": "Suspicious GPO Discovery With Get-GPO"
},
@@ -20187,6 +25304,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c",
"value": "Powershell LocalAccount Manipulation"
},
@@ -20211,6 +25337,15 @@
"attack.t1048.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4c4af3cd-2115-479c-8193-6b8bfce9001c",
"value": "PowerShell ICMP Exfiltration"
},
@@ -20242,6 +25377,36 @@
"attack.s0363"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3ceb2083-a27f-449a-be33-14ec1b7cc973",
"value": "Silence.EDA Detection"
},
@@ -20258,8 +25423,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
"https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml"
],
"tags": [
@@ -20267,6 +25432,15 @@
"attack.t1571"
]
},
+ "related": [
+ {
+ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "adf876b3-f1f8-4aa9-a4e4-a64106feec06",
"value": "Testing Usage of Uncommonly Used Port"
},
@@ -20306,9 +25480,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml"
],
"tags": [
@@ -20340,6 +25514,15 @@
"attack.t1491.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287",
"value": "Replace Desktop Wallpaper by Powershell"
},
@@ -20387,6 +25570,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd185561-4760-45d6-a63e-a51325112cae",
"value": "Live Memory Dump Using Powershell"
},
@@ -20441,9 +25633,53 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0",
"value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell"
},
+ {
+ "description": "Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/08",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_susp_set_alias.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/1337Rin/Swag-PSO",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1027",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "96cd126d-f970-49c4-848a-da3a09f55c55",
+ "value": "Potential PowerShell Obfuscation Using Alias Cmdlets"
+ },
{
"description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.",
"meta": {
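Review bot: The new Set-Alias/New-Alias entry at L12324–L12358 carries two technique tags, `attack.t1027` and `attack.t1059.001` (L12343–L12344), but its `related` array at L12347–L12355 holds a single element, whereas elsewhere on this page each technique tag yields one element (two tags give two elements at L11471–11486 and L12376–12391). The dest-uuid `970a3432-3237-47ad-bcca-7d8cbb217736` is the one paired with `attack.t1059.001` throughout this file, so the T1027 relationship appears to have been dropped rather than merged. If the script skips tags it cannot resolve it should report them; otherwise this entry should get a second `related` element for T1027 so the obfuscation tactic is reachable from the galaxy graph. The whole entry is visible within this hunk.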
@@ -20506,8 +25742,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "http://www.powertheshell.com/ntfsstreams/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
+ "http://www.powertheshell.com/ntfsstreams/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"
],
"tags": [
@@ -20517,6 +25753,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8c521530-5169-495d-a199-0a3a881ad24e",
"value": "NTFS Alternate Data Stream"
},
@@ -20558,8 +25810,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
],
"tags": [
@@ -20567,6 +25819,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb",
"value": "Powershell Create Scheduled Task"
},
@@ -20583,8 +25844,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
+ "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
],
"tags": [
@@ -20592,6 +25853,15 @@
"attack.t1070.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c6438007-e081-42ce-9483-b067fbef33c3",
"value": "Powershell Timestomp"
},
@@ -20616,6 +25886,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5",
"value": "PowerShell PSAttack"
},
@@ -20641,6 +25920,15 @@
"attack.t1564.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "42d36aa1-3240-4db0-8257-e0118dcdd9cd",
"value": "Suspicious Hyper-V Cmdlets"
},
@@ -20691,6 +25979,15 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81",
"value": "Create Volume Shadow Copy with Powershell"
},
@@ -20716,6 +26013,15 @@
"attack.t1021.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "991a9744-f2f0-44f2-bd33-9092eba17dc3",
"value": "Enable Windows Remote Management"
},
@@ -20755,9 +26061,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://twitter.com/oroneequalsone/status/1568432028361830402",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://twitter.com/oroneequalsone/status/1568432028361830402",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
],
"tags": [
@@ -20765,6 +26071,15 @@
"attack.t1070.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0f017df3-8f5a-414f-ad6b-24aff1128278",
"value": "Suspicious Eventlog Clear"
},
@@ -20789,6 +26104,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "95f0643a-ed40-467c-806b-aac9542ec5ab",
"value": "Suspicious Get Information for SMB Share"
},
@@ -20834,6 +26158,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7",
"value": "Malicious ShellIntel PowerShell Commandlets"
},
@@ -20851,8 +26184,8 @@
"logsource.product": "windows",
"refs": [
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
],
"tags": [
@@ -20860,6 +26193,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "09658312-bc27-4a3b-91c5-e49ab9046d1b",
"value": "WMIC Unquoted Services Path Lookup - PowerShell"
},
@@ -20911,6 +26253,15 @@
"attack.t1553.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "902cedee-0398-4e3a-8183-6f3a89773a96",
"value": "Suspicious Invoke-Item From Mount-DiskImage"
},
@@ -20935,6 +26286,15 @@
"attack.t1114.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2837e152-93c8-43d2-85ba-c3cd3c2ae614",
"value": "Powershell Local Email Collection"
},
@@ -20976,8 +26336,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
],
"tags": [
@@ -21001,8 +26361,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/948061991012327424",
"https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+ "https://twitter.com/bohops/status/948061991012327424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml"
],
"tags": [
@@ -21010,6 +26370,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f588e69b-0750-46bb-8f87-0e9320d57536",
"value": "Execution via CL_Invocation.ps1 (2 Lines)"
},
@@ -21034,6 +26403,15 @@
"attack.t1560"
]
},
+ "related": [
+ {
+ "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6dc5d284-69ea-42cf-9311-fb1c3932a69a",
"value": "Data Compressed - PowerShell"
},
@@ -21075,8 +26453,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -21110,6 +26488,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "189e3b02-82b2-4b90-9662-411eb64486d4",
"value": "Potential Invoke-Mimikatz PowerShell Script"
},
@@ -21135,6 +26522,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "03409c93-a7c7-49ba-9a4c-a00badf2a153",
"value": "Troubleshooting Pack Cmdlet Execution"
},
@@ -21160,6 +26556,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "39776c99-1c7b-4ba0-b5aa-641525eee1a4",
"value": "Execution via CL_Mutexverifiers.ps1"
},
@@ -21235,6 +26640,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0",
"value": "Invoke-Obfuscation Via Use Clip - Powershell"
},
@@ -21284,6 +26698,15 @@
"attack.t1553.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "29e1c216-6408-489d-8a06-ee9d151ef819",
"value": "Suspicious Mount-DiskImage"
},
@@ -21300,10 +26723,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
- "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
"https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
"https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
+ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
+ "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
],
"tags": [
@@ -21311,6 +26734,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf",
"value": "Suspicious PowerShell Keywords"
},
@@ -21335,6 +26767,15 @@
"attack.t1119"
]
},
+ "related": [
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3",
"value": "Recon Information for Export with PowerShell"
},
@@ -21375,8 +26816,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
+ "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml"
],
"tags": [
@@ -21384,6 +26825,15 @@
"attack.t1201"
]
},
+ "related": [
+ {
+ "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82",
"value": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy"
},
@@ -21400,8 +26850,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
],
"tags": [
@@ -21409,6 +26859,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0718cd72-f316-4aa2-988f-838ea8533277",
"value": "Suspicious Start-Process PassThru"
},
@@ -21433,6 +26892,15 @@
"attack.t1531"
]
},
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "48a45d45-8112-416b-8a67-46e03a4b2107",
"value": "Remove Account From Domain Admin Group"
},
@@ -21457,6 +26925,15 @@
"attack.t1070.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "66a4d409-451b-4151-94f4-a55d559c49b0",
"value": "PowerShell Deleted Mounted Share"
},
@@ -21481,6 +26958,15 @@
"attack.t1090"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bd33d2aa-497e-4651-9893-5c5364646595",
"value": "Suspicious TCP Tunnel Via PowerShell Script"
},
@@ -21508,6 +26994,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "16b37b70-6fcf-4814-a092-c36bd3aafcbd",
"value": "PowerShell ShellCode"
},
@@ -21533,6 +27028,15 @@
"attack.t1552.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c",
"value": "Suspicious Export-PfxCertificate"
},
@@ -21557,6 +27061,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb",
"value": "Suspicious Get Local Groups Information - PowerShell"
},
@@ -21581,6 +27094,15 @@
"attack.t1074.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9",
"value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script"
},
@@ -21598,8 +27120,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
+ "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml"
],
"tags": [
@@ -21622,10 +27144,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
+ "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
"https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
"https://twitter.com/ScumBots/status/1610626724257046529",
- "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
],
"tags": [
@@ -21650,8 +27172,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
],
"tags": [
@@ -21683,6 +27205,15 @@
"attack.t1070.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "26b692dc-1722-49b2-b496-a8258aa6371d",
"value": "Clear PowerShell History - PowerShell"
},
@@ -21707,6 +27238,15 @@
"attack.t1069.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee",
"value": "Active Directory Group Enumeration With Get-AdGroup"
},
@@ -21754,13 +27294,29 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a6d67db4-6220-436d-8afc-f3842fe05d43",
"value": "Dnscat Execution"
},
{
"description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
"meta": {
- "author": "Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update), Max Altgelt (update), Tobias Michalski (update), Austin Songer (@austinsonger) (update)",
+ "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer",
"creation_date": "2017/03/05",
"falsepositive": [
"Unknown"
@@ -21770,17 +27326,19 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://adsecurity.org/?p=2921",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/samratashok/nishang",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
],
"tags": [
@@ -21796,6 +27354,43 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6",
"value": "Malicious PowerShell Commandlets - ScriptBlock"
},
@@ -21822,6 +27417,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e54f5149-6ba3-49cf-b153-070d24679126",
"value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell"
},
@@ -21838,9 +27442,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
"https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
"https://www.shellhacks.com/clear-history-powershell/",
+ "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
],
"tags": [
@@ -21849,6 +27453,15 @@
"attack.t1070.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7",
"value": "Clearing Windows Console History"
},
@@ -21873,6 +27486,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b",
"value": "Powershell XML Execute Command"
},
@@ -21896,6 +27518,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71",
"value": "Suspicious PowerShell Invocations - Specific"
},
@@ -21922,6 +27553,22 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c1344fa2-323b-4d2e-9176-84b4d4821c88",
"value": "Windows Defender Exclusions Added - PowerShell"
},
@@ -21938,8 +27585,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
],
@@ -21969,6 +27616,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f772cee9-b7c2-4cb2-8f07-49870adc02e0",
"value": "Malicious Nishang PowerShell Commandlets"
},
@@ -21994,6 +27650,15 @@
"attack.t1546.015"
]
},
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8bc063d5-3a3a-4f01-a140-bc15e55e8437",
"value": "Suspicious GetTypeFromCLSID ShellExecute"
},
@@ -22019,6 +27684,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8028c2c3-e25a-46e3-827f-bbb5abf181d7",
"value": "WMImplant Hack Tool"
},
@@ -22043,6 +27724,15 @@
"attack.t1574.012"
]
},
+ "related": [
+ {
+ "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "23590215-4702-4a70-8805-8dc9e58314a2",
"value": "Registry-Free Process Scope COR_PROFILER"
},
@@ -22068,6 +27758,15 @@
"attack.t1048"
]
},
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d59d7842-9a21-4bc6-ba98-64bfe0091355",
"value": "Powershell DNSExfiltration"
},
@@ -22094,9 +27793,43 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e55a5195-4724-480e-a77e-3ebe64bd3759",
"value": "Invoke-Obfuscation Via Use MSHTA - PowerShell"
},
+ {
+ "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_susp_ace_tampering.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "2f77047c-e6e9-4c11-b088-a3de399524cd",
+ "value": "Potential Persistence Via Security Descriptors - ScriptBlock"
+ },
{
"description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.",
"meta": {
@@ -22110,8 +27843,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
],
"tags": [
@@ -22119,6 +27852,15 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85",
"value": "Powershell WMI Persistence"
},
@@ -22145,6 +27887,15 @@
"attack.t1020"
]
},
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb",
"value": "Windows PowerShell Upload Web Request"
},
@@ -22169,6 +27920,15 @@
"attack.t1137.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad",
"value": "Code Executed Via Office Add-in XLL File"
},
@@ -22185,8 +27945,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
"https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml"
],
"tags": [
@@ -22218,6 +27978,15 @@
"attack.t1217"
]
},
+ "related": [
+ {
+ "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e0565f5d-d420-4e02-8a68-ac00d864f9cf",
"value": "Automated Collection Bookmarks Using Get-ChildItem PowerShell"
},
@@ -22234,8 +28003,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
],
"tags": [
@@ -22243,6 +28012,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c1337eb8-921a-4b59-855b-4ba188ddcc42",
"value": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script"
},
@@ -22269,6 +28047,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "73e67340-0d25-11eb-adc1-0242ac120002",
"value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell"
},
@@ -22293,6 +28080,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb",
"value": "PowerShell Get-Process LSASS in ScriptBlock"
},
@@ -22317,6 +28113,15 @@
"attack.t1070.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "70ad982f-67c8-40e0-a955-b920c2fa05cb",
"value": "Suspicious IO.FileStream"
},
@@ -22343,6 +28148,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7",
"value": "Invoke-Obfuscation Via Stdin - Powershell"
},
@@ -22392,6 +28206,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6609c444-9670-4eab-9636-fe4755a851ce",
"value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)"
},
@@ -22416,6 +28239,15 @@
"attack.t1006"
]
},
+ "related": [
+ {
+ "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c",
"value": "Raw Disk Access Using Illegitimate Tools"
},
@@ -22432,8 +28264,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
"https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
+ "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml"
],
"tags": [
@@ -22441,6 +28273,15 @@
"attack.t1055.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
"value": "CobaltStrike Process Injection"
},
@@ -22465,6 +28306,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50",
"value": "Accessing WinAPI in PowerShell. Code Injection"
},
@@ -22490,6 +28340,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505",
"value": "Password Dumper Remote Thread in LSASS"
},
@@ -22516,6 +28375,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "994cac2b-92c2-44bf-8853-14f6ca39fbda",
"value": "Bumblebee Remote Thread Creation"
},
@@ -22540,6 +28415,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fb656378-f909-47c1-8747-278bf09f4f4f",
"value": "Potential Credential Dumping Attempt Via PowerShell Remote Thread"
},
@@ -22565,6 +28449,15 @@
"attack.t1055.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03",
"value": "Remote Thread Creation in Suspicious Targets"
},
@@ -22581,9 +28474,9 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://github.com/denandz/KeeFarce",
"https://github.com/GhostPack/KeeThief",
"https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/denandz/KeeFarce",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
],
"tags": [
@@ -22591,6 +28484,15 @@
"attack.t1555.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a",
"value": "KeePass Password Dumping"
},
@@ -22607,8 +28509,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
"https://twitter.com/SBousseaden/status/1090588499517079552",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
],
"tags": [
@@ -22620,6 +28522,36 @@
"attack.t1218.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40",
"value": "CACTUSTORCH Remote Thread Creation"
},
@@ -22636,8 +28568,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "Personal research, statistical analysis",
"https://lolbas-project.github.io",
+ "Personal research, statistical analysis",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml"
],
"tags": [
@@ -22691,6 +28623,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c15e99a3-c474-48ab-b9a7-84549a7a9d16",
"value": "Remote Thread Creation Ttdinject.exe Proxy"
},
@@ -22715,6 +28656,15 @@
"attack.t1055.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee",
"value": "CreateRemoteThread API and LoadLibrary"
},
@@ -22741,6 +28691,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e",
"value": "PowerShell Rundll32 Remote Thread Creation"
},
@@ -22766,6 +28732,22 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6",
"value": "Usage Of Malicious POORTRY Signed Driver"
},
@@ -22831,10 +28813,10 @@
"logsource.product": "windows",
"refs": [
"https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
- "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
+ "https://github.com/fengjixuchui/gdrv-loader",
"https://twitter.com/malmoeb/status/1551449425842786306",
"https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
- "https://github.com/fengjixuchui/gdrv-loader",
+ "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
],
"tags": [
@@ -22883,18 +28865,18 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/namazso/physmem_drivers",
"https://github.com/jbaines-r7/dellicious",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
"https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
- "https://github.com/stong/CVE-2020-15368",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
+ "https://github.com/namazso/physmem_drivers",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml"
],
"tags": [
@@ -22903,6 +28885,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c316eac1-f3d8-42da-ad1c-66dcec5ca787",
"value": "Vulnerable Driver Load By Name"
},
@@ -22927,6 +28918,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "46deb5e1-28c9-4905-b2df-51cdcc9e6073",
"value": "PowerShell Scripts Run by a Services"
},
@@ -22979,6 +28979,22 @@
"attack.t1557.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "679085d5-f427-4484-9f58-1dc30a7c426d",
"value": "WinDivert Driver Load"
},
@@ -22995,22 +29011,22 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
- "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/namazso/physmem_drivers",
"https://github.com/jbaines-r7/dellicious",
- "https://github.com/stong/CVE-2020-15368",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
"https://github.com/tandasat/ExploitCapcom",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
+ "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
+ "https://github.com/namazso/physmem_drivers",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml"
],
"tags": [
@@ -23019,6 +29035,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8",
"value": "Vulnerable Driver Load"
},
@@ -23045,6 +29070,22 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "21b23707-60d6-41bb-96e3-0f0481b0fed9",
"value": "Vulnerable Dell BIOS Update Driver Load"
},
@@ -23076,6 +29117,50 @@
"attack.s0005"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2",
"value": "Credential Dumping Tools Service Execution"
},
@@ -23092,8 +29177,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://processhacker.sourceforge.io/",
"https://systeminformer.sourceforge.io/",
+ "https://processhacker.sourceforge.io/",
"https://github.com/winsiderss/systeminformer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml"
],
@@ -23103,6 +29188,15 @@
"attack.t1543"
]
},
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "67add051-9ee7-4ad3-93ba-42935615ae8d",
"value": "Process Hacker and System Informer Driver Load"
},
@@ -23144,8 +29238,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
"https://github.com/alfarom256/CVE-2022-3699/",
+ "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml"
],
"tags": [
@@ -23154,6 +29248,15 @@
"attack.t1543"
]
},
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ac683a42-877b-4ff8-91ac-69e94b0f70b4",
"value": "Vulnerable Lenovo Driver Load"
},
@@ -23179,6 +29282,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1f21ec3f-810d-4b0e-8045-322202e22b4b",
"value": "PowerShell Network Connections"
},
@@ -23197,8 +29309,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
- "https://twitter.com/M_haggis/status/900741347035889665",
"https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://twitter.com/M_haggis/status/900741347035889665",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml"
],
"tags": [
@@ -23208,6 +29320,22 @@
"attack.t1567.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "635dbb88-67b3-4b41-9ea5-a3af2dd88153",
"value": "Microsoft Binary Github Communication"
},
@@ -23276,9 +29404,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
+ "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
"https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
"https://content.fireeye.com/apt-41/rpt-apt41",
- "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml"
],
"tags": [
@@ -23287,6 +29415,22 @@
"attack.t1102.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7",
"value": "Dead Drop Resolvers"
},
@@ -23311,6 +29455,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "992a6cae-db6a-43c8-9cec-76d7195c96fc",
"value": "Script Initiated Connection to Non-Local Network"
},
@@ -23350,8 +29503,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
"https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml"
],
"tags": [
@@ -23359,6 +29512,15 @@
"attack.t1218.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "468a8cea-2920-4909-a593-0cbe1d96674a",
"value": "HH.EXE Network Connections"
},
@@ -23383,6 +29545,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954",
"value": "Wuauclt Network Connection"
},
@@ -23408,6 +29579,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cdc8da7d-c303-42f8-b08c-b4ab47230263",
"value": "Rundll32 Internet Connection"
},
@@ -23461,6 +29641,22 @@
"attack.t1218.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095",
"value": "Regsvr32 Network Activity"
},
@@ -23488,6 +29684,22 @@
"attack.t1021.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045",
"value": "Remote PowerShell Session (Network)"
},
@@ -23514,6 +29726,15 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b",
"value": "Microsoft Sync Center Suspicious Network Connections"
},
@@ -23542,6 +29763,15 @@
"car.2013-07-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481",
"value": "RDP to HTTP or HTTPS Target Ports"
},
@@ -23568,6 +29798,15 @@
"attack.t1203"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84",
"value": "Excel Network Connections"
},
@@ -23592,6 +29831,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0dba975d-a193-4ed1-a067-424df57570d1",
"value": "Certutil Initiated Connection"
},
@@ -23608,8 +29856,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://www.ietf.org/rfc/rfc2821.txt",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml"
],
"tags": [
@@ -23617,6 +29865,15 @@
"attack.t1048.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9976fa64-2804-423c-8a5b-646ade840773",
"value": "Suspicious Outbound SMTP Connections"
},
@@ -23633,10 +29890,10 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/M_haggis/status/900741347035889665",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://twitter.com/M_haggis/status/900741347035889665",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
],
"tags": [
@@ -23644,6 +29901,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97",
"value": "Microsoft Binary Suspicious Communication Endpoint"
},
@@ -23675,6 +29941,43 @@
"attack.s0508"
]
},
+ "related": [
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1d08ac94-400d-4469-a82f-daee9a908849",
"value": "Communication To Ngrok Tunneling Service"
},
@@ -23699,6 +30002,15 @@
"attack.t1571"
]
},
+ "related": [
+ {
+ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4b89abaa-99fe-4232-afdd-8f9aa4d20382",
"value": "Suspicious Typical Malware Back Connect Ports"
},
@@ -23723,6 +30035,15 @@
"attack.t1127.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "50e54b8d-ad73-43f8-96a1-5191685b17a4",
"value": "Silenttrinity Stager Msbuild Activity"
},
@@ -23770,6 +30091,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "08249dc0-a28d-4555-8ba5-9255a198e08c",
"value": "Script Initiated Connection"
},
@@ -23820,6 +30150,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f",
"value": "Suspicious Program Location with Network Connections"
},
@@ -23847,6 +30186,15 @@
"car.2013-07-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4",
"value": "RDP Over Reverse SSH Tunnel"
},
@@ -23863,8 +30211,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
"https://ngrok.com/",
+ "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml"
],
"tags": [
@@ -23872,6 +30220,15 @@
"attack.t1567.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "18249279-932f-45e2-b37a-8925f2597670",
"value": "Communication To Ngrok.Io"
},
@@ -23888,8 +30245,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
+ "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml"
],
"tags": [
@@ -23897,6 +30254,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8d7e392e-9b28-49e1-831d-5949c6281228",
"value": "Download a File with IMEWDBLD.exe"
},
@@ -23924,6 +30290,22 @@
"attack.t1559.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cfed2f44-16df-4bf3-833a-79405198b277",
"value": "Dllhost Internet Connection"
},
@@ -23948,6 +30330,15 @@
"attack.t1218.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "efafe0bf-4238-479e-af8f-797bd3490d2d",
"value": "Cmstp Making Network Connection"
},
@@ -23964,8 +30355,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://twitter.com/forensicitguy/status/1513538712986079238",
+ "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
],
"tags": [
@@ -23973,6 +30364,15 @@
"attack.t1203"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583",
"value": "Equation Editor Network Connection"
},
@@ -23989,8 +30389,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
"https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
+ "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml"
],
"tags": "No established tags"
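Review bot: `"tags": "No established tags"` on the last context line gives `tags` a string type here while every other entry in this file models it as an array of ATT&CK tag strings, so consumers that iterate `meta.tags` unconditionally will break on this record. This line is pre-existing context rather than something the commit introduces, but since the file is regenerated by the script this commit adds, the generator is the place to fix it: emit `"tags": []` (or omit the key) when no tags are known instead of a sentinel string. The same sentinel pattern appears as `"logsource.category": "No established category"` elsewhere in the file and would benefit from the same treatment.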
@@ -24011,8 +30411,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://megatools.megous.com/",
"https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://megatools.megous.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
],
"tags": [
@@ -24020,6 +30420,15 @@
"attack.t1567.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4",
"value": "Communication To Mega.nz"
},
@@ -24044,6 +30453,15 @@
"attack.t1496"
]
},
+ "related": [
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329",
"value": "Windows Crypto Mining Pool Connections"
},
@@ -24069,6 +30487,15 @@
"attack.t1218.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f",
"value": "Msiexec Initiated Connection"
},
@@ -24085,8 +30512,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
"https://adsecurity.org/?p=2398",
+ "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml"
],
"tags": [
@@ -24095,6 +30522,22 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "11b1ed55-154d-4e82-8ad7-83739298f720",
"value": "Suspicious Process Writes Ntds.dit"
},
@@ -24111,8 +30554,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/binderlabs/DirCreate2System",
"https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
+ "https://github.com/binderlabs/DirCreate2System",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml"
],
"tags": [
@@ -24137,11 +30580,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://twitter.com/luc4m/status/1073181154126254080",
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
],
"tags": [
@@ -24149,6 +30592,15 @@
"attack.t1036.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3215aa19-f060-4332-86d5-5602511f3ca8",
"value": "Suspicious LNK Double Extension Files"
},
@@ -24173,6 +30625,15 @@
"attack.t1486"
]
},
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "caf02a0a-1e1c-4552-9b48-5e070bd88d11",
"value": "Suspicious Creation TXT File in User Desktop"
},
@@ -24242,6 +30703,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3a3f81ca-652c-482b-adeb-b1c804727f74",
"value": "Unidentified Attacker November 2018 - File"
},
@@ -24254,7 +30724,7 @@
"Legitimate use of the profile by developers or administrators"
],
"filename": "file_event_win_susp_vscode_powershell_profile.yml",
- "level": "high",
+ "level": "medium",
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
@@ -24267,6 +30737,15 @@
"attack.t1546.013"
]
},
+ "related": [
+ {
+ "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502",
"value": "VsCode Powershell Profile Modification"
},
@@ -24307,11 +30786,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
- "https://github.com/helpsystems/nanodump",
- "https://www.google.com/search?q=procdump+lsass",
"https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://www.google.com/search?q=procdump+lsass",
+ "https://github.com/helpsystems/nanodump",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml"
],
"tags": [
@@ -24319,6 +30798,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391",
"value": "LSASS Process Memory Dump Files"
},
@@ -24344,6 +30832,15 @@
"cve.2021.26858"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b06335b3-55ac-4b41-937e-16b7f5d57dfd",
"value": "CVE-2021-26858 Exchange Exploitation"
},
@@ -24369,6 +30866,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8",
"value": "Dumpert Process Dumper Default File"
},
@@ -24395,6 +30901,15 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d",
"value": "PsExec Service File Creation"
},
@@ -24435,11 +30950,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://twitter.com/luc4m/status/1073181154126254080",
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
],
"tags": [
@@ -24447,6 +30962,15 @@
"attack.t1036.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e",
"value": "Suspicious Double Extension Files"
},
@@ -24519,6 +31043,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5d756aee-ad3e-4306-ad95-cb1abec48de2",
"value": "GoToAssist Temporary Installation Artefact"
},
@@ -24590,6 +31123,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f0540f7e-2db3-4432-b9e0-3965486744bc",
"value": "Legitimate Application Dropped Executable"
},
@@ -24635,6 +31177,15 @@
"attack.t1137.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8e1cb247-6cf6-42fa-b440-3f27d57e9936",
"value": "Microsoft Office Add-In Loading"
},
@@ -24644,7 +31195,7 @@
"author": "@ScoubiMtl",
"creation_date": "2021/04/05",
"falsepositive": [
- "User genuinly creates a VB Macro for their email"
+ "User genuinely creates a VB Macro for their email"
],
"filename": "file_event_win_outlook_c2_macro_creation.yml",
"level": "medium",
@@ -24662,6 +31213,29 @@
"attack.t1546"
]
},
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61",
"value": "Outlook C2 Macro Creation"
},
@@ -24678,8 +31252,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
"https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
+ "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml"
],
"tags": [
@@ -24687,6 +31261,15 @@
"attack.t1564"
]
},
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "74babdd6-a758-4549-9632-26535279e654",
"value": "Suspicious Executable File Creation"
},
@@ -24703,9 +31286,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/hhlxf/PrintNightmare",
"https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/afwu/PrintNightmare",
+ "https://github.com/hhlxf/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
],
"tags": [
@@ -24716,6 +31299,15 @@
"cve.2021.1675"
]
},
+ "related": [
+ {
+ "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07",
"value": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern"
},
@@ -24740,6 +31332,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "034affe8-6170-11ec-844f-0f78aa0c4d66",
"value": "Mimikatz MemSSP Default Log File Creation"
},
@@ -24782,8 +31383,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
+ "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml"
],
"tags": [
@@ -24794,6 +31395,15 @@
"cve.2021.31979"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef",
"value": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum"
},
@@ -24844,6 +31454,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "162ab1e4-6874-4564-853c-53ec3ab8be01",
"value": "TeamViewer Remote Session"
},
@@ -24874,6 +31493,43 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "02773bed-83bf-469f-b7ff-e676e7d78bab",
"value": "BloodHound Collection Files"
},
@@ -24924,6 +31580,15 @@
"attack.t1137"
]
},
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece",
"value": "Office Template Creation"
},
@@ -24948,6 +31613,15 @@
"attack.t1195.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "805c55d9-31e6-4846-9878-c34c75054fe9",
"value": "Octopus Scanner Malware"
},
@@ -24974,6 +31648,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449",
"value": "Inveigh Execution Artefacts"
},
@@ -25000,6 +31683,15 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "409f8a98-4496-4aaa-818a-c931c0a8b832",
"value": "Created Files by Microsoft Sync Center"
},
@@ -25024,15 +31716,26 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2d367498-5112-4ae5-a06a-96e7bc33a211",
"value": "Suspicious Binary Writes Via AnyDesk"
},
{
- "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.",
+ "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n",
"meta": {
"author": "Greg (rule)",
"creation_date": "2022/07/21",
- "falsepositive": "No established falsepositives",
+ "falsepositive": [
+ "Unknown"
+ ],
"filename": "file_event_win_ripzip_attack.yml",
"level": "high",
"logsource.category": "file_event",
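Review bot: The new `description` value embeds literal `\n` separators and ends with a trailing `\n`, whereas the old value and every other description in this file section are single lines with no trailing whitespace. This looks like the rule's YAML block scalar being copied verbatim instead of normalized, so the field will render differently from its neighbours in any consumer that shows descriptions inline. The generator should strip the trailing newline and join the lines with a single space so the field keeps one consistent shape across the cluster.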
@@ -25042,12 +31745,12 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml"
],
"tags": [
- "attack.t1547",
- "attack.persistence"
+ "attack.persistence",
+ "attack.t1547"
]
},
"uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb",
- "value": "RipZip Attack on Startup Folder"
+ "value": "Potential RipZip Attack on Startup Folder"
},
{
"description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.",
@@ -25062,11 +31765,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
"https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -25123,11 +31826,20 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "68578b43-65df-4f81-9a9b-92f32711a951",
"value": "UAC Bypass Using Windows Media Player - File"
},
{
- "description": "Detects the creation of known powershell scripts for exploitation",
+ "description": "Detects the creation of known offensive powershell scripts used for exploitation",
"meta": {
"author": "Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein",
"creation_date": "2018/04/07",
@@ -25139,19 +31851,21 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
"https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/NetSPI/PowerUpSQL",
"https://github.com/CsEnox/EventViewer-UACBypass",
"https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/NetSPI/PowerUpSQL",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/samratashok/nishang",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
],
"tags": [
@@ -25159,6 +31873,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb",
"value": "Malicious PowerShell Commandlets - FileCreation"
},
@@ -25175,9 +31898,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
],
"tags": [
@@ -25187,6 +31910,15 @@
"attack.t1505.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6",
"value": "Suspicious File Drop by Exchange"
},
@@ -25213,6 +31945,15 @@
"attack.t1505.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9",
"value": "Suspicious MSExchangeMailboxReplication ASPX Write"
},
@@ -25229,8 +31970,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tifkin_/status/1321916444557365248",
"https://twitter.com/rbmaslen/status/1321859647091970051",
+ "https://twitter.com/tifkin_/status/1321916444557365248",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml"
],
"tags": [
@@ -25238,6 +31979,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6e90ae7a-7cd3-473f-a035-4ebb72d961da",
"value": "PCRE.NET Package Temp Files"
},
@@ -25290,6 +32040,43 @@
"attack.t1003.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8fbf3271-1ef6-4e94-8210-03c2317947f6",
"value": "Cred Dump Tools Dropped Files"
},
@@ -25316,6 +32103,15 @@
"attack.t1546.013"
]
},
+ "related": [
+ {
+ "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b5b78988-486d-4a80-b991-930eff3ff8bf",
"value": "PowerShell Profile Modification"
},
@@ -25340,6 +32136,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9711de76-5d4f-4c50-a94f-21e4e8f8384d",
"value": "Installation of TeamViewer Desktop"
},
@@ -25365,6 +32170,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "93a19907-d4f9-4deb-9f91-aac4692776a6",
"value": "UAC Bypass Using .NET Code Profiler on MMC"
},
@@ -25381,8 +32195,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
"https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml"
],
"tags": [
@@ -25414,6 +32228,15 @@
"attack.persistence"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4",
"value": "WMI Persistence - Script Event Consumer File Write"
},
@@ -25439,6 +32262,15 @@
"attack.t1021.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa",
"value": "Potential DCOM InternetExplorer.Application DLL Hijack"
},
@@ -25491,7 +32323,7 @@
"value": "Drop Binaries Into Spool Drivers Color Folder"
},
{
- "description": "Detects actions caused by the RedMimicry Winnti playbook",
+ "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook",
"meta": {
"author": "Alexander Rausch",
"creation_date": "2020/06/24",
@@ -25503,7 +32335,7 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://redmimicry.com",
+ "https://redmimicry.com/posts/redmimicry-winnti/#dropper",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml"
],
"tags": [
@@ -25512,7 +32344,7 @@
]
},
"uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e",
- "value": "RedMimicry Winnti Playbook Dropped File"
+ "value": "Potential Winnti Dropper Activity"
},
{
"description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.",
@@ -25527,8 +32359,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/14",
+ "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
],
"tags": [
@@ -25536,6 +32368,15 @@
"attack.t1552.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724",
"value": "Suspicious PFX File Creation"
},
@@ -25553,8 +32394,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/klinix5/InstallerFileTakeOver",
"https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
+ "https://github.com/klinix5/InstallerFileTakeOver",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
],
"tags": [
@@ -25562,6 +32403,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3be82d5d-09fe-4d6a-a275-0d40d234d324",
"value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event"
},
@@ -25590,20 +32440,22 @@
"value": "Mimikatz Kirbi File Creation"
},
{
- "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context",
+ "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.",
"meta": {
- "author": "frack113",
+ "author": "frack113, omkar72, oscd.community, Wojciech Lesicki",
"creation_date": "2022/11/18",
"falsepositive": [
- "Legitimate use"
+ "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675"
],
"filename": "file_event_win_net_cli_artefact.yml",
- "level": "medium",
+ "level": "high",
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
"https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
],
"tags": [
@@ -25611,6 +32463,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c",
"value": "NET CLR Binary Execution Usage Log Artifact"
},
@@ -25627,8 +32488,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
"https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
+ "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
"https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
],
@@ -25653,9 +32514,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
],
"tags": [
@@ -25677,8 +32538,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml"
],
"tags": [
@@ -25687,6 +32548,22 @@
"attack.t1059.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1",
"value": "Adwind RAT / JRAT File Artifact"
},
@@ -25711,6 +32588,15 @@
"attack.t1137.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917",
"value": "Outlook Form Installation"
},
@@ -25727,8 +32613,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml"
],
"tags": [
@@ -25736,6 +32622,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6902955a-01b7-432c-b32a-6f5f81d8f625",
"value": "LSASS Process Dump Artefact In CrashDumps Folder"
},
@@ -25761,8 +32656,17 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a",
- "value": "Remote Credential Dump"
+ "value": "Potential Remote Credential Dumping Activity"
},
{
"description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
@@ -25785,6 +32689,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377",
"value": "Anydesk Temporary Artefact"
},
@@ -25809,6 +32722,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb",
"value": "Wmiexec Default Output File"
},
@@ -25858,6 +32780,15 @@
"attack.t1546.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "97aa2e88-555c-450d-85a6-229bcd87efb8",
"value": "Suspicious Screensaver Binary File Creation"
},
@@ -25900,8 +32831,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml"
],
"tags": [
@@ -25909,6 +32840,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4",
"value": "Created Files by Office Applications"
},
@@ -25933,6 +32873,15 @@
"attack.t1027.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0",
"value": "Dynamic C Sharp Compile Artefact"
},
@@ -25942,7 +32891,7 @@
"author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
"creation_date": "2020/05/02",
"falsepositive": [
- "An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate"
+ "FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate"
],
"filename": "file_event_win_startup_folder_file_write.yml",
"level": "medium",
@@ -25983,6 +32932,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7fff6773-2baa-46de-a24a-b6eec1aba2d1",
"value": "UAC Bypass Using NTFS Reparse Point - File"
},
@@ -25999,8 +32957,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
@@ -26010,6 +32968,15 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d",
"value": "Suspicious NTDS.DIT Creation"
},
@@ -26026,9 +32993,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
+ "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
],
"tags": [
@@ -26036,6 +33003,15 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a",
"value": "Suspicious NTDS Exfil Filename Patterns"
},
@@ -26061,6 +33037,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e074832a-eada-4fd7-94a1-10642b130e16",
"value": "SafetyKatz Default Dump Filename"
},
@@ -26077,8 +33062,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
"https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
+ "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml"
],
"tags": [
@@ -26086,6 +33071,15 @@
"attack.t1587"
]
},
+ "related": [
+ {
+ "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "60c0a111-787a-4e8a-9262-ee485f3ef9d5",
"value": "Suspicious Word Cab File Write CVE-2021-40444"
},
@@ -26134,6 +33128,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "48ea844d-19b1-4642-944e-fe39c2cc1fec",
"value": "UAC Bypass Using IDiagnostic Profile - File"
},
@@ -26159,6 +33162,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fc4f4817-0c53-4683-a4ee-b17a64bc1039",
"value": "Suspicious Desktopimgdownldr Target File"
},
@@ -26184,6 +33196,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "62ed5b55-f991-406a-85d9-e8e8fdf18789",
"value": "UAC Bypass Using Consent and Comctl32 - File"
},
@@ -26200,11 +33221,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0/CVE-2021-36934",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
"https://github.com/HuskyHacks/ShadowSteal",
- "https://github.com/search?q=CVE-2021-36934",
"https://github.com/FireFart/hivenightmare",
+ "https://github.com/cube0x0/CVE-2021-36934",
+ "https://github.com/search?q=CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
],
"tags": [
@@ -26212,36 +33233,17 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0",
- "value": "SAM Dump File Creation"
- },
- {
- "description": "Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.",
- "meta": {
- "author": "omkar72, oscd.community, Wojciech Lesicki",
- "creation_date": "2020/10/12",
- "falsepositive": [
- "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675"
- ],
- "filename": "file_event_win_susp_clr_logs.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml",
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.t1059.001",
- "attack.t1218"
- ]
- },
- "uuid": "e4b63079-6198-405c-abd7-3fe8b0ce3263",
- "value": "Suspicious CLR Logs Creation"
+ "value": "Potential SAM Database Dump"
},
{
"description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
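Review bot: The cluster entry with uuid `e4b63079-6198-405c-abd7-3fe8b0ce3263` ("Suspicious CLR Logs Creation") is deleted outright in this hunk rather than retired, which breaks any event or galaxy relationship that already points at that uuid. The upstream rule appears to have been renamed (an entry "NET CLR Binary Execution Usage Log Artifact" is visible earlier in this file), so the safer options are to keep the old uuid on the renamed entry, or to leave the old entry in place with a deprecation marker pointing to its successor. If the removal is intentional, the commit message should say so, since the diffstat alone reads as a bulk regeneration.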
@@ -26290,6 +33292,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "41bb431f-56d8-4691-bb56-ed34e390906f",
"value": "UAC Bypass Using MSConfig Token Modification - File"
},
@@ -26339,6 +33350,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb",
"value": "EVTX Created In Uncommon Location"
},
@@ -26355,10 +33375,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
- "https://github.com/FireFart/hivenightmare/",
- "https://github.com/GossiTheDog/HiveNightmare",
"https://twitter.com/cube0x0/status/1418920190759378944",
+ "https://github.com/GossiTheDog/HiveNightmare",
+ "https://github.com/FireFart/hivenightmare/",
+ "https://github.com/WiredPulse/Invoke-HiveNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml"
],
"tags": [
@@ -26392,6 +33412,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8",
"value": "UAC Bypass Abusing Winsat Path Parsing - File"
},
@@ -26416,6 +33445,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4",
"value": "QuarksPwDump Dump File"
},
@@ -26432,9 +33470,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
"https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml"
],
"tags": [
@@ -26442,6 +33480,15 @@
"attack.t1587.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8468111a-ef07-4654-903b-b863a80bbc95",
"value": "Suspicious VHD Image Download From Browser"
},
@@ -26467,6 +33514,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb",
"value": "UAC Bypass Using IEInstal - File"
},
@@ -26491,6 +33547,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fec96f39-988b-4586-b746-b93d59fd1922",
"value": "ScreenConnect Temporary Installation Artefact"
},
@@ -26520,6 +33585,15 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c",
"value": "Potential Initial Access via DLL Search Order Hijacking"
},
@@ -26544,6 +33618,15 @@
"attack.t1564"
]
},
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18",
"value": "Suspicious Creation with Colorcpl"
},
@@ -26567,6 +33650,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "52753ea4-b3a0-4365-910d-36cff487b789",
"value": "Hijack Legit RDP Session to Move Laterally"
},
@@ -26592,7 +33684,7 @@
]
},
"uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692",
- "value": "Persistence Via Notepad++ Plugins"
+ "value": "Potential Persistence Via Notepad++ Plugins"
},
{
"description": "Detects windows executables that writes files with suspicious extensions",
@@ -26637,6 +33729,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5e3d3601-0662-4af0-b1d2-36a05e90c40a",
"value": "LSASS Memory Dump File Creation"
},
@@ -26653,10 +33754,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
"https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
"https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
],
"tags": "No established tags"
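Review bot: `"tags": "No established tags"` gives this key a string type, whereas every other entry in the hunks above carries `tags` as an array of strings; a consumer iterating `meta.tags` will break or silently iterate characters on this entry. Since the relationship script derives `related` entries from the `attack.*` tags, a sentinel string here also means the entry gets no relationships, which looks like the intended empty case. Emit `"tags": []` for rules without tags (and drop the key entirely if the galaxy schema allows it) so the field has one type across the file.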
@@ -26686,6 +33787,15 @@
"cve.2022.24527"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e0a41412-c69a-446f-8e6e-0e6d7483dad7",
"value": "CVE-2022-24527 Microsoft Connected Cache LPE"
},
@@ -26738,6 +33848,15 @@
"attack.t1587.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "297afac9-5d02-4138-8c58-b977bac60556",
"value": "Creation of an Executable by an Executable"
},
@@ -26778,9 +33897,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://github.com/fox-it/LDAPFragger",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
+ "https://github.com/fox-it/LDAPFragger",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
],
"tags": [
@@ -26788,6 +33907,15 @@
"attack.command_and_control"
]
},
+ "related": [
+ {
+ "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb",
"value": "Suspicious ADSI-Cache Usage By Unknown Tool"
},
@@ -26804,8 +33932,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Sam0x90/status/1552011547974696960",
"https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
+ "https://twitter.com/Sam0x90/status/1552011547974696960",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
],
"tags": [
@@ -26837,6 +33965,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d353dac0-1b41-46c2-820c-d7d2561fc6ed",
"value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File"
},
@@ -26912,6 +34049,15 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b",
"value": "Suspicious Get-Variable.exe Creation"
},
@@ -26936,6 +34082,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182",
"value": "WerFault LSASS Process Memory Dump"
},
@@ -26961,6 +34116,15 @@
"attack.t1528"
]
},
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6902955a-01b7-432c-b32a-6f5f81d8f624",
"value": "Suspicious File Event With Teams Objects"
},
@@ -26985,6 +34149,15 @@
"attack.t1546.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f",
"value": "Writing Local Admin Share"
},
@@ -27009,6 +34182,15 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c048f047-7e2a-4888-b302-55f509d4a91d",
"value": "SCR File Write Event"
},
@@ -27033,6 +34215,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9433ff9c-5d3f-4269-99f8-95fc826ea489",
"value": "CrackMapExec File Creation Patterns"
},
@@ -27057,6 +34248,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26",
"value": "Legitimate Application Dropped Archive"
},
@@ -27073,11 +34273,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/Wh04m1001/SysmonEoP",
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
],
"tags": [
@@ -27114,6 +34314,15 @@
"attack.t1021.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "614a7e17-5643-4d89-b6fe-f9df1a79641c",
"value": "Wmiprvse Wbemcomn DLL Hijack - File"
},
@@ -27138,6 +34347,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7d604714-e071-49ff-8726-edeb95a70679",
"value": "Legitimate Application Dropped Script"
},
@@ -27155,6 +34373,8 @@
"logsource.product": "windows",
"refs": [
"Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
+ "http://addbalance.com/word/startup.htm",
+ "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml"
],
"tags": [
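Review bot: The newly added reference `"http://addbalance.com/word/startup.htm"` is the only plain-HTTP URL among the refs added in this change; the other refs in this entry use https, and an unauthenticated reference is easier to tamper with or hijack once the domain lapses. If the host serves TLS, use the https form; if this list mirrors the upstream Sigma rule verbatim, the correction belongs upstream so the next regeneration does not reintroduce it.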
@@ -27162,6 +34382,15 @@
"attack.t1587.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d",
"value": "Creation In User Word Startup Folder"
},
@@ -27211,6 +34440,15 @@
"attack.t1567.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "34986307-b7f4-49be-92f3-e7a4d01ac5db",
"value": "Rclone Config File Creation"
},
@@ -27227,8 +34465,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1552932770464292864",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
+ "https://twitter.com/cyb3rops/status/1552932770464292864",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
],
"tags": [
@@ -27279,8 +34517,8 @@
"logsource.category": "file_rename",
"logsource.product": "windows",
"refs": [
- "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
"https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
+ "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml"
],
"tags": [
@@ -27288,6 +34526,15 @@
"attack.t1486"
]
},
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99",
"value": "Suspicious Appended Extension"
},
@@ -27359,6 +34606,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3",
"value": "Deletes Backup Files"
},
@@ -27384,6 +34640,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc",
"value": "Sysinternals SDelete File Deletion"
},
@@ -27408,6 +34673,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b1decb61-ed83-4339-8e95-53ea51901720",
"value": "Delete Log from Application"
},
@@ -27431,6 +34705,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0a1f9d29-6465-4776-b091-7f43b26e4c89",
"value": "Prefetch File Deletion"
},
@@ -27447,8 +34730,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/hhlxf/PrintNightmare",
"https://github.com/cube0x0/CVE-2021-1675",
+ "https://github.com/hhlxf/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml"
],
"tags": [
@@ -27459,6 +34742,15 @@
"cve.2021.1675"
]
},
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf",
"value": "Windows Spooler Service Suspicious File Deletion"
},
@@ -27523,8 +34815,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml"
],
"tags": [
@@ -27532,6 +34824,15 @@
"attack.credential_access"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6",
"value": "Credential Manager Access"
},
@@ -27548,8 +34849,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords",
"https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml"
],
"tags": [
@@ -27557,6 +34858,15 @@
"attack.t1555.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "46612ae6-86be-4802-bc07-39b59feb1309",
"value": "Suspicious Access To Windows DPAPI Master Keys"
},
@@ -27585,6 +34895,15 @@
"attack.credential_access"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf",
"value": "Browser Credential Store Access"
},
@@ -27601,8 +34920,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
"https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
+ "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml"
],
"tags": [
@@ -27610,6 +34929,15 @@
"attack.t1555.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2",
"value": "Suspicious Access To Windows Credential History File"
},
@@ -27658,9 +34986,52 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a",
"value": "File Creation Date Changed to Another Year"
},
+ {
+ "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/11/24",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "dns_query_win_lolbin_appinstaller.yml",
+ "level": "medium",
+ "logsource.category": "dns_query",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
+ "https://twitter.com/notwhickey/status/1333900137232523264",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a",
+ "value": "AppX Package Installation Attempts Via AppInstaller"
+ },
{
"description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service",
"meta": {
@@ -27682,6 +35053,15 @@
"attack.t1554"
]
},
+ "related": [
+ {
+ "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d",
"value": "DNS HybridConnectionManager Service Bus"
},
@@ -27706,34 +35086,18 @@
"attack.t1567.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "065cceea-77ec-4030-9052-fc0affea7110",
"value": "DNS Query for Anonfiles.com Domain"
},
- {
- "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/11/24",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "dns_query_win_lobas_appinstaller.yml",
- "level": "medium",
- "logsource.category": "dns_query",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/notwhickey/status/1333900137232523264",
- "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1105"
- ]
- },
- "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a",
- "value": "AppInstaller Attempts From URL by DNS"
- },
{
"description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
"meta": {
@@ -27747,9 +35111,9 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
"https://redcanary.com/blog/misbehaving-rats/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
],
@@ -27758,6 +35122,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52",
"value": "DNS Query To Remote Access Software Domain"
},
@@ -27785,6 +35158,22 @@
"attack.t1218.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "36e037c4-c228-4866-b6a3-48eb292b9955",
"value": "Regsvr32 Network Activity - DNS"
},
@@ -27809,6 +35198,15 @@
"attack.t1567.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b",
"value": "DNS Query for Ufile.io Upload Domain"
},
@@ -27833,6 +35231,15 @@
"attack.t1567.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3",
"value": "DNS Query for MEGA.io Upload Domain"
},
@@ -27858,6 +35265,15 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006",
"value": "Suspicious Cobalt Strike DNS Beaconing"
},
@@ -27883,6 +35299,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e",
"value": "Suspicious TeamViewer Domain Access"
},
@@ -27907,6 +35332,15 @@
"attack.t1090.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544",
"value": "Query Tor Onion Address"
},
@@ -27931,6 +35365,15 @@
"attack.t1482"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e",
"value": "Suspicious LDAP Domain Access"
},
@@ -27953,6 +35396,15 @@
"attack.t1189"
]
},
+ "related": [
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eb07e747-2552-44cd-af36-b659ae0958e4",
"value": "Possible DNS Rebinding"
},
@@ -27978,6 +35430,15 @@
"attack.t1590"
]
},
+ "related": [
+ {
+ "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2",
"value": "Suspicious DNS Query for IP Lookup Service APIs"
},
@@ -28027,6 +35488,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "94771a71-ba41-4b6e-a757-b531372eaab6",
"value": "Suspicious Minimized MSEdge Start"
},
@@ -28051,6 +35521,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd",
"value": "Suspicious Subsystem for Linux Bash Execution"
},
@@ -28075,6 +35554,15 @@
"attack.t1218.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471",
"value": "MSHTA Spwaned by SVCHOST"
},
@@ -28091,8 +35579,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing",
"https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml"
],
"tags": [
@@ -28100,6 +35588,15 @@
"attack.t1021.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd",
"value": "MMC20 Lateral Movement"
},
@@ -28225,6 +35722,15 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221",
"value": "Rundll32 InstallScreenSaver Execution"
},
@@ -28250,6 +35756,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5",
"value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand"
},
@@ -28274,6 +35789,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819",
"value": "Suspicious Control Panel DLL Load"
},
@@ -28319,12 +35843,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1433344116071583746",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
"https://twitter.com/eral4m/status/1479106975967240209",
- "https://twitter.com/eral4m/status/1479080793003671557",
"https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
"http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
+ "https://twitter.com/eral4m/status/1479080793003671557",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml"
],
"tags": [
@@ -28332,6 +35856,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9",
"value": "Suspicious Rundll32 Activity"
},
@@ -28356,6 +35889,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3ede524d-21cc-472d-a3ce-d21b568d8db7",
"value": "PsExec Service Start"
},
@@ -28380,6 +35922,15 @@
"attack.t1217"
]
},
+ "related": [
+ {
+ "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006",
"value": "Suspicious DIR Execution"
},
@@ -28405,6 +35956,15 @@
"attack.t1021"
]
},
+ "related": [
+ {
+ "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "730fc21b-eaff-474b-ad23-90fd265d4988",
"value": "Psexec Accepteula Condition"
},
@@ -28421,9 +35981,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
- "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
"https://securelist.com/my-name-is-dtrack/93338/",
+ "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
+ "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
],
"tags": [
@@ -28431,6 +35991,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4",
"value": "DTRACK Process Creation"
},
@@ -28480,6 +36049,15 @@
"attack.t1539"
]
},
+ "related": [
+ {
+ "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "24c77512-782b-448a-8950-eddb0785fc71",
"value": "SQLite Chrome Cookie DB Access"
},
@@ -28496,8 +36074,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml"
],
"tags": [
@@ -28505,6 +36083,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5",
"value": "ScreenConnect Backstage Mode Anomaly"
},
@@ -28531,6 +36118,29 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c75309a3-59f8-4a8d-9c2c-4c927ad50555",
"value": "Exfiltration and Tunneling Tools Execution"
},
@@ -28547,8 +36157,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
"https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
+ "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml"
],
"tags": [
@@ -28556,6 +36166,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c57872c7-614f-4d7f-a40d-b78c8df2d30d",
"value": "CL_LoadAssembly.ps1 Proxy Execution"
},
@@ -28572,8 +36191,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html",
+ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml"
],
"tags": [
@@ -28583,6 +36202,22 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487",
"value": "DNS RCE CVE-2020-1350"
},
@@ -28600,8 +36235,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml"
],
"tags": [
@@ -28609,6 +36244,15 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a58353df-af43-4753-bad0-cd83ef35eef5",
"value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)"
},
@@ -28634,6 +36278,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372",
"value": "XORDump Use"
},
@@ -28650,9 +36303,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://twitter.com/frack113/status/1555830623633375232",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml"
],
"tags": [
@@ -28660,6 +36313,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a96970af-f126-420d-90e1-d37bf25e50e1",
"value": "Use Short Name Path in Image"
},
@@ -28682,6 +36344,15 @@
"attack.t1021.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d",
"value": "MMC Spawning Windows Shell"
},
@@ -28753,6 +36424,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41",
"value": "Microsoft IIS Connection Strings Decryption"
},
@@ -28777,6 +36457,15 @@
"attack.t1090"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d7654f02-e04b-4934-9838-65c46f187ebc",
"value": "IOX Tunneling Tool"
},
@@ -28793,9 +36482,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
- "https://twitter.com/countuponsec/status/910977826853068800",
"https://twitter.com/countuponsec/status/910969424215232518",
+ "https://twitter.com/countuponsec/status/910977826853068800",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
],
"tags": [
@@ -28803,6 +36492,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516",
"value": "Dumping Process via Sqldumper.exe"
},
@@ -28851,6 +36549,15 @@
"attack.t1564.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4ae81040-fc1c-4249-bfa3-938d260214d9",
"value": "Use Icacls to Hide File to Everyone"
},
@@ -28867,10 +36574,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/techniques/T1036/",
+ "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
"https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
"https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
- "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml"
],
"tags": [
@@ -28879,6 +36585,15 @@
"attack.t1036.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "96036718-71cc-4027-a538-d1587e0006a7",
"value": "Windows Processes Suspicious Parent Directory"
},
@@ -28951,6 +36666,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133",
"value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code"
},
@@ -28977,6 +36701,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19",
"value": "Malicious Payload Download via Office Binaries"
},
@@ -29001,6 +36734,15 @@
"attack.t1204"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5325945e-f1f0-406e-97b8-65104d393fff",
"value": "Snatch Ransomware"
},
@@ -29017,9 +36759,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/netero1010/TrustedPath-UACBypass-BOF",
"https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml"
],
"tags": [
@@ -29027,6 +36769,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126",
"value": "TrustedPath UAC Bypass Pattern"
},
@@ -29043,8 +36794,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
],
"tags": [
@@ -29052,6 +36803,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5",
"value": "Use of Wfc.exe"
},
@@ -29068,10 +36828,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml"
],
"tags": [
@@ -29082,6 +36842,22 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "99c840f2-2012-46fd-9141-c761987550ef",
"value": "Bitsadmin Download File from IP"
},
@@ -29098,9 +36874,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/1420053502554951689",
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
"https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
+ "https://twitter.com/Hexacorn/status/1420053502554951689",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
],
"tags": [
@@ -29109,6 +36885,22 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e",
"value": "Suspicious LSASS Process Clone"
},
@@ -29138,6 +36930,22 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0c92f2e6-f08f-4b73-9216-ecb0ca634689",
"value": "Potential PE Metadata Tamper Using Rcedit"
},
@@ -29164,6 +36972,15 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "47688f1b-9f51-4656-b013-3cc49a166a36",
"value": "Base64 Encoded Listing of Shadowcopy"
},
@@ -29180,9 +36997,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/raspberry-robin/",
- "https://github.com/SigmaHQ/sigma/issues/1009",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://github.com/SigmaHQ/sigma/issues/1009",
+ "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml"
],
"tags": [
@@ -29228,8 +37045,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
"https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"
],
"tags": [
@@ -29237,6 +37054,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1e59c230-6670-45bf-83b0-98903780607e",
"value": "Gpscript Execution"
},
@@ -29253,12 +37079,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/techniques/T1482/",
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
- "https://attack.mitre.org/techniques/T1016/",
+ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
],
"tags": [
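Review bot: Two attack.mitre.org technique references (T1482 and T1016) are dropped from `refs` here, while the `related` block added in the following hunk links only one dest-uuid; if `attack.t1016` is still present in this rule's `tags` (the tag list is outside the hunk), the relationship script appears to have emitted no link for it, and removing the URL then leaves that technique unreferenced in the entry. Worth confirming the script maps every `attack.tNNNN` tag, or keeping the mitre.org URLs in `refs` until it does; the Windows Processes Suspicious Parent Directory hunk drops its T1036 reference the same way, though there the related link is present. The enclosing rule entry starts and ends outside the hunk.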
@@ -29267,6 +37091,15 @@
"attack.t1482"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248",
"value": "Recon Activity with NLTEST"
},
@@ -29291,6 +37124,15 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62",
"value": "Netsh RDP Port Opening"
},
@@ -29315,6 +37157,15 @@
"attack.t1505.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "83809e84-4475-4b69-bc3e-4aad8568612f",
"value": "MSExchange Transport Agent Installation"
},
@@ -29342,6 +37193,15 @@
"car.2019-04-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47",
"value": "CMSTP Execution Process Creation"
},
@@ -29373,6 +37233,36 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "41d40bff-377a-43e2-8e1b-2e543069e079",
"value": "WannaCry Ransomware"
},
@@ -29397,6 +37287,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8",
"value": "Suspicious Add Scheduled Task From User AppData Temp"
},
@@ -29422,6 +37321,15 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "438025f9-5856-4663-83f7-52f878a70a50",
"value": "Microsoft Office Product Spawning Windows Shell"
},
@@ -29447,6 +37355,22 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9",
"value": "Suspicious XOR Encoded PowerShell Command Line"
},
@@ -29463,8 +37387,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
"https://github.com/mandiant/SharPersist",
+ "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml"
],
"tags": [
@@ -29514,8 +37438,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/BloodHoundAD/SharpHound",
"https://github.com/BloodHoundAD/BloodHound",
+ "https://github.com/BloodHoundAD/SharpHound",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml"
],
"tags": [
@@ -29529,6 +37453,43 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962",
"value": "Bloodhound and Sharphound Hack Tool"
},
@@ -29545,8 +37506,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
"https://twitter.com/johnlatwc/status/1408062131321270282?s=12",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml"
],
"tags": [
@@ -29554,6 +37515,15 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ebef4391-1a81-4761-a40a-1db446c0e625",
"value": "Suspicious WMIC ActiveScriptEventConsumer Creation"
},
@@ -29580,6 +37550,15 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e",
"value": "WMI Persistence - Script Event Consumer"
},
@@ -29605,6 +37584,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "42333b2c-b425-441c-b70e-99404a17170f",
"value": "Sliver C2 Implant Activity Pattern"
},
@@ -29653,6 +37641,15 @@
"attack.privilege_escalation"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716",
"value": "Suspicious Processes Spawned by WinRM"
},
@@ -29723,6 +37720,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f",
"value": "F-Secure C3 Load by Rundll32"
},
@@ -29739,8 +37745,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Oddvarmoe/status/1270633613449723905",
"https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
+ "https://twitter.com/Oddvarmoe/status/1270633613449723905",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml"
],
"tags": [
@@ -29748,6 +37754,15 @@
"attack.t1059.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "087790e3-3287-436c-bccf-cbd0184a7db1",
"value": "Cmd.exe CommandLine Path Traversal"
},
@@ -29796,6 +37811,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04",
"value": "Suspicious Sigverif Execution"
},
@@ -29822,6 +37846,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "74403157-20f5-415d-89a7-c505779585cf",
"value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString"
},
@@ -29870,6 +37903,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "185d7418-f250-42d0-b72e-0c8b70661e93",
"value": "Suspicious Diantz Download and Compress Into a CAB File"
},
@@ -29888,9 +37930,9 @@
"refs": [
"https://isc.sans.edu/diary/22264",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml"
],
"tags": [
@@ -29901,6 +37943,22 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c",
"value": "Bitsadmin Download from Suspicious Domain"
},
@@ -29917,9 +37975,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1534915321856917506",
- "https://twitter.com/nas_bench/status/1534916659676422152",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
+ "https://twitter.com/nas_bench/status/1534916659676422152",
+ "https://twitter.com/nas_bench/status/1534915321856917506",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml"
],
"tags": [
@@ -29928,6 +37986,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53",
"value": "Use of Adplus.exe"
},
@@ -29944,8 +38011,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://www.nirsoft.net/utils/nircmd2.html#using",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml"
],
@@ -29955,6 +38022,15 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4",
"value": "NirCmd Tool Execution As LOCAL SYSTEM"
},
@@ -29981,6 +38057,15 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fd6e2919-3936-40c9-99db-0aa922c356f7",
"value": "Malicious Base64 Encoded Powershell Invoke Cmdlets"
},
@@ -30006,6 +38091,15 @@
"attack.t1059.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "966e4016-627f-44f7-8341-f394905c361f",
"value": "WMIExec VBS Script"
},
@@ -30033,7 +38127,7 @@
"value": "Taskmgr as LOCAL_SYSTEM"
},
{
- "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity",
+ "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity",
"meta": {
"author": "Florian Roth",
"creation_date": "2021/04/23",
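Review bot: The new description reads "and it's aliases", which should be "its aliases". Since this text is mirrored from the upstream Sigma rule, the correction belongs upstream so the next regeneration does not reintroduce it; the escaped quotes around `\"Get-Process\"` are fine as written.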
@@ -30053,6 +38147,15 @@
"attack.t1552.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349",
"value": "PowerShell Get-Process LSASS"
},
@@ -30078,6 +38181,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a85ffc3a-e8fd-4040-93bf-78aff284d801",
"value": "Use Of The SFTP.EXE Binary As A LOLBIN"
},
@@ -30104,6 +38216,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4cbef972-f347-4170-b62a-8253f6168e6d",
"value": "UAC Bypass Using IDiagnostic Profile"
},
@@ -30120,8 +38241,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
"https://twitter.com/harr0ey/status/989617817849876488",
+ "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml"
],
"tags": [
@@ -30129,6 +38250,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05",
"value": "Code Execution via Pcwutl.dll"
},
@@ -30181,6 +38311,15 @@
"attack.t1059.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ee5e119b-1f75-4b34-add8-3be976961e39",
"value": "Conhost.exe CommandLine Path Traversal"
},
@@ -30206,6 +38345,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb",
"value": "Renamed jusched.exe"
},
@@ -30232,6 +38380,15 @@
"attack.t1222.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde",
"value": "Suspicious Recursive Takeown"
},
@@ -30281,6 +38438,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2",
"value": "UAC Bypass Using Windows Media Player - Process"
},
@@ -30305,6 +38471,15 @@
"attack.t1572"
]
},
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da",
"value": "Suspicious Plink Usage RDP Tunneling"
},
@@ -30353,6 +38528,15 @@
"attack.t1055.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d1aa3382-abab-446f-96ea-4de52908210b",
"value": "TAIDOOR RAT DLL Load"
},
@@ -30377,6 +38561,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16",
"value": "SystemNightmare Exploitation Script Execution"
},
@@ -30393,9 +38586,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/wermgr.exe",
- "https://github.com/binderlabs/DirCreate2System",
"https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://github.com/binderlabs/DirCreate2System",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml"
],
"tags": "No established tags"
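Review bot: The context line `"tags": "No established tags"` gives this key a string value while every other entry in the patch has `"tags"` as an array, so any consumer iterating tags must special-case this sentinel. Since the file is regenerated by the relationship script in this commit, emitting `"tags": []` (or omitting the key) for rules without tags would keep the key single-typed; the wermgr `refs` reordering in this hunk is otherwise content-neutral.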
@@ -30425,6 +38618,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e",
"value": "Suspicious RASdial Activity"
},
@@ -30441,8 +38643,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1562072617552678912",
"https://ss64.com/nt/cmd.html",
+ "https://twitter.com/cyb3rops/status/1562072617552678912",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml"
],
"tags": [
@@ -30450,6 +38652,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a16980c2-0c56-4de0-9a79-17971979efdd",
"value": "Missing Space Characters in Command Lines"
},
@@ -30466,10 +38677,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/raspberry-robin/",
- "https://twitter.com/Hexacorn/status/1187143326673330176",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://redcanary.com/blog/raspberry-robin/",
+ "https://twitter.com/Hexacorn/status/1187143326673330176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml"
],
"tags": [
@@ -30477,6 +38688,15 @@
"attack.t1218.008"
]
},
+ "related": [
+ {
+ "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e",
"value": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe"
},
@@ -30502,6 +38722,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf",
"value": "Download Arbitrary Files Via MSPUB.EXE"
},
@@ -30527,6 +38756,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "01c42d3c-242d-4655-85b2-34f1739632f7",
"value": "Abusing Permissions Using Dsacls"
},
@@ -30552,6 +38790,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f426547a-e0f7-441a-b63e-854ac5bdf54d",
"value": "Perl Inline Command Execution"
},
@@ -30579,6 +38826,15 @@
"attack.t1615"
]
},
+ "related": [
+ {
+ "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e56d3073-83ff-4021-90fe-c658e0709e72",
"value": "Gpresult Display Group Policy Information"
},
@@ -30595,8 +38851,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
"https://github.com/carlospolop/PEASS-ng",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml"
],
"tags": [
@@ -30631,6 +38887,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34",
"value": "Execution via stordiag.exe"
},
@@ -30647,8 +38912,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml"
@@ -30660,6 +38925,22 @@
"attack.t1021.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "10c14723-61c7-4c75-92ca-9af245723ad2",
"value": "Impacket Lateralization Detection"
},
@@ -30686,6 +38967,22 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e",
"value": "Execute Code with Pester.bat"
},
@@ -30757,6 +39054,15 @@
"cve.2021.35211"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "75578840-9526-4b2a-9462-af469a45e767",
"value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322"
},
@@ -30773,9 +39079,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
],
"tags": [
@@ -30783,6 +39089,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d",
"value": "Sensitive Registry Access via Volume Shadow Copy"
},
@@ -30807,6 +39122,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b",
"value": "Unusual Parent Process for cmd.exe"
},
@@ -30833,6 +39157,15 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e",
"value": "Suspicious Base64 Encoded Powershell Invoke"
},
@@ -30857,6 +39190,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e",
"value": "File Download with Headless Browser"
},
@@ -30882,6 +39224,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a743ceba-c771-4d75-97eb-8a90f7f4844c",
"value": "UAC Bypass Using PkgMgr and DISM"
},
@@ -30907,6 +39258,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd71385d-fd9b-4691-9b98-2b1f7e508714",
"value": "Lolbin Runexehelper Use As Proxy"
},
@@ -30957,6 +39317,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4ae3e30b-b03f-43aa-87e3-b622f4048eed",
"value": "Winword LOLBIN Usage"
},
@@ -30987,6 +39356,22 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ba778144-5e3d-40cf-8af9-e28fb1df1e20",
"value": "Sofacy Trojan Loader Activity"
},
@@ -31027,8 +39412,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
+ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml"
],
"tags": [
@@ -31052,8 +39437,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
"https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/",
+ "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml"
],
"tags": [
@@ -31061,6 +39446,15 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "36222790-0d43-4fe8-86e4-674b27809543",
"value": "DNS Tunnel Technique from MuddyWater"
},
@@ -31085,6 +39479,15 @@
"attack.t1564.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4281cb20-2994-4580-aa63-c8b86d019934",
"value": "Hiding Files with Attrib.exe"
},
@@ -31110,6 +39513,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "28c8f68b-098d-45af-8d43-8089f3e35403",
"value": "Suspicious Registration via cscript.exe"
},
@@ -31224,9 +39636,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.poweradmin.com/paexec/",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.poweradmin.com/paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml"
],
"tags": [
@@ -31234,6 +39646,15 @@
"attack.t1587.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23",
"value": "PsExec/PAExec Escalation to LOCAL SYSTEM"
},
@@ -31259,33 +39680,18 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e",
"value": "Sysprep on AppData Folder"
},
- {
- "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/05/24",
- "falsepositive": [
- "Other tools that work with encoded scripts in the command line instead of script files"
- ],
- "filename": "proc_creation_win_susp_powershell_cmd_patterns.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c",
- "value": "Suspicious PowerShell Encoded Command Patterns"
- },
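Review bot: The entry with uuid b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c ("Suspicious PowerShell Encoded Command Patterns") is deleted outright, which leaves any `related` dest-uuid elsewhere in the galaxy or any MISP attribute already tagged with that cluster pointing at nothing. Before dropping it, confirm that no dest-uuid in the repository references this uuid and that the upstream rule was actually removed rather than renamed (the filename proc_creation_win_susp_powershell_cmd_patterns.yml would be the thing to check); otherwise keeping the entry with a note that it is retired is safer than removal. The Sysprep `related` addition at the top of the hunk is consistent with the other hunks.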
{
"description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet",
"meta": {
@@ -31308,6 +39714,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009",
"value": "Suspicious Desktopimgdownldr Command"
},
@@ -31332,6 +39747,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9cfc00b6-bfb7-49ce-9781-ef78503154bb",
"value": "Wlrmdr Lolbin Use as Launcher"
},
@@ -31348,14 +39772,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
"https://reaqta.com/2017/12/mavinject-microsoft-injector/",
"https://github.com/SigmaHQ/sigma/issues/3742",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
"https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
],
"tags": [
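Review bot: The `refs` entries in this hunk are the same set before and after, only reshuffled (e.g. the specterops and Hexacorn links move from the top to the bottom), which means the generator emits references in a non-deterministic order and every regeneration will produce diff churn that hides real changes. The same reorder-only pattern appears in the hunks at `@@ -31432`, `@@ -31564`, `@@ -31589`, `@@ -31645`, `@@ -31677`, `@@ -31770`, `@@ -31821`, `@@ -31847`, `@@ -31900`, `@@ -32002`, `@@ -32124`, `@@ -32150`, `@@ -32255`, `@@ -32281`, `@@ -32353`, `@@ -32401`, `@@ -32426`, `@@ -32574`, `@@ -32621` and `@@ -32751`. Sorting the list in the relationship script (for example `refs = sorted(set(refs))`, keeping the trailing SigmaHQ rule link where the current layout wants it) would make the output stable and reviewable. The enclosing rule object starts and ends outside this hunk.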
@@ -31365,16 +39789,32 @@
"attack.t1218.013"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394",
"value": "Rename Mavinject Execution"
},
{
- "description": "Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell",
+ "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.",
"meta": {
"author": "FPT.EagleEye, wagga",
"creation_date": "2021/03/03",
"falsepositive": [
- "Administrative might use this function for checking network connectivity"
+ "Administrative might use this function to check network connectivity"
],
"filename": "proc_creation_win_powershell_reverse_shell_connection.yml",
"level": "high",
@@ -31382,6 +39822,7 @@
"logsource.product": "windows",
"refs": [
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
],
@@ -31390,8 +39831,17 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be",
- "value": "Powershell Reverse Shell Connection"
+ "value": "Potential Powershell ReverseShell Connection"
},
{
"description": "Detects using Diskshadow.exe to execute arbitrary code in text file",
@@ -31415,9 +39865,42 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2",
"value": "Execution via Diskshadow.exe"
},
+ {
+ "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_turn_on_dev_features.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "a383dec4-deec-4e6e-913b-ed9249670848",
+ "value": "Potential Signing Bypass Via Windows Developer Features"
+ },
{
"description": "Detects netsh commands that configure a port forwarding (PortProxy)",
"meta": {
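Review bot: The new rule's `refs` array mixes the free-text string `"Internal Research"` with URLs, while every other `refs` entry visible in this diff is a URL; consumers that treat `refs` as a list of links (MISP galaxy tooling, link checkers) will either break on or silently dereference a non-URI value. Since this field is generated from the upstream rule's references, the script should filter to URL-shaped values (`if ref.startswith(("http://", "https://"))`) or carry non-URL notes in a separate meta key instead of in `refs`. Also worth noting, though consistent with the rest of the output, is that this entry gets no `related` array because its only tag is `attack.defense_evasion` without a technique id, so it will not be linked into the ATT&CK graph.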
@@ -31432,9 +39915,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.dfirnotes.net/portproxy_detection/",
"https://adepts.of0x.cc/netsh-portproxy-code/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml"
],
"tags": [
@@ -31444,6 +39927,15 @@
"attack.t1090"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614",
"value": "Netsh Port Forwarding"
},
@@ -31470,6 +39962,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7a74da6b-ea76-47db-92cc-874ad90df734",
"value": "MSDT Executed with Suspicious Parent"
},
@@ -31524,6 +40025,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d7bcd677-645d-4691-a8d4-7a5602b780d1",
"value": "Suspicious PowerShell Command Line"
},
@@ -31548,6 +40058,15 @@
"attack.t1555.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c",
"value": "Suspicious Key Manager Access"
},
@@ -31564,8 +40083,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
"https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
+ "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml"
],
"tags": [
@@ -31573,6 +40092,15 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d",
"value": "Netsh Program Allowed with Suspcious Location"
},
@@ -31589,8 +40117,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
],
"tags": [
@@ -31604,6 +40132,29 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab",
"value": "Operation Wocao Activity"
},
@@ -31629,6 +40180,15 @@
"attack.t1087.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "502b42de-4306-40b4-9596-6f590c81f073",
"value": "Local Accounts Discovery"
},
@@ -31645,12 +40205,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml"
],
"tags": [
@@ -31661,6 +40221,29 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "23daeb52-e6eb-493c-8607-c4f0246cb7d8",
"value": "New Lolbin Process by Office Applications"
},
@@ -31677,9 +40260,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml"
],
"tags": [
@@ -31699,6 +40282,71 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4",
"value": "HTML Help Shell Spawn"
},
@@ -31754,13 +40402,29 @@
"attack.s0404"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f",
"value": "Copying Sensitive Files with Credential Data"
},
{
"description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file",
"meta": {
- "author": "Florian Roth, Nasreddine Bencherchali (updated)",
+ "author": "Florian Roth, Nasreddine Bencherchali",
"creation_date": "2020/07/03",
"falsepositive": [
"Unknown"
@@ -31770,10 +40434,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
"https://twitter.com/max_mal_/status/1542461200797163522",
"https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
"https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
- "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml"
],
"tags": [
@@ -31781,6 +40445,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468",
"value": "Suspicious Curl Usage on Windows"
},
@@ -31821,9 +40494,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
"https://ss64.com/nt/dsacls.html",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
],
"tags": [
@@ -31831,6 +40504,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c",
"value": "Password Spraying Attempts Using Dsacls"
},
@@ -31847,9 +40529,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
"https://github.com/h3v0x/CVE-2021-26084_Confluence",
"https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml"
],
"tags": [
@@ -31859,9 +40541,58 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "245f92e3-c4da-45f1-9070-bc552e06db11",
"value": "Atlassian Confluence CVE-2021-26084"
},
+ {
+ "description": "Detects potential DLL injection and execution using \"Tracker.exe\"",
+ "meta": {
+ "author": "Avneet Singh @v3t0_, oscd.community",
+ "creation_date": "2020/10/18",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lolbin_tracker.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea",
+ "value": "Potential DLL Injection Or Execution Using Tracker.exe"
+ },
{
"description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc",
"meta": {
@@ -31884,6 +40615,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8",
"value": "Suspicious WMIC Execution - ProcessCallCreate"
},
@@ -31900,9 +40640,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
- "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
"https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+ "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml"
],
"tags": [
@@ -31910,6 +40650,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701",
"value": "Microsoft IIS Service Account Password Dumped"
},
@@ -31934,6 +40683,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6",
"value": "Nimgrab File Download"
},
@@ -31985,6 +40743,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "79b06761-465f-4f88-9ef2-150e24d3d737",
"value": "Procdump Evasion"
},
@@ -32002,9 +40769,9 @@
"logsource.product": "windows",
"refs": [
"https://youtu.be/5mqid-7zp8k?t=2481",
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml"
],
"tags": [
@@ -32057,6 +40824,15 @@
"attack.t1588.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b",
"value": "Usage of Sysinternals Tools"
},
@@ -32083,6 +40859,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967",
"value": "Suspicious Schtasks Execution AppData Folder"
},
@@ -32108,6 +40900,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b697e69c-746f-4a86-9f59-7bfff8eab881",
"value": "UAC Bypass Using Disk Cleanup"
},
@@ -32124,9 +40925,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
"https://twitter.com/_felamos/status/1204705548668555264",
"https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml"
],
"tags": [
@@ -32134,6 +40935,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3",
"value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN"
},
@@ -32150,8 +40960,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
],
"tags": [
@@ -32186,6 +40996,15 @@
"car.2013-05-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aa3a6f94-890e-4e22-b634-ffdfd54792cc",
"value": "MS Office Product Spawning Exe in User Dir"
},
@@ -32214,6 +41033,15 @@
"car.2013-08-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "92626ddd-662c-49e3-ac59-f6535f12d189",
"value": "Scheduled Task Creation"
},
@@ -32255,8 +41083,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
"https://sourceforge.net/projects/mouselock/",
+ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml"
],
"tags": [
@@ -32281,8 +41109,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/wusa.exe/",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.echotrail.io/insights/search/wusa.exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml"
],
"tags": [
@@ -32313,6 +41141,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "70e68156-6571-427b-a6e9-4476a173a9b6",
"value": "Cmd Stream Redirection"
},
@@ -32337,6 +41174,15 @@
"attack.t1528"
]
},
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6d3a3952-6530-44a3-8554-cf17c116c615",
"value": "Suspicious Office Token Search Via CLI"
},
@@ -32353,8 +41199,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
"https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
],
"tags": [
@@ -32362,6 +41208,15 @@
"attack.t1048.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5",
"value": "Suspicious WebDav Client Execution"
},
@@ -32401,8 +41256,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://support.anydesk.com/Automatic_Deployment",
"https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
+ "https://support.anydesk.com/Automatic_Deployment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml"
],
"tags": [
@@ -32410,6 +41265,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9",
"value": "AnyDesk Silent Installation"
},
@@ -32426,8 +41290,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
"https://twitter.com/subTee/status/1216465628946563073",
+ "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml"
],
"tags": [
@@ -32462,6 +41326,22 @@
"attack.t1021.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8",
"value": "Remote PowerShell Session Host Process (WinRM)"
},
@@ -32487,7 +41367,7 @@
]
},
"uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed",
- "value": "DllRegisterServer Call From Non Rundll32"
+ "value": "Renamed Rundll32 Execution Via DllRegisterServer"
},
{
"description": "Detects commands that temporarily turn off Volume Snapshots",
@@ -32534,6 +41414,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e",
"value": "Use of Mftrace.exe"
},
@@ -32558,6 +41447,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1775e15e-b61b-4d14-a1a3-80981298085a",
"value": "Suspicious Rundll32 Without Any CommandLine Params"
},
@@ -32574,9 +41472,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/filip_dragovic/status/1590104354727436290",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
"https://twitter.com/filip_dragovic/status/1590052248260055041",
+ "https://twitter.com/filip_dragovic/status/1590104354727436290",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml"
],
"tags": "No established tags"
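Review bot: The regenerated output still emits `"tags": "No established tags"` as a bare string, while `tags` is an array in every other rule in this diff, so the key changes type depending on state and any consumer that iterates `meta.tags` will fail on this entry. The generator should emit `"tags": []` for rules without tags (and apply the same treatment to any other field where it currently writes a sentinel string in place of a list). Because the sentinel is a context line here, this is a pre-existing shape problem rather than one introduced by this commit, but the script rewrite is the right place to fix it; the enclosing rule object starts and ends outside this hunk.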
@@ -32605,6 +41503,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b",
"value": "Process Dump via RdrLeakDiag.exe"
},
@@ -32621,8 +41528,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
],
@@ -32631,6 +41538,15 @@
"attack.resource_development"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2d87d610-d760-45ee-a7e6-7a6f2a65de00",
"value": "Mustang Panda Dropper"
},
@@ -32657,6 +41573,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dee0a7a3-f200-4112-a99b-952196d81e42",
"value": "DumpMinitool Usage"
},
@@ -32682,6 +41607,15 @@
"attack.t1059.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43",
"value": "Suspicious File Characteristics Due to Missing Fields"
},
@@ -32711,6 +41645,29 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052",
"value": "Maze Ransomware"
},
@@ -32751,10 +41708,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
"https://www.activecyber.us/activelabs/windows-uac-bypass",
- "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
"https://twitter.com/ReaQta/status/1222548288731217921",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
],
"tags": [
@@ -32763,6 +41720,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c",
"value": "Bypass UAC via WSReset.exe"
},
@@ -32780,8 +41746,8 @@
"logsource.product": "windows",
"refs": [
"https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
- "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
"https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
+ "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
],
"tags": [
@@ -32789,6 +41755,15 @@
"attack.t1486"
]
},
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "74db3488-fd28-480a-95aa-b7af626de068",
"value": "LockerGoga Ransomware"
},
@@ -32815,6 +41790,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "899133d5-4d7c-4a7f-94ee-27355c879d90",
"value": "Python Inline Command Execution"
},
@@ -32859,8 +41843,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
"https://twitter.com/vysecurity/status/977198418354491392",
+ "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml"
],
"tags": [
@@ -32869,6 +41853,15 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd",
"value": "Ping Hex IP"
},
@@ -32885,8 +41878,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
],
"tags": [
@@ -32895,9 +41888,49 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "89ca78fd-b37c-4310-b3d3-81a023f83936",
"value": "Schtasks Creation Or Modification With SYSTEM Privileges"
},
+ {
+ "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)",
+ "meta": {
+ "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community",
+ "creation_date": "2018/09/03",
+ "falsepositive": "No established falsepositives",
+ "filename": "proc_creation_win_susp_powershell_base64_encoded_cmd.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea",
+ "value": "Suspicious Encoded PowerShell Command Line"
+ },
{
"description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
"meta": {
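Review bot: The new "Suspicious Encoded PowerShell Command Line" entry writes `"falsepositive": "No established falsepositives"` as a string, while other entries added in this commit use an array (`"falsepositive": ["Unknown"]` in the double-extension entry below); `"tags": "No established tags"` versus a tag array shows the same key changing type depending on state. A consumer of the galaxy then has to branch on the JSON type of every entry's `falsepositive`/`tags` before iterating. Unless the galaxy schema requires a placeholder string, emitting an empty array (or omitting the key) when the upstream rule has no value keeps each key to one type across the file.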
@@ -32919,6 +41952,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89",
"value": "Conhost Spawned By Suspicious Parent Process"
},
@@ -32947,6 +41989,22 @@
"attack.g0001"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc",
"value": "ZxShell Malware"
},
@@ -32963,7 +42021,7 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "Turla has used fsutil fsinfo drives to list connected drives. https://attack.mitre.org/techniques/T1120/",
+ "Turla has used fsutil fsinfo drives to list connected drives.",
"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
],
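Review bot: The rewritten first `refs` element keeps the free-text sentence `"Turla has used fsutil fsinfo drives to list connected drives."` but drops the only URL it carried, so `refs` now mixes a prose note with URLs and the ATT&CK T1120 link is lost for this rule. If the script mirrors the upstream rule's `references` verbatim, the fix belongs upstream; otherwise the note should be split so the link stays as its own element, e.g. `"https://attack.mitre.org/techniques/T1120/"` alongside the existing elastic and SigmaHQ URLs.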
@@ -33020,6 +42078,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598",
"value": "Lolbin Ssh.exe Use As Proxy"
},
@@ -33036,8 +42103,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
"https://twitter.com/pabraeken/status/993298228840992768",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml"
],
"tags": [
@@ -33047,6 +42114,22 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060",
"value": "SQL Client Tools PowerShell Session Detection"
},
@@ -33072,6 +42155,15 @@
"attack.t1574"
]
},
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a2910908-e86f-4687-aeba-76a5f996e652",
"value": "DLL Execution Via Register-cimprovider.exe"
},
@@ -33096,6 +42188,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8",
"value": "Run PowerShell Script from ADS"
},
@@ -33113,15 +42214,15 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
"https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://github.com/Neo23x0/Raccine#the-process",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
],
"tags": [
@@ -33131,6 +42232,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2",
"value": "Shadow Copies Deletion Using Operating Systems Utilities"
},
@@ -33147,9 +42257,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
],
"tags": [
@@ -33173,9 +42283,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
],
"tags": [
@@ -33186,6 +42296,22 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede",
"value": "Bitsadmin Download"
},
@@ -33211,6 +42337,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095",
"value": "Data Compressed - rar.exe"
},
@@ -33238,6 +42373,22 @@
"attack.t1134.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a",
"value": "SharpImpersonation Execution"
},
@@ -33286,6 +42437,15 @@
"attack.t1087.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc",
"value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet"
},
@@ -33310,6 +42470,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd",
"value": "Suspicious Compression Tool Parameters"
},
@@ -33326,11 +42495,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
- "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
- "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
"https://twitter.com/bohops/status/980659399495741441",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
+ "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
+ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml"
],
"tags": [
@@ -33338,6 +42507,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda",
"value": "Suspicious Usage of the Manage-bde.wsf Script"
},
@@ -33362,9 +42540,52 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8",
"value": "Use of VSIISExeLauncher.exe"
},
+ {
+ "description": "Detect execution of suspicious double extension files in ParentCommandLine",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/06",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_double_ext_parent.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.007"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c",
+ "value": "Suspicious Double File Extention in ParentCommandLine"
+ },
{
"description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n",
"meta": {
@@ -33378,9 +42599,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
- "https://twitter.com/bryon_/status/975835709587075072",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
+ "https://twitter.com/bryon_/status/975835709587075072",
+ "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml"
],
"tags": [
@@ -33390,6 +42611,22 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3",
"value": "Detection of PowerShell Execution via Sqlps.exe"
},
@@ -33414,6 +42651,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d522eca2-2973-4391-a3e0-ef0374321dae",
"value": "Abused Debug Privilege by Arbitrary Parent Processes"
},
@@ -33440,6 +42686,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5",
"value": "Invoke-Obfuscation Via Use Clip"
},
@@ -33464,6 +42719,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1c8774a0-44d4-4db0-91f8-e792359c70bd",
"value": "REGISTER_APP.VBS Proxy Execution"
},
@@ -33488,6 +42752,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "883faa95-175a-4e22-8181-e5761aeb373c",
"value": "Suspicious Service Binary Directory"
},
@@ -33528,8 +42801,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
"https://github.com/cube0x0",
+ "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml"
],
"tags": "No established tags"
@@ -33559,6 +42832,15 @@
"attack.t1559"
]
},
+ "related": [
+ {
+ "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27",
"value": "Trickbot Malware Activity"
},
@@ -33575,10 +42857,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
"https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+ "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml"
],
"tags": [
@@ -33588,9 +42870,52 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e",
"value": "Suspicious Csi.exe Usage"
},
+ {
+ "description": "Detects suspicious powershell invocations from interpreters or unusual programs",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2019/01/16",
+ "falsepositive": [
+ "Microsoft Operations Manager (MOM)",
+ "Other scripts"
+ ],
+ "filename": "proc_creation_win_susp_powershell_script_engine_parent_.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db",
+ "value": "Suspicious PowerShell Invocation From Script Engines"
+ },
{
"description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware",
"meta": {
@@ -33613,6 +42938,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67",
"value": "Renamed ProcDump Execution"
},
@@ -33629,14 +42963,23 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.scythe.io/library/threat-emulation-qakbot",
"https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://www.scythe.io/library/threat-emulation-qakbot",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml"
],
"tags": [
"attack.t1218.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87",
"value": "LOLBIN From Abnormal Drive"
},
@@ -33662,6 +43005,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2",
"value": "Use of Pcalua For Execution"
},
@@ -33678,8 +43030,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://www.nirsoft.net/utils/nircmd2.html#using",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml"
],
@@ -33689,11 +43041,20 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22",
"value": "NirCmd Tool Execution"
},
{
- "description": "Detects suspicious ways to download files or content and execute them using PowerShell",
+ "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression",
"meta": {
"author": "Florian Roth",
"creation_date": "2022/03/24",
@@ -33713,6 +43074,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775",
"value": "PowerShell Web Download and Execution"
},
@@ -33729,8 +43099,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml"
],
"tags": [
@@ -33754,10 +43124,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/hFireF0X/status/897640081053364225",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/hfiref0x/UACME",
"https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
- "https://twitter.com/hFireF0X/status/897640081053364225",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml"
],
"tags": [
@@ -33770,6 +43140,22 @@
"car.2019-04-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253",
"value": "CMSTP UAC Bypass via COM Object Access"
},
@@ -33811,8 +43197,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
"https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
+ "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
],
"tags": "No established tags"
@@ -33845,6 +43231,29 @@
"attack.s0106"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "058f4380-962d-40a5-afce-50207d36d7e2",
"value": "CrackMapExec Command Execution"
},
@@ -33862,9 +43271,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
],
"tags": [
@@ -33889,10 +43298,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
- "https://github.com/Neo23x0/DLLRunner",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
"https://twitter.com/cyb3rops/status/1186631731543236608",
+ "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://github.com/Neo23x0/DLLRunner",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
],
"tags": [
@@ -33900,6 +43309,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c",
"value": "Suspicious Call by Ordinal"
},
@@ -33924,6 +43342,15 @@
"attack.t1218.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "10152a7b-b566-438f-a33c-390b607d1c8d",
"value": "Empire Monkey"
},
@@ -33950,6 +43377,15 @@
"car.2013-05-009"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "18da1007-3f26-470f-875d-f77faf1cab31",
"value": "Ps.exe Renamed SysInternals Tool"
},
@@ -33974,6 +43410,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d047726b-c71c-4048-a99b-2e2f50dc107d",
"value": "Kavremover Dropped Binary LOLBIN Usage"
},
@@ -34000,6 +43445,15 @@
"attack.t1218.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8",
"value": "Suspicious Msiexec Load DLL"
},
@@ -34026,6 +43480,22 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03",
"value": "Suspicious Runscripthelper.exe"
},
@@ -34050,6 +43520,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d",
"value": "CL_Mutexverifiers.ps1 Proxy Execution"
},
@@ -34075,6 +43554,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "90d50722-0483-4065-8e35-57efaadd354d",
"value": "DevInit Lolbin Download"
},
@@ -34091,8 +43579,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml"
],
"tags": [
@@ -34116,8 +43604,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/j0nh4t/status/1429049506021138437",
"https://streamable.com/q2dsji",
+ "https://twitter.com/j0nh4t/status/1429049506021138437",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml"
],
"tags": [
@@ -34125,6 +43613,15 @@
"attack.t1553"
]
},
+ "related": [
+ {
+ "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167",
"value": "Suspicious RazerInstaller Explorer Subprocess"
},
@@ -34148,6 +43645,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "88f680b8-070e-402c-ae11-d2914f2257f1",
"value": "Encoded IEX"
},
@@ -34165,8 +43671,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
+ "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml"
],
"tags": [
@@ -34197,6 +43703,15 @@
"attack.t1119"
]
},
+ "related": [
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aa2efee7-34dd-446e-8a37-40790a66efd7",
"value": "Recon Information for Export with Command Prompt"
},
@@ -34223,6 +43738,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "033fe7d6-66d1-4240-ac6b-28908009c71f",
"value": "APT29"
},
@@ -34275,6 +43799,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e",
"value": "Registry Dump of SAM Creds and Secrets"
},
@@ -34370,8 +43903,8 @@
"refs": [
"https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
"https://twitter.com/0gtweet/status/1583356502340870144",
+ "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
],
"tags": [
@@ -34380,6 +43913,22 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7",
"value": "Use of Setres.exe"
},
@@ -34396,10 +43945,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
"https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml"
],
@@ -34408,6 +43957,15 @@
"attack.t1567.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638",
"value": "Rclone Execution via Command Line or PowerShell"
},
@@ -34424,9 +43982,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
],
"tags": [
@@ -34434,6 +43992,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1",
"value": "Copy from Volume Shadow Copy"
},
@@ -34450,9 +44017,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/c_APT_ure/status/939475433711722497",
"https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
"https://twitter.com/haroonmeer/status/939099379834658817",
- "https://twitter.com/c_APT_ure/status/939475433711722497",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml"
],
"tags": [
@@ -34511,6 +44078,22 @@
"attack.t1059.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cea72823-df4d-4567-950c-0b579eaf0846",
"value": "WScript or CScript Dropper"
},
@@ -34535,6 +44118,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6",
"value": "Sideloading Link.EXE"
},
@@ -34559,6 +44151,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33",
"value": "Suspicious Script Execution From Temp Folder"
},
@@ -34585,6 +44186,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e32d4572-9826-4738-b651-95fa63747e8a",
"value": "FromBase64String Command Line"
},
@@ -34609,6 +44226,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86",
"value": "Use of Anydesk Remote Access Software from Suspicious Folder"
},
@@ -34634,6 +44260,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6355a919-2e97-4285-a673-74645566340d",
"value": "RdrLeakDiag Process Dump"
},
@@ -34662,6 +44297,15 @@
"car.2014-04-003"
]
},
+ "related": [
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "03cc0c25-389f-4bf8-b48d-11878079f1ca",
"value": "MSHTA Spawning Windows Shell"
},
@@ -34686,6 +44330,15 @@
"attack.t1485"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4b046706-5789-4673-b111-66f25fe99534",
"value": "Overwrite Deleted Data with Cipher"
},
@@ -34727,8 +44380,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
"https://twitter.com/mrd0x/status/1475085452784844803?s=12",
+ "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
],
"tags": "No established tags"
@@ -34749,8 +44402,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://forensafe.com/blogs/typedpaths.html",
"https://twitter.com/dez_/status/1560101453150257154",
+ "https://forensafe.com/blogs/typedpaths.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml"
],
"tags": [
@@ -34781,6 +44434,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f",
"value": "UNC2452 Process Creation Patterns"
},
@@ -34797,8 +44459,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
"https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
+ "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml"
],
"tags": [
@@ -34847,8 +44509,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
"https://www.echotrail.io/insights/search/defaultpack.exe",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml"
],
"tags": [
@@ -34857,6 +44519,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b2309017-4235-44fe-b5af-b15363011957",
"value": "Lolbin Defaultpack.exe Use As Proxy"
},
@@ -34874,10 +44545,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
- "https://twitter.com/gN3mes1s/status/1206874118282448897",
"https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
+ "https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
],
"tags": [
@@ -34885,6 +44556,15 @@
"attack.t1027.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4",
"value": "Suspicious Csc.exe Source File Folder"
},
@@ -34909,6 +44589,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc",
"value": "Suspicious Execution of InstallUtil To Download"
},
@@ -34934,6 +44623,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0",
"value": "Inveigh Hack Tool"
},
@@ -34961,6 +44659,22 @@
"attack.t1071"
]
},
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "18739897-21b1-41da-8ee4-5b786915a676",
"value": "GALLIUM Artefacts"
},
@@ -34986,6 +44700,15 @@
"attack.g0069"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d",
"value": "MERCURY Command Line Patterns"
},
@@ -35010,6 +44733,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6b369ced-4b1d-48f1-b427-fdc0de0790bd",
"value": "Suspicious Diantz Alternate Data Stream Execution"
},
@@ -35035,6 +44767,15 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "208748f7-881d-47ac-a29c-07ea84bf691d",
"value": "Microsoft Outlook Product Spawning Windows Shell"
},
@@ -35060,6 +44801,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177",
"value": "UAC Bypass Tool UACMe Akagi"
},
@@ -35086,6 +44836,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b222df08-0e07-11eb-adc1-0242ac120002",
"value": "Invoke-Obfuscation CLIP+ Launcher"
},
@@ -35110,6 +44869,15 @@
"attack.t1489"
]
},
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d",
"value": "Suspicious Execution of Taskkill"
},
@@ -35158,6 +44926,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c",
"value": "HandleKatz LSASS Dumper Usage"
},
@@ -35174,11 +44951,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
- "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
"https://twitter.com/egre55/status/1087685529016193025",
+ "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
+ "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml"
],
"tags": [
@@ -35195,6 +44972,22 @@
"attack.g0096"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e011a729-98a6-4139-b5c4-bf6f6dd8239a",
"value": "Suspicious Certutil Command Usage"
},
@@ -35211,8 +45004,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml"
],
"tags": [
@@ -35268,6 +45061,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "afe52666-401e-4a02-b4ff-5d128990b8cb",
"value": "RAR Greedy Compression"
},
@@ -35284,8 +45086,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml"
],
"tags": [
@@ -35293,6 +45095,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a",
"value": "Suspicious Schtasks Schedule Type With High Privileges"
},
@@ -35318,6 +45129,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7",
"value": "Suspicious PrinterPorts Creation (CVE-2020-1048)"
},
@@ -35334,8 +45154,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
"https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
+ "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml"
],
"tags": [
@@ -35345,6 +45165,22 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "46123129-1024-423e-9fae-43af4a0fa9a5",
"value": "Windows Defender Download Activity"
},
@@ -35372,6 +45208,15 @@
"car.2019-04-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3268b746-88d8-4cd3-bffc-30077d02c787",
"value": "Empire PowerShell UAC Bypass"
},
@@ -35396,6 +45241,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892",
"value": "Suspicious CMD Shell Redirect"
},
@@ -35412,10 +45266,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
],
"tags": [
@@ -35426,6 +45280,22 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248",
"value": "Bitsadmin Download to Uncommon Target Folder"
},
@@ -35518,8 +45388,8 @@
"logsource.product": "windows",
"refs": [
"https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
- "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
],
"tags": [
@@ -35552,6 +45422,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "64760eef-87f7-4ed3-93fd-655668ea9420",
"value": "Use of Scriptrunner.exe"
},
@@ -35568,8 +45447,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
"https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
+ "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
],
"tags": [
@@ -35577,6 +45456,15 @@
"attack.t1003.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53",
"value": "Cmdkey Cached Credentials Recon"
},
@@ -35593,10 +45481,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
],
"tags": [
@@ -35607,6 +45495,22 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac",
"value": "Bitsadmin Download to Suspicious Target Folder"
},
@@ -35631,6 +45535,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d",
"value": "Suspicious File Download via CertOC.exe"
},
@@ -35647,12 +45560,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://attack.mitre.org/techniques/T1557/001/",
- "https://github.com/ohpe/juicy-potato",
"https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://github.com/ohpe/juicy-potato",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml"
],
"tags": [
@@ -35660,6 +45572,15 @@
"attack.t1557.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5589ab4f-a767-433c-961d-c91f3f704db1",
"value": "SMB Relay Attack Tools"
},
@@ -35685,6 +45606,15 @@
"attack.s0111"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0",
"value": "Defrag Deactivation"
},
@@ -35711,6 +45641,15 @@
"attack.t1095"
]
},
+ "related": [
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08",
"value": "Netcat Suspicious Execution"
},
@@ -35735,6 +45674,15 @@
"attack.t1485"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a4824fca-976f-4964-b334-0621379e84c4",
"value": "Sysinternals SDelete Delete File"
},
@@ -35751,9 +45699,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://abuse.io/lockergoga.txt",
- "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml"
],
"tags": [
@@ -35781,8 +45729,8 @@
"refs": [
"https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml"
],
"tags": [
@@ -35790,6 +45738,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581",
"value": "Empire PowerShell Launch Parameters"
},
@@ -35832,8 +45789,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
"https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml"
],
@@ -35844,6 +45801,15 @@
"attack.t1087.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc",
"value": "Suspicious Use of PsLogList"
},
@@ -35860,9 +45826,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://twitter.com/frack113/status/1555830623633375232",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml"
],
"tags": [
@@ -35870,6 +45836,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "349d891d-fef0-4fe4-bc53-eee623a15969",
"value": "Use Short Name Path in Command Line"
},
@@ -35894,6 +45869,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "88656cec-6c3b-487c-82c0-f73ebb805503",
"value": "Use of UltraViewer Remote Access Software"
},
@@ -35918,6 +45902,15 @@
"attack.t1059.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "00a4bacd-6db4-46d5-9258-a7d5ebff4003",
"value": "Read and Execute a File Via Cmd.exe"
},
@@ -35934,9 +45927,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml"
],
"tags": [
@@ -35947,6 +45940,22 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200",
"value": "Bitsadmin Download File with Suspicious Extension"
},
@@ -35971,6 +45980,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da",
"value": "WMIC Service Start/Stop"
},
@@ -35995,6 +46013,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc",
"value": "Suspicious Invoke-WebRequest Usage"
},
@@ -36045,6 +46072,15 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2",
"value": "Netsh Firewall Rule Deletion"
},
@@ -36061,11 +46097,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
"https://twitter.com/vysecurity/status/885545634958385153",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
- "https://twitter.com/Hexacorn/status/885570278637678592",
"https://twitter.com/Hexacorn/status/885553465417756673",
+ "https://twitter.com/Hexacorn/status/885570278637678592",
+ "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+ "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml"
],
"tags": [
@@ -36073,6 +46109,15 @@
"attack.t1140"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd",
"value": "Suspicious Commandline Escape"
},
@@ -36098,6 +46143,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd",
"value": "Download Arbitrary Files Via PresentationHost.exe"
},
@@ -36160,8 +46214,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml"
],
"tags": [
@@ -36193,6 +46247,15 @@
"attack.t1136.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b9f0e6f5-09b4-4358-bae4-08408705bd5c",
"value": "Net.exe User Account Creation - Never Expire"
},
@@ -36233,6 +46296,7 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
+ "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml"
],
"tags": [
@@ -36241,6 +46305,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "313d6012-51a0-4d93-8dfc-de8553239e25",
"value": "Monitoring Winget For LOLbin Execution"
},
@@ -36289,6 +46362,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0",
"value": "MSDT.EXE Execution With Suspicious Cab Option"
},
@@ -36303,8 +46385,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml"
],
"tags": [
@@ -36313,6 +46395,22 @@
"attack.t1059.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71",
"value": "Adwind RAT / JRAT"
},
@@ -36338,6 +46436,15 @@
"attack.s0005"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7aa7009a-28b9-4344-8c1f-159489a390df",
"value": "Windows Credential Editor"
},
@@ -36354,8 +46461,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/yosqueoy/ditsnap",
"https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://github.com/yosqueoy/ditsnap",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml"
],
"tags": [
@@ -36363,6 +46470,15 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d3b70aad-097e-409c-9df2-450f80dc476b",
"value": "DIT Snapshot Viewer Use"
},
@@ -36379,8 +46495,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
"https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml"
],
"tags": [
@@ -36388,6 +46504,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45",
"value": "WMIC Hotfix Recon"
},
@@ -36404,8 +46529,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/ps/foreach-object.htmll",
"https://ss64.com/nt/for.html",
+ "https://ss64.com/ps/foreach-object.htmll",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml"
],
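Review bot: The reference `https://ss64.com/ps/foreach-object.htmll` carries a doubled `l` in its extension and is kept as-is on the new side, only moved down one line. Since this cluster is generated from the upstream Sigma rule (proc_creation_win_network_scan_loop.yml), the fix belongs in that rule's references rather than in this JSON, otherwise the next regeneration reintroduces it. The corrected line is `"https://ss64.com/ps/foreach-object.html",`.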
@@ -36416,6 +46541,15 @@
"attack.t1018"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23",
"value": "Suspicious Scan Loop Network"
},
@@ -36462,6 +46596,15 @@
"attack.t1489"
]
},
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330",
"value": "Suspicious Stop Windows Service"
},
@@ -36487,6 +46630,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c",
"value": "Encoded FromBase64String"
},
@@ -36512,6 +46671,15 @@
"attack.t1482"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a",
"value": "Launch TruffleSnout Executable"
},
@@ -36537,6 +46705,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f",
"value": "Suspicious Get ComputerSystem Information with WMIC"
},
@@ -36553,9 +46730,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://twitter.com/oulusoyum/status/1191329746069655553",
"https://twitter.com/mattifestation/status/1196390321783025666",
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
],
"tags": [
@@ -36565,6 +46742,22 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a",
"value": "Time Travel Debugging Utility Usage"
},
@@ -36581,9 +46774,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
"https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"
],
"tags": [
@@ -36591,6 +46784,15 @@
"attack.t1005"
]
},
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362",
"value": "Esentutl Steals Browser Information"
},
@@ -36607,9 +46809,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
],
"tags": [
@@ -36620,6 +46822,29 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bf6c39fc-e203-45b9-9538-05397c1b4f3f",
"value": "Abusing Findstr for Defense Evasion"
},
@@ -36637,9 +46862,9 @@
"logsource.product": "windows",
"refs": [
"https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
- "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
"https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
+ "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml"
],
"tags": [
@@ -36674,6 +46899,22 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5bb68627-3198-40ca-b458-49f973db8752",
"value": "Rundll32 Without Parameters"
},
@@ -36702,6 +46943,22 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b",
"value": "WSL Execution"
},
@@ -36770,6 +47027,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9fbf5927-5261-4284-a71d-f681029ea574",
"value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP"
},
@@ -36794,6 +47060,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "44143844-0631-49ab-97a0-96387d6b2d7c",
"value": "Download Files Using Notepad++ GUP Utility"
},
@@ -36818,6 +47093,15 @@
"attack.t1027.009"
]
},
+ "related": [
+ {
+ "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "deb9b646-a508-44ee-b7c9-d8965921c6b6",
"value": "Powershell Token Obfuscation - Process Creation"
},
@@ -36892,6 +47176,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6",
"value": "Devtoolslauncher.exe Executes Specified Binary"
},
@@ -36917,6 +47210,15 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee",
"value": "Judgement Panda Credential Access Activity"
},
@@ -36933,8 +47235,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml"
],
@@ -36967,6 +47269,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7",
"value": "7Zip Compressing Dump Files"
},
@@ -37008,8 +47319,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224",
"https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml"
],
"tags": [
@@ -37022,6 +47333,29 @@
"cve.2020.10189"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "846b866e-2a57-46ee-8e16-85fa92759be7",
"value": "Exploited CVE-2020-10189 Zoho ManageEngine"
},
@@ -37038,8 +47372,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml"
],
"tags": [
@@ -37072,6 +47406,15 @@
"cve.2021.35211"
]
},
+ "related": [
+ {
+ "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf",
"value": "Suspicious Serv-U Process Pattern"
},
@@ -37097,6 +47440,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891",
"value": "Wsudo Suspicious Execution"
},
@@ -37113,8 +47465,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml"
],
"tags": [
@@ -37125,6 +47477,29 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738",
"value": "Office Processes Proxy Execution Through WMIC"
},
@@ -37150,6 +47525,15 @@
"attack.t1218.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8",
"value": "Suspicious Regsvr32 HTTP IP Pattern"
},
@@ -37175,6 +47559,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bbeaed61-1990-4773-bf57-b81dbad7db2d",
"value": "Curl Usage on Windows"
},
@@ -37199,6 +47592,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba",
"value": "Detection of PowerShell Execution via DLL"
},
@@ -37223,11 +47625,20 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0bbc6369-43e3-453d-9944-cae58821c173",
"value": "Execution via WorkFolders.exe"
},
{
- "description": "Detects suspicious sub processes spawned by PowerShell",
+ "description": "Detects suspicious child processes spawned by PowerShell",
"meta": {
"author": "Florian Roth, Tim Shelton",
"creation_date": "2022/04/26",
@@ -37245,7 +47656,7 @@
"tags": "No established tags"
},
"uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647",
- "value": "Suspicious PowerShell Sub Processes"
+ "value": "Suspicious PowerShell Child Processes"
},
{
"description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
@@ -37284,8 +47695,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
"https://twitter.com/ShadowChasing1/status/1552595370961944576",
+ "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml"
],
"tags": [
@@ -37293,6 +47704,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993",
"value": "Suspicious Net Use Command Combo"
},
@@ -37309,8 +47729,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
"https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
+ "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml"
],
"tags": [
@@ -37321,6 +47741,22 @@
"attack.t1566.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fdd84c68-a1f6-47c9-9477-920584f94905",
"value": "Exploit for CVE-2017-8759"
},
@@ -37345,6 +47781,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "84b14121-9d14-416e-800b-f3b829c5a14d",
"value": "Suspicious CustomShellHost Execution"
},
@@ -37369,6 +47814,15 @@
"attack.t1562.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9",
"value": "Registry Disabling LSASS PPL"
},
@@ -37416,6 +47870,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f548a603-c9f2-4c89-b511-b089f7e94549",
"value": "Potential Persistence Execution Via Microsoft Compatibility Appraiser"
},
@@ -37444,6 +47907,22 @@
"attack.t1620"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59",
"value": "Base64 Encoded Reflective Assembly Load"
},
@@ -37460,9 +47939,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml"
],
"tags": [
@@ -37470,6 +47949,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98",
"value": "Suspicious Schtasks Schedule Types"
},
@@ -37486,8 +47974,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml"
],
"tags": [
@@ -37523,6 +48011,29 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aaf46cdc-934e-4284-b329-34aa701e3771",
"value": "Application Whitelisting Bypass via Bginfo"
},
@@ -37540,8 +48051,8 @@
"logsource.product": "windows",
"refs": [
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml"
],
"tags": [
@@ -37549,6 +48060,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6",
"value": "WMIC Unquoted Services Path Lookup"
},
@@ -37565,8 +48085,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://twitter.com/orange_8361/status/1518970259868626944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -37590,12 +48110,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://www.joeware.net/freetools/tools/adfind/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml"
],
"tags": [
@@ -37606,6 +48126,22 @@
"attack.t1069.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b",
"value": "Renamed AdFind Detection"
},
@@ -37631,6 +48167,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b",
"value": "Renamed MegaSync"
},
@@ -37687,6 +48232,29 @@
"attack.t1218.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35",
"value": "Baby Shark Activity"
},
@@ -37736,6 +48304,15 @@
"attack.t1485"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1a70042a-6622-4a2b-8958-267625349abf",
"value": "Run from a Zip File"
},
@@ -37761,6 +48338,15 @@
"attack.t1546.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "517490a7-115a-48c6-8862-1a481504d5a8",
"value": "Possible Shim Database Persistence via sdbinst.exe"
},
@@ -37777,9 +48363,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.php.net/manual/en/features.commandline.php",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://www.revshells.com/",
- "https://www.php.net/manual/en/features.commandline.php",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
],
"tags": [
@@ -37787,6 +48373,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d81871ef-5738-47ab-9797-7a9c90cd4bfb",
"value": "Php Inline Command Execution"
},
@@ -37837,6 +48432,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "faa48cae-6b25-4f00-a094-08947fef582f",
"value": "Rar Usage with Password and Compression Level"
},
@@ -37862,6 +48466,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "50919691-7302-437f-8e10-1fe088afa145",
"value": "Regsvr32 Command Line Without DLL"
},
@@ -37887,6 +48500,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e",
"value": "Blue Mockingbird"
},
@@ -37906,8 +48528,8 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
- "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml"
],
"tags": [
@@ -37940,6 +48562,15 @@
"attack.t1218.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5",
"value": "Suspicious Regsvr32 Execution From Remote Share"
},
@@ -37956,8 +48587,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/klinix5/InstallerFileTakeOver",
"https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
+ "https://github.com/klinix5/InstallerFileTakeOver",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml"
],
"tags": [
@@ -37965,6 +48596,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61",
"value": "Possible InstallerFileTakeOver LPE CVE-2021-41379"
},
@@ -37992,6 +48632,15 @@
"attack.t1021.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e",
"value": "Suspicious Add User to Remote Desktop Users Group"
},
@@ -38008,8 +48657,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml"
],
"tags": [
@@ -38040,6 +48689,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7",
"value": "PowerShell Download from URL"
},
@@ -38103,8 +48761,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cglyer/status/1182389676876980224",
"https://twitter.com/cglyer/status/1182391019633029120",
+ "https://twitter.com/cglyer/status/1182389676876980224",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
],
"tags": [
@@ -38112,6 +48770,15 @@
"attack.t1546.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b",
"value": "WMI Backdoor Exchange Transport Agent"
},
@@ -38190,6 +48857,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8202070f-edeb-4d31-a010-a26c72ac5600",
"value": "Shells Spawned by Web Servers"
},
@@ -38206,14 +48882,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
"https://reaqta.com/2017/12/mavinject-microsoft-injector/",
"https://github.com/SigmaHQ/sigma/issues/3742",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
"https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
],
"tags": [
@@ -38223,6 +48899,22 @@
"attack.t1218.013"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66",
"value": "Mavinject Inject DLL Into Running Process"
},
@@ -38247,6 +48939,15 @@
"attack.t1218.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c",
"value": "Suspicious Msiexec Quiet Install From Remote Location"
},
@@ -38271,6 +48972,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e",
"value": "Proxy Execution Via Explorer.exe"
},
@@ -38295,6 +49005,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d",
"value": "CreateMiniDump Hacktool"
},
@@ -38335,12 +49054,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
"https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -38365,8 +49084,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/med0x2e/status/1520402518685200384",
"https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
+ "https://twitter.com/med0x2e/status/1520402518685200384",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
],
"tags": [
@@ -38375,6 +49094,15 @@
"attack.t1212"
]
},
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bb76d96b-821c-47cf-944b-7ce377864492",
"value": "Suspicious NTLM Authentication on the Printer Spooler Service"
},
@@ -38425,6 +49153,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9f107a84-532c-41af-b005-8d12a607639f",
"value": "Cabinet File Expansion"
},
@@ -38449,6 +49186,15 @@
"attack.t1489"
]
},
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1",
"value": "Delete All Scheduled Tasks"
},
@@ -38498,6 +49244,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79",
"value": "TropicTrooper Campaign November 2018"
},
@@ -38514,9 +49269,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
"https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml"
],
"tags": [
@@ -38524,6 +49279,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1dd05363-104e-4b4a-b963-196a534b03a1",
"value": "Suspicious Mofcomp Execution"
},
@@ -38565,8 +49329,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
"https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
"https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml"
],
@@ -38576,6 +49340,15 @@
"attack.s0108"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3",
"value": "Firewall Disabled via Netsh"
},
@@ -38600,6 +49373,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d",
"value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl"
},
@@ -38626,6 +49408,15 @@
"attack.t1218.009"
]
},
+ "related": [
+ {
+ "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cc368ed0-2411-45dc-a222-510ace303cb2",
"value": "Regasm/Regsvcs Suspicious Execution"
},
@@ -38653,6 +49444,15 @@
"attack.t1185"
]
},
+ "related": [
+ {
+ "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449",
"value": "Browser Started with Remote Debugging"
},
@@ -38669,8 +49469,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
"https://www.pdq.com/pdq-deploy/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml"
],
"tags": [
@@ -38682,6 +49482,28 @@
"uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450",
"value": "Use of PDQ Deploy Remote Adminstartion Tool"
},
+ {
+ "description": "Detects suspicious PowerShell invocation command parameters",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_powershell_invocation_specific.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "536e2947-3729-478c-9903-745aaffe60d2",
+ "value": "Suspicious PowerShell Invocations - Specific - ProcessCreation"
+ },
{
"description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report",
"meta": {
@@ -38720,9 +49542,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
"https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://attack.mitre.org/techniques/T1036/",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
],
"tags": [
@@ -38730,6 +49551,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e",
"value": "Highly Relevant Renamed Binary"
},
@@ -38746,8 +49576,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml"
],
"tags": [
@@ -38755,9 +49585,51 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2",
"value": "Modification of Boot Configuration"
},
+ {
+ "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/05/24",
+ "falsepositive": [
+ "Other tools that work with encoded scripts in the command line instead of script files"
+ ],
+ "filename": "proc_creation_win_susp_powershell_encoded_cmd_patterns.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c",
+ "value": "Suspicious PowerShell Encoded Command Patterns"
+ },
{
"description": "Detect the harvesting of wifi credentials using netsh.exe",
"meta": {
@@ -38804,6 +49676,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb",
"value": "Schtasks From Suspicious Folders"
},
@@ -38829,6 +49710,15 @@
"attack.t1552.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86",
"value": "Suspicious SYSVOL Domain Group Policy Access"
},
@@ -38855,6 +49745,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "81325ce1-be01-4250-944f-b4789644556f",
"value": "Suspicious Schtasks From Env Var Folder"
},
@@ -38871,8 +49770,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -38896,8 +49795,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
],
"tags": [
@@ -38929,6 +49828,15 @@
"attack.t1218.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0",
"value": "Regsvr32 Flags Anomaly"
},
@@ -38945,9 +49853,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
],
"tags": [
@@ -38997,8 +49905,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
"https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml"
],
"tags": [
@@ -39031,6 +49939,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0",
"value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines"
},
@@ -39047,9 +49964,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
"https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
],
"tags": [
@@ -39057,6 +49974,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e",
"value": "LSASS Memory Dumping"
},
@@ -39081,6 +50007,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0a13e132-651d-11eb-ae93-0242ac130002",
"value": "Suspicious Auditpol Usage"
},
@@ -39106,6 +50041,15 @@
"attack.t1564.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "efec536f-72e8-4656-8960-5e85d091345b",
"value": "Set Suspicious Files as System Files Using Attrib"
},
@@ -39130,6 +50074,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "883835a7-df45-43e4-bf1d-4268768afda4",
"value": "Regedit as Trusted Installer"
},
@@ -39146,8 +50099,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/schroedingers-petya/78870/",
"https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
+ "https://securelist.com/schroedingers-petya/78870/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
],
"tags": [
@@ -39159,6 +50112,29 @@
"car.2016-04-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1",
"value": "NotPetya Ransomware Activity"
},
@@ -39175,8 +50151,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://asec.ahnlab.com/en/38156/",
"https://github.com/fatedier/frp",
+ "https://asec.ahnlab.com/en/38156/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml"
],
"tags": [
@@ -39184,6 +50160,15 @@
"attack.t1090"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "32410e29-5f94-4568-b6a3-d91a8adad863",
"value": "Fast Reverse Proxy (FRP)"
},
@@ -39201,9 +50186,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
"https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://attack.mitre.org/techniques/T1036/",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
],
"tags": [
@@ -39211,6 +50195,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142",
"value": "Renamed Binary"
},
@@ -39227,7 +50220,6 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/techniques/T1196/",
"https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml"
],
@@ -39239,6 +50231,22 @@
"attack.t1546"
]
},
+ "related": [
+ {
+ "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4",
"value": "Control Panel Items"
},
@@ -39263,6 +50271,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "344482e4-a477-436c-aa70-7536d18a48c7",
"value": "Execution via MSSQL Xp_cmdshell Stored Procedure"
},
@@ -39280,8 +50297,8 @@
"logsource.product": "windows",
"refs": [
"https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
],
@@ -39293,6 +50310,29 @@
"car.2013-07-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167",
"value": "Grabbing Sensitive Hives via Reg Utility"
},
@@ -39309,12 +50349,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://www.joeware.net/freetools/tools/adfind/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
],
"tags": [
@@ -39325,6 +50365,22 @@
"attack.t1069.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9a132afa-654e-11eb-ae93-0242ac130002",
"value": "AdFind Usage Detection"
},
@@ -39341,11 +50397,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://blog.alyac.co.kr/1901",
+ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
"https://en.wikipedia.org/wiki/Hangul_(word_processor)",
"https://twitter.com/cyberwar_15/status/1187287262054076416",
- "https://blog.alyac.co.kr/1901",
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
- "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
],
"tags": [
@@ -39357,6 +50413,22 @@
"attack.g0032"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "023394c4-29d5-46ab-92b8-6a534c6f447b",
"value": "Suspicious HWP Sub Processes"
},
@@ -39381,6 +50453,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b",
"value": "UAC Bypass via Windows Firewall Snap-In Hijack"
},
@@ -39405,6 +50486,15 @@
"attack.t1555.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513",
"value": "Launch WebBrowserPassView Executable"
},
@@ -39445,8 +50535,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
"https://github.com/quarkslab/quarkspwdump",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml"
],
"tags": [
@@ -39454,6 +50544,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0685b176-c816-4837-8e7b-1216f346636b",
"value": "Quarks PwDump Usage"
},
@@ -39478,6 +50577,15 @@
"attack.t1572"
]
},
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d",
"value": "Suspicious SSH Usage RDP Tunneling"
},
@@ -39494,9 +50602,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
"https://twitter.com/nas_bench/status/1534957360032120833",
- "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"
],
"tags": [
@@ -39507,6 +50615,29 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2",
"value": "WinDbg/CDB LOLBIN Usage"
},
@@ -39523,8 +50654,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml"
],
"tags": [
@@ -39534,6 +50665,29 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce",
"value": "Shadow Copies Creation Using Operating Systems Utilities"
},
@@ -39558,6 +50712,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b1876533-4ed5-4a83-90f3-b8645840a413",
"value": "SafetyKatz Hack Tool"
},
@@ -39583,6 +50746,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "09af397b-c5eb-4811-b2bb-08b3de464ebf",
"value": "WMI Reconnaissance List Remote Services"
},
@@ -39609,6 +50781,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d",
"value": "Fireball Archer Install"
},
@@ -39636,6 +50817,22 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d",
"value": "Microsoft Workflow Compiler"
},
@@ -39652,8 +50849,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Print/",
"https://twitter.com/Oddvarmoe/status/985518877076541440",
+ "https://lolbas-project.github.io/lolbas/Binaries/Print/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml"
],
"tags": [
@@ -39661,6 +50858,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
"value": "Abusing Print Executable"
},
@@ -39677,8 +50883,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
"https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
],
"tags": [
@@ -39713,6 +50919,15 @@
"attack.t1059.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f",
"value": "Elise Backdoor"
},
@@ -39738,6 +50953,15 @@
"attack.t1106"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4a12fa47-c735-4032-a214-6fab5b120670",
"value": "Lazarus Activity Apr21"
},
@@ -39786,6 +51010,15 @@
"attack.t1555.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b",
"value": "Potential Browser Data Stealing"
},
@@ -39802,7 +51035,6 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/techniques/T1564/006/",
"https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
@@ -39813,6 +51045,22 @@
"attack.t1564"
]
},
+ "related": [
+ {
+ "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bab049ca-7471-4828-9024-38279a4c04da",
"value": "Detect Virtualbox Driver Installation OR Starting Of VMs"
},
@@ -39837,6 +51085,15 @@
"attack.t1588.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f",
"value": "Renamed SysInternals Debug View"
},
@@ -39854,8 +51111,8 @@
"logsource.product": "windows",
"refs": [
"https://www.echotrail.io/insights/search/mshta.exe",
- "https://en.wikipedia.org/wiki/HTML_Application",
"https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://en.wikipedia.org/wiki/HTML_Application",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml"
],
"tags": [
@@ -39863,6 +51120,15 @@
"attack.t1106"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba",
"value": "Suspicious MSHTA Process Patterns"
},
@@ -39888,32 +51154,6 @@
"uuid": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf",
"value": "Potential COM Objects Download Cradles Usage - Process Creation"
},
- {
- "description": "Detects suspicious encoded character syntax often used for defense evasion",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2020/07/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_powershell_encoded_param.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/0gtweet/status/1281103918693482496",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense_evasion",
- "attack.t1027"
- ]
- },
- "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6",
- "value": "PowerShell Encoded Character Syntax"
- },
{
"description": "Detects the use of 3proxy, a tiny free proxy server",
"meta": {
@@ -39927,8 +51167,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/3proxy/3proxy",
"https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml"
],
"tags": [
@@ -39936,6 +51176,15 @@
"attack.t1572"
]
},
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f38a82d2-fba3-4781-b549-525efbec8506",
"value": "3Proxy Usage"
},
@@ -39952,10 +51201,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
"https://curl.se/docs/manpage.html",
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://twitter.com/d1r4c/status/1279042657508081664",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml"
],
"tags": [
@@ -39964,6 +51213,22 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04",
"value": "Suspicious Curl File Upload"
},
@@ -39989,6 +51254,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d",
"value": "UAC Bypass Using IEInstal - Process"
},
@@ -40016,6 +51290,22 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132",
"value": "Suspicious ZipExec Execution"
},
@@ -40042,6 +51332,29 @@
"attack.t1132.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0",
"value": "DNS Exfiltration and Tunneling Tools Execution"
},
@@ -40066,6 +51379,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d",
"value": "Use of GoToAssist Remote Access Software"
},
@@ -40090,6 +51412,15 @@
"attack.t1552.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d",
"value": "Findstr GPP Passwords"
},
@@ -40129,9 +51460,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
"https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml"
],
"tags": [
@@ -40139,6 +51470,15 @@
"attack.t1218.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e",
"value": "Suspicious Regsvr32 Execution With Image Extension"
},
@@ -40164,6 +51504,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0",
"value": "Remote Code Execute via Winrm.vbs"
},
@@ -40182,8 +51531,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml"
],
"tags": [
@@ -40207,10 +51556,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1211636381086339073",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
+ "https://twitter.com/SBousseaden/status/1211636381086339073",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
],
"tags": [
@@ -40222,6 +51571,15 @@
"attack.t1021.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900",
"value": "Copy from Admin Share"
},
@@ -40247,6 +51605,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "49f2f17b-b4c8-4172-a68b-d5bf95d05130",
"value": "UAC Bypass via ICMLuaUtil"
},
@@ -40271,6 +51638,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c",
"value": "SharpEvtMute EvtMuteHook Load"
},
@@ -40298,6 +51674,22 @@
"attack.t1134.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cf0c254b-22f1-4b2b-8221-e137b3c0af94",
"value": "Impersonate Execution"
},
@@ -40314,8 +51706,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -40412,9 +51804,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://twitter.com/jonasLyk/status/1555914501802921984",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
],
"tags": [
@@ -40422,6 +51814,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b",
"value": "Use NTFS Short Name in Image"
},
@@ -40447,6 +51848,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20",
"value": "Renamed PowerShell"
},
@@ -40471,6 +51881,15 @@
"attack.t1539"
]
},
+ "related": [
+ {
+ "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4833155a-4053-4c9c-a997-777fcea0baa7",
"value": "SQLite Firefox Cookie DB Access"
},
@@ -40488,8 +51907,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/hexacorn/status/1448037865435320323",
"https://twitter.com/Gal_B1t/status/1062971006078345217",
+ "https://twitter.com/hexacorn/status/1448037865435320323",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml"
],
"tags": [
@@ -40571,6 +51990,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b",
"value": "InfDefaultInstall.exe .inf Execution"
},
@@ -40588,8 +52016,8 @@
"logsource.product": "windows",
"refs": [
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml"
],
"tags": [
@@ -40597,6 +52025,15 @@
"attack.t1059.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48",
"value": "Operator Bloopers Cobalt Strike Modules"
},
@@ -40613,8 +52050,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/948061991012327424",
"https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+ "https://twitter.com/bohops/status/948061991012327424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml"
],
"tags": [
@@ -40622,6 +52059,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429",
"value": "Execution via CL_Invocation.ps1"
},
@@ -40741,6 +52187,15 @@
"attack.t1135"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "75925535-ca97-4e0a-a850-00b5c00779dc",
"value": "Automated Turla Group Lateral Movement"
},
@@ -40765,6 +52220,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c",
"value": "Execute From Alternate Data Streams"
},
@@ -40811,6 +52275,15 @@
"attack.t1484.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ada4b0c4-758b-46ac-9033-9004613a150d",
"value": "Modify Group Policy Settings"
},
@@ -40837,6 +52310,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5",
"value": "Execute Arbitrary Commands Using MSDT.EXE"
},
@@ -40861,6 +52343,15 @@
"attack.t1552.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1",
"value": "Enumeration for Credentials in Registry"
},
@@ -40885,6 +52376,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff",
"value": "Custom Class Execution via Xwizard"
},
@@ -40901,10 +52401,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
"https://twitter.com/BleepinComputer/status/1372218235949617161",
"https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
"https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
],
@@ -40914,6 +52414,15 @@
"attack.t1053"
]
},
+ "related": [
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7",
"value": "Exchange Exploitation Activity"
},
@@ -40931,8 +52440,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
- "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
],
"tags": [
@@ -40941,6 +52450,22 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b7155193-8a81-4d8f-805d-88de864ca50c",
"value": "UNC2452 PowerShell Pattern"
},
@@ -40967,6 +52492,22 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8",
"value": "Sysmon Driver Unload"
},
@@ -41015,6 +52556,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710",
"value": "Java Running with Remote Debugging"
},
@@ -41056,8 +52606,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
"https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
"https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
"https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
@@ -41088,9 +52638,53 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7453575c-a747-40b9-839b-125a0aae324b",
"value": "Unidentified Attacker November 2018"
},
+ {
+ "description": "Detects suspicious encoded character syntax often used for defense evasion",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2020/07/09",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_powershell_obfuscation_via_utf8.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1281103918693482496",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense_evasion",
+ "attack.t1027"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6",
+ "value": "Potential PowerShell Obfuscation Via WCHAR"
+ },
{
"description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin",
"meta": {
@@ -41106,8 +52700,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
+ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
],
"tags": [
@@ -41139,6 +52733,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "145322e4-0fd3-486b-81ca-9addc75736d8",
"value": "Use of UltraVNC Remote Access Software"
},
@@ -41164,6 +52767,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b",
"value": "Suspicious Scheduled Task Name As GUID"
},
@@ -41189,6 +52801,15 @@
"attack.t1021.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423",
"value": "WinRM Access with Evil-WinRM"
},
@@ -41214,9 +52835,42 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602",
"value": "Scheduled Task WScript VBScript"
},
+ {
+ "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_appx_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "f91ed517-a6ba-471d-9910-b3b4a398c0f3",
+ "value": "Suspicious Windows App Activity"
+ },
{
"description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.",
"meta": {
@@ -41239,6 +52893,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5b80cf53-3a46-4adc-960b-05ec19348d74",
"value": "Wscript Execution from Non C Drive"
},
@@ -41263,6 +52926,15 @@
"attack.t1027.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7b10f171-7f04-47c7-9fa2-5be43c76e535",
"value": "Visual Basic Command Line Compiler Usage"
},
@@ -41324,9 +52996,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
],
"tags": [
@@ -41351,8 +53023,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml"
],
"tags": [
@@ -41385,6 +53057,15 @@
"attack.initial_access"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e",
"value": "Arbitrary Shell Command Execution Via Settingcontent-Ms"
},
@@ -41401,8 +53082,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/regsvr32.exe",
"https://redcanary.com/blog/intelligence-insights-april-2022/",
+ "https://www.echotrail.io/insights/search/regsvr32.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml"
],
"tags": [
@@ -41410,6 +53091,15 @@
"attack.t1218.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca",
"value": "Regsvr32 Spawning Explorer"
},
@@ -41426,8 +53116,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml"
],
"tags": [
@@ -41436,6 +53126,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "40f9af16-589d-4984-b78d-8c2aec023197",
"value": "High Integrity Sdclt Process"
},
@@ -41452,8 +53151,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
"https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html",
+ "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
"https://github.com/lukebaggett/dnscat2-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml"
],
@@ -41465,6 +53164,36 @@
"attack.t1041"
]
},
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b11d75d6-d7c1-11ea-87d0-0242ac130003",
"value": "DNSCat2 Powershell Implementation Detection Via Process Creation"
},
@@ -41490,6 +53219,22 @@
"attack.t1059.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e",
"value": "Node Process Executions"
},
@@ -41507,8 +53252,8 @@
"logsource.product": "windows",
"refs": [
"https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
- "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
"https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/",
+ "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml"
],
"tags": [
@@ -41517,6 +53262,15 @@
"car.2016-03-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "526be59f-a573-4eea-b5f7-f0973207634d",
"value": "Suspicious WMIC Execution"
},
@@ -41542,6 +53296,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b",
"value": "Suspicious Modification Of Scheduled Tasks"
},
@@ -41568,33 +53331,18 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b3512211-c67e-4707-bedc-66efc7848863",
"value": "Potential PowerShell Downgrade Attack"
},
- {
- "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe",
- "meta": {
- "author": "Avneet Singh @v3t0_, oscd.community",
- "creation_date": "2020/10/18",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_tracker_execution.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1055.001"
- ]
- },
- "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea",
- "value": "DLL Injection with Tracker.exe"
- },
{
"description": "Detects suspicious process patterns found in logs when CrackMapExec is used",
"meta": {
@@ -41616,6 +53364,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6",
"value": "CrackMapExec Process Patterns"
},
@@ -41643,6 +53400,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767",
"value": "Suspicious Copy From or To System32"
},
@@ -41669,6 +53435,22 @@
"attack.persistence"
]
},
+ "related": [
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728",
"value": "Writing Of Malicious Files To The Fonts Folder"
},
@@ -41695,6 +53477,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88",
"value": "Invoke-Obfuscation Via Use MSHTA"
},
@@ -41719,9 +53510,51 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d",
"value": "Use of LogMeIn Remote Access Software"
},
+ {
+ "description": "Detects powershell scripts that import modules from suspicious directories",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_import_module_susp_dirs.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3",
+ "value": "Import PowerShell Modules From Suspicious Directories - ProcCreation"
+ },
{
"description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities",
"meta": {
@@ -41743,6 +53576,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d",
"value": "Compress Data and Lock With Password for Exfiltration With WINZIP"
},
@@ -41768,6 +53610,15 @@
"attack.t1564.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b",
"value": "Set Windows System File with Attrib"
},
@@ -41798,6 +53649,15 @@
"attack.t1135"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f",
"value": "Turla Group Lateral Movement"
},
@@ -41822,6 +53682,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4b13db67-0c45-40f1-aba8-66a1a7198a1e",
"value": "Suspicious Extrac32 Alternate Data Stream Execution"
},
@@ -41848,6 +53717,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6",
"value": "NodejsTools PressAnyKey Lolbin"
},
@@ -41872,6 +53750,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eee00933-a761-4cd0-be70-c42fe91731e7",
"value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL"
},
@@ -41913,10 +53800,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
"https://nodejs.org/api/cli.html",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
],
"tags": [
@@ -41924,6 +53811,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd",
"value": "Node.exe Process Abuse"
},
@@ -41949,6 +53845,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85",
"value": "PowerShell Script Run in AppData"
},
@@ -41965,9 +53870,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/hfiref0x/UACME",
- "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
],
"tags": [
@@ -41976,6 +53881,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc",
"value": "UAC Bypass Using ChangePK and SLUI"
},
@@ -41992,8 +53906,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
"https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
+ "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml"
],
"tags": [
@@ -42004,6 +53918,22 @@
"attack.t1566.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a",
"value": "Droppers Exploiting CVE-2017-11882"
},
@@ -42029,6 +53959,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f",
"value": "Fsutil Behavior Set SymlinkEvaluation"
},
@@ -42053,6 +53992,15 @@
"attack.t1552.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929",
"value": "Findstr LSASS"
},
@@ -42092,8 +54040,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://adsecurity.org/?p=2604",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml"
@@ -42103,6 +54051,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180",
"value": "Change PowerShell Policies to an Insecure Level"
},
@@ -42119,9 +54076,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://twitter.com/pabraeken/status/990717080805789697",
"https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml"
],
"tags": [
@@ -42155,6 +54112,15 @@
"attack.t1090"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63",
"value": "Netsh RDP Port Forwarding"
},
@@ -42203,6 +54169,15 @@
"attack.t1090.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c",
"value": "Tor Client or Tor Browser Use"
},
@@ -42219,12 +54194,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/shantanukhande/status/1229348874298388484",
+ "https://twitter.com/Wietze/status/1542107456507203586",
"https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
"https://twitter.com/Hexacorn/status/1224848930795552769",
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
"https://twitter.com/SBousseaden/status/1167417096374050817",
- "https://twitter.com/Wietze/status/1542107456507203586",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml"
],
"tags": [
@@ -42235,6 +54210,15 @@
"car.2013-05-009"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "646ea171-dded-4578-8a4d-65e9822892e3",
"value": "Process Dump via Rundll32 and Comsvcs.dll"
},
@@ -42251,16 +54235,16 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
"https://twitter.com/_xpn_/status/1268712093928378368",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml"
],
"tags": [
@@ -42268,11 +54252,20 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "41421f44-58f9-455d-838a-c398859841d4",
"value": "ETW Logging Tamper In .NET Processes"
},
{
- "description": "Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec",
+ "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec",
"meta": {
"author": "Nasreddine Bencherchali",
"creation_date": "2022/09/06",
@@ -42292,8 +54285,17 @@
"attack.t1106"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702",
- "value": "Potential WinAPI Access Via CommandLine"
+ "value": "Potential WinAPI Calls Via CommandLine"
},
{
"description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder",
@@ -42316,6 +54318,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9494479d-d994-40bf-a8b1-eea890237021",
"value": "Suspicious Add Scheduled Task Parent"
},
@@ -42341,6 +54352,15 @@
"car.2013-08-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf",
"value": "Windows 10 Scheduled Task SandboxEscaper 0-day"
},
@@ -42357,8 +54377,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
"https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml"
],
"tags": [
@@ -42366,6 +54386,15 @@
"attack.t1482"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "410ad193-a728-4107-bc79-4419789fcbf8",
"value": "Trickbot Malware Recon Activity"
},
@@ -42413,6 +54442,15 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "93199800-b52a-4dec-b762-75212c196542",
"value": "RunXCmd Tool Execution As System"
},
@@ -42429,8 +54467,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/990758590020452353",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
+ "https://twitter.com/pabraeken/status/990758590020452353",
"https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
],
@@ -42439,6 +54477,15 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2",
"value": "Malicious PE Execution by Microsoft Visual Studio Debugger"
},
@@ -42467,6 +54514,29 @@
"attack.t1059.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5cddf373-ef00-4112-ad72-960ac29bac34",
"value": "Koadic Execution"
},
@@ -42491,6 +54561,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e",
"value": "Disable Windows IIS HTTP Logging"
},
@@ -42515,6 +54594,15 @@
"attack.t1217"
]
},
+ "related": [
+ {
+ "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a",
"value": "Suspicious Where Execution"
},
@@ -42532,8 +54620,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://curl.se/docs/manpage.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
+ "https://curl.se/docs/manpage.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml"
],
"tags": [
@@ -42541,6 +54629,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3286d37a-00fd-41c2-a624-a672dcd34e60",
"value": "Suspicious Curl Change User Agents"
},
@@ -42565,6 +54662,15 @@
"attack.t1555.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c",
"value": "Windows Credential Manager Access via VaultCmd"
},
@@ -42605,8 +54711,8 @@
"logsource.product": "windows",
"refs": [
"https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
- "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
"https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
+ "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml"
],
"tags": [
@@ -42616,6 +54722,22 @@
"attack.privilege_escalation"
]
},
+ "related": [
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd",
"value": "SOURGUM Actor Behaviours"
},
@@ -42632,8 +54754,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml"
],
"tags": [
@@ -42641,6 +54763,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40",
"value": "Deletion of Volume Shadow Copies via WMI with PowerShell"
},
@@ -42657,9 +54788,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/vysecurity/status/974806438316072960",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
"https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
- "https://twitter.com/vysecurity/status/974806438316072960",
"https://twitter.com/vysecurity/status/873181705024266241",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
],
@@ -42668,6 +54799,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "93671f99-04eb-4ab4-a161-70d446a84003",
"value": "Capture Credentials with Rpcping.exe"
},
@@ -42694,6 +54834,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1a1ed54a-2ba4-4221-94d5-01dee560d71e",
"value": "Renamed CreateDump Process Dump"
},
@@ -42710,8 +54859,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
"https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
],
"tags": [
@@ -42720,6 +54869,22 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1",
"value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code"
},
@@ -42736,9 +54901,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
- "https://github.com/jpillora/chisel/",
"https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
+ "https://github.com/jpillora/chisel/",
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml"
],
"tags": [
@@ -42746,6 +54911,15 @@
"attack.t1090.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5",
"value": "Chisel Tunneling Tool Usage"
},
@@ -42770,6 +54944,15 @@
"attack.t1557.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19",
"value": "Impacket Tool Execution"
},
@@ -42810,8 +54993,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
"https://twitter.com/pabraeken/status/993497996179492864",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml"
],
"tags": [
@@ -42843,6 +55026,15 @@
"attack.t1567"
]
},
+ "related": [
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1f0f6176-6482-4027-b151-00071af39d7e",
"value": "Suspicious ConfigSecurityPolicy Execution"
},
@@ -42859,8 +55051,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_xpn_/status/1491557187168178176",
"https://www.youtube.com/watch?v=Ie831jF0bb0",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml"
],
"tags": [
@@ -42870,6 +55062,22 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6",
"value": "Process Access via TrolleyExpress Exclusion"
},
@@ -42886,9 +55094,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml"
],
"tags": [
@@ -42921,6 +55129,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7f741dcf-fc22-4759-87b4-9ae8376676a2",
"value": "Bypass UAC via Fodhelper.exe"
},
@@ -42945,6 +55162,15 @@
"attack.t1090"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "68d37776-61db-42f5-bf54-27e87072d17e",
"value": "NPS Tunneling Tool"
},
@@ -42970,6 +55196,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578",
"value": "Dumpert Process Dumper"
},
@@ -43020,6 +55255,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "056a7ee1-4853-4e67-86a0-3fd9ceed7555",
"value": "Invoke-Obfuscation RUNDLL LAUNCHER"
},
@@ -43044,6 +55288,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51",
"value": "Suspicious Dosfuscation Character in Commandline"
},
@@ -43068,6 +55321,15 @@
"attack.t1552.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e",
"value": "Discover Private Keys"
},
@@ -43093,6 +55355,15 @@
"attack.t1556.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b7966f4a-b333-455b-8370-8ca53c229762",
"value": "Dropping Of Password Filter DLL"
},
@@ -43120,6 +55391,22 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c",
"value": "Turla Group Commands May 2020"
},
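Review bot: This entry keeps its visible `attack.t1027` tag, but the new `related` array contains only two technique UUIDs, which elsewhere in this diff accompany the `attack.t1059.001` and `attack.t1053.005` tags; no entry corresponding to T1027 is emitted. The Emotet Process Creation entry later in the file shows the same gap (visible `attack.t1027` tag, a single related entry for T1059.001), so the relationship script's technique-to-UUID lookup may be failing for T1027 rather than this being a one-off; worth checking before the next regeneration. The tag list for this entry starts above the hunk, so other tags may also be unmapped.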
@@ -43144,6 +55431,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba",
"value": "Net WebClient Casing Anomalies"
},
@@ -43168,6 +55464,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea",
"value": "Suspicious Rundll32 Activity Invoking Sys File"
},
@@ -43209,8 +55514,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml"
],
"tags": [
@@ -43218,6 +55523,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb",
"value": "File Download Using ProtocolHandler.exe"
},
@@ -43242,13 +55556,22 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5",
"value": "Add User to Local Administrators"
},
{
- "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases)",
+ "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) viq CommandLine",
"meta": {
- "author": "James Pemberton / @4A616D6573",
+ "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger",
"creation_date": "2019/10/24",
"falsepositive": [
"Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer."
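Review bot: The new description ends with `viq CommandLine`, a typo for `via CommandLine`, and the appended phrase duplicates "commandline tools" earlier in the same sentence. If this text mirrors the upstream Sigma rule, correct it there (`... cmdlets (including aliases) via CommandLine`, or simply drop the suffix) and regenerate, rather than patching the JSON by hand. The `author` field now packs five contributors into one comma-separated string, which is consistent with the rest of the cluster but worth keeping in mind for any consumer that expects a single name.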
@@ -43259,6 +55582,7 @@
"logsource.product": "windows",
"refs": [
"https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
+ "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
"https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml"
],
@@ -43267,6 +55591,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d",
"value": "Usage Of Web Request Commands And Cmdlets"
},
@@ -43291,6 +55624,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc",
"value": "Winrar Compressing Dump Files"
},
@@ -43307,10 +55649,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
"https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
"https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
"https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/",
+ "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml"
],
"tags": [
@@ -43320,6 +55662,15 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18",
"value": "Emotet Process Creation"
},
@@ -43337,8 +55688,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml"
],
@@ -43348,6 +55699,15 @@
"attack.t1087.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0",
"value": "Suspicious Reconnaissance Activity Using Net"
},
@@ -43374,6 +55734,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002",
"value": "Invoke-Obfuscation STDIN+ Launcher"
},
@@ -43424,6 +55793,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6",
"value": "WMI Spawning Windows PowerShell"
},
@@ -43452,6 +55837,22 @@
"attack.t1114"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "25676e10-2121-446e-80a4-71ff8506af47",
"value": "Exchange PowerShell Snap-Ins Usage"
},
@@ -43477,6 +55878,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86",
"value": "UAC Bypass Using DismHost"
},
@@ -43503,6 +55913,15 @@
"attack.s0040"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e",
"value": "Htran or NATBypass Markers"
},
@@ -43528,6 +55947,15 @@
"attack.t1529"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10",
"value": "Suspicious Execution of Shutdown to Log Out"
},
@@ -43544,9 +55972,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
- "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
"https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
+ "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
+ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
],
"tags": [
@@ -43554,6 +55982,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d06be4b9-8045-428b-a567-740a26d9db25",
"value": "Verclsid.exe Runs COM Object"
},
@@ -43570,8 +56007,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
"https://ss64.com/nt/mklink.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml"
],
"tags": [
@@ -43607,6 +56044,29 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3",
"value": "Command Line Execution with Suspicious URL and AppData Strings"
},
@@ -43664,6 +56124,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fa4b21c9-0057-4493-b289-2556416ae4d7",
"value": "Squirrel Lolbin"
},
@@ -43681,9 +56150,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
- "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2",
"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2",
+ "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml"
],
"tags": [
@@ -43691,6 +56160,15 @@
"attack.t1204"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c",
"value": "DarkSide Ransomware Pattern"
},
@@ -43760,6 +56238,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6004abd0-afa4-4557-ba90-49d172e0a299",
"value": "Execute Pcwrun.EXE To Leverage Follina"
},
@@ -43784,6 +56271,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61",
"value": "Suspicious Use of CSharp Interactive Console"
},
@@ -43800,8 +56296,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
+ "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml"
],
"tags": [
@@ -43809,6 +56305,15 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c",
"value": "Netsh Port or Application Allowed"
},
@@ -43834,6 +56339,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7",
"value": "Suspicious Rundll32 Script in CommandLine"
},
@@ -43883,6 +56397,15 @@
"attack.t1552.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "47e4bab7-c626-47dc-967b-255608c9a920",
"value": "Suspicious Recon Activity Using Findstr Keywords"
},
@@ -43900,9 +56423,9 @@
"logsource.product": "windows",
"refs": [
"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/antonioCoco/RogueWinRM",
+ "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
],
"tags": [
@@ -43910,6 +56433,15 @@
"attack.t1134.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d",
"value": "Suspicious Child Process Created as System"
},
@@ -43926,11 +56458,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
- "https://www.joesandbox.com/analysis/443736/0/html",
"https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
+ "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
"https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
"https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
+ "https://www.joesandbox.com/analysis/443736/0/html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml"
],
"tags": [
@@ -43939,6 +56471,15 @@
"attack.g0115"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5",
"value": "REvil Kaseya Incident Malware Patterns"
},
@@ -43955,8 +56496,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml"
],
"tags": [
@@ -43989,6 +56530,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529",
"value": "CobaltStrike Load by Rundll32"
},
@@ -44039,7 +56589,7 @@
"value": "Network Sniffing"
},
{
- "description": "Detects a suspicious parents of powershell.exe",
+ "description": "Detects a suspicious parents of powershell.exe process",
"meta": {
"author": "Teymur Kheirkhabarov, Harish Segar (rule)",
"creation_date": "2020/03/20",
@@ -44059,6 +56609,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "754ed792-634f-40ae-b3bc-e0448d33f695",
"value": "Suspicious PowerShell Parent Process"
},
@@ -44075,8 +56634,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
"https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
+ "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
"https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
"https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml"
@@ -44086,6 +56645,15 @@
"attack.t1134.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "52ff7941-8211-46f9-84f8-9903efb7077d",
"value": "PPID Spoofing Tool Usage"
},
@@ -44102,9 +56670,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
"https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml"
],
@@ -44126,9 +56694,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
"https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
"https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
],
"tags": [
@@ -44161,6 +56729,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "129966c9-de17-4334-a123-8b58172e664d",
"value": "Suspicious Dump64.exe Execution"
},
@@ -44188,6 +56765,22 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f37aba28-a9e6-4045-882c-d5004043b337",
"value": "Suspicious Cmdl32 Execution"
},
@@ -44204,8 +56797,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
+ "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
"https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml"
],
@@ -44214,6 +56807,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fb843269-508c-4b76-8b8d-88679db22ce7",
"value": "Suspicious Execution of Powershell with Base64"
},
@@ -44238,6 +56840,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94",
"value": "Use of Anydesk Remote Access Software"
},
@@ -44254,8 +56865,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml"
],
"tags": [
@@ -44263,6 +56874,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002",
"value": "Suspicious Atbroker Execution"
},
@@ -44289,6 +56909,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf",
"value": "Invoke-Obfuscation Obfuscated IEX Invocation"
},
@@ -44305,9 +56934,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
"https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
"https://github.com/fireeye/DueDLLigence",
- "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
],
"tags": [
@@ -44315,6 +56944,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd3d1298-eb3b-476c-ac67-12847de55813",
"value": "DLL Execution via Rasautou.exe"
},
@@ -44339,6 +56977,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a",
"value": "Hidden Powershell in Link File Pattern"
},
@@ -44355,9 +57002,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
"https://github.com/tevora-threat/SharpView/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml"
],
"tags": [
@@ -44369,6 +57016,29 @@
"attack.t1033"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d",
"value": "Suspicious Execution of SharpView Aka PowerView"
},
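Review bot: The entry still carries the tag `attack.t1033` but the new related list holds only three technique links, and unless one of those dest-uuids is the T1033 (System Owner/User Discovery) object, that tag has no counterpart — whereas the other entries in this diff get one link per technique tag. Worth checking whether the relationship script's tag-to-UUID table is missing T1033 or whether the tag was dropped upstream; otherwise consumers pivoting on related links will not find this rule for that technique. The tags array starts above the hunk, so the remaining tags are not visible here.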
@@ -44420,6 +57090,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3037d961-21e9-4732-b27a-637bcc7bf539",
"value": "Suspicious High IntegrityLevel Conhost Legacy Option"
},
@@ -44471,6 +57150,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b66474aa-bd92-4333-a16c-298155b120df",
"value": "Suspicious Powershell No File or Command"
},
@@ -44497,6 +57192,15 @@
"attack.s0108"
]
},
+ "related": [
+ {
+ "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "56321594-9087-49d9-bf10-524fe8479452",
"value": "Suspicious Netsh DLL Persistence"
},
@@ -44550,6 +57254,43 @@
"attack.t1003.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d",
"value": "Mimikatz Command Line"
},
@@ -44575,6 +57316,15 @@
"attack.t1485"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90",
"value": "Renamed Sysinternals Sdelete Usage"
},
@@ -44591,8 +57341,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cglyer/status/1183756892952248325",
"https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://twitter.com/cglyer/status/1183756892952248325",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml"
],
"tags": [
@@ -44616,10 +57366,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
"https://github.com/defaultnamehere/cookie_crimes/",
"https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
- "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
+ "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml"
],
"tags": [
@@ -44627,11 +57377,20 @@
"attack.t1185"
]
},
+ "related": [
+ {
+ "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4",
"value": "Potential Data Stealing Via Chromium Headless Debugging"
},
{
- "description": "Detects suspicious ways to run Invoke-Execution using IEX acronym",
+ "description": "Detects suspicious ways to run Invoke-Execution using IEX alias",
"meta": {
"author": "Florian Roth",
"creation_date": "2022/03/24",
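Review bot: The reworded description still names the cmdlet `Invoke-Execution`, which does not exist; `IEX` is the built-in alias for `Invoke-Expression`, so the line should read `"description": "Detects suspicious ways to run Invoke-Expression using the IEX alias",`. Because this cluster is generated from the SigmaHQ rules, the fix has to land in the upstream rule file or it will be overwritten on the next regeneration. The rest of this entry lies outside the hunk.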
@@ -44672,6 +57431,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916",
"value": "NTLM Coercion Via Certutil.exe"
},
@@ -44740,8 +57508,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cyber.wtf/2021/11/15/guess-whos-back/",
"https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html",
+ "https://cyber.wtf/2021/11/15/guess-whos-back/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml"
],
"tags": [
@@ -44749,6 +57517,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9",
"value": "Emotet RunDLL32 Process Creation"
},
@@ -44789,8 +57566,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml"
],
"tags": [
@@ -44798,6 +57575,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "da2738f2-fadb-4394-afa7-0a0674885afa",
"value": "Sdclt Child Processes"
},
@@ -44838,9 +57624,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/neonprimetime/status/1435584010202255375",
- "https://www.joesandbox.com/analysis/476188/1/iochtml",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
+ "https://www.joesandbox.com/analysis/476188/1/iochtml",
+ "https://twitter.com/neonprimetime/status/1435584010202255375",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml"
],
"tags": [
@@ -44848,6 +57634,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "894397c6-da03-425c-a589-3d09e7d1f750",
"value": "CVE-2021-40444 Process Pattern"
},
@@ -44864,8 +57659,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hvs-consulting.de/lazarus-report/",
"https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
+ "https://www.hvs-consulting.de/lazarus-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml"
],
"tags": [
@@ -44874,6 +57669,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "24c4d154-05a4-4b99-b57d-9b977472443a",
"value": "Lazarus Activity Dec20"
},
@@ -44890,8 +57694,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml"
],
"tags": [
@@ -44926,6 +57730,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "242301bc-f92f-4476-8718-78004a6efd9f",
"value": "Suspicious Load DLL via CertOC.exe"
},
@@ -44951,6 +57764,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ca6bd18-0ba0-44ca-851c-92ed89a61085",
"value": "UAC Bypass Using Consent and Comctl32 - Process"
},
@@ -44967,8 +57789,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
"https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
+ "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"
],
"tags": [
@@ -44976,6 +57798,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc",
"value": "Ie4uinit Lolbin Use From Invalid Path"
},
@@ -44992,8 +57823,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -45003,6 +57834,15 @@
"car.2019-04-001"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "be344333-921d-4c4d-8bb8-e584cf584780",
"value": "UAC Bypass via Event Viewer"
},
@@ -45052,6 +57892,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7",
"value": "Invoke-Obfuscation COMPRESS OBFUSCATION"
},
@@ -45068,8 +57917,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
],
"tags": [
@@ -45102,6 +57951,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d",
"value": "Download Arbitrary Files Via MSOHTMED.EXE"
},
@@ -45129,6 +57987,22 @@
"attack.t1566.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833",
"value": "Exploit for CVE-2017-0261"
},
@@ -45145,7 +58019,7 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/techniques/T1037/",
+ "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml"
],
"tags": [
@@ -45153,6 +58027,15 @@
"attack.persistence"
]
},
+ "related": [
+ {
+ "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458",
"value": "Logon Scripts (UserInitMprLogonScript)"
},
@@ -45177,6 +58060,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d",
"value": "Wmiprvse Spawning Process"
},
@@ -45202,6 +58094,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77",
"value": "New Network Provider - CommandLine"
},
@@ -45227,6 +58128,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f35c5d71-b489-4e22-a115-f003df287317",
"value": "CobaltStrike Process Patterns"
},
@@ -45253,6 +58163,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "af77cf95-c469-471c-b6a0-946c685c4798",
"value": "Proxy Execution via Wuauclt"
},
@@ -45270,7 +58189,6 @@
"logsource.product": "windows",
"refs": [
"https://github.com/vanhauser-thc/thc-hydra",
- "https://attack.mitre.org/techniques/T1110/001/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_hydra.yml"
],
"tags": [
@@ -45295,8 +58213,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
"https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
],
"tags": [
@@ -45329,6 +58247,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8",
"value": "UAC Bypass Tools Using ComputerDefaults"
},
@@ -45370,10 +58297,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
"https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
],
"tags": [
@@ -45397,8 +58324,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
"https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
+ "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
],
"tags": [
@@ -45432,6 +58359,15 @@
"attack.t1197"
]
},
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d",
"value": "Monitoring For Persistence Via BITS"
},
@@ -45481,6 +58417,15 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2afafd61-6aae-4df4-baed-139fa1f4c345",
"value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)"
},
@@ -45520,8 +58465,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
"https://twitter.com/kmkz_security/status/1220694202301976576",
+ "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml"
],
"tags": [
@@ -45529,6 +58474,15 @@
"attack.t1563.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334",
"value": "MSTSC Shadowing"
},
@@ -45545,9 +58499,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=",
"https://twitter.com/cyb3rops/status/972186477512839170",
"https://securelist.com/apt-slingshot/84312/",
+ "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml"
],
"tags": [
@@ -45556,6 +58510,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e",
"value": "Equation Group DLL_U Load"
},
@@ -45573,8 +58536,8 @@
"logsource.product": "windows",
"refs": [
"https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
- "http://www.xuetr.com/",
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "http://www.xuetr.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml"
],
"tags": "No established tags"
@@ -45596,13 +58559,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
"https://twitter.com/xorJosh/status/1598646907802451969",
"https://ngrok.com/docs",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
"https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
"https://www.softwaretestinghelp.com/how-to-use-ngrok/",
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml"
],
"tags": [
@@ -45610,9 +58573,41 @@
"attack.t1572"
]
},
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31",
"value": "Ngrok Usage"
},
+ {
+ "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_set_unsecure_powershell_policy.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "cf2e938e-9a3e-4fe8-a347-411642b28a9f",
+ "value": "Potential PowerShell Execution Policy Tampering - ProcCreation"
+ },
{
"description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID",
"meta": {
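Review bot: The new "Potential PowerShell Execution Policy Tampering - ProcCreation" entry has only the tactic tag `attack.defense_evasion`, so unlike the other entries in this diff the relationship script produces no `related` technique link for it; if a technique mapping is intended (e.g. `attack.t1562.001`, to be confirmed against how upstream classifies this rule), it should be added to the sigma rule so the link is generated. Its single reference is the German-locale docs page; prefer the locale-neutral URL `https://learn.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3` so readers are not redirected by language. The combination of `"level": "high"` with `"falsepositive": ["Unknown"]` also deserves a look, since Set-ExecutionPolicy is routinely invoked by installers and admin scripts. All of these belong upstream, as this file is regenerated from the sigma repository.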
@@ -45650,10 +58645,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
"https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
],
"tags": [
@@ -45661,6 +58656,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b96b2031-7c17-4473-afe7-a30ce714db29",
"value": "Use of FSharp Interpreters"
},
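Review bot: Every relation added here, and in each of the later `related` hunks in this chunk starting with proc_creation_win_office_applications_spawning_wmi_commandline.yml, carries the identical `estimative-language:likelihood-probability="almost-certain"` tag and `"type": "related-to"`, with a bare `dest-uuid` and nothing stating which galaxy it resolves against. If, as the commit message suggests, the new relationship script derives these mechanically from the rule's `attack.*` tags, that should be stated where consumers will see it (the cluster-level `description`, which is outside this chunk, or the script's header) so the confidence label reads as "mapped from the rule's tags" rather than as an analyst assessment; a comment along the lines of `# related[]: one related-to edge per attack.t* tag; dest-uuid is the target technique's cluster UUID` would do. It is also worth confirming that the script drops a tag it cannot resolve instead of emitting a dangling `dest-uuid`, since nothing in the JSON lets a consumer validate the target.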
@@ -45677,8 +58681,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml"
],
"tags": [
@@ -45689,6 +58693,29 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a",
"value": "Office Applications Spawning Wmi Cli"
},
@@ -45705,9 +58732,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/995837734379032576",
"https://twitter.com/pabraeken/status/999090532839313408",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
+ "https://twitter.com/pabraeken/status/995837734379032576",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml"
],
"tags": [
@@ -45715,6 +58742,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34",
"value": "Execute Files with Msdeploy.exe"
},
@@ -45740,6 +58776,15 @@
"attack.t1528"
]
},
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75",
"value": "Suspicious Command With Teams Objects Pathes"
},
@@ -45756,8 +58801,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/735261176745988096",
"https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120",
+ "https://twitter.com/mattifestation/status/735261176745988096",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml"
],
"tags": [
@@ -45768,28 +58813,6 @@
"uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c",
"value": "Powershell AMSI Bypass via .NET Reflection"
},
- {
- "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)",
- "meta": {
- "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community",
- "creation_date": "2018/09/03",
- "falsepositive": "No established falsepositives",
- "filename": "proc_creation_win_susp_powershell_enc_cmd.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea",
- "value": "Suspicious Encoded PowerShell Command Line"
- },
{
"description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL",
"meta": {
@@ -45827,8 +58850,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/skelsec/pypykatz",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
+ "https://github.com/skelsec/pypykatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml"
],
"tags": [
@@ -45836,6 +58859,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404",
"value": "Registry Parse with Pypykatz"
},
@@ -45852,9 +58884,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
- "https://twitter.com/bohops/status/1477717351017680899?s=12",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
+ "https://twitter.com/bohops/status/1477717351017680899?s=12",
+ "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
],
"tags": [
@@ -45877,9 +58909,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://twitter.com/0gtweet/status/1564968845726580736",
"https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
],
"tags": [
@@ -45889,6 +58921,22 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f",
"value": "Suspicious Ldifde Command Usage"
},
@@ -45917,6 +58965,29 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde",
"value": "Windows Shell Spawning Suspicious Program"
},
@@ -45933,10 +59004,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
"https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
+ "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml"
],
"tags": [
@@ -45944,6 +59015,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37",
"value": "Accesschk Usage To Check Privileges"
},
@@ -45968,6 +59048,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd",
"value": "Use of TTDInject.exe"
},
@@ -45993,6 +59082,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43",
"value": "Using AppVLP To Circumvent ASR File Path Rule"
},
@@ -46009,10 +59107,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
"https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml"
],
"tags": [
@@ -46020,6 +59118,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002",
"value": "Suspicious Ping And Del Combination"
},
@@ -46046,6 +59153,15 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5",
"value": "Suspicious Scheduled Task Creation Involving Temp Folder"
},
@@ -46096,6 +59212,22 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f",
"value": "MsiExec Web Install"
},
@@ -46122,6 +59254,22 @@
"attack.t1059.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe",
"value": "GatherNetworkInfo.vbs Script Usage"
},
@@ -46148,6 +59296,22 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e",
"value": "LOLBIN Execution Of The FTP.EXE Binary"
},
@@ -46173,6 +59337,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c",
"value": "Exploiting CVE-2019-1388"
},
@@ -46197,6 +59370,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa",
"value": "Always Install Elevated MSI Spawned Cmd And Powershell"
},
@@ -46223,6 +59405,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48",
"value": "CreateDump Process Dump"
},
@@ -46272,6 +59463,15 @@
"attack.t1003.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1af57a4b-460a-4738-9034-db68b880c665",
"value": "PowerShell SAM Copy"
},
@@ -46296,6 +59496,15 @@
"attack.t1071"
]
},
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "03552375-cc2c-4883-bbe4-7958d5a980be",
"value": "SILENTTRINITY Stager Execution"
},
@@ -46312,9 +59521,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
- "https://github.com/GhostPack/Rubeus",
"https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
+ "https://github.com/GhostPack/Rubeus",
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml"
],
"tags": [
@@ -46325,6 +59534,15 @@
"attack.t1550.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18",
"value": "Rubeus Hack Tool"
},
@@ -46341,8 +59559,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/killamjr/status/1179034907932315648",
"https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/",
+ "https://twitter.com/killamjr/status/1179034907932315648",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml"
],
"tags": [
@@ -46350,6 +59568,15 @@
"attack.t1059.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040",
"value": "QBot Process Creation"
},
@@ -46376,6 +59603,22 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7",
"value": "PrintBrm ZIP Creation of Extraction"
},
@@ -46392,11 +59635,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
"https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
"https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
- "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml"
],
"tags": [
@@ -46415,6 +59658,43 @@
"attack.s0039"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac",
"value": "Net.exe Execution"
},
@@ -46440,6 +59720,22 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf",
"value": "Shadow Copies Access via Symlink"
},
@@ -46464,6 +59760,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9",
"value": "Renamed Msdt.exe"
},
@@ -46515,6 +59820,15 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "771d1eb5-9587-4568-95fb-9ec44153a012",
"value": "NSudo Tool Execution"
},
@@ -46539,6 +59853,15 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0403d67d-6227-4ea8-8145-4e72db7da120",
"value": "UtilityFunctions.ps1 Proxy Dll"
},
@@ -46555,10 +59878,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
- "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
"https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
"https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
+ "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
+ "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml"
],
"tags": [
@@ -46566,6 +59889,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "285b85b1-a555-4095-8652-a8a4106af63f",
"value": "Suspicious Rundll32 Setupapi.dll Activity"
},
@@ -46583,8 +59915,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"
],
"tags": [
@@ -46592,6 +59924,15 @@
"attack.t1136.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc",
"value": "Net.exe User Account Creation"
},
@@ -46608,8 +59949,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
+ "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml"
],
"tags": "No established tags"
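Review bot: The `"tags": "No established tags"` context line closing this hunk (proc_creation_win_susp_dtrace_kernel_dump.yml) leaves `tags` as a string where every other entry in this chunk has an array, and the regeneration does not correct it. Presumably the generator writes that sentinel when the Sigma rule has no tags; emitting `"tags": []` instead would keep the field single-typed so consumers can iterate unconditionally, and it would give the relationship script an empty list to walk rather than a string it has to special-case. The entry removed earlier in this chunk showed the same pattern as `"falsepositive": "No established falsepositives"`, so the fix belongs in the generator rather than in the JSON.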
@@ -46641,6 +59982,15 @@
"car.2013-07-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb",
"value": "Suspicious RDP Redirect Using TSCON"
},
@@ -46665,6 +60015,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f",
"value": "Use of NetSupport Remote Access Software"
},
@@ -46690,6 +60049,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0eb2107b-a596-422e-b123-b389d5594ed7",
"value": "Hurricane Panda Activity"
},
@@ -46717,6 +60085,15 @@
"attack.t1027"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1",
"value": "Suspicious Encoded Obfuscated LOAD String"
},
@@ -46733,8 +60110,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml"
],
"tags": [
@@ -46742,6 +60119,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3",
"value": "Potential Credential Dumping Via WER"
},
@@ -46768,6 +60154,22 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "277a4393-446c-449a-b0ed-7fdc7795244c",
"value": "Renamed FTP.EXE Binary Execution"
},
@@ -46784,8 +60186,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/chromeloader/",
"https://emkc.org/s/RJjuLa",
+ "https://redcanary.com/blog/chromeloader/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml"
],
"tags": [
@@ -46793,6 +60195,15 @@
"attack.t1176"
]
},
+ "related": [
+ {
+ "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e",
"value": "Powershell ChromeLoader Browser Hijacker"
},
@@ -46818,6 +60229,15 @@
"attack.t1496"
]
},
+ "related": [
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55",
"value": "Windows Crypto Mining Indicators"
},
@@ -46842,6 +60262,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568",
"value": "JSC Convert Javascript To Executable"
},
@@ -46869,6 +60298,15 @@
"car.2019-04-003"
]
},
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d",
"value": "Regsvr32 Anomaly"
},
@@ -46885,9 +60323,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml"
],
"tags": [
@@ -46895,6 +60333,15 @@
"attack.t1489"
]
},
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980",
"value": "Disable Important Scheduled Task"
},
@@ -46920,6 +60367,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955",
"value": "Execute MSDT Via Answer File"
},
@@ -46944,6 +60400,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "36210e0d-5b19-485d-a087-c096088885f0",
"value": "Suspicious PowerShell Parameter Substring"
},
@@ -46960,8 +60425,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Oddvarmoe/status/993383596244258816",
"https://twitter.com/_st0pp3r_/status/1560072680887525378",
+ "https://twitter.com/Oddvarmoe/status/993383596244258816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml"
],
"tags": [
@@ -46971,6 +60436,22 @@
"attack.t1216"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "18988e1b-9087-4f8a-82fe-0414dce49878",
"value": "Execute Code with Pester.bat as Parent"
},
@@ -46996,6 +60477,15 @@
"attack.t1546.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f",
"value": "Suspicious ScreenSave Change by Reg.exe"
},
@@ -47045,6 +60535,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c",
"value": "AnyDesk Inline Piped Password"
},
@@ -47061,9 +60560,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml"
],
"tags": [
@@ -47071,6 +60570,15 @@
"attack.t1055.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6345b048-8441-43a7-9bed-541133633d7a",
"value": "ZOHO Dctask64 Process Injection"
},
@@ -47095,6 +60603,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab",
"value": "Possible Exfiltration Of Data Via CLI"
},
@@ -47145,6 +60662,22 @@
"attack.t1027.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7",
"value": "Application Whitelisting Bypass via Dnx.exe"
},
@@ -47162,9 +60695,9 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
- "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
"https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
+ "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
],
"tags": [
@@ -47172,6 +60705,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a",
"value": "Use of VisualUiaVerifyNative.exe"
},
@@ -47196,6 +60738,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e31f89f7-36fb-4697-8ab6-48823708353b",
"value": "Suspicious Cmd Execution via WMI"
},
@@ -47220,6 +60771,15 @@
"attack.t1557.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12",
"value": "ADCSPwn Hack Tool"
},
@@ -47236,8 +60796,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/raspberry-robin/",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml"
],
"tags": [
@@ -47269,6 +60829,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5687f942-867b-4578-ade7-1e341c46e99a",
"value": "VMToolsd Suspicious Child Process"
},
@@ -47295,6 +60864,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78",
"value": "Scheduled Task Executing Powershell Encoded Payload from Registry"
},
@@ -47313,8 +60898,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
"https://github.com/swagkarna/Defeat-Defender-V1.2.0",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml"
],
"tags": [
@@ -47322,6 +60907,15 @@
"attack.t1222.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8",
"value": "File or Folder Permissions Modifications"
},
@@ -47348,6 +60942,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "178e615d-e666-498b-9630-9ed363038101",
"value": "Suspicious Elevated System Shell"
},
@@ -47401,6 +61004,22 @@
"attack.t1218.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e66779cc-383e-4224-a3a4-267eeb585c40",
"value": "Bypass UAC via CMSTP"
},
@@ -47418,9 +61037,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml"
],
"tags": [
@@ -47454,6 +61073,15 @@
"attack.s0029"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba",
"value": "PsExec Tool Execution"
},
@@ -47500,6 +61128,15 @@
"cve.2021.26857"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887",
"value": "CVE-2021-26857 Exchange Exploitation"
},
@@ -47524,6 +61161,15 @@
"attack.t1027.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7",
"value": "DefenderCheck Usage"
},
@@ -47540,8 +61186,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
"https://redcanary.com/blog/intelligence-insights-december-2021",
+ "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml"
],
"tags": [
@@ -47599,6 +61245,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "61ab5496-748e-4818-a92f-de78e20fe7f1",
"value": "Quick Execution of a Series of Suspicious Commands"
},
@@ -47616,8 +61271,8 @@
"logsource.product": "windows",
"refs": [
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -47652,6 +61307,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658",
"value": "UAC Bypass WSReset"
},
@@ -47725,6 +61389,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b8b1b304-a60f-4999-9a6e-c547bde03ffd",
"value": "DeviceCredentialDeployment Execution"
},
@@ -47741,8 +61414,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml"
],
"tags": [
@@ -47753,6 +61426,29 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead",
"value": "Office Applications Spawning Wmi Cli Alternate"
},
@@ -47777,6 +61473,15 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093",
"value": "Service Execution"
},
@@ -47802,6 +61507,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20",
"value": "Procdump Usage"
},
@@ -47827,6 +61541,15 @@
"attack.t1218.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "67f113fa-e23d-4271-befa-30113b3e08b1",
"value": "Mshta JavaScript Execution"
},
@@ -47852,6 +61575,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8",
"value": "Ruby Inline Command Execution"
},
@@ -47876,6 +61608,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563",
"value": "Suspicious Reg Add Open Command"
},
@@ -47902,6 +61643,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2",
"value": "Renamed PsExec"
},
@@ -47926,6 +61676,22 @@
"attack.t1059.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288",
"value": "WSF/JSE/JS/VBA/VBE File Execution"
},
@@ -47954,6 +61720,36 @@
"attack.t1027.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee",
"value": "Suspicious Parent of Csc.exe"
},
@@ -47980,6 +61776,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e",
"value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION"
},
@@ -47996,8 +61801,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml"
],
"tags": [
@@ -48046,8 +61851,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml"
],
"tags": [
@@ -48055,6 +61860,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0",
"value": "EvilNum Golden Chickens Deployment via OCX Files"
},
@@ -48079,6 +61893,15 @@
"attack.t1489"
]
},
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78",
"value": "Delete Important Scheduled Task"
},
@@ -48095,8 +61918,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
"https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
+ "https://github.com/byt3bl33d3r/CrackMapExec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml"
],
"tags": [
@@ -48106,6 +61929,22 @@
"attack.t1027.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf",
"value": "CrackMapExec PowerShell Obfuscation"
},
@@ -48132,6 +61971,15 @@
"attack.t1027.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b",
"value": "Findstr Launching .lnk File"
},
@@ -48180,6 +62028,15 @@
"attack.t1490"
]
},
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8",
"value": "Wbadmin Delete Systemstatebackup"
},
@@ -48204,6 +62061,15 @@
"attack.t1074.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98",
"value": "Zip A Folder With PowerShell For Staging In Temp"
},
@@ -48214,7 +62080,8 @@
"creation_date": "2019/09/26",
"falsepositive": [
"Admin activity",
- "Scripts and administrative tools used in the monitored environment"
+ "Scripts and administrative tools used in the monitored environment",
+ "Maintenance activity"
],
"filename": "proc_creation_win_susp_eventlog_clear.yml",
"level": "high",
@@ -48222,8 +62089,10 @@
"logsource.product": "windows",
"refs": [
"https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
],
"tags": [
@@ -48233,6 +62102,22 @@
"car.2016-04-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5",
"value": "Suspicious Eventlog Clear or Configuration Using Wevtutil"
},
@@ -48283,6 +62168,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13",
"value": "Write Protect For Storage Disabled"
},
@@ -48310,6 +62204,22 @@
"attack.t1134.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "15619216-e993-4721-b590-4c520615a67d",
"value": "Meterpreter or Cobalt Strike Getsystem Service Start"
},
@@ -48334,6 +62244,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b",
"value": "Suspicious Certreq Command to Download"
},
@@ -48357,6 +62276,15 @@
"attack.t1489"
]
},
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eb87818d-db5d-49cc-a987-d5da331fbd90",
"value": "Stop Windows Service"
},
@@ -48381,6 +62309,22 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559",
"value": "Process Creation with Renamed BrowserCore.exe"
},
@@ -48405,6 +62349,15 @@
"attack.t1049"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81",
"value": "Suspicious Listing of Network Connections"
},
@@ -48429,6 +62382,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "02b18447-ea83-4b1b-8805-714a8a34546a",
"value": "Suspicious OfflineScannerShell.exe Execution From Another Folder"
},
@@ -48456,6 +62418,15 @@
"attack.t1083"
]
},
+ "related": [
+ {
+ "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "38646daa-e78f-4ace-9de0-55547b2d30da",
"value": "Seatbelt PUA Tool"
},
@@ -48481,6 +62452,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793",
"value": "UAC Bypass Abusing Winsat Path Parsing - Process"
},
@@ -48505,6 +62485,15 @@
"attack.t1486"
]
},
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5",
"value": "Suspicious Reg Add BitLocker"
},
@@ -48529,6 +62518,15 @@
"attack.t1216.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "45d3a03d-f441-458c-8883-df101a3bb146",
"value": "Launch-VsDevShell.PS1 Proxy Execution"
},
@@ -48554,6 +62552,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770",
"value": "Always Install Elevated Windows Installer"
},
@@ -48582,6 +62589,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f3d39c45-de1a-4486-a687-ab126124f744",
"value": "Sdiagnhost Calling Suspicious Child Process"
},
@@ -48647,8 +62663,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml"
],
"tags": [
@@ -48680,6 +62696,15 @@
"attack.privilege_escalation"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445",
"value": "Suspicious Shells Spawn by SQL Server"
},
@@ -48706,6 +62731,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5b572dcf-254b-425c-a8c5-d9af6bea35a6",
"value": "Suspicious Xor PowerShell Command Line"
},
@@ -48731,6 +62765,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980",
"value": "UAC Bypass Using MSConfig Token Modification - Process"
},
@@ -48747,9 +62790,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
"https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml"
],
@@ -48805,6 +62848,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba",
"value": "Script Interpreter Execution From Suspicious Folder"
},
@@ -48832,6 +62884,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4",
"value": "Suspicious PowerShell Cmdline"
},
@@ -48848,8 +62909,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
"https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml"
],
"tags": [
@@ -48857,6 +62918,15 @@
"attack.t1218.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89",
"value": "HH.exe Remote CHM File Execution"
},
@@ -48873,8 +62943,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml"
],
"tags": [
@@ -48882,6 +62952,15 @@
"attack.t1560"
]
},
+ "related": [
+ {
+ "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41",
"value": "Conti NTDS Exfiltration Command"
},
@@ -48906,6 +62985,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75",
"value": "Windows Firewall Disabled via PowerShell"
},
@@ -48932,6 +63020,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "27aec9c9-dbb0-4939-8422-1742242471d0",
"value": "Invoke-Obfuscation VAR+ Launcher"
},
@@ -48958,31 +63055,6 @@
"uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d",
"value": "Suspicious Svchost Process"
},
- {
- "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets",
- "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/08/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_bitstransfer.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.persistence",
- "attack.t1197"
- ]
- },
- "uuid": "cd5c8085-4070-4e22-908d-a5b3342deb74",
- "value": "Suspicious Bitstransfer via PowerShell"
- },
{
"description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n",
"meta": {
@@ -49004,6 +63076,15 @@
"attack.t1562.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e",
"value": "Suspicious NT Resource Kit Auditpol Usage"
},
@@ -49030,6 +63111,22 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11",
"value": "Windows Update Client LOLBIN"
},
@@ -49046,8 +63143,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/shantanu561993/SharpChisel",
"https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
+ "https://github.com/shantanu561993/SharpChisel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml"
],
"tags": [
@@ -49055,6 +63152,15 @@
"attack.t1090.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf",
"value": "SharpChisel Usage"
},
@@ -49072,8 +63178,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml"
],
"tags": [
@@ -49099,9 +63205,9 @@
"refs": [
"https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
"http://blog.sevagas.com/?Hacking-around-HTA-files",
- "https://twitter.com/mattifestation/status/1326228491302563846",
"https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
"https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
+ "https://twitter.com/mattifestation/status/1326228491302563846",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml"
],
"tags": [
@@ -49113,6 +63219,29 @@
"cve.2020.1599"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3",
"value": "MSHTA Suspicious Execution 01"
},
@@ -49160,6 +63289,29 @@
"attack.t1574.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1",
"value": "SharpUp PrivEsc Tool"
},
@@ -49176,8 +63328,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
"https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml"
],
"tags": [
@@ -49185,6 +63337,15 @@
"attack.t1005"
]
},
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53",
"value": "VeeamBackup Database Credentials Dump"
},
@@ -49209,6 +63370,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96",
"value": "WMI Uninstall An Application"
},
@@ -49225,8 +63395,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
"https://twitter.com/harr0ey/status/991670870384021504",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml"
],
"tags": [
@@ -49234,6 +63404,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f",
"value": "OpenWith.exe Executes Specified Binary"
},
@@ -49250,8 +63429,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
],
@@ -49260,6 +63439,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5b768e71-86f2-4879-b448-81061cbae951",
"value": "Suspicious Manipulation Of Default Accounts"
},
@@ -49276,8 +63464,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
"https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
],
"tags": [
@@ -49286,6 +63474,15 @@
"attack.t1546.015"
]
},
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316",
"value": "Rundll32 Registered COM Objects"
},
@@ -49333,6 +63530,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2",
"value": "Suspicious Splwow64 Without Params"
},
@@ -49349,9 +63555,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://twitter.com/jonasLyk/status/1555914501802921984",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml"
],
"tags": [
@@ -49359,6 +63565,15 @@
"attack.t1564.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795",
"value": "Use NTFS Short Name in Command Line"
},
@@ -49375,8 +63590,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Moriarty_Meng/status/984380793383370752",
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
+ "https://twitter.com/Moriarty_Meng/status/984380793383370752",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml"
],
"tags": [
@@ -49385,6 +63600,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476",
"value": "Run PowerShell Script from Redirected Input Stream"
},
@@ -49436,6 +63660,22 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422",
"value": "Judgement Panda Exfil Activity"
},
@@ -49461,6 +63701,15 @@
"attack.t1106"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4",
"value": "TA505 Dropper Load Pattern"
},
@@ -49487,6 +63736,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f",
"value": "Encoded PowerShell Command Line"
},
@@ -49566,6 +63824,22 @@
"attack.t1036.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3711eee4-a808-4849-8a14-faf733da3612",
"value": "Greenbug Campaign Indicators"
},
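Review bot: The `related` list added here has two entries while the tag visible on the preceding context line is `attack.t1036.005`; judging from sibling entries in this diff, `970a3432-3237-47ad-bcca-7d8cbb217736` is what the generator emits for `attack.t1059.001` and `e6919abc-99f9-4c6c-95a5-14761e7b2add` for `attack.t1105`, so the T1036.005 tag appears to have produced no relationship. If the relationship script silently skips technique tags it cannot resolve against the ATT&CK cluster, have it log the unresolved tag (and preferably fail the run) so gaps like this are caught before the cluster is published; a spot-check of the other multi-technique entries in this diff, such as the SeCEdit rule, is worthwhile. This entry's `tags` array begins outside the hunk, so the complete tag list is not visible here and the gap should be confirmed against the source rule.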
@@ -49590,6 +63864,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3",
"value": "Windows Cmd Delete File"
},
@@ -49606,8 +63889,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
"https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml"
],
"tags": [
@@ -49615,6 +63898,15 @@
"attack.t1218.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84",
"value": "HH.exe Execution"
},
@@ -49642,6 +63934,29 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5",
"value": "PowerShell DownloadFile"
},
@@ -49658,8 +63973,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml"
],
"tags": [
@@ -49683,8 +63998,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
+ "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml"
],
"tags": [
@@ -49709,6 +64024,71 @@
"attack.t1082"
]
},
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "379809f6-2fac-42c1-bd2e-e9dee70b27f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "22522668-ddf6-470b-a027-9d6866679f67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb",
"value": "Potential Suspicious Activity Using SeCEdit"
},
@@ -49735,6 +64115,15 @@
"attack.t1218.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6f4191bb-912b-48a8-9ce7-682769541e6d",
"value": "Suspicious Msiexec Execute Arbitrary DLL"
},
@@ -49759,6 +64148,15 @@
"attack.resource_development"
]
},
+ "related": [
+ {
+ "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4",
"value": "PurpleSharp Indicator"
},
@@ -49775,8 +64173,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.exploit-db.com/exploits/37525",
"https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
+ "https://www.exploit-db.com/exploits/37525",
"https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
],
@@ -49799,8 +64197,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
"https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml"
],
"tags": [
@@ -49908,6 +64306,15 @@
"attack.t1204"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0acaad27-9f02-4136-a243-c357202edd74",
"value": "Ryuk Ransomware Command Line Activity"
},
@@ -49924,8 +64331,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
"https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml"
],
"tags": [
@@ -49940,6 +64347,22 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "56c217c3-2de2-479b-990f-5c109ba8458f",
"value": "Default PowerSploit and Empire Schtasks Persistence"
},
@@ -49964,6 +64387,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2c28c248-7f50-417a-9186-a85b223010ee",
"value": "Wscript Shell Run In CommandLine"
},
@@ -49980,10 +64412,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://twitter.com/cglyer/status/1355171195654709249",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml"
],
"tags": [
@@ -50016,6 +64448,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b",
"value": "Explorer NOUACCHECK Flag"
},
@@ -50044,6 +64485,15 @@
"car.2013-05-009"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5afee48e-67dd-4e03-a783-f74259dcf998",
"value": "Suspicious Use of Procdump on LSASS"
},
@@ -50062,10 +64512,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
"https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
+ "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
],
@@ -50074,6 +64524,15 @@
"attack.t1567"
]
},
+ "related": [
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a",
"value": "LOLBAS Data Exfiltration by DataSvcUtil.exe"
},
@@ -50105,6 +64564,22 @@
"attack.t1071.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06",
"value": "Chafer Activity"
},
@@ -50129,6 +64604,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d",
"value": "Gpg4Win Decrypt Files From Suspicious Locations"
},
@@ -50169,8 +64653,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
"https://lolbas-project.github.io/lolbas/Binaries/Psr/",
+ "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml"
],
@@ -50218,11 +64702,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
- "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
+ "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml"
],
"tags": [
@@ -50230,6 +64714,15 @@
"attack.t1482"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3bad990e-4848-4a78-9530-b427d854aac0",
"value": "Domain Trust Discovery"
},
@@ -50246,8 +64739,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
"https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
+ "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml"
],
"tags": [
@@ -50308,6 +64801,22 @@
"attack.t1071"
]
},
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "440a56bf-7873-4439-940a-1c8a671073c2",
"value": "GALLIUM Sha1 Artefacts"
},
@@ -50335,6 +64844,22 @@
"car.2013-07-002"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1012f107-b8f1-4271-af30-5aed2de89b39",
"value": "Terminal Service Process Spawn"
},
@@ -50352,9 +64877,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.poweradmin.com/paexec/",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.poweradmin.com/paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml"
],
"tags": [
@@ -50362,6 +64887,15 @@
"attack.t1587.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "207b0396-3689-42d9-8399-4222658efc99",
"value": "PsExec/PAExec Flags"
},
@@ -50404,8 +64938,8 @@
"logsource.product": "windows",
"refs": [
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml"
],
"tags": [
@@ -50413,6 +64947,15 @@
"attack.t1059.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729",
"value": "Operator Bloopers Cobalt Strike Commands"
},
@@ -50437,6 +64980,22 @@
"attack.t1564.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2",
"value": "Covenant Launcher Indicators"
},
@@ -50464,6 +65023,15 @@
"attack.t1070.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00",
"value": "Disable or Delete Windows Eventlog"
},
@@ -50506,9 +65074,9 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
+ "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
"https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
"https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
- "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml"
],
"tags": [
@@ -50516,6 +65084,15 @@
"attack.t1587.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b",
"value": "Formbook Process Creation"
},
@@ -50542,6 +65119,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9847f263-4a81-424f-970c-875dab15b79b",
"value": "Suspicious TSCON Start as SYSTEM"
},
@@ -50566,6 +65152,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a",
"value": "Suspicious Extexport Execution"
},
@@ -50582,9 +65177,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
],
"tags": [
@@ -50592,6 +65187,15 @@
"attack.t1218.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5",
"value": "Suspicious Msiexec Quiet Install"
},
@@ -50616,6 +65220,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b",
"value": "RunDLL32 Spawning Explorer"
},
@@ -50686,8 +65299,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml"
],
@@ -50719,6 +65332,22 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b",
"value": "Suspicious Spool Service Child Process"
},
@@ -50745,6 +65374,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5cdb711b-5740-4fb2-ba88-f7945027afac",
"value": "Rundll32 UNC Path Execution"
},
@@ -50769,6 +65407,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f4bbd493-b796-416e-bbf2-121235348529",
"value": "Non Interactive PowerShell"
},
@@ -50785,8 +65432,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
"sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
],
"tags": [
@@ -50798,6 +65445,22 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b",
"value": "Execution of Renamed PaExec"
},
@@ -50825,6 +65488,22 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101",
"value": "Esentutl Gather Credentials"
},
@@ -50841,9 +65520,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml"
],
"tags": [
@@ -50854,6 +65533,29 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b",
"value": "Renamed ZOHO Dctask64"
},
@@ -50870,8 +65572,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
+ "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml"
],
"tags": [
@@ -50879,6 +65581,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4eddc365-79b4-43ff-a9d7-99422dc34b93",
"value": "Use of Remote.exe"
},
@@ -50903,6 +65614,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "814c95cc-8192-4378-a70a-f1aafd877af1",
"value": "Use of OpenConsole"
},
@@ -50975,6 +65695,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "221b251a-357a-49a9-920a-271802777cc0",
"value": "WMI Process Reconnaissance"
},
@@ -51000,6 +65729,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4",
"value": "Ilasm Lolbin Use Compile C-Sharp"
},
@@ -51024,6 +65762,15 @@
"attack.t1593.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aef9d1f1-7396-4e92-a927-4567c7a495c1",
"value": "Suspicious Git Clone"
},
@@ -51049,6 +65796,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "32b96012-7892-429e-b26c-ac2bf46066ff",
"value": "Shell32 DLL Execution in Suspicious Directory"
},
@@ -51073,6 +65829,15 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469",
"value": "Suspicious MsiExec Embedding Parent"
},
@@ -51147,6 +65912,15 @@
"attack.t1021.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "48a61b29-389f-4032-b317-b30de6b95314",
"value": "Suspicious Plink Port Forwarding"
},
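Review bot: The visible tag `attack.t1021.001` has no matching entry in the new `related` array, whose single `dest-uuid` `4fe28b27-b13c-453e-a386-c2ef362a573b` appears to be ATT&CK T1572 (Protocol Tunneling), presumably mapped from a tag above the hunk. Elsewhere in this patch sub-technique tags (t1218.011, t1003.003, t1569.002) do receive an entry, so the omission looks like a gap in the script's tag-to-UUID lookup rather than intent. Worth checking that the lookup table resolves T1021.001 and regenerating, so the Plink rule also relates to the Remote Desktop Protocol attack-pattern; a consumer pivoting from RDP lateral-movement techniques would otherwise miss this rule.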
@@ -51164,10 +65938,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
"https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://twitter.com/JohnLaTwC/status/1415295021041979392",
+ "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
"https://vms.drweb.fr/virus/?i=24144899",
+ "https://twitter.com/JohnLaTwC/status/1415295021041979392",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml"
],
"tags": [
@@ -51247,6 +66021,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6",
"value": "Too Long PowerShell Commandlines"
},
@@ -51271,6 +66054,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "214641c2-c579-4ecb-8427-0cf19df6842e",
"value": "Remote File Download via Desktopimgdownldr Utility"
},
@@ -51316,6 +66108,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0",
"value": "Credential Acquisition via Registry Hive Dumping"
},
@@ -51340,6 +66141,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "43103702-5886-11ed-9b6a-0242ac120002",
"value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load"
},
@@ -51369,6 +66179,36 @@
"attack.t1059.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea",
"value": "SquiblyTwo Execution"
},
@@ -51396,6 +66236,15 @@
"attack.t1552.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1",
"value": "Automated Collection Command Prompt"
},
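Review bot: The last visible tag `attack.t1552.001` has no corresponding `related` entry; the single `dest-uuid` `30208d3e-0d6b-43c8-883e-44462a514619` appears to be T1119 (Automated Collection), presumably derived from a tag above the hunk. Since other hunks in this patch map sub-technique tags without trouble, this looks like the generator's lookup missed T1552.001 (Credentials In Files). Suggest checking the table for that ID and regenerating; as written, the rule will not surface when pivoting from the credential-access technique it is explicitly tagged with.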
@@ -51445,6 +66294,15 @@
"attack.t1529"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274",
"value": "Suspicious Execution of Shutdown"
},
@@ -51496,6 +66354,29 @@
"cve.2019.1378"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5",
"value": "Exploiting SetupComplete.cmd CVE-2019-1378"
},
@@ -51512,15 +66393,24 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
"https://twitter.com/pabraeken/status/993298228840992768",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
],
"tags": [
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b",
"value": "Malicious Windows Script Components File Execution by TAEF Detection"
},
@@ -51558,8 +66448,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml"
],
"tags": [
@@ -51567,6 +66457,15 @@
"attack.t1614.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7090adee-82e2-4269-bd59-80691e7c6338",
"value": "CHCP CodePage Locale Lookup"
},
@@ -51583,8 +66482,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml"
],
"tags": [
@@ -51595,6 +66494,29 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937",
"value": "Lolbins Process Creation with WmiPrvse"
},
@@ -51622,6 +66544,29 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b",
"value": "RedMimicry Winnti Playbook Execute"
},
@@ -51647,6 +66592,15 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef",
"value": "Netsh Allow Group Policy on Microsoft Defender Firewall"
},
@@ -51663,10 +66617,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/1276357235954909188?s=12",
- "https://twitter.com/CyberRaiju/status/1273597319322058752",
"https://twitter.com/nas_bench/status/1535322450858233858",
+ "https://twitter.com/CyberRaiju/status/1273597319322058752",
"https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
+ "https://twitter.com/bohops/status/1276357235954909188?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml"
],
"tags": [
@@ -51690,10 +66644,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://twitter.com/lefterispan/status/1286259016436514816",
- "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml"
],
"tags": [
@@ -51701,6 +66655,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab",
"value": "Suspicious AgentExecutor PowerShell Execution"
},
@@ -51727,6 +66690,15 @@
"attack.t1220"
]
},
+ "related": [
+ {
+ "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d",
"value": "XSL Script Processing"
},
@@ -51751,6 +66723,15 @@
"attack.t1216.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da",
"value": "Pubprn.vbs Proxy Execution"
},
@@ -51800,6 +66781,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b",
"value": "Use of Forfiles For Execution"
},
@@ -51849,6 +66839,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "727454c0-d851-48b0-8b89-385611ab0704",
"value": "Lolbin Unregmp2.exe Use As Proxy"
},
@@ -51866,12 +66865,12 @@
"logsource.product": "windows",
"refs": [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://github.com/zcgonvh/NTDSDumpEx",
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://pentestlab.blog/tag/ntds-dit/",
+ "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
],
"tags": [
@@ -51879,6 +66878,15 @@
"attack.t1003.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08",
"value": "Suspicious Process Patterns NTDS.DIT Exfil"
},
@@ -51895,9 +66903,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml"
],
"tags": [
@@ -51905,6 +66913,15 @@
"attack.t1005"
]
},
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b",
"value": "Conti Backup Database"
},
@@ -51921,13 +66938,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
- "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
"https://www.cobaltstrike.com/help-opsec",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
- "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml"
],
"tags": [
@@ -51935,6 +66952,15 @@
"attack.t1218.011"
]
},
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329",
"value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments"
},
@@ -51959,6 +66985,15 @@
"attack.t1218.010"
]
},
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0",
"value": "BlueMashroom DLL Load"
},
@@ -51976,9 +67011,9 @@
"logsource.product": "windows",
"refs": [
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
"https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
],
"tags": "No established tags"
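Review bot: `tags` is a string sentinel here (`"No established tags"`) while it is an array in every neighbouring rule, so a consumer iterating `meta.tags` gets individual characters instead of tags and a schema cannot declare the key as a single type. The same convention appears to be used for `logsource.category` (`"No established category"`), so the fix belongs in the generator: emit `"tags": []` (or omit the key) when a rule carries no tags. The unchanged lines between this hunk and the next suggest no `related` block was produced for this rule, so only the data shape, not the relationship logic, seems affected.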
@@ -51987,7 +67022,7 @@
"value": "CrackMapExec Command Line Flags"
},
{
- "description": "Use \">\" to redicrect information in commandline",
+ "description": "Detects use of redirection character \">\" to redicrect information in commandline",
"meta": {
"author": "frack113",
"creation_date": "2022/01/22",
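Review bot: The rewritten description still carries the typo `redicrect` and the awkward phrase `information in commandline`; since this cluster is generated from the Sigma rule, the wording should be corrected upstream in the rule's `description` and regenerated rather than patched in the JSON. Suggested text: `Detects use of the redirection character \">\" to redirect command output on the command line`. The rule's filename is not visible in this hunk, so I cannot point at the exact upstream file.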
@@ -52031,6 +67066,15 @@
"attack.t1059.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "23250293-eed5-4c39-b57a-841c8933a57d",
"value": "Cscript Visual Basic Script Execution"
},
@@ -52047,8 +67091,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
"https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
],
"tags": [
@@ -52056,6 +67100,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275",
"value": "Suspicious PowerShell Download and Execute Pattern"
},
@@ -52081,6 +67134,15 @@
"attack.t1555"
]
},
+ "related": [
+ {
+ "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a",
"value": "SecurityXploded Tool"
},
@@ -52098,9 +67160,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
],
"tags": [
@@ -52133,6 +67195,15 @@
"attack.privilege_escalation"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9",
"value": "SysmonEOP Hack Tool"
},
@@ -52157,6 +67228,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "480e7e51-e797-47e3-8d72-ebfce65b6d8d",
"value": "Python Spawning Pretty TTY on Windows"
},
@@ -52173,8 +67253,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
+ "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
],
"tags": [
@@ -52182,6 +67262,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9292293b-8496-4715-9db6-37028dcda4b3",
"value": "Replace.exe Usage"
},
@@ -52206,6 +67295,15 @@
"attack.t1070.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896",
"value": "Mounted Share Deleted"
},
@@ -52233,6 +67331,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc",
"value": "Indirect Command Execution By Program Compatibility Wizard"
},
@@ -52259,6 +67366,15 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490",
"value": "Invoke-Obfuscation Via Stdin"
},
@@ -52283,6 +67399,15 @@
"attack.t1127"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00",
"value": "Suspicious aspnet_compiler.exe Execution"
},
@@ -52299,8 +67424,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hvs-consulting.de/lazarus-report/",
"https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
+ "https://www.hvs-consulting.de/lazarus-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml"
],
"tags": [
@@ -52309,6 +67434,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e",
"value": "Lazarus Loaders"
},
@@ -52325,9 +67459,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://www.joeware.net/freetools/tools/adfind/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml"
],
"tags": [
@@ -52373,8 +67507,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/child-processes/",
"https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
+ "https://redcanary.com/blog/child-processes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml"
],
"tags": [
@@ -52382,6 +67516,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34",
"value": "Script Event Consumer Spawning Process"
},
@@ -52406,6 +67549,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "164eda96-11b2-430b-85ff-6a265c15bf32",
"value": "Suspicious Get Local Groups Information with WMIC"
},
@@ -52422,8 +67574,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml"
],
"tags": [
@@ -52431,6 +67583,15 @@
"attack.t1047"
]
},
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e42af9df-d90b-4306-b7fb-05c863847ebd",
"value": "WMI Remote Command Execution"
},
@@ -52447,8 +67608,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/ch2sh/Jlaive",
"https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
+ "https://github.com/ch2sh/Jlaive",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml"
],
"tags": [
@@ -52456,6 +67617,15 @@
"attack.t1059.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def",
"value": "Jlaive Usage For Assembly Execution In-Memory"
},
@@ -52473,8 +67643,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml"
],
"tags": [
@@ -52509,6 +67679,22 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31",
"value": "CsExec Remote Execution Tool Usage"
},
@@ -52525,8 +67711,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
],
@@ -52559,6 +67745,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f",
"value": "Potential Download/Upload Activity Using Type Command"
},
@@ -52584,6 +67779,15 @@
"attack.t1218.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b98d0db6-511d-45de-ad02-e82a98729620",
"value": "Mshta Remotely Hosted HTA File Execution"
},
@@ -52600,9 +67804,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml"
],
"tags": [
@@ -52628,8 +67832,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
"https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
"https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
"https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml"
@@ -52639,6 +67843,15 @@
"attack.t1552.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "87a476dc-0079-4583-a985-dee7a20a03de",
"value": "Enumeration for 3rd Party Creds From CLI"
},
@@ -52684,6 +67897,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4ede543c-e098-43d9-a28f-dd784a13132f",
"value": "Winrar Execution in Non-Standard Folder"
},
@@ -52708,6 +67930,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aa8e035d-7be4-48d3-a944-102aec04400d",
"value": "Suspicious Extrac32 Execution"
},
@@ -52724,8 +67955,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/sensepost/ruler",
"https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://github.com/sensepost/ruler",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml"
],
"tags": [
@@ -52734,6 +67965,22 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e212d415-0e93-435f-9e1a-f29005bb4723",
"value": "Suspicious Execution from Outlook"
},
@@ -52797,17 +68044,19 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://adsecurity.org/?p=2921",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/samratashok/nishang",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml"
],
"tags": [
@@ -52823,6 +68072,43 @@
"attack.t1059.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "02030f2f-6199-49ec-b258-ea71b07e03dc",
"value": "Malicious PowerShell Commandlets - ProcessCreation"
},
@@ -52847,6 +68133,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "204b17ae-4007-471b-917b-b917b315c5db",
"value": "Suspicious Del in CommandLine"
},
@@ -52894,6 +68189,22 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9",
"value": "Potential Binary Impersonating Sysinternals Tools"
},
@@ -52978,9 +68289,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
"https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
"https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
- "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml"
],
"tags": [
@@ -52988,6 +68299,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "af491bca-e752-4b44-9c86-df5680533dbc",
"value": "Finger.exe Suspicious Invocation"
},
@@ -53014,6 +68334,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "729ce0ea-5d8f-4769-9762-e35de441586d",
"value": "MpiExec Lolbin"
},
@@ -53030,8 +68359,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml"
],
"tags": [
@@ -53056,8 +68385,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
- "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml"
],
"tags": [
@@ -53065,6 +68394,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3",
"value": "Execute MSDT.EXE Using Diagcab File"
},
@@ -53081,10 +68419,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://twitter.com/lefterispan/status/1286259016436514816",
- "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"
],
"tags": [
@@ -53092,6 +68430,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61",
"value": "AgentExecutor PowerShell Execution"
},
@@ -53118,6 +68465,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9",
"value": "Renamed PAExec"
},
@@ -53141,6 +68497,15 @@
"attack.t1048"
]
},
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "99793437-3e16-439b-be0f-078782cf953d",
"value": "Tap Installer Execution"
},
@@ -53166,6 +68531,15 @@
"attack.t1548.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7",
"value": "UAC Bypass Using NTFS Reparse Point - Process"
},
@@ -53192,6 +68566,15 @@
"attack.t1021.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183",
"value": "Suspicious SSH Port Forwarding"
},
@@ -53217,6 +68600,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f",
"value": "Application Whitelisting Bypass via PresentationHost.exe"
},
@@ -53234,9 +68626,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
"https://twitter.com/cyb3rops/status/1514217991034097664",
"https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml"
],
"tags": [
@@ -53246,6 +68638,22 @@
"attack.t1569.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16",
"value": "Remote Procedure Call Service Anomaly"
},
@@ -53271,6 +68679,15 @@
"attack.t1218"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "60f16a96-db70-42eb-8f76-16763e333590",
"value": "Application Whitelisting Bypass via Dxcap.exe"
},
@@ -53297,6 +68714,15 @@
"attack.t1486"
]
},
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "689308fc-cfba-4f72-9897-796c1dc61487",
"value": "Conti Ransomware Execution"
},
@@ -53321,6 +68747,15 @@
"attack.t1219"
]
},
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "57bff678-25d1-4d6c-8211-8ca106d12053",
"value": "Use of ScreenConnect Remote Access Software"
},
@@ -53337,8 +68772,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511489821247684615",
"https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml"
],
"tags": [
@@ -53347,6 +68782,15 @@
"attack.t1003.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce",
"value": "Suspicious DumpMinitool Usage"
},
@@ -53363,8 +68807,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+ "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"
],
"tags": [
@@ -53412,8 +68856,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
],
"tags": [
@@ -53447,6 +68891,22 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288",
"value": "Curl Start Combination"
},
@@ -53471,6 +68931,15 @@
"attack.t1202"
]
},
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7dc2dedd-7603-461a-bc13-15803d132355",
"value": "Conhost Parent Process Executions"
},
@@ -53487,8 +68956,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
"https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
+ "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml"
],
"tags": [
@@ -53538,8 +69007,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml"
],
"tags": [
@@ -53547,34 +69016,18 @@
"attack.resource_development"
]
},
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d",
"value": "Conti Volume Shadow Listing"
},
- {
- "description": "Detects suspicious powershell invocations from interpreters or unusual programs",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Microsoft Operations Manager (MOM)",
- "Other scripts"
- ],
- "filename": "proc_creation_win_susp_powershell_parent_combo.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db",
- "value": "Suspicious PowerShell Invocation Based on Parent Process"
- },
{
"description": "Detect an interactive AT job, which may be used as a form of privilege escalation.",
"meta": {
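Review bot: Dropping the whole cluster entry for uuid `95eadcb2-92e4-4ed1-9031-92547773a6db` ("Suspicious PowerShell Invocation Based on Parent Process") removes a UUID that MISP instances may already carry as an event/attribute tag and that other entries' `related` lists may point at, so those references stop resolving after this update. If the upstream Sigma rule was deprecated rather than deleted, it is safer to keep the entry and mark it as deprecated in its `meta` (or at least to call the removal out in the commit message) so consumers can migrate; if the regeneration script silently drops rules that moved to a deprecated folder, that is presumably the cause and worth confirming. The surrounding array continues outside this hunk.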
@@ -53588,8 +69041,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml"
],
"tags": [
@@ -53597,6 +69050,15 @@
"attack.t1053.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc",
"value": "Interactive AT Job"
},
@@ -53645,9 +69107,390 @@
"attack.t1053.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad",
"value": "Suspicious Add Scheduled Command Pattern"
},
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports a password dumper",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2018/09/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_password_dumper.yml",
+ "level": "critical",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection",
+ "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003",
+ "attack.t1558",
+ "attack.t1003.001",
+ "attack.t1003.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93",
+ "value": "Antivirus Password Dumper Detection"
+ },
+ {
+ "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .",
+ "meta": {
+ "author": "Sittikorn S, Nuttakorn T, Tim Shelton",
+ "creation_date": "2021/07/01",
+ "falsepositive": [
+ "Unlikely, or pending PSP analysis"
+ ],
+ "filename": "av_printernightmare_cve_2021_34527.yml",
+ "level": "critical",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
+ "https://twitter.com/mvelazco/status/1410291741241102338",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1055"
+ ]
+ },
+ "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561",
+ "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection"
+ },
+ {
+ "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name",
+ "meta": {
+ "author": "Florian Roth, Arnim Rupp",
+ "creation_date": "2018/09/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_relevant_files.yml",
+ "level": "high",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_relevant_files.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1588"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c",
+ "value": "Antivirus Relevant File Paths Alerts"
+ },
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2018/09/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_exploiting.yml",
+ "level": "critical",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1203",
+ "attack.command_and_control",
+ "attack.t1219"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864",
+ "value": "Antivirus Exploitation Framework Detection"
+ },
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/08/16",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_hacktool.yml",
+ "level": "high",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba",
+ "value": "Antivirus Hacktool Detection"
+ },
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.",
+ "meta": {
+ "author": "Florian Roth, Arnim Rupp",
+ "creation_date": "2018/09/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_webshell.yml",
+ "level": "high",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
+ "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
+ "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003"
+ ]
+ },
+ "uuid": "fdf135a2-9241-4f96-a114-bb404948f736",
+ "value": "Antivirus Web Shell Detection"
+ },
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports ransomware",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/05/12",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_ransomware.yml",
+ "level": "critical",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
+ ],
+ "tags": [
+ "attack.t1486"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f",
+ "value": "Antivirus Ransomware Detection"
+ },
+ {
+ "description": "Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields",
+ "meta": {
+ "author": "@juju4",
+ "creation_date": "2022/12/27",
+ "falsepositive": [
+ "Inventory and monitoring activity",
+ "Vulnerability scanners",
+ "Legitimate applications"
+ ],
+ "filename": "db_anomalous_query.yml",
+ "level": "medium",
+ "logsource.category": "database",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://github.com/sqlmapproject/sqlmap",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/database/db_anomalous_query.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.initial_access",
+ "attack.privilege_escalation",
+ "attack.t1190",
+ "attack.t1505.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5",
+ "value": "Suspicious SQL Query"
+ },
+ {
+ "description": "Detects an issue in apache logs that reports threading related errors",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2019/01/22",
+ "falsepositive": [
+ "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185"
+ ],
+ "filename": "web_apache_threading_error.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/product/apache/web_apache_threading_error.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c",
+ "value": "Apache Threading Error"
+ },
+ {
+ "description": "Detects a segmentation fault error message caused by a creashing apache worker process",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2017/02/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "web_apache_segfault.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "No established product",
+ "refs": [
+ "http://www.securityfocus.com/infocus/1633",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/product/apache/web_apache_segfault.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1499.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1",
+ "value": "Apache Segmentation Fault"
+ },
+ {
+ "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2017/02/28",
+ "falsepositive": [
+ "Vulnerability scanners",
+ "Frequent attacks if system faces Internet"
+ ],
+ "filename": "modsec_mulitple_blocks.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "modsecurity",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/product/modsecurity/modsec_mulitple_blocks.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1499"
+ ]
+ },
+ "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23",
+ "value": "Multiple Modsecurity Blocks"
+ },
{
"description": "Detects when an security threat is detected in Okta.",
"meta": {
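Review bot: `"tags": "No established tags"` on the "Apache Threading Error" entry gives `tags` a string value while every other entry in this hunk uses an array, so a consumer iterating `meta.tags` will walk the characters of the sentinel instead of an empty list; `"tags": []` (or omitting the key) keeps the type stable, and the same applies to the `"No established category"` / `"No established product"` placeholders on `logsource.category` and `logsource.product`. The relationship script also appears to skip some technique tags: the PrinterNightmare entry tagged `attack.t1055`, the web shell entry tagged `attack.t1505.003`, the modsecurity entry tagged `attack.t1499` and the `attack.t1558` tag on the password dumper entry get no `related` link, while comparable entries such as the ransomware one (`attack.t1486`) do — presumably a lookup miss or a stale technique table in the script, worth checking before downstream users rely on `related` coverage. The descriptions carry upstream typos (`keywrods`, `creashing`) that belong in a fix to the Sigma rules rather than to this generated file.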
@@ -53662,8 +69505,8 @@
"logsource.product": "okta",
"refs": [
"https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
],
"tags": "No established tags"
@@ -53950,8 +69793,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml"
],
"tags": [
@@ -53959,6 +69802,15 @@
"attack.t1573"
]
},
+ "related": [
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d8b0a4fe-07a8-41be-bd39-b14afa025d95",
"value": "Activity from Anonymous IP Addresses"
},
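Review bot: The `related` block added here links "Activity from Anonymous IP Addresses" to a technique with likelihood `almost-certain`, and since every new `related` entry in this patch pairs one `dest-uuid` with one `attack.tNNNN` tag, this link is evidently derived from the `attack.t1573` tag immediately above it. T1573 is Encrypted Channel (a command-and-control technique), which is a poor fit for a sign-in-from-anonymizer detection, so the generator is promoting a questionable upstream tag into a relationship that MISP consumers will read as a confirmed mapping; the same tag drives the links added for the Suspicious IP and Infrequent Country rules later in this patch. The estimative-language value appears to be a constant in the relationship script rather than an analyst judgement, so consider emitting a weaker value for tag-derived links, e.g. `"estimative-language:likelihood-probability=\"likely\""`, or correcting the tag upstream in SigmaHQ so the generated link points at a better-fitting technique.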
@@ -53975,8 +69827,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
],
"tags": [
@@ -53984,6 +69836,15 @@
"attack.t1537"
]
},
+ "related": [
+ {
+ "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda",
"value": "Data Exfiltration to Unsanctioned Apps"
},
@@ -54000,8 +69861,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml"
],
"tags": [
@@ -54009,6 +69870,15 @@
"attack.t1573"
]
},
+ "related": [
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498",
"value": "Activity from Suspicious IP Addresses"
},
@@ -54025,8 +69895,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml"
],
"tags": [
@@ -54034,6 +69904,15 @@
"attack.t1020"
]
},
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6c220477-0b5b-4b25-bb90-66183b4089e8",
"value": "Suspicious Inbox Forwarding"
},
@@ -54050,8 +69929,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml"
],
"tags": [
@@ -54075,10 +69954,10 @@
"logsource.product": "m365",
"refs": [
"https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.sygnia.co/golden-saml-advisory",
- "https://o365blog.com/post/aadbackdoor/",
"https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://o365blog.com/post/aadbackdoor/",
"https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://www.sygnia.co/golden-saml-advisory",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
],
"tags": [
@@ -54086,6 +69965,15 @@
"attack.t1136.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339",
"value": "New Federated Domain Added"
},
@@ -54102,8 +69990,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml"
],
"tags": [
@@ -54135,6 +70023,15 @@
"attack.t1114"
]
},
+ "related": [
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6897cd82-6664-11ed-9022-0242ac120002",
"value": "PST Export Alert Using New-ComplianceSearchAction"
},
@@ -54151,8 +70048,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml"
],
"tags": [
@@ -54160,6 +70057,15 @@
"attack.t1485"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "78a34b67-3c39-4886-8fb4-61c46dc18ecd",
"value": "Microsoft 365 - Unusual Volume of File Deletion"
},
@@ -54176,8 +70082,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml"
],
"tags": [
@@ -54185,6 +70091,15 @@
"attack.t1199"
]
},
+ "related": [
+ {
+ "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ff246f56-7f24-402a-baca-b86540e3925c",
"value": "Microsoft 365 - User Restricted from Sending Email"
},
@@ -54201,8 +70116,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml"
],
"tags": [
@@ -54225,8 +70140,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml"
],
"tags": [
@@ -54250,8 +70165,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml"
],
"tags": [
@@ -54259,6 +70174,15 @@
"attack.t1486"
]
},
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69",
"value": "Microsoft 365 - Potential Ransomware Activity"
},
@@ -54283,6 +70207,15 @@
"attack.t1114"
]
},
+ "related": [
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0",
"value": "PST Export Alert Using eDiscovery Alert"
},
@@ -54299,8 +70232,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml"
],
"tags": [
@@ -54308,6 +70241,15 @@
"attack.t1573"
]
},
+ "related": [
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0f2468a2-5055-4212-a368-7321198ee706",
"value": "Activity from Infrequent Country"
},
@@ -54421,11 +70363,11 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
"https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
+ "https://github.com/elastic/detection-rules/pull/1267",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
"https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
- "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
- "https://github.com/elastic/detection-rules/pull/1267",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
],
"tags": [
@@ -54473,8 +70415,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://cloud.google.com/kubernetes-engine/docs",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
],
@@ -54526,8 +70468,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml"
],
"tags": [
@@ -54535,6 +70477,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fe513c69-734c-4d4a-8548-ac5f609be82b",
"value": "Google Cloud Firewall Modified or Deleted"
},
@@ -54559,6 +70510,15 @@
"attack.t1565"
]
},
+ "related": [
+ {
+ "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "234f9f48-904b-4736-a34c-55d23919e4b7",
"value": "Google Cloud Re-identifies Sensitive Information"
},
@@ -54587,6 +70547,22 @@
"attack.t1552.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6ad91e31-53df-4826-bd27-0166171c8040",
"value": "Google Cloud Kubernetes Admission Controller"
},
@@ -54612,6 +70588,15 @@
"attack.t1531"
]
},
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "13f81a90-a69c-4fab-8f07-b5bb55416a9f",
"value": "Google Cloud Service Account Disabled or Deleted"
},
@@ -54653,8 +70638,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
],
"tags": [
@@ -54662,6 +70647,15 @@
"attack.t1074"
]
},
+ "related": [
+ {
+ "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "980a7598-1e7f-4962-9372-2d754c930d0e",
"value": "Google Full Network Traffic Packet Capture"
},
@@ -54679,8 +70673,8 @@
"logsource.product": "google_workspace",
"refs": [
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
],
"tags": [
@@ -54712,6 +70706,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788",
"value": "Google Workspace User Granted Admin Privileges"
},
@@ -54776,8 +70779,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml"
],
@@ -54801,8 +70804,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml"
],
"tags": [
@@ -54810,6 +70813,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba",
"value": "Google Workspace Granted Domain API Access"
},
@@ -54872,13 +70884,13 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
"https://github.com/elastic/detection-rules/pull/1145/files",
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
],
"tags": [
@@ -54886,6 +70898,15 @@
"attack.t1537"
]
},
+ "related": [
+ {
+ "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "78b3756a-7804-4ef7-8555-7b9024a02e2d",
"value": "AWS S3 Data Management Tampering"
},
@@ -54912,6 +70933,22 @@
"attack.t1565"
]
},
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "16124c2d-e40b-4fcc-8f2c-5ab7870a2223",
"value": "AWS EC2 Disable EBS Encryption"
},
@@ -54937,6 +70974,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2",
"value": "AWS IAM Backdoor Users Keys"
},
@@ -54962,6 +71008,15 @@
"attack.t1562"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157",
"value": "AWS SecurityHub Findings Evasion"
},
@@ -54978,7 +71033,6 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://attack.mitre.org/techniques/T1525",
"https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
"https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml"
@@ -54988,6 +71042,15 @@
"attack.t1525"
]
},
+ "related": [
+ {
+ "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad",
"value": "AWS ECS Backdoor Task Definition"
},
@@ -55036,6 +71099,15 @@
"attack.t1619"
]
},
+ "related": [
+ {
+ "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4723218f-2048-41f6-bcb0-417f2d784f61",
"value": "Potential Storage Enumeration on AWS"
},
@@ -55053,7 +71125,6 @@
"logsource.product": "aws",
"refs": [
"https://www.justice.gov/file/1080281/download",
- "https://attack.mitre.org/techniques/T1537/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml"
],
"tags": [
@@ -55061,6 +71132,15 @@
"attack.t1537"
]
},
+ "related": [
+ {
+ "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "abae8fec-57bd-4f87-aff6-6e3db989843d",
"value": "AWS Snapshot Backup Exfiltration"
},
@@ -55085,6 +71165,15 @@
"attack.t1580"
]
},
+ "related": [
+ {
+ "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "76255e09-755e-4675-8b6b-dbce9842cd2a",
"value": "Potential Backup Enumeration on AWS"
},
@@ -55109,6 +71198,15 @@
"attack.t1485"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6a7ba45c-63d8-473e-9736-2eaabff79964",
"value": "AWS EFS Fileshare Mount Modified or Deleted"
},
@@ -55134,6 +71232,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b056de1a-6e6e-4e40-a67e-97c9808cf41b",
"value": "AWS Route 53 Domain Transferred to Another Account"
},
@@ -55158,6 +71265,15 @@
"attack.resource_development"
]
},
+ "related": [
+ {
+ "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "60b84424-a724-4502-bd0d-cc676e1bc90e",
"value": "Potential AWS Cloud Email Service Abuse"
},
@@ -55213,6 +71329,22 @@
"attack.t1550.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49",
"value": "AWS STS AssumeRole Misuse"
},
@@ -55237,6 +71369,15 @@
"attack.t1020"
]
},
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2",
"value": "AWS RDS Master Password Change"
},
@@ -55261,6 +71402,15 @@
"attack.t1531"
]
},
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7c797da2-9cf2-4523-ba64-33b06339f0cc",
"value": "AWS ElastiCache Security Group Modified or Deleted"
},
@@ -55279,8 +71429,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml"
],
"tags": [
@@ -55293,6 +71443,22 @@
"attack.t1550.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e",
"value": "AWS Suspicious SAML Activity"
},
@@ -55319,6 +71485,15 @@
"attack.t1485"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "33d50d03-20ec-4b74-a74e-1e65a38af1c0",
"value": "AWS EKS Cluster Created or Deleted"
},
@@ -55343,6 +71518,15 @@
"attack.t1020"
]
},
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599",
"value": "Restore Public AWS RDS Instance"
},
@@ -55393,9 +71577,67 @@
"attack.t1059.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df",
"value": "AWS EC2 Startup Shell Script Change"
},
+ {
+ "description": "Looks for potential enumeration of AWS buckets via ListBuckets.",
+ "meta": {
+ "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io",
+ "creation_date": "2023/01/06",
+ "falsepositive": [
+ "Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity."
+ ],
+ "filename": "aws_enum_buckets.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
+ "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
+ "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1580"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "f305fd62-beca-47da-ad95-7690a0620084",
+ "value": "Potential Bucket Enumeration on AWS"
+ },
{
"description": "An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\nWith this alert, it is used to detect anyone is changing password on behalf of other users.\n",
"meta": {
@@ -55417,6 +71659,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "055fb148-60f8-462d-ad16-26926ce050f1",
"value": "AWS User Login Profile Was Modified"
},
@@ -55441,6 +71692,22 @@
"attack.t1537"
]
},
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b",
"value": "AWS EC2 VM Export Failure"
},
@@ -55465,6 +71732,15 @@
"attack.t1020"
]
},
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "26ff4080-194e-47e7-9889-ef7602efed0c",
"value": "AWS EC2 Download Userdata"
},
@@ -55481,8 +71757,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://github.com/elastic/detection-rules/pull/1213",
"https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
+ "https://github.com/elastic/detection-rules/pull/1213",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml"
],
"tags": [
@@ -55493,6 +71769,22 @@
"attack.t1550.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b45ab1d2-712f-4f01-a751-df3826969807",
"value": "AWS STS GetSessionToken Misuse"
},
@@ -55557,9 +71849,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
],
"tags": [
@@ -55568,6 +71860,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3940b5f1-3f46-44aa-b746-ebe615b879e0",
"value": "AWS Route 53 Domain Transfer Lock Disabled"
},
@@ -55638,6 +71939,15 @@
"attack.t1592"
]
},
+ "related": [
+ {
+ "dest-uuid": "09312b1a-c3c6-4b45-9844-3ccc78e5d82f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e9c14b23-47e2-4a8b-8a63-d36618e33d70",
"value": "Account Enumeration on AWS"
},
@@ -55679,8 +71989,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
"https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
+ "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
],
"tags": [
@@ -55711,6 +72021,15 @@
"attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add",
"value": "AWS Root Credentials"
},
@@ -55759,6 +72078,22 @@
"attack.t1136.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7",
"value": "AWS ElastiCache Security Group Created"
},
@@ -55783,6 +72118,15 @@
"attack.t1212"
]
},
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e",
"value": "Use of Legacy Authentication Protocols"
},
@@ -55886,7 +72230,7 @@
"value": "Applications That Are Using ROPC Authentication Flow"
},
{
- "description": "Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.",
+ "description": "Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.",
"meta": {
"author": "AlertIQ",
"creation_date": "2021/10/10",
@@ -55902,9 +72246,21 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml"
],
"tags": [
- "attack.credential_access"
+ "attack.credential_access",
+ "attack.t1556",
+ "attack.persistence",
+ "attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7",
"value": "Change to Authentication Method"
},
@@ -55927,9 +72283,18 @@
"tags": [
"attack.persistence",
"attack.defense_evasion",
- "attack.t1078"
+ "attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9",
"value": "Guest User Invited By Non Approved Inviters"
},
@@ -55983,6 +72348,15 @@
"attack.t1552.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d",
"value": "Azure Key Vault Modified or Deleted"
},
@@ -56101,9 +72475,20 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml"
],
"tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.defense_evasion",
+ "attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57",
"value": "Azure Firewall Rule Collection Modified or Deleted"
},
@@ -56132,6 +72517,22 @@
"attack.t1552.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58",
"value": "Azure Kubernetes Admission Controller"
},
@@ -56155,6 +72556,15 @@
"attack.t1003"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c1182e02-49a3-481c-b3de-0fadc4091488",
"value": "Rare Subscription-level Operations In Azure"
},
@@ -56229,6 +72639,15 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "74298991-9fc4-460e-a92e-511aa60baec1",
"value": "Added Owner To Application"
},
@@ -56301,6 +72720,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3",
"value": "User Added To Group With CA Policy Modification Access"
},
@@ -56343,7 +72771,6 @@
"logsource.product": "azure",
"refs": [
"https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes",
- "https://attack.mitre.org/techniques/T1078",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml"
],
"tags": [
@@ -56448,6 +72875,15 @@
"attack.persistence"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628",
"value": "Added Credentials to Existing Application"
},
@@ -56470,9 +72906,27 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml"
],
"tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.t1485",
+ "attack.t1565.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "46530378-f9db-4af9-a9e5-889c177d3881",
"value": "Azure Device or Configuration Modified or Deleted"
},
@@ -56495,9 +72949,20 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_deleted.yml"
],
"tags": [
- "attack.defense_evasion"
+ "attack.defense_evasion",
+ "attack.impact",
+ "attack.t1489"
]
},
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823",
"value": "Azure Application Deleted"
},
@@ -56546,9 +73011,18 @@
],
"tags": [
"attack.initial_access",
- "attack.t1078"
+ "attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "09438caa-07b1-4870-8405-1dbafe3dad95",
"value": "Azure Subscription Permission Elevation Via ActivityLogs"
},
@@ -56590,11 +73064,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
],
"tags": [
@@ -56625,6 +73099,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21",
"value": "Bulk Deletion Changes To Privileged Account Permissions"
},
@@ -56673,6 +73156,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5",
"value": "User Added To Privilege Role"
},
@@ -56693,9 +73185,19 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml"
],
"tags": [
+ "attack.persistence",
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192",
"value": "Number Of Resource Creation Or Deployment Activities"
},
@@ -56788,9 +73290,20 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml"
],
"tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.defense_evasion",
+ "attack.t1562.007"
]
},
+ "related": [
+ {
+ "dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "83c17918-746e-4bd9-920b-8e098bf88c23",
"value": "Azure Network Firewall Policy Modified or Deleted"
},
@@ -56864,6 +73377,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb",
"value": "Azure New CloudShell Created"
},
@@ -56937,6 +73459,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "26e7c5e2-6545-481e-b7e6-050143459635",
"value": "CA Policy Removed by Non Approved Actor"
},
@@ -56961,6 +73492,15 @@
"attack.t1578.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff",
"value": "Azure Active Directory Hybrid Health AD FS Service Delete"
},
@@ -57034,6 +73574,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6",
"value": "New CA Policy by Non-approved Actor"
},
@@ -57059,6 +73608,22 @@
"attack.t1526"
]
},
+ "related": [
+ {
+ "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "35b781cc-1a08-4a5a-80af-42fd7c315c6b",
"value": "Discovery Using AzureHound"
},
@@ -57084,6 +73649,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc",
"value": "CA Policy Updated by Non Approved Actor"
},
@@ -57130,9 +73704,18 @@
"tags": [
"attack.privilege_escalation",
"attack.defense_evasion",
- "attack.t1078"
+ "attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743",
"value": "Changes To PIM Settings"
},
@@ -57181,6 +73764,15 @@
"attack.t1578"
]
},
+ "related": [
+ {
+ "dest-uuid": "144e007b-e638-431d-a894-45d90c54ab90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4",
"value": "Azure Active Directory Hybrid Health AD FS New Server"
},
@@ -57229,6 +73821,15 @@
"attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5496ff55-42ec-4369-81cb-00f417029e25",
"value": "Multifactor Authentication Interrupted"
},
@@ -57249,9 +73850,19 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_to_member.yml"
],
"tags": [
- "attack.t1078"
+ "attack.privilege_escalation",
+ "attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e",
"value": "User State Changed From Guest To Member"
},
@@ -57301,6 +73912,15 @@
"attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99",
"value": "Multifactor Authentication Denied"
},
@@ -57325,6 +73945,15 @@
"attack.t1484"
]
},
+ "related": [
+ {
+ "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd",
"value": "PIM Alert Setting Changes To Disabled"
},
@@ -57345,9 +73974,19 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_granting_permission_detection.yml"
],
"tags": [
- "attack.t1098"
+ "attack.persistence",
+ "attack.t1098.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c",
"value": "Granting Of Permissions To An Account"
},
@@ -57364,11 +74003,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
],
"tags": [
@@ -57400,6 +74039,15 @@
"attack.credential_access"
]
},
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3",
"value": "Application URI Configuration Changes"
},
@@ -57417,11 +74065,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
],
"tags": [
@@ -57456,6 +74104,15 @@
"attack.t1552.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "80eeab92-0979-4152-942d-96749e11df40",
"value": "Azure Keyvault Key Modified or Deleted"
},
@@ -57528,6 +74185,15 @@
"attack.credential_access"
]
},
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1b45b0d1-773f-4f23-aedc-814b759563b1",
"value": "Application AppID Uri Configuration Changes"
},
@@ -57545,11 +74211,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
],
"tags": [
@@ -57577,9 +74243,18 @@
],
"tags": [
"attack.initial_access",
- "attack.t1078"
+ "attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8",
"value": "Login to Disabled Account"
},
@@ -57606,6 +74281,15 @@
"attack.t1562.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35",
"value": "Azure Kubernetes Events Deleted"
},
@@ -57623,7 +74307,6 @@
"logsource.product": "azure",
"refs": [
"https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/",
- "https://attack.mitre.org/techniques/T1098/003/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml"
],
"tags": [
@@ -57631,6 +74314,15 @@
"attack.t1098.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7",
"value": "User Added to an Administrator's Azure AD Role"
},
@@ -57648,18 +74340,28 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
],
"tags": [
"attack.persistence",
+ "attack.t1053.003",
"attack.privilege_escalation",
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a",
"value": "Azure Kubernetes CronJob"
},
@@ -57724,11 +74426,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
],
"tags": [
@@ -57803,12 +74505,47 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml"
],
"tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.defense_evasion",
+ "attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd",
"value": "Azure Firewall Modified or Deleted"
},
+ {
+ "description": "Detects risky authencaition from a non AD registered device without MFA being required.",
+ "meta": {
+ "author": "Harjot Singh, '@cyb3rjy0t'",
+ "creation_date": "2023/01/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "572b12d4-9062-11ed-a1eb-0242ac120002",
+ "value": "Suspicious SignIns From A Non Registered Device"
+ },
{
"description": "Identifies when DNS zone is modified or deleted.",
"meta": {
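Review bot: The new "Suspicious SignIns From A Non Registered Device" entry (L36659–L36682) is tagged `attack.t1078` but has no `related` array, while every other entry in this commit whose tags name an ATT&CK technique receives one (e.g. the `attack.t1078.004` entries pointing at f232fa7a-025c-4d43-abc7-318e81a73d65); this looks like the relationship script skipping the parent technique T1078, so either its lookup or this entry should be completed with the galaxy uuid of T1078 from the ATT&CK attack-pattern cluster. The description string `Detects risky authencaition from a non AD registered device without MFA being required.` misspells "authentication"; since these strings are imported from the upstream Sigma rule, the fix belongs there and would flow in on the next regeneration. The entry's uuid 572b12d4-9062-11ed-a1eb-0242ac120002 is a time-based version-1 identifier while the surrounding entries use random version-4 UUIDs — presumably it is the upstream rule id and fine to keep, but worth confirming it was not generated locally.
```json
},
"related": [
  {
    "dest-uuid": "<placeholder: galaxy uuid of ATT&CK T1078 Valid Accounts>",
    "tags": [
      "estimative-language:likelihood-probability=\"almost-certain\""
    ],
    "type": "related-to"
  }
],
"uuid": "572b12d4-9062-11ed-a1eb-0242ac120002",
```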
@@ -57827,9 +74564,19 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml"
],
"tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.t1565.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "af6925b0-8826-47f1-9324-337507a0babd",
"value": "Azure DNS Zone Modified or Deleted"
},
@@ -57879,6 +74626,15 @@
"attack.t1484"
]
},
+ "related": [
+ {
+ "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9494bff8-959f-4440-bbce-fb87a208d517",
"value": "Changes to Device Registration Policy"
},
@@ -57899,9 +74655,18 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml"
],
"tags": [
- "attack.t1078"
+ "attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c",
"value": "Azure AD Only Single Factor Authentication Required"
},
@@ -57948,9 +74713,18 @@
"tags": [
"attack.persistence",
"attack.privilege_escalation",
- "attack.t1078"
+ "attack.t1078.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947",
"value": "Privileged Account Creation"
},
@@ -57998,6 +74772,15 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c",
"value": "User Removed From Group With CA Policy Modification Access"
},
@@ -58039,7 +74822,6 @@
"logsource.product": "azure",
"refs": [
"https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates",
- "https://attack.mitre.org/techniques/T1556/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_disabled.yml"
],
"tags": [
@@ -58047,6 +74829,15 @@
"attack.t1556"
]
},
+ "related": [
+ {
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf",
"value": "Disabled MFA to Bypass Authentication Mechanisms"
},
@@ -58174,6 +74965,15 @@
"attack.t1552.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b831353c-1971-477b-abb6-2828edc3bca1",
"value": "Azure Keyvault Secrets Modified or Deleted"
},
@@ -58191,11 +74991,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
],
"tags": [
@@ -58220,17 +75020,27 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
],
"tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.t1531"
]
},
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2",
"value": "Azure Kubernetes Service Account Modified or Deleted"
},
@@ -58255,6 +75065,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6ec820f2-e963-4801-9127-d8b2dce4d31b",
"value": "APT User Agent"
},
@@ -58279,6 +75098,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3",
"value": "Suspicious Base64 User Agent"
},
@@ -58304,6 +75132,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8",
"value": "Empire UserAgent URI Combo"
},
@@ -58320,8 +75157,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/jhencinski/status/1102695118455349248",
"https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
+ "https://twitter.com/jhencinski/status/1102695118455349248",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml"
],
"tags": [
@@ -58333,6 +75170,22 @@
"attack.s0190"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9eb68894-7476-4cd6-8752-23b51f5883a7",
"value": "Bitsadmin to Uncommon TLD"
},
@@ -58359,6 +75212,15 @@
"attack.g0010"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7857f021-007f-4928-8b2c-7aedbe64bb82",
"value": "Turla ComRAT"
},
@@ -58383,6 +75245,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fb502828-2db0-438e-93e6-801c7548686d",
"value": "Chafer Malware URL Pattern"
},
@@ -58399,9 +75270,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
+ "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml"
],
"tags": [
@@ -58409,6 +75280,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fdd7e904-7304-4616-a46a-e32f917c4be4",
"value": "OWASSRF Exploitation Attempt Using Public POC - Proxy"
},
@@ -58433,6 +75313,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f",
"value": "Exploit Framework User Agent"
},
@@ -58459,6 +75348,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e09aed7a-09e0-4c9a-90dd-f0d52507347e",
"value": "Windows WebDAV User Agent"
},
@@ -58485,6 +75383,22 @@
"attack.t1568"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "195c1119-ef07-4909-bb12-e66f5e07bf3c",
"value": "Download from Suspicious Dyndns Hosts"
},
@@ -58510,6 +75424,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc",
"value": "CobaltStrike Malleable OneDrive Browsing Traffic Profile"
},
@@ -58534,6 +75457,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7195a772-4b3f-43a4-a210-6a003d65caa1",
"value": "Suspicious User Agent"
},
@@ -58551,8 +75483,8 @@
"logsource.product": "No established product",
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml"
],
"tags": [
@@ -58562,6 +75494,22 @@
"attack.t1102.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b494b165-6634-483d-8c47-2026a6c52372",
"value": "Telegram API Access"
},
@@ -58588,8 +75536,24 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b5de2919-b74a-4805-91a7-5049accbaefe",
- "value": "Download EXE from Suspicious TLD"
+ "value": "Download From Suspicious TLD - Whitelist"
},
{
"description": "Detects suspicious user agent strings used by malware in proxy logs",
@@ -58604,9 +75568,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
"http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
"https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
"http://www.botopedia.org/search?searchword=scan&searchphrase=all",
"https://perishablepress.com/blacklist/ua-2013.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml"
@@ -58616,6 +75580,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e",
"value": "Malware User Agent"
},
@@ -58643,6 +75616,22 @@
"attack.s0190"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3",
"value": "Bitsadmin to Uncommon IP Server Address"
},
@@ -58659,8 +75648,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
"https://rclone.org/",
+ "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml"
],
"tags": [
@@ -58668,6 +75657,15 @@
"attack.t1567.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2c03648b-e081-41a5-b9fb-7d854a915091",
"value": "Rclone Activity via Proxy"
},
@@ -58693,6 +75691,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1ddf4596-1908-43c9-add2-1d2c2fcc4797",
"value": "Potential OWASSRF Exploitation Attempt - Proxy"
},
@@ -58718,6 +75725,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78",
"value": "Crypto Miner User Agent"
},
@@ -58769,6 +75785,36 @@
"attack.t1552.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6",
"value": "iOS Implant URL Pattern"
},
@@ -58794,6 +75840,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "41b42a36-f62c-4c34-bd40-8cb804a34ad8",
"value": "CobaltStrike Malformed UAs in Malleable Profiles"
},
@@ -58821,6 +75876,29 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5468045b-4fcc-4d1a-973c-c9c9578edacb",
"value": "Raw Paste Service Access"
},
@@ -58846,6 +75924,15 @@
"attack.t1590"
]
},
+ "related": [
+ {
+ "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d",
"value": "Advanced IP/Port Scanner Update Check"
},
@@ -58863,9 +75950,9 @@
"logsource.product": "No established product",
"refs": [
"https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+ "https://www.spamhaus.org/statistics/tlds/",
"https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
"https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
- "https://www.spamhaus.org/statistics/tlds/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml"
],
"tags": [
@@ -58876,8 +75963,24 @@
"attack.t1204.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19",
- "value": "Download from Suspicious TLD"
+ "value": "Download From Suspicious TLD - Blacklist"
},
{
"description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group",
@@ -58915,8 +76018,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
"https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml"
],
"tags": [
@@ -58925,6 +76028,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "953b895e-5cc9-454b-b183-7f3db555452e",
"value": "CobaltStrike Malleable Amazon Browsing Traffic Profile"
},
@@ -58951,6 +76063,29 @@
"attack.t1102.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e",
"value": "PwnDrp Access"
},
@@ -58976,6 +76111,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "37325383-740a-403d-b1a2-b2b4ab7992e7",
"value": "CobaltStrike Malleable (OCSP) Profile"
},
@@ -59002,6 +76146,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c8557060-9221-4448-8794-96320e6f3e74",
"value": "Windows PowerShell User Agent"
},
@@ -59049,6 +76202,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "304810ed-8853-437f-9e36-c4975c3dfd7e",
"value": "BabyShark Agent Pattern"
},
@@ -59065,8 +76227,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
"http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml"
],
"tags": [
@@ -59076,6 +76238,15 @@
"attack.t1110"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c42a3073-30fb-48ae-8c99-c23ada84b103",
"value": "Hack Tool User Agent"
},
@@ -59102,6 +76273,22 @@
"attack.t1567.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5ba715b6-71b7-44fd-8245-f66893e81b3d",
"value": "APT40 Dropbox Tool User Agent"
},
@@ -59130,6 +76317,22 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "932ac737-33ca-4afd-9869-0d48b391fcc9",
"value": "Ursnif Malware C2 URL Pattern"
},
@@ -59155,6 +76358,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "21e44d78-95e7-421b-a464-ffd8395659c4",
"value": "Empty User Agent"
},
@@ -59183,6 +76395,22 @@
"attack.t1036.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4922a5dd-6743-4fc2-8e81-144374280997",
"value": "Flash Player Update from Suspicious Location"
},
@@ -59199,8 +76427,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://paper.seebug.org/1495/",
"https://twitter.com/wugeej/status/1369476795255320580",
+ "https://paper.seebug.org/1495/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml"
],
"tags": [
@@ -59209,6 +76437,15 @@
"cve.2021.21978"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9",
"value": "CVE-2021-21978 Exploitation Attempt"
},
@@ -59226,8 +76463,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://bad-jubies.github.io/RCE-NOW-WHAT/",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml"
],
"tags": [
@@ -59262,6 +76499,15 @@
"cve.2020.14882"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b",
"value": "Oracle WebLogic Exploit CVE-2020-14882"
},
@@ -59278,10 +76524,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
"https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
- "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
"https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
+ "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
+ "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml"
],
"tags": [
@@ -59289,6 +76535,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "38825179-3c78-4fed-b222-2e2166b926b1",
"value": "Potential CVE-2021-26084 Exploitation Attempt"
},
@@ -59313,6 +76568,15 @@
"attack.initial_access"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6f55f047-112b-4101-ad32-43913f52db46",
"value": "SonicWall SSL/VPN Jarrewrite Exploit"
},
@@ -59338,6 +76602,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2",
"value": "Exchange Exploitation Used by HAFNIUM"
},
@@ -59354,8 +76627,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
"https://www.anquanke.com/post/id/226029",
+ "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml"
],
"tags": [
@@ -59391,6 +76664,15 @@
"cve.2018.2894"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000",
"value": "Oracle WebLogic Exploit"
},
@@ -59407,9 +76689,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
"https://dmaasland.github.io/posts/citrix.html",
"https://support.citrix.com/article/CTX276688",
+ "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml"
],
"tags": [
@@ -59417,6 +76699,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7",
"value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195"
},
@@ -59433,8 +76724,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/search?q=CVE-2021-43798",
"https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
+ "https://github.com/search?q=CVE-2021-43798",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml"
],
"tags": [
@@ -59442,6 +76733,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16",
"value": "Grafana Path Traversal Exploitation CVE-2021-43798"
},
@@ -59480,10 +76780,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://twitter.com/Al1ex4/status/1382981479727128580",
+ "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
"https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
"https://twitter.com/sec715/status/1373472323538362371",
- "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
- "https://twitter.com/Al1ex4/status/1382981479727128580",
"https://github.com/murataydemir/CVE-2021-27905",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml"
],
@@ -59493,6 +76793,15 @@
"cve.2021.27905"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0bbcd74b-0596-41a4-94a0-4e88a76ffdb3",
"value": "Potential CVE-2021-27905 Exploitation Attempt"
},
@@ -59509,8 +76818,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
"https://github.com/vnhacker1337/CVE-2022-27925-PoC",
+ "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
"https://www.yang99.top/index.php/archives/82/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml"
],
@@ -59520,6 +76829,15 @@
"cve.2022.27925"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd",
"value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE"
},
@@ -59536,10 +76854,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
"https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
"https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
+ "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
+ "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
],
"tags": [
@@ -59548,6 +76866,15 @@
"cve.2022.36804"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685",
"value": "Atlassian Bitbucket Command Injection Via Archive API"
},
@@ -59566,10 +76893,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
"https://github.com/payloadbox/sql-injection-payload-list",
"https://brightsec.com/blog/sql-injection-payloads/",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+ "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml"
],
"tags": "No established tags"
@@ -59590,9 +76917,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
+ "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_poc_exploitation.yml"
],
"tags": [
@@ -59600,6 +76927,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "92d78c63-5a5c-4c40-9b60-463810ffb082",
"value": "OWASSRF Exploitation Attempt Using Public POC - Webserver"
},
@@ -59626,6 +76962,15 @@
"cve.2021.26814"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3",
"value": "Exploitation of CVE-2021-26814 in Wazuh"
},
@@ -59651,6 +76996,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "181f49fa-0b21-4665-a98c-a57025ebb8c7",
"value": "Potential OWASSRF Exploitation Attempt - Webserver"
},
@@ -59667,8 +77021,8 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
- "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
"https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
+ "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml"
],
"tags": [
@@ -59676,6 +77030,15 @@
"attack.t1499.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56",
"value": "Nginx Core Dump"
},
@@ -59701,6 +77064,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5525edac-f599-4bfd-b926-3fa69860e766",
"value": "Pulse Connect Secure RCE Attack CVE-2021-22893"
},
@@ -59726,6 +77098,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61",
"value": "CVE-2010-5278 Exploitation Attempt"
},
@@ -59742,8 +77123,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
"https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
+ "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml"
],
"tags": [
@@ -59767,9 +77148,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://support.f5.com/csp/article/K52145254",
"https://twitter.com/yorickkoster/status/1279709009151434754",
"https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
+ "https://support.f5.com/csp/article/K52145254",
"https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml"
],
@@ -59778,6 +77159,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478",
"value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt"
},
@@ -59794,9 +77184,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
- "https://swarm.ptsecurity.com/unauth-rce-vmware",
"https://f5.pm/go-59627.html",
+ "https://swarm.ptsecurity.com/unauth-rce-vmware",
+ "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
],
"tags": [
@@ -59804,6 +77194,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "179ed852-0f9b-4009-93a7-68475910fd86",
"value": "CVE-2021-21972 VSphere Exploitation"
},
@@ -59828,6 +77227,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6fdfc796-06b3-46e8-af08-58f3505318af",
"value": "Multiple Suspicious Resp Codes Caused by Single Client"
},
@@ -59855,6 +77263,15 @@
"cve.2022.46169"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "738cb115-881f-4df3-82cc-56ab02fc5192",
"value": "Potential CVE-2022-46169 Exploitation Attempt"
},
@@ -59871,12 +77288,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
"https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
"https://news.ycombinator.com/item?id=29504755",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
"https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml"
],
"tags": [
@@ -59884,6 +77301,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9be472ed-893c-4ec0-94da-312d2765f654",
"value": "Log4j RCE CVE-2021-44228 in Fields"
},
@@ -59932,6 +77358,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60",
"value": "Pulse Secure Attack CVE-2019-11510"
},
@@ -59948,10 +77383,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
"https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
"https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml"
],
"tags": [
@@ -59983,6 +77418,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b",
"value": "Exchange Exploitation CVE-2021-28480"
},
@@ -60023,8 +77467,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
"https://twitter.com/pyn3rd/status/1351696768065409026",
+ "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml"
],
"tags": [
@@ -60033,6 +77477,15 @@
"cve.2021.2109"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "687f6504-7f44-4549-91fc-f07bab065821",
"value": "Oracle WebLogic Exploit CVE-2021-2109"
},
@@ -60058,6 +77511,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7745c2ea-24a5-4290-b680-04359cb84b35",
"value": "Path Traversal Exploitation Attempts"
},
@@ -60083,6 +77545,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f",
"value": "Sitecore Pre-Auth RCE CVE-2021-42237"
},
@@ -60099,9 +77570,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
"https://github.com/apache/spark/pull/36315/files",
+ "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml"
],
"tags": [
@@ -60110,6 +77581,15 @@
"cve.2022.33891"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c",
"value": "Apache Spark Shell Command Injection - Weblogs"
},
@@ -60126,9 +77606,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
- "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
"https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
+ "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
+ "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml"
],
"tags": [
@@ -60136,6 +77616,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a",
"value": "Suspicious User-Agents Related To Recon Tools"
},
@@ -60161,6 +77650,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "efdb2003-a922-48aa-8f37-8b80021a9706",
"value": "CVE-2022-31659 VMware Workspace ONE Access RCE"
},
@@ -60185,30 +77683,18 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a2e97350-4285-43f2-a63f-d0daff291738",
"value": "Fortinet CVE-2018-13379 Exploitation"
},
- {
- "description": "Detects an issue in apache logs that reports threading related errors",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/01/22",
- "falsepositive": [
- "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185"
- ],
- "filename": "web_apache_threading_error.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c",
- "value": "Apache Threading Error"
- },
{
"description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs",
"meta": {
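Review bot: The "Apache Threading Error" cluster value (uuid e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c) is deleted outright at L38335-L38355, and the same happens to "Apache Segmentation Fault" (uuid 1da8ce0b-855d-4004-8860-7d64d42063b1) at L38433-L38456. Galaxy cluster UUIDs are referenced by tags on existing MISP events, so dropping a value leaves those tags unresolvable on instances that synchronise this galaxy. If the upstream rules were retired, keeping the entry (for instance with a note in its description that the upstream rule no longer exists) preserves UUID stability; as it stands the removal is not mentioned in the commit message and is easy to miss inside a 20k-line generated update.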
@@ -60230,6 +77716,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4",
"value": "Fortinet CVE-2021-22123 Exploitation"
},
@@ -60256,6 +77751,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef",
"value": "Exchange ProxyShell Pattern"
},
@@ -60297,8 +77801,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/sensepost/reGeorg",
"https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
+ "https://github.com/sensepost/reGeorg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml"
],
"tags": [
@@ -60322,12 +77826,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
"https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
"https://news.ycombinator.com/item?id=29504755",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
"https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
],
"tags": [
@@ -60335,33 +77839,18 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702",
"value": "Log4j RCE CVE-2021-44228 Generic"
},
- {
- "description": "Detects a segmentation fault error message caused by a creashing apache worker process",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2017/02/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_apache_segfault.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "No established product",
- "refs": [
- "http://www.securityfocus.com/infocus/1633",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_segfault.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1499.004"
- ]
- },
- "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1",
- "value": "Apache Segmentation Fault"
- },
{
"description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398",
"meta": {
@@ -60383,6 +77872,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b",
"value": "Confluence Exploitation CVE-2019-3398"
},
@@ -60407,6 +77905,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "56973b50-3382-4b56-bdf5-f51a3183797a",
"value": "CVE-2021-33766 Exchange ProxyToken Exploitation"
},
@@ -60424,8 +77931,8 @@
"logsource.product": "No established product",
"refs": [
"https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
- "https://www.tenable.com/security/research/tra-2021-13",
"https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
+ "https://www.tenable.com/security/research/tra-2021-13",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
],
"tags": [
@@ -60435,6 +77942,15 @@
"cve.2021.20091"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f0500377-bc70-425d-ac8c-e956cd906871",
"value": "Arcadyan Router Exploitations"
},
@@ -60461,6 +77977,15 @@
"cve.2020.28188"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e",
"value": "TerraMaster TOS CVE-2020-28188"
},
@@ -60485,6 +78010,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af",
"value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass"
},
@@ -60501,8 +78035,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
"https://kb.vmware.com/s/article/85717",
+ "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml"
],
"tags": [
@@ -60510,6 +78044,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec",
"value": "VMware vCenter Server File Upload CVE-2021-22005"
},
@@ -60526,12 +78069,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
"https://twitter.com/bl4sty/status/1445462677824761878",
+ "https://twitter.com/ptswarm/status/1445376079548624899",
"https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
- "https://twitter.com/ptswarm/status/1445376079548624899",
"https://twitter.com/h4x0r_dz/status/1445401960371429381",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
],
"tags": [
@@ -60539,6 +78082,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3007fec6-e761-4319-91af-e32e20ac43f5",
"value": "CVE-2021-41773 Exploitation Attempt"
},
@@ -60567,6 +78119,15 @@
"cve.2014.6287"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a133193c-2daa-4a29-8022-018695fcf0ae",
"value": "Rejetto HTTP File Server RCE"
},
@@ -60584,8 +78145,8 @@
"logsource.product": "No established product",
"refs": [
"https://github.com/lijiejie/IIS_shortname_Scanner",
- "https://www.exploit-db.com/exploits/19525",
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://www.exploit-db.com/exploits/19525",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml"
],
"tags": [
@@ -60593,6 +78154,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac",
"value": "Successful IIS Shortname Fuzzing Scan"
},
@@ -60617,6 +78187,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80",
"value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass"
},
@@ -60633,8 +78212,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
"https://twitter.com/aboul3la/status/1286012324722155525",
+ "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml"
],
"tags": [
@@ -60643,6 +78222,15 @@
"cve.2020.3452"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "aba47adc-4847-4970-95c1-61dce62a8b29",
"value": "Cisco ASA FTD Exploit CVE-2020-3452"
},
@@ -60688,6 +78276,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5",
"value": "CVE-2020-0688 Exchange Exploitation via Web Log"
},
@@ -60729,11 +78326,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://isc.sans.edu/diary/25686",
- "https://support.citrix.com/article/CTX267027",
"https://support.citrix.com/article/CTX267679",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
+ "https://support.citrix.com/article/CTX267027",
+ "https://isc.sans.edu/diary/25686",
"https://twitter.com/mpgn_x64/status/1216787131210829826",
+ "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
],
"tags": [
@@ -60741,6 +78338,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756",
"value": "Citrix Netscaler Attack CVE-2019-19781"
},
@@ -60765,6 +78371,15 @@
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a",
"value": "CVE-2020-0688 Exploitation Attempt"
},
@@ -60826,8 +78441,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
"https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
],
"tags": [
@@ -60837,6 +78452,15 @@
"attack.t1505.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1",
"value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit"
},
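Review bot: The generated `related` list for this rule links only the T1190 cluster (dest-uuid 3f886f2a-874f-4333-b794-aa6075009b1c), although the rule's tags visible in context end with `"attack.t1505.003"` and other hunks (L39191-L39217, L39245-L39264) show the script emitting one relation per ATT&CK tag when a rule carries several. Why the second technique was not mapped is not visible from this hunk (the tags array starts outside it), so it is worth checking against the relationship script's mapping; since the attack.mitre.org refs are being dropped elsewhere in this commit (L39241, L39272, L39289), the `related` entries become the only ATT&CK link these rules carry.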
@@ -60862,6 +78486,15 @@
"attack.t1037.005"
]
},
+ "related": [
+ {
+ "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "dfe8b941-4e54-4242-b674-6b613d521962",
"value": "Startup Items"
},
@@ -60878,8 +78511,8 @@
"logsource.category": "file_event",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
"https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
],
"tags": [
@@ -60888,6 +78521,15 @@
"attack.t1546.014"
]
},
+ "related": [
+ {
+ "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "23c43900-e732-45a4-8354-63e4a6c187ce",
"value": "MacOS Emond Launch Daemon"
},
@@ -60985,6 +78627,15 @@
"attack.t1059.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1bc2e6c5-0885-472b-bed6-be5ea8eace55",
"value": "MacOS Scripting Interpreter AppleScript"
},
@@ -61009,6 +78660,15 @@
"attack.t1553.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f5141b6d-9f42-41c6-a7bf-2a780678b29b",
"value": "Gatekeeper Bypass via Xattr"
},
@@ -61049,8 +78709,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
"https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
],
"tags": [
@@ -61067,6 +78727,43 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4",
"value": "Suspicious Execution via macOS Script Editor"
},
@@ -61115,6 +78812,15 @@
"attack.persistence"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731",
"value": "Creation Of A Local User Account"
},
@@ -61163,6 +78869,15 @@
"attack.t1564.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b22a5b36-2431-493a-8be1-0bae56c28ef3",
"value": "Hidden User Creation"
},
@@ -61188,6 +78903,15 @@
"attack.t1552.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "508a9374-ad52-4789-b568-fc358def2c65",
"value": "Suspicious History File Operations"
},
@@ -61212,6 +78936,15 @@
"attack.t1049"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db",
"value": "System Network Connections Discovery - MacOs"
},
@@ -61252,8 +78985,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml"
],
"tags": [
@@ -61300,8 +79033,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
"https://www.manpagez.com/man/8/firmwarepasswd/",
+ "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
"https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
],
@@ -61333,6 +79066,15 @@
"attack.t1070.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0",
"value": "File Time Attribute Change"
},
@@ -61362,6 +79104,29 @@
"attack.s0402"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca",
"value": "Payload Decoded and Decrypted via Built-in Utilities"
},
@@ -61410,6 +79175,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276",
"value": "Local Groups Discovery - MacOs"
},
@@ -61436,6 +79210,15 @@
"attack.t1053.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7c3b43d8-d794-47d2-800a-d277715aa460",
"value": "Scheduled Cron Task/Job - MacOs"
},
@@ -61508,6 +79291,15 @@
"attack.t1030"
]
},
+ "related": [
+ {
+ "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12",
"value": "Split A File Into Pieces"
},
@@ -61524,8 +79316,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
+ "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
],
"tags": [
@@ -61557,6 +79349,15 @@
"attack.t1087.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ddf36b67-e872-4507-ab2e-46bda21b842c",
"value": "Local System Accounts Discovery - MacOs"
},
@@ -61606,6 +79407,15 @@
"attack.t1070.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "acf61bd8-d814-4272-81f0-a7a269aa69aa",
"value": "Indicator Removal on Host - Clear Mac System Logs"
},
@@ -61630,6 +79440,15 @@
"attack.t1529"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "40b1fbe2-18ea-4ee7-be47-0294285811de",
"value": "System Shutdown/Reboot - MacOs"
},
@@ -61679,6 +79498,15 @@
"attack.t1555.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b120b587-a4c2-4b94-875d-99c9807d6955",
"value": "Credentials from Password Stores - Keychain"
},
@@ -61720,9 +79548,9 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
],
@@ -61742,8 +79570,8 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
],
@@ -61765,8 +79593,8 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
],
@@ -61801,6 +79629,29 @@
"attack.t1203"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "045b5f9c-49f7-4419-a236-9854fb3c827a",
"value": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd"
},
@@ -61849,6 +79700,15 @@
"attack.t1222.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "74c01ace-0152-4094-8ae2-6fd776dd43e5",
"value": "File or Folder Permissions Change"
},
@@ -61890,7 +79750,6 @@
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md",
- "https://attack.mitre.org/techniques/T1543/002/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml"
],
"tags": [
@@ -61924,6 +79783,22 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "808146b2-9332-4d78-9416-d7e47012d83d",
"value": "BPFDoor Abnormal Process ID or Lock File Accessed"
},
@@ -61940,7 +79815,6 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://attack.mitre.org/techniques/T1123/",
"https://linux.die.net/man/1/arecord",
"https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml"
@@ -61983,7 +79857,7 @@
"author": "Igor Fits, oscd.community",
"creation_date": "2020/10/13",
"falsepositive": [
- "Legitimate script work"
+ "Unknown"
],
"filename": "lnx_auditd_binary_padding.yml",
"level": "high",
@@ -62015,7 +79889,6 @@
"logsource.product": "linux",
"refs": [
"https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/",
- "https://attack.mitre.org/techniques/T1027/003/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml"
],
"tags": [
@@ -62088,7 +79961,6 @@
"refs": [
"https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
"https://linux.die.net/man/1/xclip",
- "https://attack.mitre.org/techniques/T1115/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
],
"tags": [
@@ -62113,7 +79985,6 @@
"logsource.product": "linux",
"refs": [
"https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/",
- "https://attack.mitre.org/techniques/T1027/003/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml"
],
"tags": [
@@ -62138,7 +80009,6 @@
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
- "https://attack.mitre.org/techniques/T1547/006/",
"https://linux.die.net/man/8/insmod",
"https://man7.org/linux/man-pages/man8/kmod.8.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
@@ -62149,6 +80019,15 @@
"attack.t1547.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "106d7cbd-80ff-4985-b682-a7043e5acb72",
"value": "Loading of Kernel Module via Insmod"
},
@@ -62190,8 +80069,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/security/cve/CVE-2021-4034",
"https://github.com/berdav/CVE-2021-4034",
+ "https://access.redhat.com/security/cve/CVE-2021-4034",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml"
],
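Review bot: The `refs` array here is rewritten with the same three URLs in a different order (`- "https://access.redhat.com/security/cve/CVE-2021-4034"` moves below the berdav link as `+ "https://access.redhat.com/security/cve/CVE-2021-4034"`), and the same pure reorder recurs in the hunks for lnx_auditd_capabilities_discovery, lnx_auditd_ld_so_preload_mod, lnx_auditd_keylogging_with_pam_d, lnx_auditd_create_account, lnx_susp_dev_tcp, lnx_shell_susp_commands, lnx_shell_priv_esc_prep, lnx_sshd_susp_ssh and lnx_sudo_cve_2019_14287_user. This looks like the regeneration script emitting references from an unordered collection; if so, every future regeneration will produce large no-op diffs that bury the substantive changes in this file (dropped attack.mitre.org links, renamed rule files, removed cluster values). Sorting `refs` deterministically in the generator, or preserving the order from the upstream rule's `references` list, would keep these galaxy diffs reviewable. The generator itself is outside this patch, so this is a request for the script rather than a change to the JSON.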
@@ -62200,6 +80079,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "40a016ab-4f48-4eee-adde-bbf612695c53",
"value": "Potential CVE-2021-4034 Exploitation Attempt"
},
@@ -62216,10 +80104,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
"https://linux.die.net/man/1/import",
"https://imagemagick.org/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
- "https://attack.mitre.org/techniques/T1113/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
],
"tags": [
@@ -62243,7 +80130,6 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://attack.mitre.org/techniques/T1562/004/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
"https://firewalld.org/documentation/man-pages/firewall-cmd.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
@@ -62253,6 +80139,15 @@
"attack.defense_evasion"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "53059bc0-1472-438b-956a-7508a94a91f0",
"value": "Disable System Firewall"
},
@@ -62270,7 +80165,6 @@
"logsource.product": "linux",
"refs": [
"https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/",
- "https://attack.mitre.org/techniques/T1027/003/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml"
],
"tags": [
@@ -62296,8 +80190,8 @@
"refs": [
"https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
"https://mn3m.info/posts/suid-vs-capabilities/",
- "https://man7.org/linux/man-pages/man8/getcap.8.html",
"https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
+ "https://man7.org/linux/man-pages/man8/getcap.8.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
],
"tags": [
@@ -62307,6 +80201,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fe10751f-1995-40a5-aaa2-c97ccb4123fe",
"value": "Linux Capabilities Discovery"
},
@@ -62372,8 +80275,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
"https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
],
"tags": [
@@ -62403,6 +80306,15 @@
"attack.t1036.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0",
"value": "Masquerading as Linux Crond Process"
},
@@ -62420,7 +80332,6 @@
"logsource.product": "linux",
"refs": [
"https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/",
- "https://attack.mitre.org/techniques/T1027/003/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml"
],
"tags": [
@@ -62453,6 +80364,15 @@
"attack.t1552.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "eae8ce9f-bde9-47a6-8e79-f20d18419910",
"value": "Suspicious History File Operations - Linux"
},
@@ -62477,6 +80397,15 @@
"attack.t1070.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b",
"value": "File Time Attribute Change - Linux"
},
@@ -62501,6 +80430,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed",
"value": "Possible Coin Miner CPU Priority Param"
},
@@ -62526,6 +80464,15 @@
"cve.2021.3156"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b9748c98-9ea7-4fdb-80b6-29bed6ba71d2",
"value": "CVE-2021-3156 Exploitation Attempt Bruteforcing"
},
@@ -62567,7 +80514,6 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://attack.mitre.org/tactics/TA0010/",
"https://linux.die.net/man/1/wget",
"https://gtfobins.github.io/gtfobins/wget/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml"
@@ -62577,6 +80523,15 @@
"attack.t1048.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc",
"value": "Data Exfiltration with Wget"
},
@@ -62595,7 +80550,6 @@
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md",
- "https://attack.mitre.org/techniques/T1543/002/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml"
],
"tags": [
@@ -62627,6 +80581,15 @@
"attack.t1030"
]
},
+ "related": [
+ {
+ "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2dad0cba-c62a-4a4f-949f-5f6ecd619769",
"value": "Split A File Into Pieces - Linux"
},
@@ -62644,7 +80607,6 @@
"logsource.product": "linux",
"refs": [
"https://linux.die.net/man/1/xclip",
- "https://attack.mitre.org/techniques/T1115/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml"
],
"tags": [
@@ -62677,6 +80639,15 @@
"cve.2021.3156"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "5ee37487-4eb8-4ac2-9be1-d7d14cdc559f",
"value": "CVE-2021-3156 Exploitation Attempt"
},
@@ -62702,6 +80673,15 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "70b4156e-50fc-4523-aa50-c9dddf1993fc",
"value": "Bpfdoor TCP Ports Redirect"
},
@@ -62728,6 +80708,22 @@
"attack.resource_development"
]
},
+ "related": [
+ {
+ "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc",
"value": "Program Executions in Suspicious Folders"
},
@@ -62752,6 +80748,15 @@
"attack.t1222.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a5b977d6-8a81-4475-91b9-49dbfcd941f7",
"value": "Remove Immutable File Attribute - Auditd"
},
@@ -62776,6 +80781,15 @@
"attack.t1560.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee",
"value": "Data Compressed"
},
@@ -62818,7 +80832,6 @@
"refs": [
"https://linux.die.net/man/1/xwd",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
- "https://attack.mitre.org/techniques/T1113/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml"
],
"tags": [
@@ -62850,6 +80863,15 @@
"attack.t1529"
]
},
+ "related": [
+ {
+ "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f",
"value": "System Shutdown/Reboot - Linux"
},
@@ -62875,6 +80897,15 @@
"attack.t1006"
]
},
+ "related": [
+ {
+ "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fb0647d7-371a-4553-8e20-33bbbe122956",
"value": "Use of Debugfs to Access a Raw Disk"
},
@@ -62891,10 +80922,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
"https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
"https://man7.org/linux/man-pages/man1/passwd.1.html",
- "https://attack.mitre.org/techniques/T1201/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
"https://linux.die.net/man/1/chage",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
],
@@ -62903,6 +80933,15 @@
"attack.t1201"
]
},
+ "related": [
+ {
+ "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ca94a6db-8106-4737-9ed2-3e3bb826af0a",
"value": "Password Policy Discovery"
},
@@ -62920,7 +80959,6 @@
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md",
- "https://attack.mitre.org/techniques/T1082/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml"
],
"tags": [
@@ -62953,6 +80991,15 @@
"attack.t1546.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9",
"value": "Edit of .bash_profile and .bashrc"
},
@@ -62978,6 +81025,15 @@
"attack.t1485"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "37222991-11e9-4b6d-8bdf-60fbe48f753e",
"value": "Overwriting the File with Dev Zero or Null"
},
@@ -62994,11 +81050,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://attack.mitre.org/techniques/T1003/",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
"https://linux.die.net/man/8/pam_tty_audit",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
],
"tags": [
@@ -63007,6 +81062,15 @@
"attack.t1056.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "49aae26c-450e-448b-911d-b3c13d178dfc",
"value": "Linux Keylogging with Pam.d"
},
@@ -63031,6 +81095,15 @@
"attack.t1059.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1543ae20-cbdf-4ec1-8d12-7664d667a825",
"value": "Suspicious Commands Linux"
},
@@ -63047,7 +81120,6 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://attack.mitre.org/techniques/T1564/001/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml"
],
@@ -63056,6 +81128,15 @@
"attack.t1564.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d08722cd-3d09-449a-80b4-83ea2d9d4616",
"value": "Hidden Files and Directories"
},
@@ -63073,8 +81154,8 @@
"logsource.product": "linux",
"refs": [
"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
],
"tags": [
@@ -63082,6 +81163,15 @@
"attack.persistence"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512",
"value": "Creation Of An User Account"
},
@@ -63099,8 +81189,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
- "https://book.hacktricks.xyz/shells/shells/linux",
"https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
+ "https://book.hacktricks.xyz/shells/shells/linux",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
],
"tags": [
@@ -63156,6 +81246,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7a14080d-a048-4de8-ae58-604ce58a795b",
"value": "Remote File Copy"
},
@@ -63181,6 +81280,15 @@
"attack.t1059.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "41e5c73d-9983-4b69-bd03-e13b67e9623c",
"value": "Equation Group Indicators"
},
@@ -63205,6 +81313,15 @@
"attack.execution"
]
},
+ "related": [
+ {
+ "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523",
"value": "Symlink Etc Passwd"
},
@@ -63229,6 +81346,15 @@
"attack.t1565.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e09eb557-96d2-4de9-ba2d-30f712a5afd3",
"value": "Commands to Clear or Remove the Syslog - Builtin"
},
@@ -63253,6 +81379,15 @@
"attack.privilege_escalation"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781",
"value": "Buffer Overflow Attempts"
},
@@ -63277,6 +81412,15 @@
"attack.t1059.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "738d9bcf-6999-4fdb-b4ac-3033037db8ab",
"value": "Suspicious Reverse Shell Command Line"
},
@@ -63326,6 +81470,22 @@
"attack.t1098"
]
},
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0ac15ec3-d24f-4246-aa2a-3077bb1cf90e",
"value": "Privileged User Has Been Created"
},
@@ -63351,6 +81511,15 @@
"attack.t1068"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8",
"value": "Nimbuspwn Exploitation"
},
@@ -63375,6 +81544,15 @@
"attack.t1059.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae",
"value": "JexBoss Command Sequence"
},
@@ -63439,10 +81617,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://artkond.com/2017/03/23/pivoting-guide/",
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
"http://pastebin.com/FtygZ1cg",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
"http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
+ "https://artkond.com/2017/03/23/pivoting-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
],
"tags": [
@@ -63450,6 +81628,15 @@
"attack.t1059.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695",
"value": "Suspicious Activity in Shell Commands"
},
@@ -63466,9 +81653,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml",
"https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
"https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/",
- "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml"
],
"tags": [
@@ -63476,6 +81663,15 @@
"attack.t1059.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "444ade84-c362-4260-b1f3-e45e20e1a905",
"value": "Privilege Escalation Preparation"
},
@@ -63494,7 +81690,6 @@
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
"https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics",
- "https://attack.mitre.org/techniques/T1070/003/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
],
"tags": [
@@ -63502,6 +81697,15 @@
"attack.t1070.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e",
"value": "Clear Command History"
},
@@ -63513,19 +81717,28 @@
"falsepositive": [
"Unknown"
],
- "filename": "lnx_susp_guacamole.yml",
+ "filename": "lnx_guacamole_susp_guacamole.yml",
"level": "high",
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
"https://research.checkpoint.com/2020/apache-guacamole-rce/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/guacamole/lnx_susp_guacamole.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml"
],
"tags": [
"attack.credential_access",
"attack.t1212"
]
},
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1edd77db-0669-4fef-9598-165bda82826d",
"value": "Guacamole Two Users Sharing Session Anomaly"
},
@@ -63537,19 +81750,28 @@
"falsepositive": [
"Unknown"
],
- "filename": "lnx_susp_vsftp.yml",
+ "filename": "lnx_vsftpd_susp_error_messages.yml",
"level": "medium",
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
"https://github.com/dagwieers/vsftpd/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/vsftpd/lnx_susp_vsftp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml"
],
"tags": [
"attack.initial_access",
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe",
"value": "Suspicious VSFTPD Error Messages"
},
@@ -63561,19 +81783,28 @@
"falsepositive": [
"Unknown"
],
- "filename": "lnx_clamav.yml",
+ "filename": "lnx_clamav_relevant_message.yml",
"level": "high",
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
"https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/clamav/lnx_clamav.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml"
],
"tags": [
"attack.resource_development",
"attack.t1588.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb",
"value": "Relevant ClamAV Message"
},
@@ -63585,19 +81816,28 @@
"falsepositive": [
"Legitimate modification of crontab"
],
- "filename": "lnx_crontab_file_modification.yml",
+ "filename": "lnx_cron_crontab_file_modification.yml",
"level": "medium",
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/cron/lnx_crontab_file_modification.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml"
],
"tags": [
"attack.persistence",
"attack.t1053.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "af202fd3-7bff-4212-a25a-fb34606cfcbe",
"value": "Modifying Crontab"
},
@@ -63609,19 +81849,28 @@
"falsepositive": [
"Unknown"
],
- "filename": "lnx_pwnkit_local_privilege_escalation.yml",
+ "filename": "lnx_auth_pwnkit_local_privilege_escalation.yml",
"level": "high",
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
"https://twitter.com/wdormann/status/1486161836961579020",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml"
],
"tags": [
"attack.privilege_escalation",
"attack.t1548.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0506a799-698b-43b4-85a1-ac4c84c720e9",
"value": "PwnKit Local Privilege Escalation"
},
@@ -63635,12 +81884,12 @@
"Jump servers",
"Workstations with frequently changing users"
],
- "filename": "lnx_susp_failed_logons_single_source.yml",
+ "filename": "lnx_auth_susp_failed_logons_single_source.yml",
"level": "medium",
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_susp_failed_logons_single_source.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_auth_susp_failed_logons_single_source.yml"
],
"tags": [
"attack.credential_access",
@@ -63658,19 +81907,28 @@
"falsepositive": [
"Unknown"
],
- "filename": "lnx_ssh_cve_2018_15473.yml",
+ "filename": "lnx_sshd_ssh_cve_2018_15473.yml",
"level": "medium",
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
"https://github.com/Rhynorater/CVE-2018-15473-Exploit",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_ssh_cve_2018_15473.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml"
],
"tags": [
"attack.reconnaissance",
"attack.t1589"
]
},
+ "related": [
+ {
+ "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4c9d903d-4939-4094-ade0-3cb748f4d7da",
"value": "SSHD Error Message CVE-2018-15473"
},
@@ -63682,47 +81940,32 @@
"falsepositive": [
"Unknown"
],
- "filename": "lnx_susp_ssh.yml",
+ "filename": "lnx_sshd_susp_ssh.yml",
"level": "medium",
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
"https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_susp_ssh.yml"
+ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
],
"tags": [
"attack.initial_access",
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc",
"value": "Suspicious OpenSSH Daemon Error"
},
- {
- "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2017/02/28",
- "falsepositive": [
- "Vulnerability scanners",
- "Frequent attacks if system faces Internet"
- ],
- "filename": "modsec_mulitple_blocks.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/modsecurity/modsec_mulitple_blocks.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1499"
- ]
- },
- "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23",
- "value": "Multiple Modsecurity Blocks"
- },
{
"description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287",
"meta": {
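Review bot: The entire `Multiple Modsecurity Blocks` cluster value (uuid `a06eea10-d932-4aa6-8ba9-186df72c8d23`) is deleted from the `values` array instead of being kept with a deprecation marker, and the hunk that removes `Disabling Security Tools - Builtin` does the same for uuid `49f5dfc1-f92e-4d34-96fa-feba3f6acf36`. Cluster UUIDs are what MISP instances attach to events as galaxy tags, so once a value disappears from the cluster those existing tags can no longer be resolved after the galaxy is updated. If the upstream rules were deleted or deprecated, keeping the entry in the file with the schema's `revoked` flag (if this cluster type supports it) or whatever marker this galaxy uses for retired values preserves the uuid; a one-line mention of the removed uuids in the commit description would also help downstream users. Whether the script dropped these because upstream deleted the rules or merely moved them under a new filename cannot be told from the diff.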
@@ -63736,9 +81979,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/security/cve/cve-2019-14287",
"https://twitter.com/matthieugarin/status/1183970598210412546",
"https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://access.redhat.com/security/cve/cve-2019-14287",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
],
"tags": [
@@ -63748,33 +81991,25 @@
"cve.2019.14287"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7fcc54cb-f27d-4684-84b7-436af096f858",
"value": "Sudo Privilege Escalation CVE-2019-14287 - Builtin"
},
- {
- "description": "Detects disabling security tools",
- "meta": {
- "author": "Ömer Günal, Alejandro Ortuno, oscd.community",
- "creation_date": "2020/06/17",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "lnx_security_tools_disabling_syslog.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_security_tools_disabling_syslog.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.004"
- ]
- },
- "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36",
- "value": "Disabling Security Tools - Builtin"
- },
{
"description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts",
"meta": {
@@ -63783,22 +82018,64 @@
"falsepositive": [
"Unknown"
],
- "filename": "lnx_susp_named.yml",
+ "filename": "lnx_syslog_susp_named.yml",
"level": "high",
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
"https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_susp_named.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml"
],
"tags": [
"attack.initial_access",
"attack.t1190"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365",
"value": "Suspicious Named Error"
},
+ {
+ "description": "Detects disabling security tools",
+ "meta": {
+ "author": "Ömer Günal, Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/06/17",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "lnx_syslog_security_tools_disabling_syslog.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "linux",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36",
+ "value": "Disabling Security Tools - Builtin"
+ },
{
"description": "Detects creation of cron file or files in Cron directories which could indicates potential persistence.",
"meta": {
@@ -63820,6 +82097,15 @@
"attack.t1053.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05",
"value": "Persistence Via Cron Files"
},
@@ -63844,6 +82130,15 @@
"attack.t1053.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ddb26b76-4447-4807-871f-1b035b2bfa5d",
"value": "Persistence Via Sudoers Files"
},
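Review bot: The new `related` entry links this Sudoers-file rule to the same technique uuid (`2acf44aa-542f-4366-b4eb-55ef5747759c`) that the cron rules in the neighbouring hunks link to, because it is derived from the rule's `attack.t1053.003` tag; that tag is inherited context, so the mismatch originates upstream, but stamping the derived link with `estimative-language:likelihood-probability="almost-certain"` presents a mechanical tag-to-uuid lookup as an assessed judgement. Either have the relationship script emit the confidence tag only where the mapping has been reviewed, or document in the generator that the label is a constant applied to every tag-derived relation so consumers do not read it as per-rule confidence. The enclosing value object starts before the hunk.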
@@ -63892,6 +82187,15 @@
"attack.t1053.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1a2ea919-d11d-4d1e-8535-06cda13be20f",
"value": "Triple Cross eBPF Rootkit Default Persistence"
},
@@ -63917,6 +82221,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "00eee2a5-fdb0-4746-a21d-e43fbdea5681",
"value": "Linux Doas Conf File Creation"
},
@@ -63948,6 +82261,43 @@
"attack.s0508"
]
},
+ "related": [
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "19bf6fdb-7721-4f3d-867f-53467f6a5db6",
"value": "Communication To Ngrok Tunneling Service - Linux"
},
@@ -64006,9 +82356,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/security/cve/cve-2019-14287",
"https://twitter.com/matthieugarin/status/1183970598210412546",
"https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://access.redhat.com/security/cve/cve-2019-14287",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
],
"tags": [
@@ -64018,6 +82368,22 @@
"cve.2019.14287"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f74107df-b6c6-4e80-bf00-4170b658162b",
"value": "Sudo Privilege Escalation CVE-2019-14287"
},
@@ -64090,6 +82456,15 @@
"attack.t1562.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776",
"value": "Disabling Security Tools"
},
@@ -64130,8 +82505,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/vim/",
"https://gtfobins.github.io/gtfobins/vimdiff/",
+ "https://gtfobins.github.io/gtfobins/vim/",
"https://gtfobins.github.io/gtfobins/rvim/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
],
@@ -64257,6 +82632,15 @@
"attack.t1087.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c",
"value": "Local System Accounts Discovery - Linux"
},
@@ -64283,6 +82667,15 @@
"attack.t1552.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7",
"value": "Linux Recon Indicators"
},
@@ -64308,6 +82701,15 @@
"attack.t1222.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6419afd1-3742-47a5-a7e6-b50386cd15f8",
"value": "Chmod Suspicious Directory"
},
@@ -64332,6 +82734,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c4042d54-110d-45dd-a0e1-05c47822c937",
"value": "Python Spawning Pretty TTY"
},
@@ -64359,6 +82770,22 @@
"cve.2022.26134"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66",
"value": "Atlassian Confluence CVE-2022-26134"
},
@@ -64375,11 +82802,11 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://curl.se/docs/manpage.html",
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
"https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+ "https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
],
"tags": [
@@ -64388,6 +82815,22 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582",
"value": "Suspicious Curl File Upload - Linux"
},
@@ -64404,8 +82847,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/apt/",
"https://gtfobins.github.io/gtfobins/apt-get/",
+ "https://gtfobins.github.io/gtfobins/apt/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml"
],
"tags": [
@@ -64429,10 +82872,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
- "https://linux.die.net/man/8/userdel",
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://linux.die.net/man/8/userdel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
],
"tags": [
@@ -64440,6 +82883,15 @@
"attack.t1531"
]
},
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "08f26069-6f80-474b-8d1f-d971c6fedea0",
"value": "User Has Been Deleted Via Userdel"
},
@@ -64509,6 +82961,15 @@
"attack.t1485"
]
},
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "2953194b-e33c-4859-b9e8-05948c167447",
"value": "DD File Overwrite"
},
@@ -64559,6 +83020,15 @@
"attack.t1053.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6b14bac8-3e3a-4324-8109-42f0546a347f",
"value": "Scheduled Cron Task/Job - Linux"
},
@@ -64583,6 +83053,15 @@
"attack.t1049"
]
},
+ "related": [
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79",
"value": "System Network Connections Discovery - Linux"
},
@@ -64632,6 +83111,15 @@
"attack.t1071.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "b86d356d-6093-443d-971c-9b07db583c68",
"value": "Suspicious Curl Change User Agents - Linux"
},
@@ -64648,8 +83136,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
"https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
+ "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"
],
"tags": [
@@ -64681,6 +83169,15 @@
"attack.t1053.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d2d642d7-b393-43fe-bae4-e81ed5915c4b",
"value": "Scheduled Task/Job At"
},
@@ -64706,6 +83203,15 @@
"attack.t1592.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66",
"value": "Print History File Contents"
},
@@ -64722,8 +83228,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
"https://bpftrace.org/",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
],
"tags": [
@@ -64731,6 +83237,15 @@
"attack.t1059.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39",
"value": "BPFtrace Unsafe Option Usage"
},
@@ -64760,6 +83275,29 @@
"attack.t1203"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db",
"value": "OMIGOD SCX RunAsProvider ExecuteScript"
},
@@ -64784,6 +83322,15 @@
"attack.t1140"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ba592c6d-6888-43c3-b8c6-689b8fe47337",
"value": "Linux Base64 Encoded Pipe to Shell"
},
@@ -64808,6 +83355,15 @@
"attack.t1070.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "80915f59-9b56-4616-9de0-fd0dea6c12fe",
"value": "Clear Linux Logs"
},
@@ -64824,10 +83380,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://linux.die.net/man/8/groupdel",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
],
"tags": [
@@ -64835,6 +83391,15 @@
"attack.t1531"
]
},
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "8a46f16c-8c4c-82d1-b121-0fdd3ba70a84",
"value": "Group Has Been Deleted Via Groupdel"
},
@@ -64860,6 +83425,15 @@
"attack.t1140"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff",
"value": "Linux Base64 Encoded Shebang In CLI"
},
@@ -64876,8 +83450,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/diego-treitos/linux-smart-enumeration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
],
@@ -64910,6 +83484,15 @@
"attack.t1140"
]
},
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "880973f3-9708-491c-a77b-2a35a1921158",
"value": "Linux Shell Pipe to Shell"
},
@@ -64935,6 +83518,15 @@
"attack.t1105"
]
},
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194",
"value": "Curl Usage on Linux"
},
@@ -65006,6 +83598,15 @@
"attack.t1070.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31",
"value": "Commands to Clear or Remove the Syslog"
},
@@ -65030,6 +83631,15 @@
"attack.t1059"
]
},
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "d292e0af-9a18-420c-9525-ec0ac3936892",
"value": "Suspicious Java Children Processes"
},
@@ -65078,6 +83688,15 @@
"attack.t1222.002"
]
},
+ "related": [
+ {
+ "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "34979410-e4b5-4e5d-8cfb-389fdff05c12",
"value": "Remove Immutable File Attribute"
},
@@ -65107,6 +83726,29 @@
"attack.t1203"
]
},
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "21541900-27a9-4454-9c4c-3f0a4240344a",
"value": "OMIGOD SCX RunAsProvider ExecuteShellCommand"
},
@@ -65123,8 +83765,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/nohup/",
"https://www.computerhope.com/unix/unohup.htm",
+ "https://gtfobins.github.io/gtfobins/nohup/",
"https://en.wikipedia.org/wiki/Nohup",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
],
@@ -65201,6 +83843,15 @@
"attack.t1090"
]
},
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c",
"value": "Connection Proxy"
},
@@ -65248,6 +83899,15 @@
"attack.t1070.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57",
"value": "File Deletion"
},
@@ -65264,8 +83924,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
"https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
],
"tags": [
@@ -65273,6 +83933,15 @@
"attack.t1548"
]
},
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "067d8238-7127-451c-a9ec-fa78045b618b",
"value": "Linux Doas Tool Execution"
},
@@ -65298,6 +83967,15 @@
"attack.t1565.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "1182f3b3-e716-4efa-99ab-d2685d04360f",
"value": "History File Deletion"
},
@@ -65322,6 +84000,15 @@
"attack.t1592.004"
]
},
+ "related": [
+ {
+ "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "0f79c4d2-4e1f-4683-9c36-b5469a665e06",
"value": "Cat Sudoers"
},
@@ -65346,6 +84033,15 @@
"attack.t1593.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "cfec9d29-64ec-4a0f-9ffe-0fdb856d5446",
"value": "Suspicious Git Clone - Linux"
},
@@ -65362,14 +84058,24 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
"https://attack.mitre.org/techniques/T1548/001/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
],
"tags": [
- "attack.persistence"
+ "attack.persistence",
+ "attack.t1548.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c21c4eaa-ba2e-419a-92b2-8371703cbe21",
"value": "Setuid and Setgid"
},
@@ -65386,9 +84092,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
"https://github.com/apache/spark/pull/36315/files",
+ "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
],
"tags": [
@@ -65397,6 +84103,15 @@
"cve.2022.33891"
]
},
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "c8a5f584-cdc8-42cc-8cce-0398e4265de3",
"value": "Apache Spark Shell Command Injection - ProcessCreation"
},
@@ -65421,6 +84136,15 @@
"attack.t1069.001"
]
},
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "676381a6-15ca-4d73-a9c8-6a22e970b90d",
"value": "Local Groups Discovery - Linux"
},
@@ -65437,8 +84161,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
"https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
+ "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
],
"tags": [
From fd226d47a27f09523f1301c33690c17af06f4271 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 12 Jan 2023 14:10:22 +0100
Subject: [PATCH 03/13] chg: [sigma] new version of the cluster
---
clusters/sigma-rules.json | 2150 ++++++++++++++++++-------------------
1 file changed, 1075 insertions(+), 1075 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 9954344..504a13a 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -174,9 +174,9 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
],
"tags": "No established tags"
@@ -232,9 +232,9 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
+ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
- "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://core.telegram.org/bots/faq",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
],
@@ -310,8 +310,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml"
],
"tags": [
@@ -417,8 +417,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/",
"https://zeltser.com/c2-dns-tunneling/",
+ "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml"
],
"tags": [
@@ -460,8 +460,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
"https://twitter.com/stvemillertime/status/1024707932447854592",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
],
"tags": [
@@ -1329,10 +1329,10 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
"https://threatpost.com/microsoft-petitpotam-poc/168163/",
- "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
"https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
+ "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
+ "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
],
"tags": [
@@ -1700,9 +1700,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/Maka8ka/NGLite",
"https://github.com/nknorg/nkn-sdk-go",
- "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
],
"tags": [
@@ -1751,8 +1751,8 @@
"logsource.product": "zeek",
"refs": [
"https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
],
"tags": [
@@ -1843,11 +1843,11 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
- "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
"https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
"https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+ "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
"https://github.com/corelight/CVE-2021-1675",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
],
@@ -2148,10 +2148,10 @@
"logsource.category": "application",
"logsource.product": "ruby_on_rails",
"refs": [
- "http://guides.rubyonrails.org/action_controller_overview.html",
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
"http://edgeguides.rubyonrails.org/security.html",
"https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
+ "http://guides.rubyonrails.org/action_controller_overview.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
],
"tags": [
@@ -2184,10 +2184,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
],
"tags": [
@@ -2211,10 +2211,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
],
"tags": [
@@ -2237,8 +2237,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
@@ -2263,9 +2263,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
],
@@ -2299,8 +2299,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
@@ -2337,9 +2337,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
],
"tags": [
@@ -2387,8 +2387,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
@@ -2424,8 +2424,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
],
@@ -2467,8 +2467,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
@@ -2504,12 +2504,12 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
- "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
],
"tags": [
@@ -2532,9 +2532,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
],
@@ -2558,9 +2558,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
],
@@ -2584,8 +2584,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
@@ -2610,10 +2610,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
],
"tags": [
@@ -2637,9 +2637,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
],
@@ -2663,9 +2663,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
],
@@ -2722,11 +2722,11 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
],
"tags": [
@@ -2760,8 +2760,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
"https://twitter.com/shantanukhande/status/1229348874298388484",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml"
],
"tags": [
@@ -2941,9 +2941,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://twitter.com/mrd0x/status/1460597833917251595",
"https://twitter.com/_xpn_/status/1491557187168178176",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
],
"tags": [
@@ -3188,10 +3188,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
- "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
"https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
],
"tags": [
@@ -3225,10 +3225,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
],
"tags": [
@@ -3263,11 +3263,11 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
],
"tags": [
@@ -3301,11 +3301,11 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
],
"tags": [
@@ -3396,8 +3396,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/D1rkMtr/UnhookingPatch",
"https://twitter.com/D1rkMtr/status/1611471891193298944?s=20",
+ "https://github.com/D1rkMtr/UnhookingPatch",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml"
],
"tags": [
@@ -3513,8 +3513,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_xpn_/status/1491557187168178176",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml"
],
"tags": [
@@ -3619,8 +3619,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://twitter.com/SBousseaden/status/1541920424635912196",
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
],
@@ -3700,8 +3700,8 @@
"logsource.category": "process_tampering",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
"https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
+ "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml"
],
"tags": [
@@ -3912,11 +3912,11 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
"https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://github.com/SigmaHQ/sigma/issues/253",
"https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
- "https://twitter.com/d4rksystem/status/1357010969264873472",
+ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
],
"tags": [
@@ -4227,18 +4227,18 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://github.com/RiccardoAncarani/LiquidSnake",
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
"https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
],
"tags": [
@@ -4298,9 +4298,9 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
- "https://github.com/Azure/SimuLand",
"https://o365blog.com/post/adfs/",
+ "https://github.com/Azure/SimuLand",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
],
"tags": [
@@ -4710,8 +4710,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml"
],
"tags": [
@@ -4745,9 +4745,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://twitter.com/MsftSecIntel/status/1257324139515269121",
"https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
],
"tags": [
@@ -4840,8 +4840,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
],
"tags": [
@@ -4922,8 +4922,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
],
"tags": "No established tags"
@@ -5009,8 +5009,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
"https://o365blog.com/post/hybridhealthagent/",
+ "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
],
"tags": [
@@ -5228,10 +5228,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/sensepost/ruler/issues/47",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://github.com/sensepost/ruler",
"https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://github.com/sensepost/ruler",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
+ "https://github.com/sensepost/ruler/issues/47",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
],
@@ -5309,8 +5309,8 @@
"logsource.product": "windows",
"refs": [
"https://awakesecurity.com/blog/threat-hunting-for-paexec/",
- "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
"https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
],
"tags": [
@@ -5463,9 +5463,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
],
"tags": "No established tags"
@@ -5533,9 +5533,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
"https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
"https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
],
"tags": [
@@ -5559,9 +5559,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
],
"tags": [
@@ -5692,8 +5692,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
"https://twitter.com/SBousseaden/status/1207671369963646976",
+ "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
],
"tags": [
@@ -5747,8 +5747,8 @@
"logsource.product": "windows",
"refs": [
"https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
],
"tags": [
@@ -5964,13 +5964,13 @@
"logsource.product": "windows",
"refs": [
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
],
@@ -6041,8 +6041,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
"https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
+ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml"
],
"tags": [
@@ -6099,9 +6099,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
"https://github.com/fox-it/LDAPFragger",
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
],
"tags": [
@@ -6270,9 +6270,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
"https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
- "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
],
"tags": [
@@ -6410,8 +6410,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
- "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
"Live environment caused by malware",
+ "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
],
"tags": [
@@ -6775,8 +6775,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
"https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
+ "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml"
],
"tags": [
@@ -6833,8 +6833,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/menasec1/status/1111556090137903104",
"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
+ "https://twitter.com/menasec1/status/1111556090137903104",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
],
"tags": [
@@ -7084,8 +7084,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml"
],
"tags": "No established tags"
@@ -7107,9 +7107,9 @@
"logsource.product": "windows",
"refs": [
"https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
- "https://twitter.com/Flangvik/status/1283054508084473861",
"https://twitter.com/SecurityJosh/status/1283027365770276866",
+ "https://twitter.com/Flangvik/status/1283054508084473861",
+ "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
],
"tags": [
@@ -7388,9 +7388,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
"https://github.com/topotam/PetitPotam",
"https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
],
"tags": [
@@ -7423,8 +7423,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
+ "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
],
"tags": [
@@ -8160,10 +8160,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
],
"tags": "No established tags"
@@ -8213,16 +8213,16 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
],
"tags": [
@@ -8350,8 +8350,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
"https://twitter.com/SBousseaden/status/1096148422984384514",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml"
],
"tags": [
@@ -8396,8 +8396,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
"https://o365blog.com/post/hybridhealthagent/",
+ "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
],
"tags": [
@@ -8454,8 +8454,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
],
"tags": [
@@ -8719,8 +8719,8 @@
"logsource.product": "windows",
"refs": [
"http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
- "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
+ "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
],
"tags": [
@@ -8967,10 +8967,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
],
"tags": [
@@ -9089,8 +9089,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
"https://twitter.com/SBousseaden/status/1490608838701166596",
+ "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
],
"tags": [
@@ -9156,8 +9156,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
"https://twitter.com/malmoeb/status/1511760068743766026",
+ "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
"https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
],
@@ -9349,8 +9349,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JohnLaTwC/status/1004895028995477505",
"https://goo.gl/PsqrhT",
+ "https://twitter.com/JohnLaTwC/status/1004895028995477505",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
],
"tags": [
@@ -9630,8 +9630,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
"https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
+ "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
"https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
],
@@ -9665,8 +9665,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
"https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml"
],
"tags": [
@@ -9745,8 +9745,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/security/4022344",
"https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
+ "https://technet.microsoft.com/en-us/library/security/4022344",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
],
"tags": [
@@ -9805,9 +9805,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml"
],
"tags": [
@@ -9840,11 +9840,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/DidierStevens/status/1217533958096924676",
- "https://nullsec.us/windows-event-log-audit-cve/",
- "https://twitter.com/VM_vivisector/status/1217190929330655232",
"https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://nullsec.us/windows-event-log-audit-cve/",
"https://www.youtube.com/watch?v=ebmW42YYveI",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
+ "https://twitter.com/VM_vivisector/status/1217190929330655232",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
],
"tags": [
@@ -10003,8 +10003,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
"https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
],
"tags": [
@@ -10233,8 +10233,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
"https://twitter.com/moti_b/status/1032645458634653697",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml"
],
"tags": [
@@ -10307,10 +10307,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://winaero.com/enable-openssh-server-windows-10/",
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
],
@@ -10335,9 +10335,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/fuzzyf10w/status/1410202370835898371",
"https://github.com/afwu/PrintNightmare",
"https://github.com/hhlxf/PrintNightmare",
- "https://twitter.com/fuzzyf10w/status/1410202370835898371",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
],
"tags": [
@@ -10405,8 +10405,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
],
"tags": [
@@ -10556,8 +10556,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
+ "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
],
"tags": [
@@ -10719,10 +10719,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml"
],
"tags": [
@@ -10892,9 +10892,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml"
],
"tags": [
@@ -10928,8 +10928,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml"
],
"tags": [
@@ -10963,8 +10963,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://ngrok.com/",
"https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
+ "https://ngrok.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
],
"tags": [
@@ -10998,8 +10998,8 @@
"logsource.product": "windows",
"refs": [
"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
- "https://twitter.com/gentilkiwi/status/861641945944391680",
"https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
+ "https://twitter.com/gentilkiwi/status/861641945944391680",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml"
],
"tags": [
@@ -11587,8 +11587,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml"
],
@@ -11682,8 +11682,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Ekultek/BlueKeep",
"https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://github.com/Ekultek/BlueKeep",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml"
],
"tags": [
@@ -11715,8 +11715,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
"https://www.secura.com/blog/zero-logon",
+ "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
],
"tags": [
@@ -12102,8 +12102,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml"
],
"tags": [
@@ -12330,8 +12330,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml"
],
"tags": [
@@ -12365,8 +12365,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml"
],
@@ -13101,8 +13101,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yml"
],
"tags": [
@@ -13244,11 +13244,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
"https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
"https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
"https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
],
"tags": [
@@ -13290,10 +13290,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"Internal Research",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml"
],
"tags": [
@@ -13316,10 +13316,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"Internal Research",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml"
],
"tags": [
@@ -13342,9 +13342,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml"
],
"tags": [
@@ -13367,10 +13367,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"Internal Research",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml"
],
"tags": [
@@ -13393,10 +13393,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"Internal Research",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml"
],
"tags": [
@@ -13647,8 +13647,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
],
"tags": [
@@ -13959,9 +13959,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://adepts.of0x.cc/netsh-portproxy-code/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
"https://www.dfirnotes.net/portproxy_detection/",
+ "https://adepts.of0x.cc/netsh-portproxy-code/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
],
"tags": [
@@ -13996,9 +13996,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
- "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
"https://persistence-info.github.io/Data/recyclebin.html",
+ "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
+ "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
],
"tags": [
@@ -14057,8 +14057,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
],
"tags": [
@@ -14359,8 +14359,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
"https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
+ "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
],
"tags": [
@@ -14384,8 +14384,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
+ "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml"
],
"tags": [
@@ -14764,10 +14764,10 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
"https://github.com/hfiref0x/UACME",
- "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
"https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
],
"tags": [
@@ -15007,8 +15007,8 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
"http://woshub.com/how-to-clear-rdp-connections-history/",
+ "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
],
"tags": [
@@ -15115,11 +15115,11 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
"https://docs.microsoft.com/en-us/windows/win32/shell/launch",
- "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
"https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/7",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
],
"tags": [
@@ -15176,8 +15176,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
+ "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml"
],
"tags": [
@@ -15325,10 +15325,10 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
"https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
"https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
"https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml"
],
@@ -15353,8 +15353,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/amsi.html",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
+ "https://persistence-info.github.io/Data/amsi.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml"
],
"tags": [
@@ -15575,8 +15575,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
"https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
],
"tags": [
@@ -15825,13 +15825,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
],
"tags": [
@@ -15917,8 +15917,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
"https://persistence-info.github.io/Data/wer_debugger.html",
+ "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
],
"tags": [
@@ -16030,8 +16030,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
"https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
],
"tags": [
@@ -16055,9 +16055,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
"https://twitter.com/inversecos/status/1494174785621819397",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
],
"tags": [
@@ -16177,8 +16177,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
@@ -16262,8 +16262,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
"https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
+ "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
],
"tags": [
@@ -16370,9 +16370,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/tree/master/SIP",
"https://persistence-info.github.io/Data/codesigning.html",
"https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
+ "https://github.com/gtworek/PSBits/tree/master/SIP",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
],
"tags": [
@@ -16672,8 +16672,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
],
"tags": [
@@ -16741,8 +16741,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
],
"tags": [
@@ -16790,8 +16790,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
],
"tags": [
@@ -16874,8 +16874,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml"
],
"tags": [
@@ -17013,8 +17013,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
"https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml"
],
"tags": [
@@ -17049,9 +17049,9 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
],
"tags": [
@@ -17166,13 +17166,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
],
"tags": [
@@ -17308,8 +17308,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
],
"tags": [
@@ -17491,9 +17491,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
- "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
"https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
+ "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
],
"tags": [
@@ -17758,10 +17758,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
],
"tags": [
@@ -17819,8 +17819,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
"https://github.com/hfiref0x/UACME",
+ "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
],
"tags": [
@@ -17855,8 +17855,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
"https://persistence-info.github.io/Data/hhctrl.html",
+ "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
],
"tags": [
@@ -18075,8 +18075,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
"https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
],
"tags": [
@@ -18166,8 +18166,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
"https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
+ "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -18313,8 +18313,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
"https://persistence-info.github.io/Data/aedebug.html",
+ "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
],
"tags": [
@@ -18388,9 +18388,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
- "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
],
"tags": [
@@ -18423,8 +18423,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
],
@@ -18483,9 +18483,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
"https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
],
"tags": [
@@ -18519,8 +18519,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
],
"tags": [
@@ -18575,9 +18575,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/jamieantisocial/status/1304520651248668673",
- "https://www.sans.org/cyber-security-summit/archives",
"https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
+ "https://www.sans.org/cyber-security-summit/archives",
+ "https://twitter.com/jamieantisocial/status/1304520651248668673",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
],
"tags": [
@@ -18834,8 +18834,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
"https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
],
"tags": [
@@ -18963,8 +18963,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
],
"tags": [
@@ -18988,8 +18988,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/998627081360695297",
"https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
+ "https://twitter.com/pabraeken/status/998627081360695297",
"https://twitter.com/VakninHai/status/1517027824984547329",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
],
@@ -19098,8 +19098,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
@@ -19158,9 +19158,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
"https://unit42.paloaltonetworks.com/ransomware-families/",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
],
"tags": [
@@ -19191,8 +19191,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
"https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml"
],
"tags": [
@@ -19233,8 +19233,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
"https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
],
"tags": [
@@ -19269,8 +19269,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
],
"tags": [
@@ -19318,9 +19318,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
- "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
"https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
+ "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
+ "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
],
"tags": [
@@ -19343,10 +19343,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
- "https://github.com/elastic/detection-rules/issues/1371",
"https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
"https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+ "https://github.com/elastic/detection-rules/issues/1371",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
],
"tags": [
@@ -19437,8 +19437,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
],
@@ -19462,17 +19462,17 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
],
"tags": [
@@ -19651,10 +19651,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1468548924600459267",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
"https://persistence-info.github.io/Data/ifilters.html",
+ "https://github.com/gtworek/PSBits/tree/master/IFilter",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
+ "https://twitter.com/0gtweet/status/1468548924600459267",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
],
"tags": [
@@ -19812,9 +19812,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
"https://twitter.com/dez_/status/986614411711442944",
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
],
"tags": [
@@ -19914,8 +19914,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/binderlabs/DirCreate2System",
+ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
],
"tags": [
@@ -19942,9 +19942,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/bohops/WSMan-WinRM",
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/bohops/WSMan-WinRM",
"https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
],
@@ -20020,8 +20020,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
"https://twitter.com/am0nsec/status/1412232114980982787",
+ "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml"
],
"tags": [
@@ -20158,8 +20158,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/wdormann/status/1547583317410607110",
"https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
+ "https://twitter.com/wdormann/status/1547583317410607110",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml"
],
"tags": [
@@ -20226,8 +20226,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
+ "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml"
],
"tags": [
@@ -20348,11 +20348,11 @@
"logsource.product": "windows",
"refs": [
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://github.com/Wh04m1001/SysmonEoP",
"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
],
"tags": [
@@ -20467,8 +20467,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
"http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
+ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
],
"tags": [
@@ -20553,10 +20553,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
"https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
"https://hijacklibs.net/",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
],
"tags": [
@@ -20801,8 +20801,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/tyranid/DotNetToJScript",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://thewover.github.io/Introducing-Donut/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
],
@@ -20887,8 +20887,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
"https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
+ "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
],
"tags": [
@@ -21268,8 +21268,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
"https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
"https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml"
],
@@ -21490,9 +21490,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
"https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
],
"tags": [
@@ -21517,9 +21517,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
- "https://twitter.com/oulusoyum/status/1191329746069655553",
"https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml"
],
"tags": [
@@ -21659,9 +21659,9 @@
"logsource.category": "wmi_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
"https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
+ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
],
"tags": [
@@ -21695,8 +21695,8 @@
"logsource.product": "windows",
"refs": [
"https://nmap.org/ncat/",
- "https://github.com/besimorhino/powercat",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
+ "https://github.com/besimorhino/powercat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
],
"tags": [
@@ -21729,8 +21729,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/bohops/WSMan-WinRM",
"https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/bohops/WSMan-WinRM",
"https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
],
@@ -21882,8 +21882,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -21985,8 +21985,8 @@
"logsource.category": "ps_classic_start",
"logsource.product": "windows",
"refs": [
- "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
],
"tags": [
@@ -22278,9 +22278,9 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
"https://www.mdeditor.tw/pl/pgRt",
"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
- "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
],
"tags": [
@@ -22338,8 +22338,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
"https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
],
"tags": [
@@ -22543,8 +22543,8 @@
"logsource.product": "windows",
"refs": [
"https://nmap.org/ncat/",
- "https://github.com/besimorhino/powercat",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
+ "https://github.com/besimorhino/powercat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml"
],
"tags": [
@@ -23084,8 +23084,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -23285,8 +23285,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://attack.mitre.org/datasources/DS0005/",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml"
],
"tags": [
@@ -23319,8 +23319,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
"https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml"
],
"tags": [
@@ -23454,8 +23454,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
],
"tags": [
@@ -23578,9 +23578,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
+ "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
],
"tags": [
@@ -23613,8 +23613,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
"https://techgenix.com/malicious-powershell-scripts-evade-detection/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
],
"tags": [
@@ -23717,10 +23717,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2277",
- "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
"https://powersploit.readthedocs.io/en/stable/Recon/README",
"https://thedfirreport.com/2020/10/08/ryuks-return",
+ "https://adsecurity.org/?p=2277",
+ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
],
"tags": [
@@ -23795,8 +23795,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://twitter.com/bohops/status/948061991012327424",
+ "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml"
],
"tags": [
@@ -23862,9 +23862,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
"https://www.ietf.org/rfc/rfc2821.txt",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
],
"tags": [
@@ -23898,8 +23898,8 @@
"logsource.product": "windows",
"refs": [
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -24073,10 +24073,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
- "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+ "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+ "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
"http://woshub.com/manage-windows-firewall-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
],
@@ -24110,8 +24110,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
+ "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
],
"tags": [
@@ -24236,9 +24236,9 @@
"logsource.product": "windows",
"refs": [
"https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
],
"tags": [
@@ -24447,8 +24447,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.powershellgallery.com/packages/DSInternals",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
+ "https://www.powershellgallery.com/packages/DSInternals",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
],
"tags": [
@@ -24507,8 +24507,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2604",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+ "https://adsecurity.org/?p=2604",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
],
@@ -24566,8 +24566,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml"
],
"tags": [
@@ -24692,8 +24692,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
+ "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml"
],
"tags": [
@@ -24999,8 +24999,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://t.co/ezOTGy1a1G",
"https://twitter.com/JohnLaTwC/status/850381440629981184",
+ "https://t.co/ezOTGy1a1G",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml"
],
"tags": [
@@ -25226,8 +25226,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
"https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
+ "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
],
"tags": [
@@ -25423,8 +25423,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
+ "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml"
],
"tags": [
@@ -25481,8 +25481,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml"
],
"tags": [
@@ -25595,8 +25595,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/Gerenios/AADInternals",
"https://o365blog.com/aadinternals/",
+ "https://github.com/Gerenios/AADInternals",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml"
],
"tags": [
@@ -25742,8 +25742,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
"http://www.powertheshell.com/ntfsstreams/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"
],
"tags": [
@@ -25785,8 +25785,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
"https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
],
"tags": [
@@ -25844,8 +25844,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
"https://www.offensive-security.com/metasploit-unleashed/timestomp/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
],
"tags": [
@@ -25911,8 +25911,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
"https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
],
"tags": [
@@ -25945,8 +25945,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
],
"tags": [
@@ -25970,8 +25970,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://attack.mitre.org/datasources/DS0005/",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"
],
"tags": [
@@ -26004,8 +26004,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
],
"tags": [
@@ -26183,9 +26183,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
],
"tags": [
@@ -26218,8 +26218,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
"https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+ "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
],
"tags": [
@@ -26311,8 +26311,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml"
],
"tags": [
@@ -26336,8 +26336,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
],
"tags": [
@@ -26361,8 +26361,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://twitter.com/bohops/status/948061991012327424",
+ "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml"
],
"tags": [
@@ -26724,9 +26724,9 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
"https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
"https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
],
"tags": [
@@ -26850,8 +26850,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
],
"tags": [
@@ -27120,8 +27120,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml"
],
"tags": [
@@ -27144,10 +27144,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
- "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
"https://twitter.com/ScumBots/status/1610626724257046529",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
"https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
+ "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
],
"tags": [
@@ -27326,19 +27326,19 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://adsecurity.org/?p=2921",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/HarmJ0y/DAMP",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/samratashok/nishang",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
],
"tags": [
@@ -27443,8 +27443,8 @@
"logsource.product": "windows",
"refs": [
"https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
- "https://www.shellhacks.com/clear-history-powershell/",
"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
+ "https://www.shellhacks.com/clear-history-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
],
"tags": [
@@ -27585,9 +27585,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
],
"tags": "No established tags"
@@ -27843,8 +27843,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
"https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
],
"tags": [
@@ -27945,8 +27945,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
+ "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml"
],
"tags": [
@@ -28474,9 +28474,9 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/KeeThief",
"https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
"https://github.com/denandz/KeeFarce",
+ "https://github.com/GhostPack/KeeThief",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
],
"tags": [
@@ -28509,8 +28509,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1090588499517079552",
"https://github.com/mdsecactivebreach/CACTUSTORCH",
+ "https://twitter.com/SBousseaden/status/1090588499517079552",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
],
"tags": [
@@ -28812,11 +28812,11 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
- "https://github.com/fengjixuchui/gdrv-loader",
- "https://twitter.com/malmoeb/status/1551449425842786306",
- "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
"https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
+ "https://github.com/fengjixuchui/gdrv-loader",
+ "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
+ "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
+ "https://twitter.com/malmoeb/status/1551449425842786306",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
],
"tags": [
@@ -28865,18 +28865,18 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/jbaines-r7/dellicious",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/CaledoniaProject/drivers-binaries",
"https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
+ "https://github.com/namazso/physmem_drivers",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
"https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://github.com/stong/CVE-2020-15368",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://github.com/namazso/physmem_drivers",
"https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://github.com/jbaines-r7/dellicious",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml"
],
"tags": [
@@ -29011,22 +29011,22 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/jbaines-r7/dellicious",
- "https://github.com/tandasat/ExploitCapcom",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/CaledoniaProject/drivers-binaries",
"https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
+ "https://github.com/namazso/physmem_drivers",
+ "https://github.com/tandasat/ExploitCapcom",
+ "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
+ "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
"https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://github.com/stong/CVE-2020-15368",
- "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
- "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
- "https://github.com/namazso/physmem_drivers",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://github.com/jbaines-r7/dellicious",
+ "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml"
],
"tags": [
@@ -29177,8 +29177,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://systeminformer.sourceforge.io/",
"https://processhacker.sourceforge.io/",
+ "https://systeminformer.sourceforge.io/",
"https://github.com/winsiderss/systeminformer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml"
],
@@ -29213,8 +29213,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details",
"https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/",
+ "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml"
],
"tags": [
@@ -29238,8 +29238,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/alfarom256/CVE-2022-3699/",
"https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
+ "https://github.com/alfarom256/CVE-2022-3699/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml"
],
"tags": [
@@ -29308,9 +29308,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
- "https://twitter.com/M_haggis/status/1032799638213066752",
"https://twitter.com/M_haggis/status/900741347035889665",
+ "https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml"
],
"tags": [
@@ -29352,8 +29352,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://pypi.org/project/scapy/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
+ "https://pypi.org/project/scapy/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml"
],
"tags": [
@@ -29404,9 +29404,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
"https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
"https://content.fireeye.com/apt-41/rpt-apt41",
+ "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml"
],
"tags": [
@@ -29503,8 +29503,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml"
],
"tags": [
@@ -29630,8 +29630,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
"https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml"
],
"tags": [
@@ -29890,10 +29890,10 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/M_haggis/status/1032799638213066752",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://twitter.com/M_haggis/status/900741347035889665",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
],
"tags": [
@@ -29926,8 +29926,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
"https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml"
],
"tags": [
@@ -30211,8 +30211,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://ngrok.com/",
"https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
+ "https://ngrok.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml"
],
"tags": [
@@ -30245,8 +30245,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
"https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml"
],
"tags": [
@@ -30355,8 +30355,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/forensicitguy/status/1513538712986079238",
"https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
+ "https://twitter.com/forensicitguy/status/1513538712986079238",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
],
"tags": [
@@ -30389,8 +30389,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
"https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
+ "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml"
],
"tags": "No established tags"
@@ -30411,8 +30411,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/russian-targeting-gov-business",
"https://megatools.megous.com/",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
],
"tags": [
@@ -30478,8 +30478,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml"
],
"tags": [
@@ -30512,8 +30512,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2398",
"https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
+ "https://adsecurity.org/?p=2398",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml"
],
"tags": [
@@ -30554,8 +30554,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/binderlabs/DirCreate2System",
+ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml"
],
"tags": [
@@ -30581,9 +30581,9 @@
"logsource.product": "windows",
"refs": [
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
],
@@ -30786,11 +30786,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
- "https://www.google.com/search?q=procdump+lsass",
"https://github.com/helpsystems/nanodump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
"https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://www.google.com/search?q=procdump+lsass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml"
],
"tags": [
@@ -30857,8 +30857,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/outflanknl/Dumpert",
"https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hack_dumpert.yml"
],
"tags": [
@@ -30951,9 +30951,9 @@
"logsource.product": "windows",
"refs": [
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
],
@@ -31286,8 +31286,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/afwu/PrintNightmare",
+ "https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/hhlxf/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
],
@@ -31638,9 +31638,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
"https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml"
],
"tags": [
@@ -31766,10 +31766,10 @@
"logsource.product": "windows",
"refs": [
"https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -31793,8 +31793,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
"https://github.com/last-byte/PersistenceSniper",
+ "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml"
],
"tags": [
@@ -31851,21 +31851,21 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/samratashok/nishang",
"https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
"https://github.com/AlsidOfficial/WSUSpendu/",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
"https://github.com/NetSPI/PowerUpSQL",
"https://github.com/CsEnox/EventViewer-UACBypass",
"https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/samratashok/nishang",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
],
"tags": [
@@ -31898,8 +31898,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
],
@@ -32093,8 +32093,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/powershellprofile.html",
"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://persistence-info.github.io/Data/powershellprofile.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
],
"tags": [
@@ -32359,8 +32359,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
"https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
],
"tags": [
@@ -32394,8 +32394,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/klinix5/InstallerFileTakeOver",
+ "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
],
"tags": [
@@ -32452,10 +32452,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
- "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
],
"tags": [
@@ -32488,9 +32488,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
"https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -32514,8 +32514,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
],
@@ -32538,8 +32538,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
"https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml"
],
"tags": [
@@ -32613,8 +32613,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml"
],
"tags": [
@@ -32647,8 +32647,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
"https://github.com/Porchetta-Industries/CrackMapExec",
+ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml"
],
"tags": [
@@ -32747,8 +32747,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml"
],
"tags": [
@@ -32806,8 +32806,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml"
],
"tags": [
@@ -32898,8 +32898,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/12",
+ "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml"
],
"tags": [
@@ -32958,9 +32958,9 @@
"logsource.product": "windows",
"refs": [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://pentestlab.blog/tag/ntds-dit/",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
],
"tags": [
@@ -32993,8 +32993,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
"https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
],
@@ -33062,8 +33062,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
"https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
+ "https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml"
],
"tags": [
@@ -33153,8 +33153,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
],
"tags": [
@@ -33221,11 +33221,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/cube0x0/CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
+ "https://github.com/search?q=CVE-2021-36934",
"https://github.com/HuskyHacks/ShadowSteal",
"https://github.com/FireFart/hivenightmare",
- "https://github.com/cube0x0/CVE-2021-36934",
- "https://github.com/search?q=CVE-2021-36934",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
],
"tags": [
@@ -33375,10 +33375,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cube0x0/status/1418920190759378944",
- "https://github.com/GossiTheDog/HiveNightmare",
- "https://github.com/FireFart/hivenightmare/",
"https://github.com/WiredPulse/Invoke-HiveNightmare",
+ "https://github.com/FireFart/hivenightmare/",
+ "https://github.com/GossiTheDog/HiveNightmare",
+ "https://twitter.com/cube0x0/status/1418920190759378944",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml"
],
"tags": [
@@ -33470,9 +33470,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml"
],
"tags": [
@@ -33572,8 +33572,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
"https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
],
"tags": [
@@ -33754,8 +33754,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
"https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
@@ -33812,8 +33812,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml"
],
"tags": [
@@ -33897,9 +33897,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
"https://github.com/fox-it/LDAPFragger",
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
],
"tags": [
@@ -34038,8 +34038,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.joesandbox.com/analysis/465533/0/html",
"https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://www.joesandbox.com/analysis/465533/0/html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
],
"tags": [
@@ -34107,8 +34107,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml"
],
"tags": [
@@ -34274,10 +34274,10 @@
"logsource.product": "windows",
"refs": [
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://github.com/Wh04m1001/SysmonEoP",
"https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
],
"tags": [
@@ -34372,9 +34372,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
- "http://addbalance.com/word/startup.htm",
"https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
+ "http://addbalance.com/word/startup.htm",
+ "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml"
],
"tags": [
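Review bot: `"Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/"` is carried onto the new side of `refs` as a labelled free-text string while every other entry in this array is a bare URL, and the hunk at @@ -36691 likewise keeps `"Reegun J (OCBC Bank)"` as a ref with no URL at all. A consumer that treats `refs` as a list of URLs (link checking, de-duplication against other clusters, or automated enrichment) will fail on or silently skip these entries, so the array's element type should be made uniform: either strip the label and keep only the URL, or move non-URL credits into a separate field. If the generator copies upstream references verbatim, a short comment in it such as `# refs are passed through unchanged; non-URL entries are possible and consumers must tolerate them` would at least document the current contract. The enclosing value object begins and ends outside the hunk.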
@@ -34407,8 +34407,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
+ "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml"
],
"tags": [
@@ -34465,8 +34465,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://twitter.com/cyb3rops/status/1552932770464292864",
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
],
"tags": [
@@ -34815,8 +34815,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml"
],
"tags": [
@@ -34849,8 +34849,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
"https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords",
+ "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml"
],
"tags": [
@@ -34886,8 +34886,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
"https://github.com/lclevy/firepwd",
+ "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml"
],
"tags": [
@@ -35011,8 +35011,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
"https://twitter.com/notwhickey/status/1333900137232523264",
+ "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
],
"tags": [
@@ -35111,10 +35111,10 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
- "https://redcanary.com/blog/misbehaving-rats/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
+ "https://redcanary.com/blog/misbehaving-rats/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
],
"tags": [
@@ -35147,8 +35147,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
"https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml"
],
"tags": [
@@ -35256,8 +35256,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml"
],
"tags": [
@@ -35421,8 +35421,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/neonprimetime/status/1436376497980428318",
"https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
+ "https://twitter.com/neonprimetime/status/1436376497980428318",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml"
],
"tags": [
@@ -35747,8 +35747,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -35844,9 +35844,9 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/eral4m/status/1479106975967240209",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
"https://twitter.com/Hexacorn/status/885258886428725250",
"https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
- "https://twitter.com/nas_bench/status/1433344116071583746",
"http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
"https://twitter.com/eral4m/status/1479080793003671557",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml"
@@ -35981,8 +35981,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/my-name-is-dtrack/93338/",
"https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
+ "https://securelist.com/my-name-is-dtrack/93338/",
"https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
],
@@ -36074,8 +36074,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml"
],
"tags": [
@@ -36157,8 +36157,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
"https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml"
],
"tags": [
@@ -36235,8 +36235,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml"
],
"tags": [
@@ -36303,9 +36303,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/frack113/status/1555830623633375232",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/frack113/status/1555830623633375232",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml"
],
"tags": [
@@ -36482,9 +36482,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/countuponsec/status/910969424215232518",
- "https://twitter.com/countuponsec/status/910977826853068800",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
+ "https://twitter.com/countuponsec/status/910977826853068800",
+ "https://twitter.com/countuponsec/status/910969424215232518",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
],
"tags": [
@@ -36574,9 +36574,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
"https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
"https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
- "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml"
],
"tags": [
@@ -36691,9 +36691,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
"Reegun J (OCBC Bank)",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
- "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml"
],
"tags": [
@@ -36828,10 +36828,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml"
],
"tags": [
@@ -36874,9 +36874,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
- "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
"https://twitter.com/Hexacorn/status/1420053502554951689",
+ "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
+ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
],
"tags": [
@@ -36918,8 +36918,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/electron/rcedit",
- "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
"https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
+ "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml"
],
"tags": [
@@ -36997,9 +36997,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
- "https://github.com/SigmaHQ/sigma/issues/1009",
"https://redcanary.com/blog/raspberry-robin/",
+ "https://github.com/SigmaHQ/sigma/issues/1009",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml"
],
"tags": [
@@ -37079,10 +37079,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
"https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
+ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
],
"tags": [
@@ -37312,8 +37312,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml"
],
"tags": [
@@ -37387,8 +37387,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/mandiant/SharPersist",
"https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
+ "https://github.com/mandiant/SharPersist",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml"
],
"tags": [
@@ -37438,8 +37438,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/BloodHoundAD/BloodHound",
"https://github.com/BloodHoundAD/SharpHound",
+ "https://github.com/BloodHoundAD/BloodHound",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml"
],
"tags": [
@@ -37506,8 +37506,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/johnlatwc/status/1408062131321270282?s=12",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
+ "https://twitter.com/johnlatwc/status/1408062131321270282?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml"
],
"tags": [
@@ -37575,8 +37575,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
"https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
+ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml"
],
"tags": [
@@ -37745,8 +37745,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
"https://twitter.com/Oddvarmoe/status/1270633613449723905",
+ "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml"
],
"tags": [
@@ -37871,8 +37871,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml"
],
"tags": [
@@ -37928,11 +37928,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml"
],
"tags": [
@@ -37975,9 +37975,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/nas_bench/status/1534915321856917506",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://twitter.com/nas_bench/status/1534916659676422152",
- "https://twitter.com/nas_bench/status/1534915321856917506",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml"
],
"tags": [
@@ -38012,8 +38012,8 @@
"logsource.product": "windows",
"refs": [
"https://www.nirsoft.net/utils/nircmd.html",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml"
],
"tags": [
@@ -38275,8 +38275,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
+ "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml"
],
"tags": [
@@ -38586,9 +38586,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"https://github.com/binderlabs/DirCreate2System",
"https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml"
],
"tags": "No established tags"
@@ -38643,8 +38643,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/cmd.html",
"https://twitter.com/cyb3rops/status/1562072617552678912",
+ "https://ss64.com/nt/cmd.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml"
],
"tags": [
@@ -38677,10 +38677,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://redcanary.com/blog/raspberry-robin/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://twitter.com/Hexacorn/status/1187143326673330176",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml"
],
"tags": [
@@ -38747,8 +38747,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/dsacls.html",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
+ "https://ss64.com/nt/dsacls.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml"
],
"tags": [
@@ -38815,9 +38815,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
- "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
"https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml"
],
@@ -38913,8 +38913,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml"
],
@@ -39079,8 +39079,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
],
@@ -39342,9 +39342,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/",
"https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100",
"https://twitter.com/ClearskySec/status/960924755355369472",
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml"
],
"tags": [
@@ -39437,8 +39437,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/",
"https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
+ "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml"
],
"tags": [
@@ -39611,8 +39611,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
"https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml"
],
"tags": [
@@ -39636,9 +39636,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.poweradmin.com/paexec/",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml"
],
"tags": [
@@ -39671,8 +39671,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
"https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml"
],
"tags": [
@@ -39705,8 +39705,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml"
],
"tags": [
@@ -39772,14 +39772,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://twitter.com/gN3mes1s/status/941315826107510784",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
],
"tags": [
@@ -39821,8 +39821,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
],
@@ -39915,9 +39915,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://adepts.of0x.cc/netsh-portproxy-code/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
"https://www.dfirnotes.net/portproxy_detection/",
+ "https://adepts.of0x.cc/netsh-portproxy-code/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml"
],
"tags": [
@@ -40117,8 +40117,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
"https://twitter.com/SBousseaden/status/1207671369963646976",
+ "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
],
"tags": [
@@ -40205,11 +40205,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
"https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml"
],
@@ -40260,8 +40260,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml"
],
@@ -40390,8 +40390,8 @@
"logsource.product": "windows",
"refs": [
"https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml"
],
"tags": [
@@ -40434,10 +40434,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
"https://twitter.com/max_mal_/status/1542461200797163522",
"https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
"https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
+ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml"
],
"tags": [
@@ -40470,8 +40470,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1477925112561209344",
"https://twitter.com/wdormann/status/1478011052130459653?s=20",
+ "https://twitter.com/0gtweet/status/1477925112561209344",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_format.yml"
],
"tags": [
@@ -40494,9 +40494,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
- "https://ss64.com/nt/dsacls.html",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
+ "https://ss64.com/nt/dsacls.html",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
],
"tags": [
@@ -40606,8 +40606,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml"
],
"tags": [
@@ -40641,8 +40641,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
- "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
"https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml"
],
"tags": [
@@ -40769,9 +40769,9 @@
"logsource.product": "windows",
"refs": [
"https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml"
],
"tags": [
@@ -40925,9 +40925,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
"https://twitter.com/_felamos/status/1204705548668555264",
"https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml"
],
"tags": [
@@ -40960,8 +40960,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
],
"tags": [
@@ -41199,8 +41199,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/17",
+ "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
],
"tags": [
@@ -41290,8 +41290,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/subTee/status/1216465628946563073",
"https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
+ "https://twitter.com/subTee/status/1216465628946563073",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml"
],
"tags": [
@@ -41358,8 +41358,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
"https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
],
"tags": [
@@ -41472,8 +41472,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
"https://twitter.com/filip_dragovic/status/1590052248260055041",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
"https://twitter.com/filip_dragovic/status/1590104354727436290",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml"
],
@@ -41529,8 +41529,8 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
],
"tags": [
@@ -41563,8 +41563,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
"https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml"
],
"tags": [
@@ -41598,8 +41598,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/muddywater/88059/",
"https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
+ "https://securelist.com/muddywater/88059/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml"
],
"tags": [
@@ -41708,10 +41708,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.activecyber.us/activelabs/windows-uac-bypass",
"https://twitter.com/ReaQta/status/1222548288731217921",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
"https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
+ "https://www.activecyber.us/activelabs/windows-uac-bypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
],
"tags": [
@@ -41745,8 +41745,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
"https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
+ "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
"https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
],
@@ -41780,9 +41780,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://www.revshells.com/",
- "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
],
"tags": [
@@ -42146,8 +42146,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/PhilipTsukerman/status/992021361106268161",
"https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/",
+ "https://twitter.com/PhilipTsukerman/status/992021361106268161",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml"
],
"tags": [
@@ -42214,14 +42214,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
],
@@ -42258,8 +42258,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
],
"tags": [
@@ -42283,9 +42283,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
],
"tags": [
@@ -42362,8 +42362,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
"https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
+ "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_impersonation_tool.yml"
],
"tags": [
@@ -42495,11 +42495,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/980659399495741441",
"https://twitter.com/JohnLaTwC/status/1223292479270600706",
"https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
- "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://twitter.com/bohops/status/980659399495741441",
+ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml"
],
"tags": [
@@ -42600,8 +42600,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
- "https://twitter.com/bryon_/status/975835709587075072",
"https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
+ "https://twitter.com/bryon_/status/975835709587075072",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml"
],
"tags": [
@@ -42801,8 +42801,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0",
"https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
+ "https://github.com/cube0x0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml"
],
"tags": "No established tags"
@@ -42823,8 +42823,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
"https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
],
"tags": [
@@ -42857,10 +42857,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
- "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml"
],
"tags": [
@@ -43031,8 +43031,8 @@
"logsource.product": "windows",
"refs": [
"https://www.nirsoft.net/utils/nircmd.html",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml"
],
"tags": [
@@ -43124,10 +43124,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
+ "https://github.com/hfiref0x/UACME",
"https://twitter.com/hFireF0X/status/897640081053364225",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://github.com/hfiref0x/UACME",
- "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml"
],
"tags": [
@@ -43197,8 +43197,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
"https://twitter.com/x86matthew/status/1505476263464607744?s=12",
+ "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
],
"tags": "No established tags"
@@ -43271,8 +43271,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
],
@@ -43299,8 +43299,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/cyb3rops/status/1186631731543236608",
- "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
"https://github.com/Neo23x0/DLLRunner",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
],
@@ -43435,8 +43435,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
],
@@ -43604,8 +43604,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://streamable.com/q2dsji",
"https://twitter.com/j0nh4t/status/1429049506021138437",
+ "https://streamable.com/q2dsji",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml"
],
"tags": [
@@ -43671,8 +43671,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml"
],
"tags": [
@@ -43728,8 +43728,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
"https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
+ "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml"
],
"tags": [
@@ -43901,10 +43901,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://twitter.com/0gtweet/status/1583356502340870144",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
"https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://twitter.com/0gtweet/status/1583356502340870144",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
],
"tags": [
@@ -43946,8 +43946,8 @@
"logsource.product": "windows",
"refs": [
"https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
"https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml"
@@ -43982,8 +43982,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
],
@@ -44017,9 +44017,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/c_APT_ure/status/939475433711722497",
"https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
"https://twitter.com/haroonmeer/status/939099379834658817",
+ "https://twitter.com/c_APT_ure/status/939475433711722497",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml"
],
"tags": [
@@ -44459,8 +44459,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
"https://github.com/swagkarna/Defeat-Defender-V1.2.0",
+ "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml"
],
"tags": [
@@ -44546,9 +44546,9 @@
"logsource.product": "windows",
"refs": [
"https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
- "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
"https://twitter.com/gN3mes1s/status/1206874118282448897",
"https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
],
"tags": [
@@ -44648,8 +44648,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml"
],
"tags": [
@@ -44758,8 +44758,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml"
],
"tags": [
@@ -44951,11 +44951,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/egre55/status/1087685529016193025",
"https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
- "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml"
],
"tags": [
@@ -45197,8 +45197,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml"
],
"tags": [
@@ -45266,10 +45266,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
],
"tags": [
@@ -45361,8 +45361,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1168863899531132929",
"https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965",
+ "https://twitter.com/cyb3rops/status/1168863899531132929",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml"
],
"tags": [
@@ -45387,9 +45387,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
+ "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
],
"tags": [
@@ -45447,8 +45447,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
"https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
+ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
],
"tags": [
@@ -45481,10 +45481,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
],
"tags": [
@@ -45560,11 +45560,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/04/13/hot-potato/",
- "https://github.com/ohpe/juicy-potato",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
"https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
+ "https://github.com/ohpe/juicy-potato",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml"
],
"tags": [
@@ -45631,9 +45631,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.revshells.com/",
"https://nmap.org/ncat/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml"
],
"tags": [
@@ -45699,9 +45699,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://abuse.io/lockergoga.txt",
+ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml"
],
"tags": [
@@ -45727,10 +45727,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
+ "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml"
],
"tags": [
@@ -45789,9 +45789,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
"https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml"
],
"tags": [
@@ -45826,9 +45826,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/frack113/status/1555830623633375232",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/frack113/status/1555830623633375232",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml"
],
"tags": [
@@ -45927,9 +45927,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml"
],
"tags": [
@@ -46097,11 +46097,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vysecurity/status/885545634958385153",
- "https://twitter.com/Hexacorn/status/885553465417756673",
- "https://twitter.com/Hexacorn/status/885570278637678592",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
+ "https://twitter.com/Hexacorn/status/885553465417756673",
+ "https://twitter.com/vysecurity/status/885545634958385153",
+ "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+ "https://twitter.com/Hexacorn/status/885570278637678592",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml"
],
"tags": [
@@ -46191,8 +46191,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://processhacker.sourceforge.io/",
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://processhacker.sourceforge.io/",
"https://github.com/winsiderss/systeminformer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml"
],
@@ -46214,8 +46214,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml"
],
"tags": [
@@ -46295,8 +46295,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
"https://lolbas-project.github.io/lolbas/Binaries/Winget/",
+ "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml"
],
"tags": [
@@ -46385,8 +46385,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
"https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml"
],
"tags": [
@@ -46730,9 +46730,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
- "https://twitter.com/oulusoyum/status/1191329746069655553",
"https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
],
"tags": [
@@ -46809,8 +46809,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
],
@@ -46861,10 +46861,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
- "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
"https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
+ "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml"
],
"tags": [
@@ -47167,8 +47167,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
"https://twitter.com/_felamos/status/1179811992841797632",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml"
],
"tags": [
@@ -47235,9 +47235,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml"
],
"tags": [
@@ -47294,8 +47294,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
"https://twitter.com/blackorbird/status/1140519090961825792",
+ "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
],
"tags": [
@@ -47895,8 +47895,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml"
],
"tags": [
@@ -47939,8 +47939,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml"
],
@@ -47974,8 +47974,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
"https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml"
],
"tags": [
@@ -47999,8 +47999,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
+ "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml"
],
"tags": [
@@ -48050,9 +48050,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml"
],
"tags": [
@@ -48085,8 +48085,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/orange_8361/status/1518970259868626944",
"https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
+ "https://twitter.com/orange_8361/status/1518970259868626944",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -48110,12 +48110,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.joeware.net/freetools/tools/adfind/",
"https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml"
],
"tags": [
@@ -48194,8 +48194,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
"https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
+ "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
],
"tags": [
@@ -48363,8 +48363,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.php.net/manual/en/features.commandline.php",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.php.net/manual/en/features.commandline.php",
"https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
],
@@ -48528,8 +48528,8 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
"https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml"
],
"tags": [
@@ -48587,8 +48587,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/klinix5/InstallerFileTakeOver",
+ "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml"
],
"tags": [
@@ -48657,8 +48657,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml"
],
"tags": [
@@ -48882,14 +48882,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://twitter.com/gN3mes1s/status/941315826107510784",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
],
"tags": [
@@ -49055,11 +49055,11 @@
"logsource.product": "windows",
"refs": [
"https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -49084,8 +49084,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
"https://twitter.com/med0x2e/status/1520402518685200384",
+ "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
],
"tags": [
@@ -49144,8 +49144,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
"https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
+ "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml"
],
"tags": [
@@ -49399,8 +49399,8 @@
"logsource.product": "windows",
"refs": [
"https://www.fortiguard.com/threat-signal-report/4718?s=09",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
"https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"
],
"tags": [
@@ -49433,10 +49433,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/defaultnamehere/cookie_crimes/",
"https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
+ "https://github.com/defaultnamehere/cookie_crimes/",
"https://github.com/wunderwuzzi23/firefox-cookiemonster",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml"
],
"tags": [
@@ -49469,8 +49469,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.pdq.com/pdq-deploy/",
"https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
+ "https://www.pdq.com/pdq-deploy/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml"
],
"tags": [
@@ -49517,8 +49517,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
+ "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml"
],
"tags": [
@@ -49576,8 +49576,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml"
],
"tags": [
@@ -49701,8 +49701,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
"https://adsecurity.org/?p=2288",
+ "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml"
],
"tags": [
@@ -49736,8 +49736,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
"https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+ "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml"
],
"tags": [
@@ -49770,8 +49770,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -49795,8 +49795,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
],
"tags": [
@@ -49854,8 +49854,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
],
"tags": [
@@ -49964,9 +49964,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
"https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
],
"tags": [
@@ -50032,8 +50032,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
"https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
+ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
],
"tags": [
@@ -50099,8 +50099,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
"https://securelist.com/schroedingers-petya/78870/",
+ "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
],
"tags": [
@@ -50151,8 +50151,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/fatedier/frp",
"https://asec.ahnlab.com/en/38156/",
+ "https://github.com/fatedier/frp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml"
],
"tags": [
@@ -50297,8 +50297,8 @@
"logsource.product": "windows",
"refs": [
"https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
],
@@ -50349,12 +50349,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.joeware.net/freetools/tools/adfind/",
"https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
],
"tags": [
@@ -50397,11 +50397,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
"https://blog.alyac.co.kr/1901",
- "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
"https://twitter.com/cyberwar_15/status/1187287262054076416",
+ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
],
"tags": [
@@ -50511,8 +50511,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/kagancapar/status/1515219358234161153",
"https://github.com/kagancapar/CVE-2022-29072",
+ "https://twitter.com/kagancapar/status/1515219358234161153",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml"
],
"tags": [
@@ -50737,8 +50737,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml"
],
"tags": [
@@ -50806,8 +50806,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml"
],
"tags": [
@@ -50883,8 +50883,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
"https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
+ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
],
"tags": [
@@ -51035,8 +51035,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
+ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
],
"tags": [
@@ -51110,9 +51110,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/mshta.exe",
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
"https://en.wikipedia.org/wiki/HTML_Application",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://www.echotrail.io/insights/search/mshta.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml"
],
"tags": [
@@ -51167,8 +51167,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/3proxy/3proxy",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml"
],
"tags": [
@@ -51203,8 +51203,8 @@
"refs": [
"https://twitter.com/d1r4c/status/1279042657508081664",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://curl.se/docs/manpage.html",
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://curl.se/docs/manpage.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml"
],
"tags": [
@@ -51460,9 +51460,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
"https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
"https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml"
],
"tags": [
@@ -51495,8 +51495,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
"https://twitter.com/bohops/status/994405551751815170",
+ "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml"
],
"tags": [
@@ -51530,8 +51530,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
"https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml"
],
@@ -51556,9 +51556,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/SBousseaden/status/1211636381086339073",
"https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
"https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
- "https://twitter.com/SBousseaden/status/1211636381086339073",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
],
@@ -51804,9 +51804,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://twitter.com/jonasLyk/status/1555914501802921984",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
],
"tags": [
@@ -51981,8 +51981,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
+ "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml"
],
"tags": [
@@ -52050,8 +52050,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://twitter.com/bohops/status/948061991012327424",
+ "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml"
],
"tags": [
@@ -52300,9 +52300,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_JohnHammond/status/1531672601067675648",
"https://twitter.com/nao_sec/status/1530196847679401984",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/_JohnHammond/status/1531672601067675648",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml"
],
"tags": [
@@ -52401,11 +52401,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
+ "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
"https://twitter.com/BleepinComputer/status/1372218235949617161",
+ "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
"https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
],
"tags": [
@@ -52439,9 +52439,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
],
"tags": [
@@ -52606,10 +52606,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
"https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
- "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
+ "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
"https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
+ "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
],
"tags": [
@@ -52860,8 +52860,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
],
"tags": [
@@ -52997,8 +52997,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
],
"tags": [
@@ -53023,8 +53023,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://h.43z.one/ipconverter/",
"https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://h.43z.one/ipconverter/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml"
],
"tags": [
@@ -53082,8 +53082,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/intelligence-insights-april-2022/",
"https://www.echotrail.io/insights/search/regsvr32.exe",
+ "https://redcanary.com/blog/intelligence-insights-april-2022/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml"
],
"tags": [
@@ -53116,8 +53116,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
"https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml"
],
"tags": [
@@ -53151,9 +53151,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html",
- "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
"https://github.com/lukebaggett/dnscat2-powershell",
+ "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
+ "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml"
],
"tags": [
@@ -53251,9 +53251,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
"https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/",
"https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
+ "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml"
],
"tags": [
@@ -53287,8 +53287,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml"
],
"tags": [
@@ -53391,8 +53391,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml"
],
"tags": [
@@ -53601,8 +53601,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml"
],
"tags": [
@@ -53775,8 +53775,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
],
"tags": [
@@ -53800,10 +53800,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
"https://nodejs.org/api/cli.html",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
],
"tags": [
@@ -53871,8 +53871,8 @@
"logsource.product": "windows",
"refs": [
"https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/hfiref0x/UACME",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
],
"tags": [
@@ -53906,8 +53906,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
"https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
+ "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml"
],
"tags": [
@@ -54040,10 +54040,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2604",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
+ "https://adsecurity.org/?p=2604",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -54076,9 +54076,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://twitter.com/pabraeken/status/990717080805789697",
"https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
- "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml"
],
"tags": [
@@ -54195,11 +54195,11 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/Wietze/status/1542107456507203586",
- "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://twitter.com/Hexacorn/status/1224848930795552769",
+ "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
"https://twitter.com/SBousseaden/status/1167417096374050817",
"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
- "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml"
],
"tags": [
@@ -54235,16 +54235,16 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml"
],
"tags": [
@@ -54432,8 +54432,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://www.d7xtech.com/free-software/runx/",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml"
],
"tags": [
@@ -54467,9 +54467,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
"https://twitter.com/pabraeken/status/990758590020452353",
- "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
],
"tags": [
@@ -54502,9 +54502,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
"https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
"https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
- "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml"
],
"tags": [
@@ -54620,8 +54620,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
"https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml"
],
"tags": [
@@ -54710,8 +54710,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
+ "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml"
],
@@ -54788,10 +54788,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/vysecurity/status/873181705024266241",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
"https://twitter.com/vysecurity/status/974806438316072960",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
- "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
- "https://twitter.com/vysecurity/status/873181705024266241",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
],
"tags": [
@@ -54859,8 +54859,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
],
"tags": [
@@ -54901,9 +54901,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
"https://github.com/jpillora/chisel/",
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml"
],
"tags": [
@@ -54993,8 +54993,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/993497996179492864",
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
+ "https://twitter.com/pabraeken/status/993497996179492864",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml"
],
"tags": [
@@ -55094,9 +55094,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml"
],
"tags": [
@@ -55187,8 +55187,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/outflanknl/Dumpert",
"https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml"
],
"tags": [
@@ -55346,8 +55346,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
"https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter",
+ "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml"
],
"tags": [
@@ -55489,8 +55489,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml"
],
"tags": [
@@ -55581,9 +55581,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
"https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
"https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml"
],
"tags": [
@@ -55650,9 +55650,9 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
- "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
"https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/",
"https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
+ "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml"
],
"tags": [
@@ -55825,9 +55825,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.intrinsec.com/apt27-analysis/",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.intrinsec.com/apt27-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
],
"tags": [
@@ -55973,8 +55973,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
- "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
],
"tags": [
@@ -56007,8 +56007,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/mklink.html",
"https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
+ "https://ss64.com/nt/mklink.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml"
],
"tags": [
@@ -56032,8 +56032,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
"https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
+ "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml"
],
"tags": [
@@ -56150,9 +56150,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
"https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2",
"https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml"
],
"tags": [
@@ -56296,8 +56296,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
"https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
+ "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml"
],
"tags": [
@@ -56330,8 +56330,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md",
"https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml"
],
"tags": [
@@ -56422,10 +56422,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://github.com/antonioCoco/RogueWinRM",
"https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://github.com/antonioCoco/RogueWinRM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
],
"tags": [
@@ -56459,9 +56459,9 @@
"logsource.product": "windows",
"refs": [
"https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
- "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
- "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
"https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
+ "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
+ "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
"https://www.joesandbox.com/analysis/443736/0/html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml"
],
@@ -56496,8 +56496,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://h.43z.one/ipconverter/",
"https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://h.43z.one/ipconverter/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml"
],
"tags": [
@@ -56520,9 +56520,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://redcanary.com/threat-detection-report/",
"https://www.cobaltstrike.com/help-windows-executable",
+ "https://redcanary.com/threat-detection-report/",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml"
],
"tags": [
@@ -56634,10 +56634,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
- "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
"https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
+ "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
"https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml"
],
"tags": [
@@ -56671,8 +56671,8 @@
"logsource.product": "windows",
"refs": [
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://twitter.com/splinter_code/status/1483815103279603714",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
"https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml"
],
@@ -56694,8 +56694,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
"https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
+ "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
],
@@ -56754,8 +56754,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
"https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
+ "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml"
],
"tags": [
@@ -56797,8 +56797,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
"https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
"https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml"
],
@@ -56935,8 +56935,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
- "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
"https://github.com/fireeye/DueDLLigence",
+ "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
],
"tags": [
@@ -57002,9 +57002,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/tevora-threat/SharpView/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
"https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
+ "https://github.com/tevora-threat/SharpView/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml"
],
"tags": [
@@ -57055,8 +57055,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml"
],
"tags": [
@@ -57080,8 +57080,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
"https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
+ "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml"
],
@@ -57182,8 +57182,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/software/S0108/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
+ "https://attack.mitre.org/software/S0108/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml"
],
"tags": [
@@ -57241,8 +57241,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://tools.thehacker.recipes/mimikatz/modules",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml"
],
"tags": [
@@ -57366,8 +57366,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
"https://github.com/defaultnamehere/cookie_crimes/",
+ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
"https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml"
@@ -57481,8 +57481,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml"
],
"tags": [
@@ -57508,8 +57508,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html",
"https://cyber.wtf/2021/11/15/guess-whos-back/",
+ "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml"
],
"tags": [
@@ -57566,8 +57566,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
"https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml"
],
"tags": [
@@ -57600,8 +57600,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml"
],
"tags": [
@@ -57624,9 +57624,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
"https://www.joesandbox.com/analysis/476188/1/iochtml",
"https://twitter.com/neonprimetime/status/1435584010202255375",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml"
],
"tags": [
@@ -57659,8 +57659,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
"https://www.hvs-consulting.de/lazarus-report/",
+ "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml"
],
"tags": [
@@ -57694,8 +57694,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
"https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml"
],
"tags": [
@@ -57720,9 +57720,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
"https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
+ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml"
],
"tags": [
@@ -57823,8 +57823,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
"https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
+ "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -57917,8 +57917,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
],
"tags": [
@@ -58119,8 +58119,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml"
],
"tags": [
@@ -58213,8 +58213,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
"https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
+ "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
],
"tags": [
@@ -58272,8 +58272,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100",
"https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/",
+ "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml"
],
"tags": [
@@ -58297,9 +58297,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
"https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
],
@@ -58324,8 +58324,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
"https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
+ "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
],
"tags": [
@@ -58349,9 +58349,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml"
],
"tags": [
@@ -58500,8 +58500,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/cyb3rops/status/972186477512839170",
- "https://securelist.com/apt-slingshot/84312/",
"https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=",
+ "https://securelist.com/apt-slingshot/84312/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml"
],
"tags": [
@@ -58535,9 +58535,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
- "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
"http://www.xuetr.com/",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml"
],
"tags": "No established tags"
@@ -58559,13 +58559,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
"https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
- "https://twitter.com/xorJosh/status/1598646907802451969",
- "https://ngrok.com/docs",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
"https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
"https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://ngrok.com/docs",
+ "https://twitter.com/xorJosh/status/1598646907802451969",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml"
],
"tags": [
@@ -58645,8 +58645,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
+ "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
@@ -58733,8 +58733,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/pabraeken/status/999090532839313408",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
"https://twitter.com/pabraeken/status/995837734379032576",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml"
],
"tags": [
@@ -58767,8 +58767,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml"
],
"tags": [
@@ -58850,8 +58850,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
"https://github.com/skelsec/pypykatz",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml"
],
"tags": [
@@ -58884,9 +58884,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
- "https://twitter.com/bohops/status/1477717351017680899?s=12",
"https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
+ "https://twitter.com/bohops/status/1477717351017680899?s=12",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
],
"tags": [
@@ -58909,9 +58909,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://twitter.com/0gtweet/status/1564968845726580736",
"https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
],
"tags": [
@@ -59004,10 +59004,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml"
],
"tags": [
@@ -59109,8 +59109,8 @@
"refs": [
"https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
"https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml"
],
"tags": [
@@ -59328,8 +59328,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege",
"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388",
+ "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml"
],
"tags": [
@@ -59521,8 +59521,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
"https://github.com/GhostPack/Rubeus",
+ "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
"https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml"
],
@@ -59635,11 +59635,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
"https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
"https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml"
],
"tags": [
@@ -59810,8 +59810,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://nsudo.m2team.org/en-us/",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml"
],
"tags": [
@@ -59878,10 +59878,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
"https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
- "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
"https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
+ "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
+ "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml"
],
"tags": [
@@ -59915,8 +59915,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
"https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"
],
"tags": [
@@ -59971,8 +59971,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml"
],
"tags": [
@@ -60074,8 +60074,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml"
],
"tags": [
@@ -60110,8 +60110,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml"
],
"tags": [
@@ -60287,8 +60287,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html",
"https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml"
],
"tags": [
@@ -60324,8 +60324,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml"
],
"tags": [
@@ -60468,8 +60468,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml"
],
"tags": [
@@ -60561,8 +60561,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://twitter.com/gN3mes1s/status/1222095963789111296",
+ "https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml"
],
"tags": [
@@ -60652,8 +60652,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml"
],
"tags": [
@@ -60694,9 +60694,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
"https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
],
@@ -60796,8 +60796,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://redcanary.com/blog/raspberry-robin/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml"
],
"tags": [
@@ -60897,9 +60897,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
"https://github.com/swagkarna/Defeat-Defender-V1.2.0",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml"
],
"tags": [
@@ -60992,9 +60992,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
"https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
- "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
],
"tags": [
@@ -61037,8 +61037,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml"
],
@@ -61186,8 +61186,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/intelligence-insights-december-2021",
"https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml"
],
"tags": [
@@ -61271,8 +61271,8 @@
"logsource.product": "windows",
"refs": [
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -61296,9 +61296,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/hfiref0x/UACME",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
],
"tags": [
@@ -61851,8 +61851,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml"
],
"tags": [
@@ -62088,11 +62088,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
- "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
"https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
],
"tags": [
@@ -62407,8 +62407,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
"https://github.com/GhostPack/Seatbelt",
+ "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml"
],
"tags": [
@@ -62614,8 +62614,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml"
],
"tags": [
@@ -62639,8 +62639,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml"
],
"tags": [
@@ -62663,8 +62663,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml"
],
"tags": [
@@ -62791,8 +62791,8 @@
"logsource.product": "windows",
"refs": [
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://twitter.com/splinter_code/status/1483815103279603714",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
"https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml"
],
@@ -62909,8 +62909,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml"
],
"tags": [
@@ -63143,8 +63143,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
"https://github.com/shantanu561993/SharpChisel",
+ "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml"
],
"tags": [
@@ -63178,8 +63178,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml"
],
"tags": [
@@ -63203,11 +63203,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
"http://blog.sevagas.com/?Hacking-around-HTA-files",
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
"https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
"https://twitter.com/mattifestation/status/1326228491302563846",
+ "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml"
],
"tags": [
@@ -63395,8 +63395,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/harr0ey/status/991670870384021504",
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
+ "https://twitter.com/harr0ey/status/991670870384021504",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml"
],
"tags": [
@@ -63429,9 +63429,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
"https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
],
"tags": [
@@ -63555,9 +63555,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://twitter.com/jonasLyk/status/1555914501802921984",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml"
],
"tags": [
@@ -63590,8 +63590,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
"https://twitter.com/Moriarty_Meng/status/984380793383370752",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml"
],
"tags": [
@@ -63998,8 +63998,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
"https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml"
],
"tags": [
@@ -64105,8 +64105,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
],
@@ -64173,9 +64173,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
"https://www.exploit-db.com/exploits/37525",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
],
"tags": [
@@ -64331,8 +64331,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
"https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
+ "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml"
],
"tags": [
@@ -64412,10 +64412,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://twitter.com/cglyer/status/1355171195654709249",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://twitter.com/cglyer/status/1355171195654709249",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml"
],
"tags": [
@@ -64512,11 +64512,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
- "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
"https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
+ "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
],
"tags": [
@@ -64653,8 +64653,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
"https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
+ "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml"
],
@@ -64703,10 +64703,10 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
- "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml"
],
"tags": [
@@ -64739,8 +64739,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
"https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
+ "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml"
],
"tags": [
@@ -64790,8 +64790,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml"
],
"tags": [
@@ -64877,9 +64877,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.poweradmin.com/paexec/",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml"
],
"tags": [
@@ -64912,8 +64912,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/1ZRR4H/status/1534259727059787783",
"https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
+ "https://twitter.com/1ZRR4H/status/1534259727059787783",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml"
],
"tags": [
@@ -65073,9 +65073,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
- "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
"https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
+ "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
+ "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
"https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml"
],
@@ -65109,8 +65109,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml"
],
@@ -65177,9 +65177,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
],
"tags": [
@@ -65271,8 +65271,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Gerenios/AADInternals",
"https://o365blog.com/aadinternals/",
+ "https://github.com/Gerenios/AADInternals",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml"
],
"tags": [
@@ -65299,9 +65299,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml"
],
"tags": "No established tags"
@@ -65477,8 +65477,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/software/S0404/",
"https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://attack.mitre.org/software/S0404/",
"https://twitter.com/vxunderground/status/1423336151860002816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml"
],
@@ -65521,8 +65521,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://twitter.com/gN3mes1s/status/1222095963789111296",
+ "https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml"
],
"tags": [
@@ -65686,8 +65686,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml"
],
"tags": [
@@ -65938,10 +65938,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
- "https://vms.drweb.fr/virus/?i=24144899",
"https://twitter.com/JohnLaTwC/status/1415295021041979392",
+ "https://vms.drweb.fr/virus/?i=24144899",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml"
],
"tags": [
@@ -65965,8 +65965,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml"
],
"tags": [
@@ -66166,8 +66166,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/986280382042595328",
"https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html",
+ "https://twitter.com/mattifestation/status/986280382042595328",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml"
],
"tags": [
@@ -66285,8 +66285,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml"
],
"tags": [
@@ -66393,8 +66393,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
"https://twitter.com/pabraeken/status/993298228840992768",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
],
@@ -66448,8 +66448,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml"
],
"tags": [
@@ -66583,8 +66583,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
+ "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
],
"tags": [
@@ -66617,10 +66617,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1535322450858233858",
"https://twitter.com/CyberRaiju/status/1273597319322058752",
- "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
"https://twitter.com/bohops/status/1276357235954909188?s=12",
+ "https://twitter.com/nas_bench/status/1535322450858233858",
+ "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml"
],
"tags": [
@@ -66644,10 +66644,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/lefterispan/status/1286259016436514816",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
"https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml"
],
"tags": [
@@ -66772,8 +66772,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
"https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
+ "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml"
],
"tags": [
@@ -66865,11 +66865,11 @@
"logsource.product": "windows",
"refs": [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
- "https://github.com/zcgonvh/NTDSDumpEx",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
+ "https://github.com/zcgonvh/NTDSDumpEx",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
],
@@ -66903,9 +66903,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml"
],
"tags": [
@@ -66938,11 +66938,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cobaltstrike.com/help-opsec",
- "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
"https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
+ "https://www.cobaltstrike.com/help-opsec",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
"https://twitter.com/CyberRaiju/status/1251492025678983169",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml"
@@ -67010,9 +67010,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
"https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
],
@@ -67091,8 +67091,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
],
"tags": [
@@ -67125,8 +67125,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securityxploded.com/",
"https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
+ "https://securityxploded.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml"
],
"tags": [
@@ -67160,9 +67160,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
],
"tags": [
@@ -67253,8 +67253,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
"https://lolbas-project.github.io/lolbas/Binaries/Replace/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
],
"tags": [
@@ -67424,8 +67424,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
"https://www.hvs-consulting.de/lazarus-report/",
+ "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml"
],
"tags": [
@@ -67459,8 +67459,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://www.joeware.net/freetools/tools/adfind/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml"
],
@@ -67485,8 +67485,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml"
],
"tags": "No established tags"
@@ -67574,8 +67574,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml"
],
"tags": [
@@ -67608,8 +67608,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
"https://github.com/ch2sh/Jlaive",
+ "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml"
],
"tags": [
@@ -67711,9 +67711,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
],
"tags": [
@@ -67804,9 +67804,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml"
],
"tags": [
@@ -67832,10 +67832,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
- "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
"https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml"
],
"tags": [
@@ -67955,8 +67955,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://github.com/sensepost/ruler",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml"
],
"tags": [
@@ -68044,19 +68044,19 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://adsecurity.org/?p=2921",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/HarmJ0y/DAMP",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/samratashok/nishang",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml"
],
"tags": [
@@ -68289,9 +68289,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
- "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
"https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
+ "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
+ "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml"
],
"tags": [
@@ -68324,8 +68324,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
"https://twitter.com/mrd0x/status/1465058133303246867",
+ "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml"
],
"tags": [
@@ -68384,9 +68384,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml"
],
"tags": [
@@ -68419,10 +68419,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/lefterispan/status/1286259016436514816",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
"https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"
],
"tags": [
@@ -68626,9 +68626,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
"https://twitter.com/cyb3rops/status/1514217991034097664",
"https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml"
],
"tags": [
@@ -68670,8 +68670,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/harr0ey/status/992008180904419328",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
+ "https://twitter.com/harr0ey/status/992008180904419328",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"
],
"tags": [
@@ -68704,8 +68704,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19",
"https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml"
],
"tags": [
@@ -68772,8 +68772,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586",
"https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml"
],
"tags": [
@@ -68807,8 +68807,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
"http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"
],
"tags": [
@@ -68856,8 +68856,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
"https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
],
"tags": [
@@ -69041,8 +69041,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
"https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml"
],
"tags": [
@@ -69183,8 +69183,8 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://twitter.com/mvelazco/status/1410291741241102338",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
],
@@ -69317,15 +69317,15 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
"https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
"https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
"https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://github.com/tennc/webshell",
"https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
+ "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
],
"tags": [
@@ -69504,9 +69504,9 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
],
"tags": "No established tags"
@@ -69527,8 +69527,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
],
"tags": [
@@ -69551,8 +69551,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
],
"tags": [
@@ -69575,8 +69575,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
],
"tags": [
@@ -69599,8 +69599,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
],
"tags": [
@@ -69623,8 +69623,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
],
"tags": [
@@ -69647,8 +69647,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
],
"tags": [
@@ -69671,8 +69671,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
],
"tags": [
@@ -69695,8 +69695,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
],
"tags": [
@@ -69719,8 +69719,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
],
"tags": [
@@ -69743,8 +69743,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
],
"tags": [
@@ -69769,8 +69769,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
],
"tags": [
@@ -69793,8 +69793,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml"
],
"tags": [
@@ -69827,8 +69827,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
],
"tags": [
@@ -69861,8 +69861,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml"
],
"tags": [
@@ -69895,8 +69895,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml"
],
"tags": [
@@ -69929,8 +69929,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml"
],
"tags": [
@@ -69953,11 +69953,11 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
"https://o365blog.com/post/aadbackdoor/",
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
"https://www.sygnia.co/golden-saml-advisory",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
],
"tags": [
@@ -69990,8 +69990,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml"
],
"tags": [
@@ -70048,8 +70048,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml"
],
"tags": [
@@ -70082,8 +70082,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml"
],
"tags": [
@@ -70116,8 +70116,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml"
],
"tags": [
@@ -70140,8 +70140,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml"
],
"tags": [
@@ -70165,8 +70165,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml"
],
"tags": [
@@ -70232,8 +70232,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml"
],
"tags": [
@@ -70365,9 +70365,9 @@
"refs": [
"https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
"https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"https://github.com/elastic/detection-rules/pull/1267",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
- "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
],
"tags": [
@@ -70415,8 +70415,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://cloud.google.com/kubernetes-engine/docs",
"https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://cloud.google.com/kubernetes-engine/docs",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
],
@@ -70468,8 +70468,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
"https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml"
],
"tags": [
@@ -70638,8 +70638,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
"https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
],
"tags": [
@@ -70672,9 +70672,9 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
],
"tags": [
@@ -70697,8 +70697,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml"
],
"tags": [
@@ -70731,8 +70731,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml"
],
"tags": [
@@ -70755,8 +70755,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml"
],
"tags": [
@@ -70779,9 +70779,9 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml"
],
"tags": [
@@ -70804,8 +70804,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml"
],
"tags": [
@@ -70885,12 +70885,12 @@
"logsource.product": "aws",
"refs": [
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
- "https://github.com/elastic/detection-rules/pull/1145/files",
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
+ "https://github.com/elastic/detection-rules/pull/1145/files",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
],
"tags": [
@@ -71033,8 +71033,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
"https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
+ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml"
],
"tags": [
@@ -71429,8 +71429,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml"
],
"tags": [
@@ -71616,9 +71616,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
"https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
"https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
- "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml"
],
"tags": [
@@ -71757,8 +71757,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
"https://github.com/elastic/detection-rules/pull/1213",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml"
],
"tags": [
@@ -71849,9 +71849,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
"https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
- "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
],
"tags": [
@@ -71989,8 +71989,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
+ "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
],
"tags": [
@@ -72843,8 +72843,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml"
],
"tags": [
@@ -73064,11 +73064,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
],
"tags": [
@@ -74003,11 +74003,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
],
"tags": [
@@ -74065,11 +74065,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
],
"tags": [
@@ -74211,11 +74211,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
],
"tags": [
@@ -74271,8 +74271,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml"
],
"tags": [
@@ -74340,9 +74340,9 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
],
@@ -74426,11 +74426,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
],
"tags": [
@@ -74991,11 +74991,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
],
"tags": [
@@ -75020,11 +75020,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
],
"tags": [
@@ -75157,8 +75157,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
"https://twitter.com/jhencinski/status/1102695118455349248",
+ "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml"
],
"tags": [
@@ -75270,9 +75270,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
"https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
+ "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml"
],
"tags": [
@@ -75482,9 +75482,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml"
],
"tags": [
@@ -75569,10 +75569,10 @@
"logsource.product": "No established product",
"refs": [
"http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
"https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
"http://www.botopedia.org/search?searchword=scan&searchphrase=all",
"https://perishablepress.com/blacklist/ua-2013.txt",
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml"
],
"tags": [
@@ -75648,8 +75648,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://rclone.org/",
"https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
+ "https://rclone.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml"
],
"tags": [
@@ -75682,8 +75682,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
+ "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_exploitation.yml"
],
"tags": [
@@ -75915,8 +75915,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.advanced-port-scanner.com/",
"https://www.advanced-ip-scanner.com/",
+ "https://www.advanced-port-scanner.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml"
],
"tags": [
@@ -75949,10 +75949,10 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
- "https://www.spamhaus.org/statistics/tlds/",
- "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
"https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
+ "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
+ "https://www.spamhaus.org/statistics/tlds/",
+ "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml"
],
"tags": [
@@ -76463,8 +76463,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://bad-jubies.github.io/RCE-NOW-WHAT/",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://bad-jubies.github.io/RCE-NOW-WHAT/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml"
],
"tags": [
@@ -76488,9 +76488,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://twitter.com/jas502n/status/1321416053050667009?s=20",
"https://twitter.com/sudo_sudoka/status/1323951871078223874",
"https://isc.sans.edu/diary/26734",
- "https://twitter.com/jas502n/status/1321416053050667009?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml"
],
"tags": [
@@ -76524,10 +76524,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
- "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
"https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
+ "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
"https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
+ "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml"
],
"tags": [
@@ -76627,8 +76627,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.anquanke.com/post/id/226029",
"https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
+ "https://www.anquanke.com/post/id/226029",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml"
],
"tags": [
@@ -76652,8 +76652,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/LandGrey/CVE-2018-2894",
"https://twitter.com/pyn3rd/status/1020620932967223296",
+ "https://github.com/LandGrey/CVE-2018-2894",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml"
],
"tags": [
@@ -76689,9 +76689,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://dmaasland.github.io/posts/citrix.html",
"https://support.citrix.com/article/CTX276688",
"https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
+ "https://dmaasland.github.io/posts/citrix.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml"
],
"tags": [
@@ -76724,8 +76724,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
"https://github.com/search?q=CVE-2021-43798",
+ "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml"
],
"tags": [
@@ -76758,8 +76758,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://githubmemory.com/repo/FunctFan/JNDIExploit",
"https://github.com/pimps/JNDI-Exploit-Kit",
+ "https://githubmemory.com/repo/FunctFan/JNDIExploit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml"
],
"tags": "No established tags"
@@ -76780,11 +76780,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://twitter.com/sec715/status/1373472323538362371",
"https://twitter.com/Al1ex4/status/1382981479727128580",
+ "https://github.com/murataydemir/CVE-2021-27905",
"https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
"https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
- "https://twitter.com/sec715/status/1373472323538362371",
- "https://github.com/murataydemir/CVE-2021-27905",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml"
],
"tags": [
@@ -76818,9 +76818,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://www.yang99.top/index.php/archives/82/",
"https://github.com/vnhacker1337/CVE-2022-27925-PoC",
"https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
- "https://www.yang99.top/index.php/archives/82/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml"
],
"tags": [
@@ -76854,10 +76854,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
+ "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
"https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
"https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
+ "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
],
"tags": [
@@ -76895,8 +76895,8 @@
"refs": [
"https://github.com/payloadbox/sql-injection-payload-list",
"https://brightsec.com/blog/sql-injection-payloads/",
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
"https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml"
],
"tags": "No established tags"
@@ -76917,9 +76917,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
"https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
+ "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_poc_exploitation.yml"
],
"tags": [
@@ -76987,8 +76987,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
+ "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_exploitation.yml"
],
"tags": [
@@ -77021,8 +77021,8 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
- "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
"https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
+ "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml"
],
"tags": [
@@ -77055,8 +77055,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html",
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784",
+ "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml"
],
"tags": [
@@ -77148,10 +77148,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/yorickkoster/status/1279709009151434754",
- "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
"https://support.f5.com/csp/article/K52145254",
"https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
+ "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
+ "https://twitter.com/yorickkoster/status/1279709009151434754",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml"
],
"tags": [
@@ -77184,9 +77184,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
"https://f5.pm/go-59627.html",
"https://swarm.ptsecurity.com/unauth-rce-vmware",
- "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
],
"tags": [
@@ -77252,9 +77252,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://github.com/rapid7/metasploit-framework/pull/17407",
"https://github.com/0xf4n9x/CVE-2022-46169",
"https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf",
- "https://github.com/rapid7/metasploit-framework/pull/17407",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_46169_cacti_exploitation_attempt.yml"
],
"tags": [
@@ -77289,11 +77289,11 @@
"logsource.product": "No established product",
"refs": [
"https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://news.ycombinator.com/item?id=29504755",
"https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
"https://twitter.com/shutingrz/status/1469255861394866177?s=21",
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://news.ycombinator.com/item?id=29504755",
+ "https://github.com/YfryTchsGD/Log4jAttackSurface",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml"
],
"tags": [
@@ -77384,9 +77384,9 @@
"logsource.product": "No established product",
"refs": [
"https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
- "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
"https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
"https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+ "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml"
],
"tags": [
@@ -77445,8 +77445,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://portswigger.net/web-security/cross-site-scripting/contexts",
"https://github.com/payloadbox/xss-payload-list",
+ "https://portswigger.net/web-security/cross-site-scripting/contexts",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml"
],
"tags": "No established tags"
@@ -77467,8 +77467,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/pyn3rd/status/1351696768065409026",
"https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
+ "https://twitter.com/pyn3rd/status/1351696768065409026",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml"
],
"tags": [
@@ -77607,8 +77607,8 @@
"logsource.product": "No established product",
"refs": [
"https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
- "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
"https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
+ "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml"
],
"tags": [
@@ -77741,8 +77741,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://youtu.be/5mqid-7zp8k?t=2231",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml"
],
@@ -77776,8 +77776,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://youtu.be/5mqid-7zp8k?t=2231",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml"
],
@@ -77827,11 +77827,11 @@
"logsource.product": "No established product",
"refs": [
"https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://news.ycombinator.com/item?id=29504755",
"https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
"https://twitter.com/shutingrz/status/1469255861394866177?s=21",
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://news.ycombinator.com/item?id=29504755",
+ "https://github.com/YfryTchsGD/Log4jAttackSurface",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
],
"tags": [
@@ -77930,9 +77930,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
- "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
"https://www.tenable.com/security/research/tra-2021-13",
+ "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
+ "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
],
"tags": [
@@ -78035,8 +78035,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://kb.vmware.com/s/article/85717",
"https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
+ "https://kb.vmware.com/s/article/85717",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml"
],
"tags": [
@@ -78069,12 +78069,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/bl4sty/status/1445462677824761878",
- "https://twitter.com/ptswarm/status/1445376079548624899",
- "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
- "https://twitter.com/h4x0r_dz/status/1445401960371429381",
"https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
+ "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
+ "https://twitter.com/h4x0r_dz/status/1445401960371429381",
+ "https://twitter.com/bl4sty/status/1445462677824761878",
+ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
+ "https://twitter.com/ptswarm/status/1445376079548624899",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
],
"tags": [
@@ -78107,9 +78107,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
"https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
"https://www.exploit-db.com/exploits/39161",
- "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml"
],
"tags": [
@@ -78144,9 +78144,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/lijiejie/IIS_shortname_Scanner",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
"https://www.exploit-db.com/exploits/19525",
+ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://github.com/lijiejie/IIS_shortname_Scanner",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml"
],
"tags": [
@@ -78326,11 +78326,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://support.citrix.com/article/CTX267679",
"https://support.citrix.com/article/CTX267027",
+ "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
+ "https://support.citrix.com/article/CTX267679",
"https://isc.sans.edu/diary/25686",
"https://twitter.com/mpgn_x64/status/1216787131210829826",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
],
"tags": [
@@ -78440,8 +78440,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
"https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
+ "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
"https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
],
@@ -78511,8 +78511,8 @@
"logsource.category": "file_event",
"logsource.product": "macos",
"refs": [
- "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
+ "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
],
"tags": [
@@ -78570,8 +78570,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml"
],
"tags": [
@@ -79033,9 +79033,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.manpagez.com/man/8/firmwarepasswd/",
- "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
"https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
+ "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
+ "https://www.manpagez.com/man/8/firmwarepasswd/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
],
"tags": [
@@ -79374,9 +79374,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
"https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
],
"tags": [
@@ -79489,8 +79489,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://gist.github.com/Capybara/6228955",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
+ "https://gist.github.com/Capybara/6228955",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml"
],
"tags": [
@@ -79548,10 +79548,10 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
],
"tags": "No established tags"
@@ -79570,9 +79570,9 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
],
"tags": "No established tags"
@@ -79593,9 +79593,9 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
],
"tags": "No established tags"
@@ -79773,8 +79773,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
],
"tags": [
@@ -79815,8 +79815,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/1/arecord",
"https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
+ "https://linux.die.net/man/1/arecord",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml"
],
"tags": [
@@ -79959,8 +79959,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
"https://linux.die.net/man/1/xclip",
+ "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
],
"tags": [
@@ -80008,9 +80008,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
"https://linux.die.net/man/8/insmod",
"https://man7.org/linux/man-pages/man8/kmod.8.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
],
"tags": [
@@ -80069,9 +80069,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/berdav/CVE-2021-4034",
"https://access.redhat.com/security/cve/CVE-2021-4034",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
+ "https://github.com/berdav/CVE-2021-4034",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml"
],
"tags": [
@@ -80105,8 +80105,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
- "https://linux.die.net/man/1/import",
"https://imagemagick.org/",
+ "https://linux.die.net/man/1/import",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
],
"tags": [
@@ -80188,9 +80188,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
"https://mn3m.info/posts/suid-vs-capabilities/",
"https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
+ "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
"https://man7.org/linux/man-pages/man8/getcap.8.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
],
@@ -80275,8 +80275,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
],
"tags": [
@@ -80514,8 +80514,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/1/wget",
"https://gtfobins.github.io/gtfobins/wget/",
+ "https://linux.die.net/man/1/wget",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml"
],
"tags": [
@@ -80664,8 +80664,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
],
"tags": [
@@ -80830,8 +80830,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/1/xwd",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
+ "https://linux.die.net/man/1/xwd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml"
],
"tags": [
@@ -80922,10 +80922,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
- "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
"https://man7.org/linux/man-pages/man1/passwd.1.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
"https://linux.die.net/man/1/chage",
+ "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
],
"tags": [
@@ -81050,10 +81050,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/8/pam_tty_audit",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://linux.die.net/man/8/pam_tty_audit",
"https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
],
"tags": [
@@ -81153,9 +81153,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
"https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
"https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
],
"tags": [
@@ -81188,9 +81188,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://book.hacktricks.xyz/shells/shells/linux",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
"https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
- "https://book.hacktricks.xyz/shells/shells/linux",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
],
"tags": [
@@ -81460,8 +81460,8 @@
"logsource.product": "linux",
"refs": [
"https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
- "https://linux.die.net/man/8/useradd",
"https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
+ "https://linux.die.net/man/8/useradd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
],
"tags": [
@@ -81502,8 +81502,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/Immersive-Labs-Sec/nimbuspwn",
"https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
+ "https://github.com/Immersive-Labs-Sec/nimbuspwn",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml"
],
"tags": [
@@ -81617,8 +81617,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "http://pastebin.com/FtygZ1cg",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
+ "http://pastebin.com/FtygZ1cg",
"http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
"https://artkond.com/2017/03/23/pivoting-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
@@ -81654,8 +81654,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml",
- "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
"https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/",
+ "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml"
],
"tags": [
@@ -81945,8 +81945,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
"https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
+ "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
],
"tags": [
@@ -81980,8 +81980,8 @@
"logsource.product": "linux",
"refs": [
"https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://www.openwall.com/lists/oss-security/2019/10/14/1",
"https://access.redhat.com/security/cve/cve-2019-14287",
+ "https://www.openwall.com/lists/oss-security/2019/10/14/1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
],
"tags": [
@@ -82212,8 +82212,8 @@
"logsource.category": "file_event",
"logsource.product": "linux",
"refs": [
- "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
"https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
],
"tags": [
@@ -82246,8 +82246,8 @@
"logsource.category": "network_connection",
"logsource.product": "linux",
"refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
"https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"
],
"tags": [
@@ -82357,8 +82357,8 @@
"logsource.product": "linux",
"refs": [
"https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://www.openwall.com/lists/oss-security/2019/10/14/1",
"https://access.redhat.com/security/cve/cve-2019-14287",
+ "https://www.openwall.com/lists/oss-security/2019/10/14/1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
],
"tags": [
@@ -82505,8 +82505,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/vimdiff/",
"https://gtfobins.github.io/gtfobins/vim/",
+ "https://gtfobins.github.io/gtfobins/vimdiff/",
"https://gtfobins.github.io/gtfobins/rvim/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
],
@@ -82692,8 +82692,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
"https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml"
],
"tags": [
@@ -82803,10 +82803,10 @@
"logsource.product": "linux",
"refs": [
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://curl.se/docs/manpage.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://curl.se/docs/manpage.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
],
"tags": [
@@ -82847,8 +82847,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/apt-get/",
"https://gtfobins.github.io/gtfobins/apt/",
+ "https://gtfobins.github.io/gtfobins/apt-get/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml"
],
"tags": [
@@ -82872,9 +82872,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://linux.die.net/man/8/userdel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
],
@@ -83381,9 +83381,9 @@
"logsource.product": "linux",
"refs": [
"https://linux.die.net/man/8/groupdel",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
],
"tags": [
@@ -83416,8 +83416,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
"https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
+ "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml"
],
"tags": [
@@ -83451,8 +83451,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/carlospolop/PEASS-ng",
- "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/diego-treitos/linux-smart-enumeration",
+ "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
],
"tags": [
@@ -83765,9 +83765,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.computerhope.com/unix/unohup.htm",
"https://gtfobins.github.io/gtfobins/nohup/",
"https://en.wikipedia.org/wiki/Nohup",
+ "https://www.computerhope.com/unix/unohup.htm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
],
"tags": "No established tags"
@@ -83924,8 +83924,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.makeuseof.com/how-to-install-and-use-doas/",
"https://research.splunk.com/endpoint/linux_doas_tool_execution/",
+ "https://www.makeuseof.com/how-to-install-and-use-doas/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
],
"tags": [
@@ -84058,8 +84058,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://attack.mitre.org/techniques/T1548/001/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
+ "https://attack.mitre.org/techniques/T1548/001/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
],
"tags": [
@@ -84161,8 +84161,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
"https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
+ "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
],
"tags": [
@@ -84222,5 +84222,5 @@
"value": "Security Software Discovery - Linux"
}
],
- "version": 1
+ "version": "20230112"
}
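Review bot: The last line of the hunk changes the type of `version` from the integer `1` to the string `"20230112"`, so any consumer that compares cluster versions numerically to decide whether to update will now either fail or misorder this cluster against its previous value. Keep the field an integer and let the date-stamp stay monotonic: `"version": 20230112`. The string appears to come from the generator's `time.strftime` call in the tooling patch of this series, so the correction belongs there as well.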
From 5804065e16f7deca8d75e0c2c027973bc8a3ab4c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 12 Jan 2023 14:16:20 +0100
Subject: [PATCH 04/13] chg: [tools] sigma tools updated
---
tools/sigma/config.ini | 3 ++
tools/sigma/sigma-to-galaxy.py | 55 ++++++++++++++++++++++++++++++++--
2 files changed, 55 insertions(+), 3 deletions(-)
create mode 100644 tools/sigma/config.ini
diff --git a/tools/sigma/config.ini b/tools/sigma/config.ini
new file mode 100644
index 0000000..8c4bab2
--- /dev/null
+++ b/tools/sigma/config.ini
@@ -0,0 +1,3 @@
+[MISP]
+cluster_path = ../../clusters/
+mitre_attack_cluster = mitre-attack-pattern.json
diff --git a/tools/sigma/sigma-to-galaxy.py b/tools/sigma/sigma-to-galaxy.py
index cde7a57..ef912e6 100644
--- a/tools/sigma/sigma-to-galaxy.py
+++ b/tools/sigma/sigma-to-galaxy.py
@@ -3,7 +3,7 @@
Author: Jose Luis Sanchez Martinez
Twitter: @Joseliyo_Jstnk
date: 2022/11/18
- Modified: 2022/12/05
+ Modified: 2023/01/03
GitHub: https://github.com/jstnk9/MISP
Description: This script can create MISP Galaxies from Sigma Rules. It can be done setting the path
where you have stored your sigma rules in the system.
@@ -12,7 +12,7 @@
"""
-import os, json, yaml, argparse, uuid
+import os, json, yaml, argparse, uuid, configparser, time
unique_uuid = '9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2'
@@ -22,10 +22,56 @@ def main(args):
galaxyCluster = create_cluster(uuidGalaxy=unique_uuid)
valuesData = create_cluster_value(args.inputPath, args.recursive, galaxyCluster)
galaxyCluster["values"].extend(valuesData)
+ galaxyCluster = createRelations(galaxyCluster)
create_cluster_json(galaxyCluster)
check_duplicates(galaxyCluster)
+def createRelations(galaxyCluster):
+ """
+ :param galaxyCluster: Content of the cluster with all the values related to the Sigma Rules
+
+ :return galaxyCluster: Content of the cluster adding the relation between sigma rule and MITRE technique
+ """
+ for obj in galaxyCluster["values"]:
+ for attack in obj["meta"]["tags"]:
+ if attack.startswith("attack.t"):
+ with open(
+ config["MISP"]["cluster_path"]
+ + config["MISP"]["mitre_attack_cluster"],
+ "r",
+ ) as mitreCluster:
+ data = json.load(mitreCluster)
+ for technique in data["values"]:
+ if (
+ technique["meta"]["external_id"]
+ == attack.split(".", 1)[1].upper()
+ ):
+ if obj.get("related"):
+ obj["related"].append(
+ {
+ "dest-uuid": "%s" % (technique["uuid"]),
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to",
+ }
+ )
+ else:
+ obj["related"] = []
+ obj["related"].append(
+ {
+ "dest-uuid": "%s" % (technique["uuid"]),
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to",
+ }
+ )
+
+ return galaxyCluster
+
+
def check_duplicates(galaxy):
"""
:param galaxy: Content of the cluster with all the values
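Review bot: `createRelations` reopens and re-parses the whole MITRE ATT&CK cluster file inside the innermost loop, once per `attack.t*` tag of every rule, and then scans all techniques linearly for each tag; the file should be loaded once before the loop and indexed by `external_id`. The loop also assumes `obj["meta"]["tags"]` is a list, but the cluster written by this tool contains `"tags": "No established tags"` for rules without tags — iterating that string yields single characters and only happens to be harmless because no character starts with `attack.t`; an explicit `isinstance(tags, list)` guard makes the intent clear. The two `append` branches are identical except for initialising the list and collapse to `obj.setdefault("related", []).append(...)`, and `"%s" % (technique["uuid"])` is just `technique["uuid"]`. The rewrite below assumes `external_id` is unique within the MITRE cluster (the original would add one relation per matching technique) and skips techniques whose `meta` lacks `external_id` instead of raising `KeyError`; it also reads the module-global `config`, which this patch only defines under `if __name__ == '__main__':`, so importing the module and calling `main()` would raise `NameError`.
```python
def createRelations(galaxyCluster):
    # … unchanged: docstring …
    mitre_path = os.path.join(
        config["MISP"]["cluster_path"], config["MISP"]["mitre_attack_cluster"]
    )
    # Load and index the MITRE cluster once; the original reopened it per tag.
    with open(mitre_path, "r") as mitreCluster:
        techniques = {
            t["meta"]["external_id"]: t["uuid"]
            for t in json.load(mitreCluster)["values"]
            if "external_id" in t.get("meta", {})
        }
    for obj in galaxyCluster["values"]:
        tags = obj["meta"]["tags"]
        if not isinstance(tags, list):
            continue  # "No established tags" is a plain string, not a tag list
        for attack in tags:
            if not attack.startswith("attack.t"):
                continue
            dest = techniques.get(attack.split(".", 1)[1].upper())
            if dest is None:
                continue
            obj.setdefault("related", []).append(
                {
                    "dest-uuid": dest,
                    "tags": [
                        "estimative-language:likelihood-probability=\"almost-certain\""
                    ],
                    "type": "related-to",
                }
            )
    return galaxyCluster
```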
@@ -81,6 +127,7 @@ def create_cluster(uuidGalaxy=unique_uuid):
:return cluster: Dict with the basic information needed for the JSON file.
"""
+ version = time.strftime("%Y%m%d")
cluster = {
"authors": ["@Joseliyo_Jstnk"],
"category": "rules",
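Review bot: `version = time.strftime("%Y%m%d")` on the added line yields a string, and the following hunk (`"version": version`) writes it into the cluster where the previous value was the integer `1`; a date string is not comparable with the integer versions other clusters carry, so numeric "is there a newer version" checks break. Convert it at the source: `version = int(time.strftime("%Y%m%d"))`, which stays monotonically increasing and keeps the field's type. The body of `create_cluster` continues outside both hunks.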
@@ -90,7 +137,7 @@ def create_cluster(uuidGalaxy=unique_uuid):
"type": "sigma-rules",
"uuid": uuidGalaxy,
"values": [],
- "version": 1,
+ "version": version
}
return cluster
@@ -197,6 +244,8 @@ def create_galaxy_json():
if __name__ == '__main__':
+ config = configparser.ConfigParser()
+ config.read("config.ini")
parser = argparse.ArgumentParser(
description="This script can convert your sigma rules in MISP galaxies, generating both files needed for cluster and galaxies. If you need more information about how to import it, please, go to https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma"
)
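Review bot: `config.read("config.ini")` resolves the path against the current working directory and silently returns an empty list when the file is absent, so running the script from any other directory produces an unrelated `KeyError: 'MISP'` later in `createRelations`. Resolve the file relative to the script and fail with a clear message: `cfg_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "config.ini")`, `if not config.read(cfg_path): raise SystemExit(f"missing config file: {cfg_path}")`. Because `config` is created only inside this `__main__` block while `createRelations` reads it as a module global, the helper is unusable when the module is imported; consider passing `config` to `main()` as a parameter instead.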
From 323f9f47a11dadb95cb072b7fdb06f40d3ab0252 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 12 Jan 2023 16:45:21 +0100
Subject: [PATCH 05/13] chg: [sigma] version must be an integer
---
clusters/sigma-rules.json | 2192 +++++++++++++++++++------------------
1 file changed, 1108 insertions(+), 1084 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 504a13a..f7a6bd3 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -174,9 +174,9 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
],
"tags": "No established tags"
@@ -197,8 +197,8 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
- "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
"https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
+ "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml"
],
"tags": [
@@ -232,10 +232,10 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://core.telegram.org/bots/faq",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
+ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
],
"tags": [
@@ -460,8 +460,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/stvemillertime/status/1024707932447854592",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
+ "https://twitter.com/stvemillertime/status/1024707932447854592",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
],
"tags": [
@@ -1330,9 +1330,9 @@
"logsource.product": "zeek",
"refs": [
"https://threatpost.com/microsoft-petitpotam-poc/168163/",
- "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
- "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
"https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
+ "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
+ "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
],
"tags": [
@@ -1441,8 +1441,8 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29",
"http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html",
+ "https://github.com/OTRF/detection-hackathon-apt29",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml"
],
"tags": [
@@ -1700,9 +1700,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/Maka8ka/NGLite",
"https://github.com/nknorg/nkn-sdk-go",
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
],
"tags": [
@@ -1777,8 +1777,8 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29",
"https://github.com/OTRF/detection-hackathon-apt29/issues/37",
+ "https://github.com/OTRF/detection-hackathon-apt29",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml"
],
"tags": [
@@ -1843,12 +1843,12 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
"https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
"https://github.com/corelight/CVE-2021-1675",
+ "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
],
"tags": [
@@ -1971,9 +1971,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
+ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
"https://tools.ietf.org/html/rfc2929#section-2.1",
"https://twitter.com/neu5ron/status/1346245602502443009",
- "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
"https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
],
@@ -2148,10 +2148,10 @@
"logsource.category": "application",
"logsource.product": "ruby_on_rails",
"refs": [
- "http://edgeguides.rubyonrails.org/security.html",
- "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
"https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
+ "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
"http://guides.rubyonrails.org/action_controller_overview.html",
+ "http://edgeguides.rubyonrails.org/security.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
],
"tags": [
@@ -2184,10 +2184,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
],
"tags": [
@@ -2211,10 +2211,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
],
"tags": [
@@ -2237,8 +2237,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
@@ -2299,8 +2299,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
@@ -2336,10 +2336,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
],
"tags": [
@@ -2387,8 +2387,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
@@ -2424,8 +2424,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
],
@@ -2467,8 +2467,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
@@ -2504,12 +2504,12 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
],
"tags": [
@@ -2532,10 +2532,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
],
"tags": [
@@ -2558,10 +2558,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
],
"tags": [
@@ -2584,8 +2584,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
@@ -2610,10 +2610,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
],
"tags": [
@@ -2637,10 +2637,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
],
"tags": [
@@ -2663,8 +2663,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
@@ -2722,10 +2722,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
],
@@ -2907,8 +2907,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/hlldz/Invoke-Phant0m",
"https://twitter.com/timbmsft/status/900724491076214784",
+ "https://github.com/hlldz/Invoke-Phant0m",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml"
],
"tags": [
@@ -2941,9 +2941,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://twitter.com/mrd0x/status/1460597833917251595",
"https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
],
"tags": [
@@ -3189,9 +3189,9 @@
"logsource.product": "windows",
"refs": [
"https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
],
"tags": [
@@ -3225,9 +3225,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
],
@@ -3263,10 +3263,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
],
@@ -3301,10 +3301,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
],
@@ -3513,8 +3513,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml"
],
"tags": [
@@ -3548,9 +3548,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
+ "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
"https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
"https://github.com/codewhitesec/SysmonEnte/",
- "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
],
"tags": [
@@ -3583,8 +3583,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/boku7/spawn",
"https://github.com/boku7/injectAmsiBypass",
+ "https://github.com/boku7/spawn",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml"
],
"tags": [
@@ -3619,9 +3619,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1541920424635912196",
"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
+ "https://twitter.com/SBousseaden/status/1541920424635912196",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
],
"tags": [
@@ -3735,8 +3735,8 @@
"logsource.category": "sysmon_error",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
],
"tags": [
@@ -3769,8 +3769,8 @@
"logsource.category": "sysmon_status",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
],
"tags": [
@@ -3803,8 +3803,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml"
],
"tags": [
@@ -3829,8 +3829,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml"
],
"tags": [
@@ -3912,10 +3912,10 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/d4rksystem/status/1357010969264873472",
- "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://github.com/SigmaHQ/sigma/issues/253",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
"https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
],
@@ -3941,8 +3941,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://attack.mitre.org/groups/G0010/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml"
],
"tags": [
@@ -4166,8 +4166,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/zcgonvh/EfsPotato",
"https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
+ "https://github.com/zcgonvh/EfsPotato",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml"
],
"tags": [
@@ -4227,18 +4227,18 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
"https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
"https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
"https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
],
"tags": [
@@ -4298,9 +4298,9 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
"https://o365blog.com/post/adfs/",
"https://github.com/Azure/SimuLand",
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
],
"tags": [
@@ -4683,8 +4683,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
"https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing",
+ "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml"
],
"tags": [
@@ -4710,8 +4710,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
"https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml"
],
"tags": [
@@ -4921,9 +4921,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
],
"tags": "No established tags"
@@ -4973,8 +4973,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm",
"https://attack.mitre.org/software/S0359/",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml"
],
"tags": [
@@ -5034,8 +5034,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
"https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
],
"tags": [
@@ -5090,8 +5090,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.secureworks.com/blog/ransomware-as-a-distraction",
"https://twitter.com/menasec1/status/1106899890377052160",
+ "https://www.secureworks.com/blog/ransomware-as-a-distraction",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
],
"tags": [
@@ -5229,9 +5229,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://github.com/sensepost/ruler/issues/47",
"https://github.com/sensepost/ruler",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://github.com/sensepost/ruler/issues/47",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
],
@@ -5463,8 +5463,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
],
@@ -5534,8 +5534,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
"https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
],
"tags": [
@@ -5559,9 +5559,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
- "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
],
"tags": [
@@ -5692,8 +5692,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
],
"tags": [
@@ -5963,15 +5963,15 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
],
"tags": "No established tags"
@@ -6041,8 +6041,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
"https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
+ "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml"
],
"tags": [
@@ -6099,9 +6099,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/fox-it/LDAPFragger",
"https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
- "https://github.com/fox-it/LDAPFragger",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
],
"tags": [
@@ -6270,9 +6270,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
"https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
],
"tags": [
@@ -6338,8 +6338,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
"https://twitter.com/matthewdunwoody/status/1352356685982146562",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml"
],
"tags": [
@@ -6410,8 +6410,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
- "Live environment caused by malware",
"Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
+ "Live environment caused by malware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
],
"tags": [
@@ -7106,10 +7106,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://twitter.com/SecurityJosh/status/1283027365770276866",
"https://twitter.com/Flangvik/status/1283054508084473861",
+ "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
"https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+ "https://twitter.com/SecurityJosh/status/1283027365770276866",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
],
"tags": [
@@ -7388,9 +7388,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
- "https://github.com/topotam/PetitPotam",
"https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
+ "https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
],
"tags": [
@@ -7423,8 +7423,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
"https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
],
"tags": [
@@ -7799,8 +7799,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml"
],
"tags": [
@@ -7928,8 +7928,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
"https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml"
],
"tags": [
@@ -8160,10 +8160,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
],
"tags": "No established tags"
@@ -8214,15 +8214,15 @@
"logsource.product": "windows",
"refs": [
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
],
"tags": [
@@ -8350,8 +8350,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1096148422984384514",
"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
+ "https://twitter.com/SBousseaden/status/1096148422984384514",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml"
],
"tags": [
@@ -8396,8 +8396,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
+ "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
],
"tags": [
@@ -8601,8 +8601,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
+ "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
],
"tags": [
@@ -8626,8 +8626,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
"https://twitter.com/duzvik/status/1269671601852813320",
+ "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
],
"tags": [
@@ -8718,9 +8718,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
+ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
],
"tags": [
@@ -8744,9 +8744,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
"https://adsecurity.org/?p=3466",
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
],
"tags": [
@@ -8804,9 +8804,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1581300963650187264?",
- "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
+ "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
+ "https://twitter.com/SBousseaden/status/1581300963650187264?",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
],
"tags": [
@@ -8874,9 +8874,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -8967,10 +8967,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
],
"tags": [
@@ -9157,8 +9157,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/malmoeb/status/1511760068743766026",
- "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
"https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
+ "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
],
"tags": [
@@ -9349,8 +9349,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://goo.gl/PsqrhT",
"https://twitter.com/JohnLaTwC/status/1004895028995477505",
+ "https://goo.gl/PsqrhT",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
],
"tags": [
@@ -9409,8 +9409,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
"https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
+ "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml"
],
"tags": [
@@ -9631,8 +9631,8 @@
"logsource.product": "windows",
"refs": [
"https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
- "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
"https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
+ "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
],
"tags": [
@@ -9745,8 +9745,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
],
"tags": [
@@ -9781,8 +9781,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml"
],
"tags": [
@@ -9805,9 +9805,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml"
],
"tags": [
@@ -9840,11 +9840,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/FlemmingRiis/status/1217147415482060800",
- "https://nullsec.us/windows-event-log-audit-cve/",
"https://www.youtube.com/watch?v=ebmW42YYveI",
"https://twitter.com/DidierStevens/status/1217533958096924676",
"https://twitter.com/VM_vivisector/status/1217190929330655232",
+ "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/FlemmingRiis/status/1217147415482060800",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
],
"tags": [
@@ -9955,8 +9955,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml"
],
"tags": [
@@ -10002,9 +10002,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
"https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
],
"tags": [
@@ -10092,8 +10092,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
"https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
+ "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
],
"tags": [
@@ -10117,8 +10117,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1539679555908141061",
"https://twitter.com/j00sean/status/1537750439701225472",
+ "https://twitter.com/nas_bench/status/1539679555908141061",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml"
],
"tags": [
@@ -10141,8 +10141,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1483810148602814466",
"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://twitter.com/SBousseaden/status/1483810148602814466",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
],
"tags": [
@@ -10165,8 +10165,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/wdormann/status/1590434950335320065",
"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://twitter.com/wdormann/status/1590434950335320065",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml"
],
"tags": [
@@ -10233,8 +10233,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/moti_b/status/1032645458634653697",
"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
+ "https://twitter.com/moti_b/status/1032645458634653697",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml"
],
"tags": [
@@ -10258,9 +10258,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/afwu/PrintNightmare",
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
"https://github.com/hhlxf/PrintNightmare",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://github.com/afwu/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml"
],
"tags": [
@@ -10308,10 +10308,10 @@
"logsource.product": "windows",
"refs": [
"https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
"https://winaero.com/enable-openssh-server-windows-10/",
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
"https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
- "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
],
"tags": [
@@ -10336,8 +10336,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/fuzzyf10w/status/1410202370835898371",
- "https://github.com/afwu/PrintNightmare",
"https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/afwu/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
],
"tags": [
@@ -10405,8 +10405,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
],
"tags": [
@@ -10430,8 +10430,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml"
],
"tags": [
@@ -10556,8 +10556,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
"https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
],
"tags": [
@@ -10670,8 +10670,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
],
"tags": [
@@ -10719,8 +10719,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml"
@@ -10892,8 +10892,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml"
],
@@ -10963,8 +10963,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://ngrok.com/",
+ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
],
"tags": [
@@ -10997,9 +10997,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
"https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
"https://twitter.com/gentilkiwi/status/861641945944391680",
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml"
],
"tags": [
@@ -11516,9 +11516,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -11588,8 +11588,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml"
],
"tags": [
@@ -11682,8 +11682,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
"https://github.com/Ekultek/BlueKeep",
+ "https://github.com/zerosum0x0/CVE-2019-0708",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml"
],
"tags": [
@@ -11715,8 +11715,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.secura.com/blog/zero-logon",
"https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
+ "https://www.secura.com/blog/zero-logon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
],
"tags": [
@@ -12102,8 +12102,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
"https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml"
],
"tags": [
@@ -12161,8 +12161,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml"
],
"tags": [
@@ -12278,8 +12278,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/wdormann/status/1347958161609809921",
"https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
+ "https://twitter.com/wdormann/status/1347958161609809921",
"https://twitter.com/jonasLyk/status/1347900440000811010",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml"
],
@@ -12330,8 +12330,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
"https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml"
],
"tags": [
@@ -12366,8 +12366,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml"
],
"tags": [
@@ -13101,8 +13101,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yml"
],
"tags": [
@@ -13136,8 +13136,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
"https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
],
"tags": [
@@ -13171,9 +13171,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
"https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
],
"tags": [
@@ -13244,11 +13244,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
- "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
"https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
"https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
+ "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
],
"tags": [
@@ -13290,10 +13290,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml"
],
"tags": [
@@ -13316,10 +13316,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml"
],
"tags": [
@@ -13330,7 +13330,7 @@
"value": "Suspicious AppX Package Locations"
},
{
- "description": "Detects installation of known malicious appx packages",
+ "description": "Detects potential installation or installation attempts of known malicious appx packages",
"meta": {
"author": "Nasreddine Bencherchali",
"creation_date": "2023/01/11",
@@ -13342,9 +13342,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml"
],
"tags": [
@@ -13352,7 +13352,7 @@
]
},
"uuid": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce",
- "value": "Malicious AppX Package Installed"
+ "value": "Potential Malicious AppX Package Installation Attempts"
},
{
"description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain",
@@ -13367,10 +13367,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml"
],
"tags": [
@@ -13393,10 +13393,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml"
],
"tags": [
@@ -13647,8 +13647,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
],
"tags": [
@@ -13959,9 +13959,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
"https://www.dfirnotes.net/portproxy_detection/",
"https://adepts.of0x.cc/netsh-portproxy-code/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
],
"tags": [
@@ -13996,8 +13996,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/recyclebin.html",
"https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
+ "https://persistence-info.github.io/Data/recyclebin.html",
"https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
],
@@ -14057,8 +14057,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
],
"tags": [
@@ -14359,8 +14359,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
"https://github.com/eset/malware-ioc/tree/master/oceanlotus",
+ "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
],
"tags": [
@@ -14384,8 +14384,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
"https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml"
],
"tags": [
@@ -14589,8 +14589,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
"http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
+ "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml"
],
"tags": [
@@ -14614,8 +14614,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
],
"tags": [
@@ -14764,10 +14764,10 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
- "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
- "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
"https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
],
"tags": [
@@ -14826,8 +14826,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
],
"tags": [
@@ -14940,8 +14940,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://wikileaks.org/vault7/#Pandemic",
"https://twitter.com/MalwareJake/status/870349480356454401",
+ "https://wikileaks.org/vault7/#Pandemic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml"
],
"tags": [
@@ -15007,8 +15007,8 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "http://woshub.com/how-to-clear-rdp-connections-history/",
"https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
+ "http://woshub.com/how-to-clear-rdp-connections-history/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
],
"tags": [
@@ -15066,8 +15066,8 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://seclists.org/fulldisclosure/2020/Mar/45",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml"
],
"tags": [
@@ -15115,11 +15115,11 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
"https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/7",
"https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
],
"tags": [
@@ -15268,8 +15268,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
"https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml"
],
"tags": [
@@ -15325,11 +15325,11 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
"https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
"https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
"https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml"
],
"tags": [
@@ -15353,8 +15353,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
"https://persistence-info.github.io/Data/amsi.html",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml"
],
"tags": [
@@ -15575,8 +15575,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/htmlhelpauthor.html",
"https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
+ "https://persistence-info.github.io/Data/htmlhelpauthor.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
],
"tags": [
@@ -15599,8 +15599,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
"https://github.com/rootm0s/WinPwnage",
+ "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
],
"tags": [
@@ -15700,8 +15700,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
"https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml"
],
"tags": [
@@ -15749,8 +15749,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
"https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml"
],
"tags": [
@@ -15799,9 +15799,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
],
"tags": [
@@ -15825,13 +15825,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
"https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
],
"tags": [
@@ -15867,6 +15867,30 @@
"uuid": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86",
"value": "Scripted Diagnostics Turn Off Check Enabled - Registry"
},
+ {
+ "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_turn_on_dev_features.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/malmoeb/status/1560536653709598721",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "b110ebaf-697f-4da1-afd5-b536fa27a2c1",
+ "value": "Potential Signing Bypass Via Windows Developer Features - Registry"
+ },
{
"description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"meta": {
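Review bot: The `description` of the new `registry_set_turn_on_dev_features.yml` entry is not a grammatical sentence ("Detects when the enablement of developer features ... . Which allows ..."), so the text that consumers of this cluster will display reads as a fragment. A cleaner wording that states the same thing is `"description": "Detects the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\", which allow the user to install untrusted packages."`. Since the commit message says this file is regenerated from the upstream rules by a script, the fix presumably has to land in the source Sigma rule and be re-imported rather than be patched here, otherwise the next regeneration would reintroduce the fragment.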
@@ -15881,9 +15905,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
],
"tags": [
@@ -15917,8 +15941,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/wer_debugger.html",
"https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
+ "https://persistence-info.github.io/Data/wer_debugger.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
],
"tags": [
@@ -15964,8 +15988,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
"https://www.exploit-db.com/exploits/47696",
+ "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
],
"tags": [
@@ -16030,8 +16054,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
+ "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
],
"tags": [
@@ -16055,9 +16079,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
"https://twitter.com/inversecos/status/1494174785621819397",
"https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
],
"tags": [
@@ -16142,8 +16166,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_vivami/status/1347925307643355138",
"https://vanmieghem.io/stealth-outlook-persistence/",
+ "https://twitter.com/_vivami/status/1347925307643355138",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
],
"tags": [
@@ -16177,10 +16201,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
],
"tags": [
@@ -16262,8 +16286,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
"https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
+ "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
],
"tags": [
@@ -16287,8 +16311,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
"https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
],
"tags": [
@@ -16370,9 +16394,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/gtworek/PSBits/tree/master/SIP",
"https://persistence-info.github.io/Data/codesigning.html",
"https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
- "https://github.com/gtworek/PSBits/tree/master/SIP",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
],
"tags": [
@@ -16407,9 +16431,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
],
"tags": [
@@ -16490,8 +16514,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/last-byte/PersistenceSniper",
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
],
"tags": [
@@ -16581,8 +16605,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
+ "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
],
"tags": [
@@ -16638,8 +16662,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/WhichbufferArda/status/1543900539280293889",
"https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
+ "https://twitter.com/WhichbufferArda/status/1543900539280293889",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
],
"tags": [
@@ -16706,8 +16730,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://labs.f-secure.com/blog/scheduled-task-tampering/",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://labs.f-secure.com/blog/scheduled-task-tampering/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
],
"tags": [
@@ -16827,8 +16851,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
"https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
],
"tags": [
@@ -17048,10 +17072,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
],
"tags": [
@@ -17166,13 +17190,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
"https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
],
"tags": [
@@ -17231,9 +17255,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
],
"tags": [
@@ -17258,9 +17282,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
],
"tags": [
@@ -17308,8 +17332,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
"https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
],
"tags": [
@@ -17443,8 +17467,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
"https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml"
],
"tags": [
@@ -17491,9 +17515,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
"https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
+ "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
],
"tags": [
@@ -17527,9 +17551,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
],
"tags": [
@@ -17758,9 +17782,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
],
@@ -17785,8 +17809,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
+ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
],
"tags": [
@@ -17819,8 +17843,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
"https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
],
"tags": [
@@ -17855,8 +17879,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/hhctrl.html",
"https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
+ "https://persistence-info.github.io/Data/hhctrl.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
],
"tags": [
@@ -18075,8 +18099,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
],
"tags": [
@@ -18203,9 +18227,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
],
"tags": [
@@ -18254,9 +18278,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
],
"tags": [
@@ -18313,8 +18337,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/aedebug.html",
"https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
+ "https://persistence-info.github.io/Data/aedebug.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
],
"tags": [
@@ -18362,9 +18386,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
],
"tags": [
@@ -18388,9 +18412,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
],
"tags": [
@@ -18424,8 +18448,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
],
"tags": [
@@ -18483,8 +18507,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
"https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
],
@@ -18575,9 +18599,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
- "https://www.sans.org/cyber-security-summit/archives",
"https://twitter.com/jamieantisocial/status/1304520651248668673",
+ "https://www.sans.org/cyber-security-summit/archives",
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
],
"tags": [
@@ -18728,8 +18752,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
"https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
],
"tags": [
@@ -19098,10 +19122,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
],
"tags": [
@@ -19158,8 +19182,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/ransomware-families/",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://unit42.paloaltonetworks.com/ransomware-families/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
],
@@ -19191,8 +19215,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml"
],
"tags": [
@@ -19233,8 +19257,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
+ "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
],
"tags": [
@@ -19268,9 +19292,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
],
"tags": [
@@ -19343,10 +19367,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
"https://github.com/elastic/detection-rules/issues/1371",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+ "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
+ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
],
"tags": [
@@ -19438,8 +19462,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
],
"tags": [
@@ -19463,16 +19487,16 @@
"logsource.product": "windows",
"refs": [
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
"https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
],
"tags": [
@@ -19540,9 +19564,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
],
"tags": [
@@ -19566,8 +19590,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
],
"tags": [
@@ -19601,8 +19625,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
],
"tags": [
@@ -19626,8 +19650,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
"https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
+ "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml"
],
"tags": [
@@ -19653,8 +19677,8 @@
"refs": [
"https://persistence-info.github.io/Data/ifilters.html",
"https://github.com/gtworek/PSBits/tree/master/IFilter",
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
"https://twitter.com/0gtweet/status/1468548924600459267",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
],
"tags": [
@@ -19812,9 +19836,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
"https://twitter.com/dez_/status/986614411711442944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
],
"tags": [
@@ -19914,8 +19938,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/binderlabs/DirCreate2System",
"https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
+ "https://github.com/binderlabs/DirCreate2System",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
],
"tags": [
@@ -19942,10 +19966,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://github.com/bohops/WSMan-WinRM",
"https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
],
"tags": [
@@ -20020,8 +20044,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/am0nsec/status/1412232114980982787",
"https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
+ "https://twitter.com/am0nsec/status/1412232114980982787",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml"
],
"tags": [
@@ -20347,12 +20371,12 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://github.com/Wh04m1001/SysmonEoP",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
],
"tags": [
@@ -20467,8 +20491,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
"https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
],
"tags": [
@@ -20528,8 +20552,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/16",
+ "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_system_drawing_load.yml"
],
"tags": [
@@ -20555,8 +20579,8 @@
"refs": [
"https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
"https://hijacklibs.net/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
"https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
],
"tags": [
@@ -20800,10 +20824,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/tyranid/DotNetToJScript",
- "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://thewover.github.io/Introducing-Donut/",
+ "https://github.com/tyranid/DotNetToJScript",
+ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
],
"tags": [
@@ -20887,8 +20911,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
"https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
+ "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
],
"tags": [
@@ -21268,9 +21292,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/HunterPlaybook/status/1301207718355759107",
- "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
"https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
+ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
+ "https://twitter.com/HunterPlaybook/status/1301207718355759107",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml"
],
"tags": [
@@ -21425,8 +21449,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/ly4k/SpoolFool",
"https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/ly4k/SpoolFool",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
],
"tags": [
@@ -21490,9 +21514,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
"https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
],
"tags": [
@@ -21660,8 +21684,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/RiccardoAncarani/LiquidSnake",
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
"https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
+ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
],
"tags": [
@@ -21695,8 +21719,8 @@
"logsource.product": "windows",
"refs": [
"https://nmap.org/ncat/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/besimorhino/powercat",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
],
"tags": [
@@ -21729,9 +21753,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://github.com/bohops/WSMan-WinRM",
"https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
],
"tags": [
@@ -21882,8 +21906,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -21985,8 +22009,8 @@
"logsource.category": "ps_classic_start",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
],
"tags": [
@@ -22278,9 +22302,9 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
- "https://www.mdeditor.tw/pl/pgRt",
"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
+ "https://www.mdeditor.tw/pl/pgRt",
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
],
"tags": [
@@ -22313,8 +22337,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/16",
+ "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml"
],
"tags": [
@@ -22508,8 +22532,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml"
],
"tags": [
@@ -22543,8 +22567,8 @@
"logsource.product": "windows",
"refs": [
"https://nmap.org/ncat/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/besimorhino/powercat",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml"
],
"tags": [
@@ -23059,8 +23083,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml"
],
"tags": [
@@ -23084,8 +23108,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -23285,8 +23309,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/datasources/DS0005/",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://attack.mitre.org/datasources/DS0005/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml"
],
"tags": [
@@ -23454,8 +23478,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
],
"tags": [
@@ -23613,8 +23637,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
+ "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
],
"tags": [
@@ -23717,10 +23741,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://powersploit.readthedocs.io/en/stable/Recon/README",
- "https://thedfirreport.com/2020/10/08/ryuks-return",
- "https://adsecurity.org/?p=2277",
"https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
+ "https://thedfirreport.com/2020/10/08/ryuks-return",
+ "https://powersploit.readthedocs.io/en/stable/Recon/README",
+ "https://adsecurity.org/?p=2277",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
],
"tags": [
@@ -23862,8 +23886,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.ietf.org/rfc/rfc2821.txt",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
+ "https://www.ietf.org/rfc/rfc2821.txt",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
],
@@ -23897,9 +23921,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -23924,8 +23948,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -24073,10 +24097,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
"https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
+ "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
"http://woshub.com/manage-windows-firewall-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
],
@@ -24110,8 +24134,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
"https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
],
"tags": [
@@ -24177,8 +24201,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml"
],
"tags": [
@@ -24235,10 +24259,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
],
"tags": [
@@ -24351,8 +24375,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
+ "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml"
],
"tags": [
@@ -24507,9 +24531,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://adsecurity.org/?p=2604",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -24566,8 +24590,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml"
],
"tags": [
@@ -24965,8 +24989,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml"
],
"tags": [
@@ -25226,8 +25250,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
"https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
+ "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
],
"tags": [
@@ -25261,8 +25285,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
],
"tags": [
@@ -25423,8 +25447,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
"https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml"
],
"tags": [
@@ -25480,9 +25504,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml"
],
"tags": [
@@ -25810,8 +25834,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
],
"tags": [
@@ -25911,8 +25935,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
+ "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
],
"tags": [
@@ -25945,8 +25969,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
],
"tags": [
@@ -25970,8 +25994,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/datasources/DS0005/",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://attack.mitre.org/datasources/DS0005/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"
],
"tags": [
@@ -26004,8 +26028,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
],
"tags": [
@@ -26061,9 +26085,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
"https://twitter.com/oroneequalsone/status/1568432028361830402",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
],
"tags": [
@@ -26184,8 +26208,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
],
"tags": [
@@ -26244,8 +26268,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
+ "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
],
"tags": [
@@ -26311,8 +26335,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml"
],
"tags": [
@@ -26453,8 +26477,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -26547,8 +26571,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/995111125447577600",
"https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
+ "https://twitter.com/pabraeken/status/995111125447577600",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml"
],
"tags": [
@@ -26689,8 +26713,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
+ "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml"
],
"tags": [
@@ -26724,9 +26748,9 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
"https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
"https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
],
"tags": [
@@ -26816,8 +26840,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
"https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml"
],
"tags": [
@@ -27019,8 +27043,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
+ "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml"
],
"tags": [
@@ -27119,8 +27143,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml"
],
@@ -27144,10 +27168,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ScumBots/status/1610626724257046529",
- "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
- "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
"https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
+ "https://twitter.com/ScumBots/status/1610626724257046529",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
],
"tags": [
@@ -27172,8 +27196,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
],
"tags": [
@@ -27263,8 +27287,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml"
],
"tags": "No established tags"
@@ -27326,19 +27350,19 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/samratashok/nishang",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
"https://adsecurity.org/?p=2921",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
"https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
],
"tags": [
@@ -27442,9 +27466,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
"https://www.shellhacks.com/clear-history-powershell/",
+ "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
],
"tags": [
@@ -27586,8 +27610,8 @@
"logsource.product": "windows",
"refs": [
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
],
"tags": "No established tags"
@@ -27749,8 +27773,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/Arno0x/DNSExfiltrator",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
+ "https://github.com/Arno0x/DNSExfiltrator",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
],
"tags": [
@@ -27877,9 +27901,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
"https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml"
],
"tags": [
@@ -28197,8 +28221,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/995111125447577600",
"https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
+ "https://twitter.com/pabraeken/status/995111125447577600",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml"
],
"tags": [
@@ -28474,9 +28498,9 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
- "https://github.com/denandz/KeeFarce",
"https://github.com/GhostPack/KeeThief",
+ "https://github.com/denandz/KeeFarce",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
],
"tags": [
@@ -28509,8 +28533,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
"https://twitter.com/SBousseaden/status/1090588499517079552",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
],
"tags": [
@@ -28568,8 +28592,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io",
"Personal research, statistical analysis",
+ "https://lolbas-project.github.io",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml"
],
"tags": [
@@ -28812,9 +28836,9 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
- "https://github.com/fengjixuchui/gdrv-loader",
"https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
+ "https://github.com/fengjixuchui/gdrv-loader",
+ "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
"https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
"https://twitter.com/malmoeb/status/1551449425842786306",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
@@ -28865,18 +28889,18 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/stong/CVE-2020-15368",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
- "https://github.com/namazso/physmem_drivers",
+ "https://github.com/jbaines-r7/dellicious",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
"https://github.com/Chigusa0w0/AsusDriversPrivEscala",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/jbaines-r7/dellicious",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
+ "https://github.com/namazso/physmem_drivers",
+ "https://github.com/stong/CVE-2020-15368",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml"
],
"tags": [
@@ -28943,8 +28967,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
"https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml"
],
"tags": [
@@ -28968,8 +28992,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
"https://reqrypt.org/windivert-doc.html",
+ "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml"
],
"tags": [
@@ -29011,22 +29035,22 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/stong/CVE-2020-15368",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
- "https://github.com/namazso/physmem_drivers",
+ "https://github.com/jbaines-r7/dellicious",
"https://github.com/tandasat/ExploitCapcom",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
"https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/jbaines-r7/dellicious",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
+ "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
"https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
+ "https://github.com/namazso/physmem_drivers",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
+ "https://github.com/stong/CVE-2020-15368",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml"
],
"tags": [
@@ -29177,8 +29201,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://processhacker.sourceforge.io/",
"https://systeminformer.sourceforge.io/",
+ "https://processhacker.sourceforge.io/",
"https://github.com/winsiderss/systeminformer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml"
],
@@ -29213,8 +29237,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/",
"https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details",
+ "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml"
],
"tags": [
@@ -29238,8 +29262,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
"https://github.com/alfarom256/CVE-2022-3699/",
+ "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml"
],
"tags": [
@@ -29309,8 +29333,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/M_haggis/status/900741347035889665",
- "https://twitter.com/M_haggis/status/1032799638213066752",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
+ "https://twitter.com/M_haggis/status/1032799638213066752",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml"
],
"tags": [
@@ -29352,8 +29376,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
"https://pypi.org/project/scapy/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml"
],
"tags": [
@@ -29751,8 +29775,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
+ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml"
],
"tags": [
@@ -29856,8 +29880,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.ietf.org/rfc/rfc2821.txt",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
+ "https://www.ietf.org/rfc/rfc2821.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml"
],
"tags": [
@@ -29891,9 +29915,9 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/M_haggis/status/900741347035889665",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://twitter.com/M_haggis/status/1032799638213066752",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
],
"tags": [
@@ -29926,8 +29950,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
"https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
+ "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml"
],
"tags": [
@@ -30211,8 +30235,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
"https://ngrok.com/",
+ "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml"
],
"tags": [
@@ -30279,8 +30303,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://redcanary.com/blog/child-processes/",
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml"
],
"tags": [
@@ -30389,8 +30413,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
"https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
+ "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml"
],
"tags": "No established tags"
@@ -30411,8 +30435,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://megatools.megous.com/",
"https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://megatools.megous.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
],
"tags": [
@@ -30554,8 +30578,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/binderlabs/DirCreate2System",
"https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
+ "https://github.com/binderlabs/DirCreate2System",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml"
],
"tags": [
@@ -30581,10 +30605,10 @@
"logsource.product": "windows",
"refs": [
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://twitter.com/luc4m/status/1073181154126254080",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
],
"tags": [
@@ -30650,8 +30674,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
"https://twitter.com/0gtweet/status/1465282548494487554",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml"
],
"tags": [
@@ -30786,11 +30810,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/helpsystems/nanodump",
"https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://github.com/helpsystems/nanodump",
"https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
- "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
"https://www.google.com/search?q=procdump+lsass",
+ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml"
],
"tags": [
@@ -30951,10 +30975,10 @@
"logsource.product": "windows",
"refs": [
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://twitter.com/luc4m/status/1073181154126254080",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
],
"tags": [
@@ -31286,9 +31310,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/afwu/PrintNightmare",
"https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/afwu/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
],
"tags": [
@@ -31638,9 +31662,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml"
],
"tags": [
@@ -31765,11 +31789,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
"https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -31851,21 +31875,21 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/samratashok/nishang",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://github.com/PowerShellMafia/PowerSploit",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/CsEnox/EventViewer-UACBypass",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
+ "https://github.com/CsEnox/EventViewer-UACBypass",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/NetSPI/PowerUpSQL",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
],
"tags": [
@@ -31898,9 +31922,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
],
"tags": [
@@ -32093,8 +32117,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
"https://persistence-info.github.io/Data/powershellprofile.html",
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
],
"tags": [
@@ -32453,9 +32477,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
"https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
],
"tags": [
@@ -32488,9 +32512,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
- "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
"https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
+ "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -32514,9 +32538,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
],
"tags": [
@@ -32538,8 +32562,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml"
],
"tags": [
@@ -32613,8 +32637,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml"
],
"tags": [
@@ -32747,8 +32771,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
+ "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml"
],
"tags": [
@@ -32831,8 +32855,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml"
],
"tags": [
@@ -32958,8 +32982,8 @@
"logsource.product": "windows",
"refs": [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://pentestlab.blog/tag/ntds-dit/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
],
@@ -32993,9 +33017,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
"https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
],
"tags": [
@@ -33062,8 +33086,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
"https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
+ "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml"
],
"tags": [
@@ -33153,8 +33177,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1278977301745741825",
"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
+ "https://twitter.com/SBousseaden/status/1278977301745741825",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
],
"tags": [
@@ -33221,11 +33245,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0/CVE-2021-36934",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
- "https://github.com/search?q=CVE-2021-36934",
- "https://github.com/HuskyHacks/ShadowSteal",
"https://github.com/FireFart/hivenightmare",
+ "https://github.com/search?q=CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
+ "https://github.com/cube0x0/CVE-2021-36934",
+ "https://github.com/HuskyHacks/ShadowSteal",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
],
"tags": [
@@ -33375,10 +33399,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
- "https://github.com/FireFart/hivenightmare/",
- "https://github.com/GossiTheDog/HiveNightmare",
"https://twitter.com/cube0x0/status/1418920190759378944",
+ "https://github.com/FireFart/hivenightmare/",
+ "https://github.com/WiredPulse/Invoke-HiveNightmare",
+ "https://github.com/GossiTheDog/HiveNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml"
],
"tags": [
@@ -33470,9 +33494,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml"
],
"tags": [
@@ -33572,8 +33596,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
+ "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
],
"tags": [
@@ -33755,9 +33779,9 @@
"logsource.product": "windows",
"refs": [
"https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
"https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
],
"tags": "No established tags"
@@ -33812,8 +33836,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml"
],
"tags": [
@@ -33897,9 +33921,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/fox-it/LDAPFragger",
"https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
- "https://github.com/fox-it/LDAPFragger",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
],
"tags": [
@@ -33932,8 +33956,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
"https://twitter.com/Sam0x90/status/1552011547974696960",
+ "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
],
"tags": [
@@ -34273,11 +34297,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://github.com/Wh04m1001/SysmonEoP",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
],
"tags": [
@@ -34373,8 +34397,8 @@
"logsource.product": "windows",
"refs": [
"https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
- "http://addbalance.com/word/startup.htm",
"Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
+ "http://addbalance.com/word/startup.htm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml"
],
"tags": [
@@ -34465,8 +34489,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1552932770464292864",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
+ "https://twitter.com/cyb3rops/status/1552932770464292864",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
],
"tags": [
@@ -34517,8 +34541,8 @@
"logsource.category": "file_rename",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
"https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
+ "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml"
],
"tags": [
@@ -34886,8 +34910,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/lclevy/firepwd",
"https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
+ "https://github.com/lclevy/firepwd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml"
],
"tags": [
@@ -35011,8 +35035,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/notwhickey/status/1333900137232523264",
"https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
+ "https://twitter.com/notwhickey/status/1333900137232523264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
],
"tags": [
@@ -35111,10 +35135,10 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://redcanary.com/blog/misbehaving-rats/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
- "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
],
"tags": [
@@ -35455,8 +35479,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
"https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
+ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml"
],
"tags": [
@@ -35613,8 +35637,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://nsudo.m2team.org/en-us/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml"
],
"tags": [
@@ -35747,8 +35771,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -35845,10 +35869,10 @@
"refs": [
"https://twitter.com/eral4m/status/1479106975967240209",
"https://twitter.com/nas_bench/status/1433344116071583746",
- "https://twitter.com/Hexacorn/status/885258886428725250",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
"http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
"https://twitter.com/eral4m/status/1479080793003671557",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml"
],
"tags": [
@@ -35981,9 +36005,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
- "https://securelist.com/my-name-is-dtrack/93338/",
"https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
+ "https://securelist.com/my-name-is-dtrack/93338/",
+ "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
],
"tags": [
@@ -36074,8 +36098,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml"
],
"tags": [
@@ -36157,8 +36181,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
"https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
+ "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml"
],
"tags": [
@@ -36303,9 +36327,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://twitter.com/frack113/status/1555830623633375232",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml"
],
"tags": [
@@ -36482,9 +36506,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
- "https://twitter.com/countuponsec/status/910977826853068800",
"https://twitter.com/countuponsec/status/910969424215232518",
+ "https://twitter.com/countuponsec/status/910977826853068800",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
],
"tags": [
@@ -36575,8 +36599,8 @@
"logsource.product": "windows",
"refs": [
"https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
- "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
"https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+ "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml"
],
"tags": [
@@ -36657,8 +36681,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"
],
"tags": [
@@ -36691,9 +36715,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
"Reegun J (OCBC Bank)",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
+ "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml"
],
"tags": [
@@ -36759,9 +36783,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/netero1010/TrustedPath-UACBypass-BOF",
- "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml"
],
"tags": [
@@ -36794,8 +36818,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
],
"tags": [
@@ -36828,8 +36852,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml"
@@ -36875,8 +36899,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/Hexacorn/status/1420053502554951689",
- "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+ "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
],
"tags": [
@@ -36997,9 +37021,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/issues/1009",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml"
],
"tags": [
@@ -37081,8 +37105,8 @@
"refs": [
"https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
"https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
],
"tags": [
@@ -37312,8 +37336,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml"
],
"tags": [
@@ -37387,8 +37411,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
"https://github.com/mandiant/SharPersist",
+ "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml"
],
"tags": [
@@ -37802,8 +37826,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
"https://twitter.com/0gtweet/status/1457676633809330184",
+ "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml"
],
"tags": [
@@ -37871,8 +37895,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.youtube.com/watch?v=ro2QuZTIMBM",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml"
],
"tags": [
@@ -37928,11 +37952,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml"
],
"tags": [
@@ -38012,8 +38036,8 @@
"logsource.product": "windows",
"refs": [
"https://www.nirsoft.net/utils/nircmd.html",
- "https://www.nirsoft.net/utils/nircmd2.html#using",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml"
],
"tags": [
@@ -38241,8 +38265,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/harr0ey/status/989617817849876488",
"https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
+ "https://twitter.com/harr0ey/status/989617817849876488",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml"
],
"tags": [
@@ -38586,9 +38610,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/binderlabs/DirCreate2System",
- "https://www.echotrail.io/insights/search/wermgr.exe",
"https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://github.com/binderlabs/DirCreate2System",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml"
],
"tags": "No established tags"
@@ -38677,10 +38701,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
+ "https://twitter.com/Hexacorn/status/1187143326673330176",
"https://redcanary.com/blog/raspberry-robin/",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
- "https://twitter.com/Hexacorn/status/1187143326673330176",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml"
],
"tags": [
@@ -38816,8 +38840,8 @@
"logsource.product": "windows",
"refs": [
"https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml"
],
@@ -39079,9 +39103,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
],
"tags": [
@@ -39504,8 +39528,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
"https://ss64.com/vb/cscript.html",
+ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml"
],
"tags": [
@@ -39611,8 +39635,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml"
],
"tags": [
@@ -39636,9 +39660,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.poweradmin.com/paexec/",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://www.poweradmin.com/paexec/",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml"
],
"tags": [
@@ -39671,8 +39695,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
+ "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml"
],
"tags": [
@@ -39705,8 +39729,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1278977301745741825",
"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
+ "https://twitter.com/SBousseaden/status/1278977301745741825",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml"
],
"tags": [
@@ -39772,14 +39796,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
"https://twitter.com/gN3mes1s/status/941315826107510784",
"https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://github.com/SigmaHQ/sigma/issues/3742",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
],
"tags": [
@@ -39821,9 +39845,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
],
"tags": [
@@ -39890,8 +39914,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml"
],
"tags": [
@@ -39915,9 +39939,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
"https://www.dfirnotes.net/portproxy_detection/",
"https://adepts.of0x.cc/netsh-portproxy-code/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml"
],
"tags": [
@@ -39952,8 +39976,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
],
"tags": [
@@ -40117,8 +40141,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
],
"tags": [
@@ -40206,11 +40230,11 @@
"logsource.product": "windows",
"refs": [
"https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml"
],
"tags": [
@@ -40260,9 +40284,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml"
],
"tags": [
@@ -40363,8 +40387,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml"
],
"tags": [
@@ -40390,8 +40414,8 @@
"logsource.product": "windows",
"refs": [
"https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
- "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml"
],
"tags": [
@@ -40435,8 +40459,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/max_mal_/status/1542461200797163522",
- "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
"https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
+ "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
"https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml"
],
@@ -40495,8 +40519,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
- "https://ss64.com/nt/dsacls.html",
"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
+ "https://ss64.com/nt/dsacls.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
],
"tags": [
@@ -40529,9 +40553,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/h3v0x/CVE-2021-26084_Confluence",
"https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
"https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
+ "https://github.com/h3v0x/CVE-2021-26084_Confluence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml"
],
"tags": [
@@ -40640,9 +40664,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
"https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
"https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+ "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml"
],
"tags": [
@@ -40768,10 +40792,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml"
],
"tags": [
@@ -40925,9 +40949,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_felamos/status/1204705548668555264",
- "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
+ "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
+ "https://twitter.com/_felamos/status/1204705548668555264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml"
],
"tags": [
@@ -40960,8 +40984,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
],
"tags": [
@@ -41109,8 +41133,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://www.echotrail.io/insights/search/wusa.exe/",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml"
],
"tags": [
@@ -41199,8 +41223,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
"https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
],
"tags": [
@@ -41358,8 +41382,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
],
"tags": [
@@ -41472,9 +41496,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/filip_dragovic/status/1590052248260055041",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
"https://twitter.com/filip_dragovic/status/1590104354727436290",
+ "https://twitter.com/filip_dragovic/status/1590052248260055041",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml"
],
"tags": "No established tags"
@@ -41528,9 +41552,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
"https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
],
"tags": [
@@ -41708,8 +41732,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ReaQta/status/1222548288731217921",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://twitter.com/ReaQta/status/1222548288731217921",
"https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
"https://www.activecyber.us/activelabs/windows-uac-bypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
@@ -41745,9 +41769,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
- "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
"https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
+ "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
+ "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
],
"tags": [
@@ -41843,8 +41867,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vysecurity/status/977198418354491392",
"https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
+ "https://twitter.com/vysecurity/status/977198418354491392",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml"
],
"tags": [
@@ -41878,8 +41902,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
"https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
],
"tags": [
@@ -42021,8 +42045,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "Turla has used fsutil fsinfo drives to list connected drives.",
"https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
+ "Turla has used fsutil fsinfo drives to list connected drives.",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
],
"tags": [
@@ -42214,15 +42238,15 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
"https://blog.talosintelligence.com/2017/05/wannacry.html",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
],
"tags": [
@@ -42257,9 +42281,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
],
"tags": [
@@ -42283,8 +42307,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
],
@@ -42328,8 +42352,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml"
],
"tags": [
@@ -42362,8 +42386,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
"https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
+ "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_impersonation_tool.yml"
],
"tags": [
@@ -42495,11 +42519,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
- "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
- "https://twitter.com/bohops/status/980659399495741441",
"https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
+ "https://twitter.com/bohops/status/980659399495741441",
+ "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml"
],
"tags": [
@@ -42599,9 +42623,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/bryon_/status/975835709587075072",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
"https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
- "https://twitter.com/bryon_/status/975835709587075072",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml"
],
"tags": [
@@ -42801,8 +42825,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
"https://github.com/cube0x0",
+ "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml"
],
"tags": "No established tags"
@@ -42823,8 +42847,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
],
"tags": [
@@ -42858,9 +42882,9 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
"https://twitter.com/Z3Jpa29z/status/1317545798981324801",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml"
],
"tags": [
@@ -42963,8 +42987,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
"https://www.scythe.io/library/threat-emulation-qakbot",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml"
],
"tags": [
@@ -43031,8 +43055,8 @@
"logsource.product": "windows",
"refs": [
"https://www.nirsoft.net/utils/nircmd.html",
- "https://www.nirsoft.net/utils/nircmd2.html#using",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml"
],
"tags": [
@@ -43099,8 +43123,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml"
],
"tags": [
@@ -43124,10 +43148,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
- "https://github.com/hfiref0x/UACME",
"https://twitter.com/hFireF0X/status/897640081053364225",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml"
],
"tags": [
@@ -43298,9 +43322,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1186631731543236608",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
"https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://twitter.com/cyb3rops/status/1186631731543236608",
"https://github.com/Neo23x0/DLLRunner",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
],
@@ -43435,9 +43459,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
],
"tags": [
@@ -43579,8 +43603,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml"
],
"tags": [
@@ -43670,8 +43694,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml"
],
@@ -43876,8 +43900,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://redcanary.com/blog/child-processes/",
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml"
],
"tags": [
@@ -43901,10 +43925,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
"https://twitter.com/0gtweet/status/1583356502340870144",
+ "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
],
"tags": [
@@ -43945,11 +43969,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
"https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
+ "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml"
],
"tags": [
@@ -43982,9 +44006,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
],
"tags": [
@@ -44017,9 +44041,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
"https://twitter.com/haroonmeer/status/939099379834658817",
"https://twitter.com/c_APT_ure/status/939475433711722497",
+ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml"
],
"tags": [
@@ -44380,8 +44404,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
"https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
+ "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
],
"tags": "No established tags"
@@ -44509,8 +44533,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/defaultpack.exe",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
+ "https://www.echotrail.io/insights/search/defaultpack.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml"
],
"tags": [
@@ -44545,8 +44569,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
"https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
"https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
@@ -44614,8 +44638,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/Kevin-Robertson/Inveigh",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml"
],
"tags": [
@@ -44648,8 +44672,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml"
],
"tags": [
@@ -44758,8 +44782,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml"
],
"tags": [
@@ -44951,11 +44975,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
- "https://twitter.com/egre55/status/1087685529016193025",
"https://twitter.com/JohnLaTwC/status/835149808817991680",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml"
],
"tags": [
@@ -45266,8 +45290,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
@@ -45387,8 +45411,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
+ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
],
@@ -45447,8 +45471,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
"https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
+ "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
],
"tags": [
@@ -45481,8 +45505,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
@@ -45561,10 +45585,10 @@
"logsource.product": "windows",
"refs": [
"https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
- "https://github.com/ohpe/juicy-potato",
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
- "https://pentestlab.blog/2017/04/13/hot-potato/",
"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://github.com/ohpe/juicy-potato",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml"
],
"tags": [
@@ -45632,8 +45656,8 @@
"logsource.product": "windows",
"refs": [
"https://nmap.org/ncat/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://www.revshells.com/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml"
],
"tags": [
@@ -45727,8 +45751,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
"https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml"
@@ -45763,8 +45787,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://hashcat.net/wiki/doku.php?id=hashcat",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat",
+ "https://hashcat.net/wiki/doku.php?id=hashcat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hashcat.yml"
],
"tags": [
@@ -45826,9 +45850,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://twitter.com/frack113/status/1555830623633375232",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml"
],
"tags": [
@@ -45927,8 +45951,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml"
],
@@ -46097,11 +46121,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
"https://twitter.com/Hexacorn/status/885553465417756673",
- "https://twitter.com/vysecurity/status/885545634958385153",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://twitter.com/Hexacorn/status/885570278637678592",
+ "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
+ "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+ "https://twitter.com/vysecurity/status/885545634958385153",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml"
],
"tags": [
@@ -46191,9 +46215,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
"https://processhacker.sourceforge.io/",
"https://github.com/winsiderss/systeminformer",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml"
],
"tags": "No established tags"
@@ -46214,8 +46238,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml"
],
"tags": [
@@ -46385,8 +46409,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml"
],
"tags": [
@@ -46461,8 +46485,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
"https://github.com/yosqueoy/ditsnap",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml"
],
"tags": [
@@ -46495,8 +46519,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml"
],
"tags": [
@@ -46529,8 +46553,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/for.html",
"https://ss64.com/ps/foreach-object.htmll",
+ "https://ss64.com/nt/for.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml"
],
@@ -46587,8 +46611,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml"
],
"tags": [
@@ -46662,8 +46686,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/dsnezhkov/TruffleSnout",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
+ "https://github.com/dsnezhkov/TruffleSnout",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml"
],
"tags": [
@@ -46775,8 +46799,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
- "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
"https://redcanary.com/threat-detection-report/threats/qbot/",
+ "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"
],
"tags": [
@@ -46809,9 +46833,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
],
"tags": [
@@ -46861,10 +46885,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
- "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
"https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
"https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
+ "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml"
],
"tags": [
@@ -47118,8 +47142,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
"https://github.com/med0x2e/vba2clr",
+ "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml"
],
"tags": [
@@ -47167,8 +47191,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_felamos/status/1179811992841797632",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
+ "https://twitter.com/_felamos/status/1179811992841797632",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml"
],
"tags": [
@@ -47235,9 +47259,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml"
],
"tags": [
@@ -47319,8 +47343,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
"https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224",
+ "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml"
],
"tags": [
@@ -47465,8 +47489,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml"
],
"tags": [
@@ -47516,8 +47540,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tccontre18/status/1480950986650832903",
"https://twitter.com/mrd0x/status/1461041276514623491c19-ps",
+ "https://twitter.com/tccontre18/status/1480950986650832903",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml"
],
"tags": [
@@ -47729,8 +47753,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
"https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
+ "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml"
],
"tags": [
@@ -47895,8 +47919,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
"https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml"
],
"tags": [
@@ -47999,8 +48023,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
"https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml"
],
"tags": [
@@ -48051,8 +48075,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml"
],
"tags": [
@@ -48085,8 +48109,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://twitter.com/orange_8361/status/1518970259868626944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -48111,11 +48135,11 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.joeware.net/freetools/tools/adfind/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml"
],
"tags": [
@@ -48364,8 +48388,8 @@
"logsource.product": "windows",
"refs": [
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
- "https://www.php.net/manual/en/features.commandline.php",
"https://www.revshells.com/",
+ "https://www.php.net/manual/en/features.commandline.php",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
],
"tags": [
@@ -48422,9 +48446,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/bash/rar.html",
- "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
+ "https://ss64.com/bash/rar.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml"
],
"tags": [
@@ -48528,8 +48552,8 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
- "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml"
],
"tags": [
@@ -48657,8 +48681,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml"
],
"tags": [
@@ -48882,14 +48906,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
"https://twitter.com/gN3mes1s/status/941315826107510784",
"https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://github.com/SigmaHQ/sigma/issues/3742",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
],
"tags": [
@@ -49054,12 +49078,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
"https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -49084,8 +49108,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/med0x2e/status/1520402518685200384",
"https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
+ "https://twitter.com/med0x2e/status/1520402518685200384",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
],
"tags": [
@@ -49119,8 +49143,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/16",
+ "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml"
],
"tags": [
@@ -49144,8 +49168,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
"https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml"
],
"tags": [
@@ -49269,8 +49293,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml"
],
@@ -49329,9 +49353,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
"https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
+ "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml"
],
"tags": [
@@ -49398,9 +49422,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fortiguard.com/threat-signal-report/4718?s=09",
"https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://www.fortiguard.com/threat-signal-report/4718?s=09",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"
],
"tags": [
@@ -49433,10 +49457,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
"https://github.com/defaultnamehere/cookie_crimes/",
"https://github.com/wunderwuzzi23/firefox-cookiemonster",
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
+ "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml"
],
"tags": [
@@ -49576,8 +49600,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml"
],
"tags": [
@@ -49736,8 +49760,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
"https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
+ "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml"
],
"tags": [
@@ -49770,8 +49794,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -49795,8 +49819,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
],
"tags": [
@@ -49853,9 +49877,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
],
"tags": [
@@ -49964,8 +49988,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
"https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
],
@@ -50032,8 +50056,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
"https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
+ "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
],
"tags": [
@@ -50296,10 +50320,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
],
"tags": [
@@ -50350,11 +50374,11 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.joeware.net/freetools/tools/adfind/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
],
"tags": [
@@ -50397,11 +50421,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.alyac.co.kr/1901",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
"https://twitter.com/cyberwar_15/status/1187287262054076416",
"https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
"https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
+ "https://blog.alyac.co.kr/1901",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
],
"tags": [
@@ -50602,9 +50626,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/nas_bench/status/1534957360032120833",
"https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
- "https://twitter.com/nas_bench/status/1534957360032120833",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"
],
"tags": [
@@ -50737,8 +50761,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml"
],
"tags": [
@@ -50771,8 +50795,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100",
"https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/",
+ "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml"
],
"tags": [
@@ -50806,8 +50830,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml"
],
"tags": [
@@ -50849,8 +50873,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Oddvarmoe/status/985518877076541440",
"https://lolbas-project.github.io/lolbas/Binaries/Print/",
+ "https://twitter.com/Oddvarmoe/status/985518877076541440",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml"
],
"tags": [
@@ -51035,8 +51059,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
"https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
],
"tags": [
@@ -51110,9 +51134,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.echotrail.io/insights/search/mshta.exe",
"https://en.wikipedia.org/wiki/HTML_Application",
"https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
- "https://www.echotrail.io/insights/search/mshta.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml"
],
"tags": [
@@ -51145,8 +51169,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ps_download_com_cradles.yml"
],
"tags": "No established tags"
@@ -51201,10 +51225,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
"https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml"
],
"tags": [
@@ -51530,9 +51554,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
"https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml"
],
"tags": [
@@ -51557,9 +51581,9 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/SBousseaden/status/1211636381086339073",
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
],
"tags": [
@@ -51663,8 +51687,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/sensepost/impersonate",
"https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
+ "https://github.com/sensepost/impersonate",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml"
],
"tags": [
@@ -51706,8 +51730,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -51804,9 +51828,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://twitter.com/jonasLyk/status/1555914501802921984",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
],
"tags": [
@@ -51907,8 +51931,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Gal_B1t/status/1062971006078345217",
"https://twitter.com/hexacorn/status/1448037865435320323",
+ "https://twitter.com/Gal_B1t/status/1062971006078345217",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml"
],
"tags": [
@@ -52015,9 +52039,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
+ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml"
],
"tags": [
@@ -52300,9 +52324,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://twitter.com/_JohnHammond/status/1531672601067675648",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml"
],
"tags": [
@@ -52401,11 +52425,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
"https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://twitter.com/BleepinComputer/status/1372218235949617161",
"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
- "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
],
"tags": [
@@ -52439,8 +52463,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
],
@@ -52606,10 +52630,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
"https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
- "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
+ "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
"https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
+ "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
],
"tags": [
@@ -52700,8 +52724,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
"https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
],
"tags": [
@@ -52860,8 +52884,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
],
"tags": [
@@ -52884,8 +52908,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt",
"https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/",
+ "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml"
],
"tags": [
@@ -52996,9 +53020,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
],
"tags": [
@@ -53151,9 +53175,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/lukebaggett/dnscat2-powershell",
"https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
"https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html",
+ "https://github.com/lukebaggett/dnscat2-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml"
],
"tags": [
@@ -53252,8 +53276,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/",
- "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
"https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
+ "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml"
],
"tags": [
@@ -53321,8 +53345,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
"https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
+ "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml"
],
"tags": [
@@ -53601,8 +53625,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml"
],
"tags": [
@@ -53800,10 +53824,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
"https://nodejs.org/api/cli.html",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
],
"tags": [
@@ -53836,8 +53860,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JohnLaTwC/status/1082851155481288706",
"https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
+ "https://twitter.com/JohnLaTwC/status/1082851155481288706",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml"
],
"tags": [
@@ -53871,8 +53895,8 @@
"logsource.product": "windows",
"refs": [
"https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
- "https://github.com/hfiref0x/UACME",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
],
"tags": [
@@ -54040,10 +54064,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
"https://adsecurity.org/?p=2604",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -54076,8 +54100,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://twitter.com/pabraeken/status/990717080805789697",
+ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml"
],
@@ -54137,8 +54161,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/mttaggart/quasar",
"https://taggart-tech.com/quasar-electron/",
+ "https://github.com/mttaggart/quasar",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
],
"tags": [
@@ -54194,12 +54218,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Wietze/status/1542107456507203586",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
"https://twitter.com/shantanukhande/status/1229348874298388484",
- "https://twitter.com/Hexacorn/status/1224848930795552769",
"https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
"https://twitter.com/SBousseaden/status/1167417096374050817",
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
+ "https://twitter.com/Wietze/status/1542107456507203586",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml"
],
"tags": [
@@ -54236,15 +54260,15 @@
"logsource.product": "windows",
"refs": [
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml"
],
"tags": [
@@ -54377,8 +54401,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml"
],
"tags": [
@@ -54467,9 +54491,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/pabraeken/status/990758590020452353",
"https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
- "https://twitter.com/pabraeken/status/990758590020452353",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
],
"tags": [
@@ -54502,9 +54526,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
"https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
"https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
- "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml"
],
"tags": [
@@ -54710,9 +54734,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
"https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
"https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
- "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml"
],
"tags": [
@@ -54788,10 +54812,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vysecurity/status/873181705024266241",
- "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
"https://twitter.com/vysecurity/status/974806438316072960",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
+ "https://twitter.com/vysecurity/status/873181705024266241",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
],
"tags": [
@@ -54859,8 +54883,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
"https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
],
"tags": [
@@ -54901,8 +54925,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"https://github.com/jpillora/chisel/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml"
],
@@ -54993,8 +55017,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
"https://twitter.com/pabraeken/status/993497996179492864",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml"
],
"tags": [
@@ -55095,8 +55119,8 @@
"logsource.product": "windows",
"refs": [
"https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml"
],
"tags": [
@@ -55120,8 +55144,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
"https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml"
],
"tags": [
@@ -55514,8 +55538,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml"
],
"tags": [
@@ -55581,8 +55605,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
"https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
"https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml"
],
@@ -55649,10 +55673,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
+ "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
"https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/",
"https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
- "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
+ "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml"
],
"tags": [
@@ -55825,9 +55849,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://www.intrinsec.com/apt27-analysis/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
],
"tags": [
@@ -55903,8 +55927,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/cw1997/NATBypass",
"https://github.com/HiwinCN/HTran",
+ "https://github.com/cw1997/NATBypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_htran.yml"
],
"tags": [
@@ -55938,8 +55962,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
"https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml"
],
"tags": [
@@ -55972,9 +55996,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
- "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
+ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
+ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
],
"tags": [
@@ -56330,8 +56354,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml"
],
"tags": [
@@ -56422,10 +56446,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/antonioCoco/RogueWinRM",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://github.com/antonioCoco/RogueWinRM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
],
"tags": [
@@ -56458,10 +56482,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
- "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
"https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
"https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
+ "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
+ "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
"https://www.joesandbox.com/analysis/443736/0/html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml"
],
@@ -56520,9 +56544,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cobaltstrike.com/help-windows-executable",
- "https://redcanary.com/threat-detection-report/",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://redcanary.com/threat-detection-report/",
+ "https://www.cobaltstrike.com/help-windows-executable",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml"
],
"tags": [
@@ -56635,9 +56659,9 @@
"logsource.product": "windows",
"refs": [
"https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
- "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
- "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
"https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
+ "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
+ "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml"
],
"tags": [
@@ -56670,10 +56694,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://twitter.com/splinter_code/status/1483815103279603714",
"https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml"
],
"tags": "No established tags"
@@ -56694,9 +56718,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
"https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
"https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
],
"tags": [
@@ -56754,8 +56778,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
"https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
+ "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml"
],
"tags": [
@@ -56798,8 +56822,8 @@
"logsource.product": "windows",
"refs": [
"https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
"https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml"
],
"tags": [
@@ -56865,8 +56889,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml"
],
"tags": [
@@ -56935,8 +56959,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
- "https://github.com/fireeye/DueDLLigence",
"https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
+ "https://github.com/fireeye/DueDLLigence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
],
"tags": [
@@ -57003,8 +57027,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
"https://github.com/tevora-threat/SharpView/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml"
],
"tags": [
@@ -57055,8 +57079,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
"https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml"
],
"tags": [
@@ -57081,8 +57105,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
- "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml"
],
"tags": [
@@ -57182,8 +57206,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
"https://attack.mitre.org/software/S0108/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml"
],
"tags": [
@@ -57217,8 +57241,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/msbuild.exe",
"https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/",
+ "https://www.echotrail.io/insights/search/msbuild.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml"
],
"tags": [
@@ -57341,8 +57365,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
"https://twitter.com/cglyer/status/1183756892952248325",
+ "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml"
],
"tags": [
@@ -57367,9 +57391,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/defaultnamehere/cookie_crimes/",
- "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
"https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml"
],
"tags": [
@@ -57600,8 +57624,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.youtube.com/watch?v=ro2QuZTIMBM",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml"
],
"tags": [
@@ -57624,8 +57648,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.joesandbox.com/analysis/476188/1/iochtml",
"https://twitter.com/neonprimetime/status/1435584010202255375",
+ "https://www.joesandbox.com/analysis/476188/1/iochtml",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml"
],
@@ -57694,8 +57718,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml"
],
"tags": [
@@ -57720,9 +57744,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
"https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
- "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml"
],
"tags": [
@@ -57917,8 +57941,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
],
"tags": [
@@ -58085,8 +58109,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml"
],
"tags": [
@@ -58119,8 +58143,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml"
],
"tags": [
@@ -58213,8 +58237,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
"https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
],
"tags": [
@@ -58298,8 +58322,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
- "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
],
@@ -58349,8 +58373,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
"http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml"
],
@@ -58465,8 +58489,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/kmkz_security/status/1220694202301976576",
"https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
+ "https://twitter.com/kmkz_security/status/1220694202301976576",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml"
],
"tags": [
@@ -58536,8 +58560,8 @@
"logsource.product": "windows",
"refs": [
"http://www.xuetr.com/",
- "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
"https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml"
],
"tags": "No established tags"
@@ -58559,11 +58583,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
"https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
+ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
"https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
"https://ngrok.com/docs",
"https://twitter.com/xorJosh/status/1598646907802451969",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml"
@@ -58645,9 +58669,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
"https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
],
@@ -58681,8 +58705,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml"
],
"tags": [
@@ -58884,8 +58908,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
"https://twitter.com/bohops/status/1477717351017680899?s=12",
+ "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
],
@@ -58909,9 +58933,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://twitter.com/0gtweet/status/1564968845726580736",
"https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
],
"tags": [
@@ -59004,9 +59028,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
"https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml"
],
@@ -59108,9 +59132,9 @@
"logsource.product": "windows",
"refs": [
"https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
- "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml"
],
"tags": [
@@ -59328,8 +59352,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388",
"https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege",
+ "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml"
],
"tags": [
@@ -59521,8 +59545,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/Rubeus",
"https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
+ "https://github.com/GhostPack/Rubeus",
"https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml"
],
@@ -59635,10 +59659,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
"https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
"https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
"https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml"
],
@@ -59880,8 +59904,8 @@
"refs": [
"https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
"https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
- "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
"https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml"
],
"tags": [
@@ -59971,8 +59995,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
"https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
+ "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml"
],
"tags": [
@@ -60074,8 +60098,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
"https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml"
],
"tags": [
@@ -60110,8 +60134,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml"
],
"tags": [
@@ -60186,8 +60210,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://emkc.org/s/RJjuLa",
"https://redcanary.com/blog/chromeloader/",
+ "https://emkc.org/s/RJjuLa",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml"
],
"tags": [
@@ -60287,8 +60311,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
"https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml"
],
"tags": [
@@ -60324,8 +60348,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml"
],
"tags": [
@@ -60425,8 +60449,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_st0pp3r_/status/1560072680887525378",
"https://twitter.com/Oddvarmoe/status/993383596244258816",
+ "https://twitter.com/_st0pp3r_/status/1560072680887525378",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml"
],
"tags": [
@@ -60468,8 +60492,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml"
],
"tags": [
@@ -60561,8 +60585,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml"
],
"tags": [
@@ -60694,10 +60718,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
"https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
],
"tags": [
@@ -60796,8 +60820,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/raspberry-robin/",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml"
],
"tags": [
@@ -60992,9 +61016,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
"https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
],
"tags": [
@@ -61186,8 +61210,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
"https://redcanary.com/blog/intelligence-insights-december-2021",
+ "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml"
],
"tags": [
@@ -61270,9 +61294,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -61296,9 +61320,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
],
"tags": [
@@ -61414,8 +61438,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml"
],
"tags": [
@@ -62088,11 +62112,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
"https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
"https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
],
"tags": [
@@ -62579,8 +62603,8 @@
"refs": [
"https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
"https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
- "https://twitter.com/nao_sec/status/1530196847679401984",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
],
"tags": [
@@ -62639,8 +62663,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
"https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml"
],
"tags": [
@@ -62790,10 +62814,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://twitter.com/splinter_code/status/1483815103279603714",
"https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml"
],
"tags": "No established tags"
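Review bot: `tags` carries the string sentinel `"No established tags"` on the last line of this hunk, whereas the neighbouring rules have `"tags": [` followed by an array, so a consumer of this cluster must branch on the field's type before iterating; the same sentinel recurs at @@ -65300. That line is context rather than part of the change, so the fix belongs in whatever emits the cluster, presumably the relationship script this commit introduces: emitting `"tags": []` or omitting the key would keep the field's type stable across entries.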
@@ -62814,8 +62838,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml"
],
"tags": [
@@ -62873,8 +62897,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
+ "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml"
],
"tags": [
@@ -62943,8 +62967,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml"
],
"tags": [
@@ -63143,8 +63167,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/shantanu561993/SharpChisel",
"https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
+ "https://github.com/shantanu561993/SharpChisel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml"
],
"tags": [
@@ -63178,8 +63202,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml"
],
"tags": [
@@ -63204,10 +63228,10 @@
"logsource.product": "windows",
"refs": [
"http://blog.sevagas.com/?Hacking-around-HTA-files",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
"https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
"https://twitter.com/mattifestation/status/1326228491302563846",
"https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml"
],
"tags": [
@@ -63328,8 +63352,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
"https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml"
],
"tags": [
@@ -63429,9 +63453,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
],
"tags": [
@@ -63555,9 +63579,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
"https://twitter.com/jonasLyk/status/1555914501802921984",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml"
],
"tags": [
@@ -63590,8 +63614,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Moriarty_Meng/status/984380793383370752",
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
+ "https://twitter.com/Moriarty_Meng/status/984380793383370752",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml"
],
"tags": [
@@ -63973,8 +63997,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml"
],
"tags": [
@@ -63998,8 +64022,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
+ "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml"
],
"tags": [
@@ -64105,9 +64129,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
],
"tags": [
@@ -64173,8 +64197,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://www.exploit-db.com/exploits/37525",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
],
@@ -64331,8 +64355,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
"https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml"
],
"tags": [
@@ -64412,10 +64436,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://twitter.com/cglyer/status/1355171195654709249",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://twitter.com/cglyer/status/1355171195654709249",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml"
],
"tags": [
@@ -64512,9 +64536,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
"https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
"https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
@@ -64653,9 +64677,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
"https://lolbas-project.github.io/lolbas/Binaries/Psr/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml"
],
"tags": [
@@ -64702,11 +64726,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml"
],
"tags": [
@@ -64790,8 +64814,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml"
],
"tags": [
@@ -64877,9 +64901,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.poweradmin.com/paexec/",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://www.poweradmin.com/paexec/",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml"
],
"tags": [
@@ -64912,8 +64936,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
"https://twitter.com/1ZRR4H/status/1534259727059787783",
+ "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml"
],
"tags": [
@@ -64937,9 +64961,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
+ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml"
],
"tags": [
@@ -65073,9 +65097,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
"https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
"https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
+ "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
"https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml"
],
@@ -65109,9 +65133,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
+ "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml"
],
"tags": [
@@ -65177,9 +65201,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
],
"tags": [
@@ -65300,8 +65324,8 @@
"logsource.product": "windows",
"refs": [
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml"
],
"tags": "No established tags"
@@ -65477,9 +65501,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
"https://attack.mitre.org/software/S0404/",
"https://twitter.com/vxunderground/status/1423336151860002816",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml"
],
"tags": [
@@ -65521,8 +65545,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml"
],
"tags": [
@@ -65686,8 +65710,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml"
],
"tags": [
@@ -65720,8 +65744,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/ilasm.exe",
"https://lolbas-project.github.io/lolbas/Binaries/Ilasm/",
+ "https://www.echotrail.io/insights/search/ilasm.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml"
],
"tags": [
@@ -65901,8 +65925,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
"https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
+ "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml"
],
"tags": [
@@ -65938,10 +65962,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://vms.drweb.fr/virus/?i=24144899",
"https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
"https://twitter.com/JohnLaTwC/status/1415295021041979392",
- "https://vms.drweb.fr/virus/?i=24144899",
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml"
],
"tags": [
@@ -65965,8 +65989,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml"
],
"tags": [
@@ -66166,8 +66190,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html",
"https://twitter.com/mattifestation/status/986280382042595328",
+ "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml"
],
"tags": [
@@ -66393,8 +66417,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
"https://twitter.com/pabraeken/status/993298228840992768",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
],
@@ -66482,8 +66506,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml"
],
"tags": [
@@ -66583,8 +66607,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
"https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
],
"tags": [
@@ -66617,8 +66641,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/CyberRaiju/status/1273597319322058752",
"https://twitter.com/bohops/status/1276357235954909188?s=12",
+ "https://twitter.com/CyberRaiju/status/1273597319322058752",
"https://twitter.com/nas_bench/status/1535322450858233858",
"https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml"
@@ -66644,10 +66668,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://twitter.com/lefterispan/status/1286259016436514816",
- "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml"
],
"tags": [
@@ -66772,8 +66796,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
"https://pentestlab.blog/2020/07/06/indirect-command-execution/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml"
],
"tags": [
@@ -66806,8 +66830,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/windowsterminalprofile.html",
"https://twitter.com/nas_bench/status/1550836225652686848",
+ "https://persistence-info.github.io/Data/windowsterminalprofile.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
],
"tags": [
@@ -66864,13 +66888,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://pentestlab.blog/tag/ntds-dit/",
- "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
"https://github.com/zcgonvh/NTDSDumpEx",
+ "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
],
"tags": [
@@ -66903,8 +66927,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml"
],
@@ -66939,12 +66963,12 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
- "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
- "https://www.cobaltstrike.com/help-opsec",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
"https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://www.cobaltstrike.com/help-opsec",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml"
],
"tags": [
@@ -67010,10 +67034,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
"https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
],
"tags": "No established tags"
@@ -67091,8 +67115,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
"https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
],
"tags": [
@@ -67160,9 +67184,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
],
"tags": [
@@ -67253,8 +67277,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
+ "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
],
"tags": [
@@ -67321,8 +67345,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
"https://twitter.com/pabraeken/status/991335019833708544",
+ "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml"
],
"tags": [
@@ -67459,9 +67483,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.joeware.net/freetools/tools/adfind/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml"
],
"tags": [
@@ -67485,8 +67509,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml"
],
"tags": "No established tags"
@@ -67507,8 +67531,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
"https://redcanary.com/blog/child-processes/",
+ "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml"
],
"tags": [
@@ -67643,8 +67667,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml"
],
"tags": [
@@ -67711,9 +67735,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
],
"tags": [
@@ -67804,9 +67828,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml"
],
"tags": [
@@ -67832,10 +67856,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
"https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
+ "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml"
],
"tags": [
@@ -68044,19 +68068,19 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/samratashok/nishang",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
"https://adsecurity.org/?p=2921",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
"https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml"
],
"tags": [
@@ -68289,8 +68313,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
"https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
+ "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
"http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml"
],
@@ -68359,8 +68383,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml"
],
"tags": [
@@ -68384,9 +68408,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
+ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml"
],
"tags": [
@@ -68419,10 +68443,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://twitter.com/lefterispan/status/1286259016436514816",
- "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"
],
"tags": [
@@ -68626,9 +68650,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
- "https://twitter.com/cyb3rops/status/1514217991034097664",
"https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
+ "https://twitter.com/cyb3rops/status/1514217991034097664",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml"
],
"tags": [
@@ -68772,8 +68796,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511489821247684615",
"https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml"
],
"tags": [
@@ -68807,8 +68831,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+ "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"
],
"tags": [
@@ -68856,8 +68880,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
],
"tags": [
@@ -68981,8 +69005,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md",
"https://www.radmin.fr/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_radmin.yml"
],
"tags": [
@@ -69007,8 +69031,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml"
],
"tags": [
@@ -69041,8 +69065,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml"
],
"tags": [
@@ -69183,9 +69207,9 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/mvelazco/status/1410291741241102338",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
+ "https://twitter.com/mvelazco/status/1410291741241102338",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
],
"tags": [
@@ -69317,15 +69341,15 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
"https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
- "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
"https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
"https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
"https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
+ "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
],
"tags": [
@@ -69504,9 +69528,9 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
],
"tags": "No established tags"
@@ -69527,8 +69551,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
],
"tags": [
@@ -69551,8 +69575,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
],
"tags": [
@@ -69575,8 +69599,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
],
"tags": [
@@ -69599,8 +69623,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
],
"tags": [
@@ -69623,8 +69647,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
],
"tags": [
@@ -69647,8 +69671,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
],
"tags": [
@@ -69671,8 +69695,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
],
"tags": [
@@ -69695,8 +69719,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
],
"tags": [
@@ -69719,8 +69743,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
],
"tags": [
@@ -69743,8 +69767,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
],
"tags": [
@@ -69769,8 +69793,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
],
"tags": [
@@ -69953,11 +69977,11 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://o365blog.com/post/aadbackdoor/",
- "https://www.sygnia.co/golden-saml-advisory",
"https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
"https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://www.sygnia.co/golden-saml-advisory",
"https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://o365blog.com/post/aadbackdoor/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
],
"tags": [
@@ -70363,11 +70387,11 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
- "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
"https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"https://github.com/elastic/detection-rules/pull/1267",
+ "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
],
"tags": [
@@ -70416,8 +70440,8 @@
"logsource.product": "gcp",
"refs": [
"https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
- "https://cloud.google.com/kubernetes-engine/docs",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://cloud.google.com/kubernetes-engine/docs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
],
"tags": [
@@ -70468,8 +70492,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml"
],
"tags": [
@@ -70638,8 +70662,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
],
"tags": [
@@ -70672,8 +70696,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
],
@@ -70779,8 +70803,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml"
],
@@ -70884,13 +70908,13 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
"https://github.com/elastic/detection-rules/pull/1145/files",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
],
"tags": [
@@ -71033,8 +71057,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
"https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml"
],
"tags": [
@@ -71429,8 +71453,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml"
],
"tags": [
@@ -71616,9 +71640,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
"https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
"https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
- "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml"
],
"tags": [
@@ -71849,9 +71873,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
+ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
],
"tags": [
@@ -71989,8 +72013,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
"https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
+ "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
],
"tags": [
@@ -72843,8 +72867,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml"
],
"tags": [
@@ -73064,11 +73088,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
],
"tags": [
@@ -74003,11 +74027,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
],
"tags": [
@@ -74065,11 +74089,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
],
"tags": [
@@ -74211,11 +74235,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
],
"tags": [
@@ -74271,8 +74295,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml"
],
"tags": [
@@ -74340,10 +74364,10 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
],
"tags": [
@@ -74426,11 +74450,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
],
"tags": [
@@ -74991,11 +75015,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
],
"tags": [
@@ -75020,11 +75044,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
],
"tags": [
@@ -75157,8 +75181,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/jhencinski/status/1102695118455349248",
"https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
+ "https://twitter.com/jhencinski/status/1102695118455349248",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml"
],
"tags": [
@@ -75483,8 +75507,8 @@
"logsource.product": "No established product",
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml"
],
"tags": [
@@ -75568,11 +75592,11 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
"http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
"https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
"http://www.botopedia.org/search?searchword=scan&searchphrase=all",
"https://perishablepress.com/blacklist/ua-2013.txt",
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml"
],
"tags": [
@@ -75716,8 +75740,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
"https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65",
+ "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml"
],
"tags": [
@@ -75770,8 +75794,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
"https://twitter.com/craiu/status/1167358457344925696",
+ "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml"
],
"tags": [
@@ -75915,8 +75939,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.advanced-ip-scanner.com/",
"https://www.advanced-port-scanner.com/",
+ "https://www.advanced-ip-scanner.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml"
],
"tags": [
@@ -75949,10 +75973,10 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
"https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
"https://www.spamhaus.org/statistics/tlds/",
"https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+ "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml"
],
"tags": [
@@ -76018,8 +76042,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
"https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
+ "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml"
],
"tags": [
@@ -76427,8 +76451,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/wugeej/status/1369476795255320580",
"https://paper.seebug.org/1495/",
+ "https://twitter.com/wugeej/status/1369476795255320580",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml"
],
"tags": [
@@ -76488,9 +76512,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/jas502n/status/1321416053050667009?s=20",
- "https://twitter.com/sudo_sudoka/status/1323951871078223874",
"https://isc.sans.edu/diary/26734",
+ "https://twitter.com/sudo_sudoka/status/1323951871078223874",
+ "https://twitter.com/jas502n/status/1321416053050667009?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml"
],
"tags": [
@@ -76524,10 +76548,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
+ "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
"https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
"https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
- "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
- "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml"
],
"tags": [
@@ -76593,8 +76617,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml"
],
"tags": [
@@ -76627,8 +76651,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
"https://www.anquanke.com/post/id/226029",
+ "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml"
],
"tags": [
@@ -76724,8 +76748,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/search?q=CVE-2021-43798",
"https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
+ "https://github.com/search?q=CVE-2021-43798",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml"
],
"tags": [
@@ -76780,11 +76804,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/sec715/status/1373472323538362371",
"https://twitter.com/Al1ex4/status/1382981479727128580",
"https://github.com/murataydemir/CVE-2021-27905",
- "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
+ "https://twitter.com/sec715/status/1373472323538362371",
"https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
+ "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml"
],
"tags": [
@@ -76818,9 +76842,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
"https://www.yang99.top/index.php/archives/82/",
"https://github.com/vnhacker1337/CVE-2022-27925-PoC",
- "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml"
],
"tags": [
@@ -76854,10 +76878,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
- "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
"https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
+ "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
"https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
+ "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
],
"tags": [
@@ -76893,10 +76917,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/payloadbox/sql-injection-payload-list",
- "https://brightsec.com/blog/sql-injection-payloads/",
"https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
"https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+ "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://github.com/payloadbox/sql-injection-payload-list",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml"
],
"tags": "No established tags"
@@ -77021,8 +77045,8 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
- "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
"https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
+ "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml"
],
"tags": [
@@ -77123,8 +77147,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
"https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
+ "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml"
],
"tags": [
@@ -77148,10 +77172,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://support.f5.com/csp/article/K52145254",
"https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
"https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
"https://twitter.com/yorickkoster/status/1279709009151434754",
+ "https://support.f5.com/csp/article/K52145254",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml"
],
"tags": [
@@ -77184,9 +77208,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
"https://f5.pm/go-59627.html",
"https://swarm.ptsecurity.com/unauth-rce-vmware",
+ "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
],
"tags": [
@@ -77252,9 +77276,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/rapid7/metasploit-framework/pull/17407",
- "https://github.com/0xf4n9x/CVE-2022-46169",
"https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf",
+ "https://github.com/0xf4n9x/CVE-2022-46169",
+ "https://github.com/rapid7/metasploit-framework/pull/17407",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_46169_cacti_exploitation_attempt.yml"
],
"tags": [
@@ -77288,12 +77312,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://news.ycombinator.com/item?id=29504755",
"https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://news.ycombinator.com/item?id=29504755",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml"
],
"tags": [
@@ -77383,10 +77407,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
"https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml"
],
"tags": [
@@ -77445,8 +77469,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/payloadbox/xss-payload-list",
"https://portswigger.net/web-security/cross-site-scripting/contexts",
+ "https://github.com/payloadbox/xss-payload-list",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml"
],
"tags": "No established tags"
@@ -77536,8 +77560,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://blog.assetnote.io/2021/11/02/sitecore-rce/",
"https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776",
+ "https://blog.assetnote.io/2021/11/02/sitecore-rce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml"
],
"tags": [
@@ -77570,8 +77594,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/apache/spark/pull/36315/files",
"https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/apache/spark/pull/36315/files",
"https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml"
],
@@ -77606,8 +77630,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
"https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
+ "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
"https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml"
],
@@ -77741,9 +77765,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml"
],
"tags": [
@@ -77776,9 +77800,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml"
],
"tags": [
@@ -77826,12 +77850,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://news.ycombinator.com/item?id=29504755",
"https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://news.ycombinator.com/item?id=29504755",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
],
"tags": [
@@ -77930,9 +77954,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.tenable.com/security/research/tra-2021-13",
- "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
"https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
+ "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
+ "https://www.tenable.com/security/research/tra-2021-13",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
],
"tags": [
@@ -77967,8 +77991,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
"https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
+ "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml"
],
"tags": [
@@ -78069,12 +78093,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
"https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
- "https://twitter.com/h4x0r_dz/status/1445401960371429381",
"https://twitter.com/bl4sty/status/1445462677824761878",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
+ "https://twitter.com/h4x0r_dz/status/1445401960371429381",
"https://twitter.com/ptswarm/status/1445376079548624899",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
+ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
],
"tags": [
@@ -78107,9 +78131,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
"https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
"https://www.exploit-db.com/exploits/39161",
+ "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml"
],
"tags": [
@@ -78144,9 +78168,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://github.com/lijiejie/IIS_shortname_Scanner",
"https://www.exploit-db.com/exploits/19525",
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
- "https://github.com/lijiejie/IIS_shortname_Scanner",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml"
],
"tags": [
@@ -78326,10 +78350,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://support.citrix.com/article/CTX267027",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
- "https://support.citrix.com/article/CTX267679",
"https://isc.sans.edu/diary/25686",
+ "https://support.citrix.com/article/CTX267679",
+ "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
+ "https://support.citrix.com/article/CTX267027",
"https://twitter.com/mpgn_x64/status/1216787131210829826",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
],
@@ -78440,9 +78464,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
- "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
"https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
+ "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
+ "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
],
"tags": [
@@ -78709,8 +78733,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
+ "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
],
"tags": [
@@ -79316,8 +79340,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
"https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
],
"tags": [
@@ -79374,9 +79398,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
"https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
],
"tags": [
@@ -79489,8 +79513,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
"https://gist.github.com/Capybara/6228955",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml"
],
"tags": [
@@ -79548,10 +79572,10 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
],
"tags": "No established tags"
@@ -79570,9 +79594,9 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
],
"tags": "No established tags"
@@ -79593,9 +79617,9 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
],
"tags": "No established tags"
@@ -79616,8 +79640,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
"https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml"
],
"tags": [
@@ -79773,8 +79797,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
],
"tags": [
@@ -80008,9 +80032,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
"https://linux.die.net/man/8/insmod",
"https://man7.org/linux/man-pages/man8/kmod.8.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
],
"tags": [
@@ -80069,9 +80093,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://github.com/berdav/CVE-2021-4034",
"https://access.redhat.com/security/cve/CVE-2021-4034",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
- "https://github.com/berdav/CVE-2021-4034",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml"
],
"tags": [
@@ -80104,8 +80128,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
"https://imagemagick.org/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
"https://linux.die.net/man/1/import",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
],
@@ -80130,8 +80154,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
"https://firewalld.org/documentation/man-pages/firewall-cmd.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
],
"tags": [
@@ -80189,9 +80213,9 @@
"logsource.product": "linux",
"refs": [
"https://mn3m.info/posts/suid-vs-capabilities/",
+ "https://man7.org/linux/man-pages/man8/getcap.8.html",
"https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
"https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
- "https://man7.org/linux/man-pages/man8/getcap.8.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
],
"tags": [
@@ -80250,8 +80274,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "Self Experience",
"https://github.com/Neo23x0/auditd/blob/master/audit.rules",
+ "Self Experience",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml"
],
"tags": [
@@ -80275,8 +80299,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
"https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
],
"tags": [
@@ -80664,8 +80688,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
],
"tags": [
@@ -80830,8 +80854,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
"https://linux.die.net/man/1/xwd",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml"
],
"tags": [
@@ -80922,10 +80946,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+ "https://linux.die.net/man/1/chage",
"https://man7.org/linux/man-pages/man1/passwd.1.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
- "https://linux.die.net/man/1/chage",
- "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
],
"tags": [
@@ -81050,10 +81074,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
"https://linux.die.net/man/8/pam_tty_audit",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
],
"tags": [
@@ -81153,9 +81177,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
"https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
"https://access.redhat.com/articles/4409591#audit-record-types-2",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
],
"tags": [
@@ -81188,9 +81212,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://book.hacktricks.xyz/shells/shells/linux",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
"https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
+ "https://book.hacktricks.xyz/shells/shells/linux",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
],
"tags": [
@@ -81459,9 +81483,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
"https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
"https://linux.die.net/man/8/useradd",
+ "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
],
"tags": [
@@ -81618,9 +81642,9 @@
"logsource.product": "linux",
"refs": [
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
+ "https://artkond.com/2017/03/23/pivoting-guide/",
"http://pastebin.com/FtygZ1cg",
"http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
- "https://artkond.com/2017/03/23/pivoting-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
],
"tags": [
@@ -81653,9 +81677,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
"https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml",
"https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/",
- "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml"
],
"tags": [
@@ -81945,8 +81969,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
"https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
+ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
],
"tags": [
@@ -82212,8 +82236,8 @@
"logsource.category": "file_event",
"logsource.product": "linux",
"refs": [
- "https://www.makeuseof.com/how-to-install-and-use-doas/",
"https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
+ "https://www.makeuseof.com/how-to-install-and-use-doas/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
],
"tags": [
@@ -82246,8 +82270,8 @@
"logsource.category": "network_connection",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
"https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
+ "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"
],
"tags": [
@@ -82506,8 +82530,8 @@
"logsource.product": "linux",
"refs": [
"https://gtfobins.github.io/gtfobins/vim/",
- "https://gtfobins.github.io/gtfobins/vimdiff/",
"https://gtfobins.github.io/gtfobins/rvim/",
+ "https://gtfobins.github.io/gtfobins/vimdiff/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
],
"tags": [
@@ -82802,11 +82826,11 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
+ "https://curl.se/docs/manpage.html",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://curl.se/docs/manpage.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
],
"tags": [
@@ -82847,8 +82871,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/apt/",
"https://gtfobins.github.io/gtfobins/apt-get/",
+ "https://gtfobins.github.io/gtfobins/apt/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml"
],
"tags": [
@@ -82872,10 +82896,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
"https://linux.die.net/man/8/userdel",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
],
"tags": [
@@ -83136,8 +83160,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
"https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
+ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"
],
"tags": [
@@ -83262,8 +83286,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
"https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml"
],
"tags": [
@@ -83380,10 +83404,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/8/groupdel",
"https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://linux.die.net/man/8/groupdel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
],
"tags": [
@@ -83416,8 +83440,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
"https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
+ "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml"
],
"tags": [
@@ -83450,8 +83474,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/carlospolop/PEASS-ng",
"https://github.com/diego-treitos/linux-smart-enumeration",
+ "https://github.com/carlospolop/PEASS-ng",
"https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
],
@@ -83713,8 +83737,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
"https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml"
],
"tags": [
@@ -83765,9 +83789,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/nohup/",
"https://en.wikipedia.org/wiki/Nohup",
"https://www.computerhope.com/unix/unohup.htm",
+ "https://gtfobins.github.io/gtfobins/nohup/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
],
"tags": "No established tags"
@@ -84058,8 +84082,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
"https://attack.mitre.org/techniques/T1548/001/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
],
"tags": [
@@ -84092,8 +84116,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/apache/spark/pull/36315/files",
"https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/apache/spark/pull/36315/files",
"https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
],
@@ -84161,8 +84185,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
"https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
+ "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
],
"tags": [
@@ -84222,5 +84246,5 @@
"value": "Security Software Discovery - Linux"
}
],
- "version": "20230112"
+ "version": 20230112
}
From 997e570ad23aad74ddd3ec6517c71b907fa0cdfd Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 13 Jan 2023 16:38:56 +0100
Subject: [PATCH 06/13] fix: [sigma] version must be an int
---
tools/sigma/sigma-to-galaxy.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/sigma/sigma-to-galaxy.py b/tools/sigma/sigma-to-galaxy.py
index ef912e6..50b8e50 100644
--- a/tools/sigma/sigma-to-galaxy.py
+++ b/tools/sigma/sigma-to-galaxy.py
@@ -127,7 +127,7 @@ def create_cluster(uuidGalaxy=unique_uuid):
:return cluster: Dict with the basic information needed for the JSON file.
"""
- version = time.strftime("%Y%m%d")
+ version = int(time.strftime("%Y%m%d"))
cluster = {
"authors": ["@Joseliyo_Jstnk"],
"category": "rules",
From 071ecb8a52dd98bdc07e82d6df01c39e4f5d1ef9 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Mon, 16 Jan 2023 21:35:22 +0100
Subject: [PATCH 07/13] add: [country] Added references between `country`
cluster values and the related region they're located in, from the `region`
galaxy cluster
---
clusters/country.json | 1284 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 1284 insertions(+)
diff --git a/clusters/country.json b/clusters/country.json
index d564991..066d876 100644
--- a/clusters/country.json
+++ b/clusters/country.json
@@ -22,6 +22,12 @@
"Population": "84000",
"tld": ".ad"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2414e44",
"value": "andorra"
},
@@ -38,6 +44,12 @@
"Population": "4975593",
"tld": ".ae"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2415245",
"value": "united arab emirates"
},
@@ -54,6 +66,12 @@
"Population": "29121286",
"tld": ".af"
},
+ "related": [
+ {
+ "dest-uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2414647",
"value": "afghanistan"
},
@@ -70,6 +88,12 @@
"Population": "86754",
"tld": ".ag"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2415447",
"value": "antigua and barbuda"
},
@@ -86,6 +110,12 @@
"Population": "13254",
"tld": ".ai"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2414941",
"value": "anguilla"
},
@@ -102,6 +132,12 @@
"Population": "2986952",
"tld": ".al"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2414c42",
"value": "albania"
},
@@ -118,6 +154,12 @@
"Population": "2968000",
"tld": ".am"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b241524d",
"value": "armenia"
},
@@ -134,6 +176,12 @@
"Population": "13068161",
"tld": ".ao"
},
+ "related": [
+ {
+ "dest-uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b241474f",
"value": "angola"
},
@@ -150,6 +198,12 @@
"Population": "0",
"tld": ".aq"
},
+ "related": [
+ {
+ "dest-uuid": "8d87018b-e8bb-472e-841b-4429fb6b9bc0",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2415441",
"value": "antarctica"
},
@@ -166,6 +220,12 @@
"Population": "41343201",
"tld": ".ar"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2415247",
"value": "argentina"
},
@@ -182,6 +242,12 @@
"Population": "57881",
"tld": ".as"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b241534d",
"value": "american samoa"
},
@@ -198,6 +264,12 @@
"Population": "8205000",
"tld": ".at"
},
+ "related": [
+ {
+ "dest-uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2415554",
"value": "austria"
},
@@ -214,6 +286,12 @@
"Population": "21515754",
"tld": ".au"
},
+ "related": [
+ {
+ "dest-uuid": "93dd8987-1466-493f-b5dc-c2b7fe762d75",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2415553",
"value": "australia"
},
@@ -230,6 +308,12 @@
"Population": "71566",
"tld": ".aw"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2414257",
"value": "aruba"
},
@@ -262,6 +346,12 @@
"Population": "8303512",
"tld": ".az"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2415a45",
"value": "azerbaijan"
},
@@ -278,6 +368,12 @@
"Population": "4590000",
"tld": ".ba"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424948",
"value": "bosnia and herzegovina"
},
@@ -294,6 +390,12 @@
"Population": "285653",
"tld": ".bb"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2425242",
"value": "barbados"
},
@@ -310,6 +412,12 @@
"Population": "156118464",
"tld": ".bd"
},
+ "related": [
+ {
+ "dest-uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424744",
"value": "bangladesh"
},
@@ -326,6 +434,12 @@
"Population": "10403000",
"tld": ".be"
},
+ "related": [
+ {
+ "dest-uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b242454c",
"value": "belgium"
},
@@ -342,6 +456,12 @@
"Population": "16241811",
"tld": ".bf"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424641",
"value": "burkina faso"
},
@@ -358,6 +478,12 @@
"Population": "7000039",
"tld": ".bg"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424752",
"value": "bulgaria"
},
@@ -374,6 +500,12 @@
"Population": "738004",
"tld": ".bh"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424852",
"value": "bahrain"
},
@@ -390,6 +522,12 @@
"Population": "9863117",
"tld": ".bi"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424449",
"value": "burundi"
},
@@ -406,6 +544,12 @@
"Population": "9056010",
"tld": ".bj"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b242454e",
"value": "benin"
},
@@ -438,6 +582,12 @@
"Population": "65365",
"tld": ".bm"
},
+ "related": [
+ {
+ "dest-uuid": "64974dea-c6c9-462d-9fcf-4456a397d591",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424d55",
"value": "bermuda"
},
@@ -502,6 +652,12 @@
"Population": "201103330",
"tld": ".br"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2425241",
"value": "brazil"
},
@@ -518,6 +674,12 @@
"Population": "301790",
"tld": ".bs"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424853",
"value": "bahamas"
},
@@ -534,6 +696,12 @@
"Population": "699847",
"tld": ".bt"
},
+ "related": [
+ {
+ "dest-uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b242544e",
"value": "bhutan"
},
@@ -550,6 +718,12 @@
"Population": "0",
"tld": ".bv"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2425654",
"value": "bouvet island"
},
@@ -566,6 +740,12 @@
"Population": "2029307",
"tld": ".bw"
},
+ "related": [
+ {
+ "dest-uuid": "b95340de-8f29-4dbf-ad0f-a4c0be367e59",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2425741",
"value": "botswana"
},
@@ -582,6 +762,12 @@
"Population": "9685000",
"tld": ".by"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424c52",
"value": "belarus"
},
@@ -598,6 +784,12 @@
"Population": "314522",
"tld": ".bz"
},
+ "related": [
+ {
+ "dest-uuid": "105247d9-e619-4231-b88e-17dd9aed1580",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424c5a",
"value": "belize"
},
@@ -614,6 +806,12 @@
"Population": "33679000",
"tld": ".ca"
},
+ "related": [
+ {
+ "dest-uuid": "64974dea-c6c9-462d-9fcf-4456a397d591",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b243414e",
"value": "canada"
},
@@ -646,6 +844,12 @@
"Population": "70916439",
"tld": ".cd"
},
+ "related": [
+ {
+ "dest-uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2434f44",
"value": "democratic republic of the congo"
},
@@ -662,6 +866,12 @@
"Population": "4844927",
"tld": ".cf"
},
+ "related": [
+ {
+ "dest-uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2434146",
"value": "central african republic"
},
@@ -694,6 +904,12 @@
"Population": "8484100",
"tld": ".ch"
},
+ "related": [
+ {
+ "dest-uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2434845",
"value": "switzerland"
},
@@ -726,6 +942,12 @@
"Population": "21388",
"tld": ".ck"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2434f4b",
"value": "cook islands"
},
@@ -742,6 +964,12 @@
"Population": "16746491",
"tld": ".cl"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484c",
"value": "chile"
},
@@ -758,6 +986,12 @@
"Population": "19294149",
"tld": ".cm"
},
+ "related": [
+ {
+ "dest-uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2434d52",
"value": "cameroon"
},
@@ -774,6 +1008,12 @@
"Population": "1330044000",
"tld": ".cn"
},
+ "related": [
+ {
+ "dest-uuid": "aa46fbd1-54df-4e1e-a5d6-7bced5c59803",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484e",
"value": "china"
},
@@ -790,6 +1030,12 @@
"Population": "47790000",
"tld": ".co"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2434f4c",
"value": "colombia"
},
@@ -806,6 +1052,12 @@
"Population": "4516220",
"tld": ".cr"
},
+ "related": [
+ {
+ "dest-uuid": "105247d9-e619-4231-b88e-17dd9aed1580",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2435249",
"value": "costa rica"
},
@@ -822,6 +1074,12 @@
"Population": "11423000",
"tld": ".cu"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2435542",
"value": "cuba"
},
@@ -838,6 +1096,12 @@
"Population": "508659",
"tld": ".cv"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2435056",
"value": "cabo verde"
},
@@ -870,6 +1134,12 @@
"Population": "1500",
"tld": ".cx"
},
+ "related": [
+ {
+ "dest-uuid": "93dd8987-1466-493f-b5dc-c2b7fe762d75",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2435852",
"value": "christmas island"
},
@@ -886,6 +1156,12 @@
"Population": "1102677",
"tld": ".cy"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2435950",
"value": "cyprus"
},
@@ -902,6 +1178,12 @@
"Population": "10476000",
"tld": ".cz"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2435a45",
"value": "czechia"
},
@@ -918,6 +1200,12 @@
"Population": "81802257",
"tld": ".de"
},
+ "related": [
+ {
+ "dest-uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2444555",
"value": "germany"
},
@@ -934,6 +1222,12 @@
"Population": "740528",
"tld": ".dj"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2444a49",
"value": "djibouti"
},
@@ -950,6 +1244,12 @@
"Population": "5484000",
"tld": ".dk"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2444e4b",
"value": "denmark"
},
@@ -966,6 +1266,12 @@
"Population": "72813",
"tld": ".dm"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2444d41",
"value": "dominica"
},
@@ -982,6 +1288,12 @@
"Population": "9823821",
"tld": ".do"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2444f4d",
"value": "dominican republic"
},
@@ -998,6 +1310,12 @@
"Population": "34586184",
"tld": ".dz"
},
+ "related": [
+ {
+ "dest-uuid": "4a65b439-849b-4fdd-b34d-e80f738a4309",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2445a41",
"value": "algeria"
},
@@ -1014,6 +1332,12 @@
"Population": "14790608",
"tld": ".ec"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2454355",
"value": "ecuador"
},
@@ -1030,6 +1354,12 @@
"Population": "1291170",
"tld": ".ee"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2455354",
"value": "estonia"
},
@@ -1046,6 +1376,12 @@
"Population": "80471869",
"tld": ".eg"
},
+ "related": [
+ {
+ "dest-uuid": "4a65b439-849b-4fdd-b34d-e80f738a4309",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2454759",
"value": "egypt"
},
@@ -1062,6 +1398,12 @@
"Population": "273008",
"tld": ".eh"
},
+ "related": [
+ {
+ "dest-uuid": "4a65b439-849b-4fdd-b34d-e80f738a4309",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2455348",
"value": "western sahara"
},
@@ -1078,6 +1420,12 @@
"Population": "5792984",
"tld": ".er"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2455249",
"value": "eritrea"
},
@@ -1094,6 +1442,12 @@
"Population": "46505963",
"tld": ".es"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2455350",
"value": "spain"
},
@@ -1110,6 +1464,12 @@
"Population": "88013491",
"tld": ".et"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2455448",
"value": "ethiopia"
},
@@ -1126,6 +1486,12 @@
"Population": "5244000",
"tld": ".fi"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b246494e",
"value": "finland"
},
@@ -1142,6 +1508,12 @@
"Population": "875983",
"tld": ".fj"
},
+ "related": [
+ {
+ "dest-uuid": "4cb4b767-2db4-4858-bb28-656816350fef",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2464a49",
"value": "fiji"
},
@@ -1190,6 +1562,12 @@
"Population": "48228",
"tld": ".fo"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b246524f",
"value": "faroe islands"
},
@@ -1206,6 +1584,12 @@
"Population": "64768389",
"tld": ".fr"
},
+ "related": [
+ {
+ "dest-uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2465241",
"value": "france"
},
@@ -1222,6 +1606,12 @@
"Population": "1545255",
"tld": ".ga"
},
+ "related": [
+ {
+ "dest-uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2474142",
"value": "gabon"
},
@@ -1254,6 +1644,12 @@
"Population": "107818",
"tld": ".gd"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2475244",
"value": "grenada"
},
@@ -1270,6 +1666,12 @@
"Population": "4630000",
"tld": ".ge"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b247454f",
"value": "georgia"
},
@@ -1286,6 +1688,12 @@
"Population": "195506",
"tld": ".gf"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2475546",
"value": "french guiana"
},
@@ -1302,6 +1710,12 @@
"Population": "65228",
"tld": ".gg"
},
+ "related": [
+ {
+ "dest-uuid": "76adc9e0-215a-4496-8642-b98ac7715d0f",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2474759",
"value": "guernsey"
},
@@ -1318,6 +1732,12 @@
"Population": "24339838",
"tld": ".gh"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2474841",
"value": "ghana"
},
@@ -1334,6 +1754,12 @@
"Population": "27884",
"tld": ".gi"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2474942",
"value": "gibraltar"
},
@@ -1350,6 +1776,12 @@
"Population": "56375",
"tld": ".gl"
},
+ "related": [
+ {
+ "dest-uuid": "64974dea-c6c9-462d-9fcf-4456a397d591",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b247524c",
"value": "greenland"
},
@@ -1366,6 +1798,12 @@
"Population": "1593256",
"tld": ".gm"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2474d42",
"value": "gambia"
},
@@ -1382,6 +1820,12 @@
"Population": "10324025",
"tld": ".gn"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b247494e",
"value": "guinea"
},
@@ -1398,6 +1842,12 @@
"Population": "443000",
"tld": ".gp"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2474c50",
"value": "guadeloupe"
},
@@ -1414,6 +1864,12 @@
"Population": "1014999",
"tld": ".gq"
},
+ "related": [
+ {
+ "dest-uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2474e51",
"value": "equatorial guinea"
},
@@ -1430,6 +1886,12 @@
"Population": "11000000",
"tld": ".gr"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2475243",
"value": "greece"
},
@@ -1446,6 +1908,12 @@
"Population": "30",
"tld": ".gs"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534753",
"value": "south georgia and the south sandwich islands"
},
@@ -1462,6 +1930,12 @@
"Population": "13550440",
"tld": ".gt"
},
+ "related": [
+ {
+ "dest-uuid": "105247d9-e619-4231-b88e-17dd9aed1580",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b247544d",
"value": "guatemala"
},
@@ -1478,6 +1952,12 @@
"Population": "159358",
"tld": ".gu"
},
+ "related": [
+ {
+ "dest-uuid": "fbe052e0-a4ab-4d74-8765-5a9786e7bdbc",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b247554d",
"value": "guam"
},
@@ -1494,6 +1974,12 @@
"Population": "1565126",
"tld": ".gw"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2474e42",
"value": "guinea-bissau"
},
@@ -1510,6 +1996,12 @@
"Population": "748486",
"tld": ".gy"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2475559",
"value": "guyana"
},
@@ -1542,6 +2034,12 @@
"Population": "0",
"tld": ".hm"
},
+ "related": [
+ {
+ "dest-uuid": "93dd8987-1466-493f-b5dc-c2b7fe762d75",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2484d44",
"value": "heard island and mcdonald islands"
},
@@ -1558,6 +2056,12 @@
"Population": "7989415",
"tld": ".hn"
},
+ "related": [
+ {
+ "dest-uuid": "105247d9-e619-4231-b88e-17dd9aed1580",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2484e44",
"value": "honduras"
},
@@ -1574,6 +2078,12 @@
"Population": "4284889",
"tld": ".hr"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2485256",
"value": "croatia"
},
@@ -1590,6 +2100,12 @@
"Population": "9648924",
"tld": ".ht"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2485449",
"value": "haiti"
},
@@ -1606,6 +2122,12 @@
"Population": "9982000",
"tld": ".hu"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b248554e",
"value": "hungary"
},
@@ -1622,6 +2144,12 @@
"Population": "242968342",
"tld": ".id"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b249444e",
"value": "indonesia"
},
@@ -1638,6 +2166,12 @@
"Population": "4622917",
"tld": ".ie"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b249524c",
"value": "ireland"
},
@@ -1654,6 +2188,12 @@
"Population": "7353985",
"tld": ".il"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2495352",
"value": "israel"
},
@@ -1670,6 +2210,12 @@
"Population": "75049",
"tld": ".im"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2494d4e",
"value": "isle of man"
},
@@ -1686,6 +2232,12 @@
"Population": "1173108018",
"tld": ".in"
},
+ "related": [
+ {
+ "dest-uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2494e44",
"value": "india"
},
@@ -1702,6 +2254,12 @@
"Population": "4000",
"tld": ".io"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2494f54",
"value": "british indian ocean territory"
},
@@ -1718,6 +2276,12 @@
"Population": "29671605",
"tld": ".iq"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2495251",
"value": "iraq"
},
@@ -1750,6 +2314,12 @@
"Population": "308910",
"tld": ".is"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b249534c",
"value": "iceland"
},
@@ -1766,6 +2336,12 @@
"Population": "60340328",
"tld": ".it"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2495441",
"value": "italy"
},
@@ -1782,6 +2358,12 @@
"Population": "90812",
"tld": ".je"
},
+ "related": [
+ {
+ "dest-uuid": "76adc9e0-215a-4496-8642-b98ac7715d0f",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24a4559",
"value": "jersey"
},
@@ -1798,6 +2380,12 @@
"Population": "2847232",
"tld": ".jm"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24a414d",
"value": "jamaica"
},
@@ -1814,6 +2402,12 @@
"Population": "6407085",
"tld": ".jo"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24a4f52",
"value": "jordan"
},
@@ -1830,6 +2424,12 @@
"Population": "127288000",
"tld": ".jp"
},
+ "related": [
+ {
+ "dest-uuid": "aa46fbd1-54df-4e1e-a5d6-7bced5c59803",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24a504e",
"value": "japan"
},
@@ -1846,6 +2446,12 @@
"Population": "40046566",
"tld": ".ke"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24b454e",
"value": "kenya"
},
@@ -1862,6 +2468,12 @@
"Population": "5776500",
"tld": ".kg"
},
+ "related": [
+ {
+ "dest-uuid": "a5515b7c-594b-4e37-a60f-3bab8808c54c",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24b475a",
"value": "kyrgyzstan"
},
@@ -1878,6 +2490,12 @@
"Population": "14453680",
"tld": ".kh"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24b484d",
"value": "cambodia"
},
@@ -1894,6 +2512,12 @@
"Population": "92533",
"tld": ".ki"
},
+ "related": [
+ {
+ "dest-uuid": "fbe052e0-a4ab-4d74-8765-5a9786e7bdbc",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24b4952",
"value": "kiribati"
},
@@ -1910,6 +2534,12 @@
"Population": "773407",
"tld": ".km"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2434f4d",
"value": "comoros"
},
@@ -1926,6 +2556,12 @@
"Population": "51134",
"tld": ".kn"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24b4e41",
"value": "saint kitts and nevis"
},
@@ -1990,6 +2626,12 @@
"Population": "2789132",
"tld": ".kw"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24b5754",
"value": "kuwait"
},
@@ -2006,6 +2648,12 @@
"Population": "44270",
"tld": ".ky"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b243594d",
"value": "cayman islands"
},
@@ -2022,6 +2670,12 @@
"Population": "15340000",
"tld": ".kz"
},
+ "related": [
+ {
+ "dest-uuid": "a5515b7c-594b-4e37-a60f-3bab8808c54c",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24b415a",
"value": "kazakhstan"
},
@@ -2054,6 +2708,12 @@
"Population": "4125247",
"tld": ".lb"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c424e",
"value": "lebanon"
},
@@ -2070,6 +2730,12 @@
"Population": "160922",
"tld": ".lc"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4341",
"value": "saint lucia"
},
@@ -2086,6 +2752,12 @@
"Population": "35000",
"tld": ".li"
},
+ "related": [
+ {
+ "dest-uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4945",
"value": "liechtenstein"
},
@@ -2102,6 +2774,12 @@
"Population": "21513990",
"tld": ".lk"
},
+ "related": [
+ {
+ "dest-uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4b41",
"value": "sri lanka"
},
@@ -2118,6 +2796,12 @@
"Population": "3685076",
"tld": ".lr"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4252",
"value": "liberia"
},
@@ -2134,6 +2818,12 @@
"Population": "1919552",
"tld": ".ls"
},
+ "related": [
+ {
+ "dest-uuid": "b95340de-8f29-4dbf-ad0f-a4c0be367e59",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c534f",
"value": "lesotho"
},
@@ -2150,6 +2840,12 @@
"Population": "2944459",
"tld": ".lt"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c5455",
"value": "lithuania"
},
@@ -2166,6 +2862,12 @@
"Population": "497538",
"tld": ".lu"
},
+ "related": [
+ {
+ "dest-uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c5558",
"value": "luxembourg"
},
@@ -2182,6 +2884,12 @@
"Population": "2217969",
"tld": ".lv"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c5641",
"value": "latvia"
},
@@ -2198,6 +2906,12 @@
"Population": "6461454",
"tld": ".ly"
},
+ "related": [
+ {
+ "dest-uuid": "4a65b439-849b-4fdd-b34d-e80f738a4309",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4259",
"value": "libya"
},
@@ -2214,6 +2928,12 @@
"Population": "33848242",
"tld": ".ma"
},
+ "related": [
+ {
+ "dest-uuid": "4a65b439-849b-4fdd-b34d-e80f738a4309",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4152",
"value": "morocco"
},
@@ -2230,6 +2950,12 @@
"Population": "32965",
"tld": ".mc"
},
+ "related": [
+ {
+ "dest-uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d434f",
"value": "monaco"
},
@@ -2262,6 +2988,12 @@
"Population": "666730",
"tld": ".me"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4e45",
"value": "montenegro"
},
@@ -2294,6 +3026,12 @@
"Population": "21281844",
"tld": ".mg"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4447",
"value": "madagascar"
},
@@ -2310,6 +3048,12 @@
"Population": "65859",
"tld": ".mh"
},
+ "related": [
+ {
+ "dest-uuid": "fbe052e0-a4ab-4d74-8765-5a9786e7bdbc",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d484c",
"value": "marshall islands"
},
@@ -2326,6 +3070,12 @@
"Population": "2062294",
"tld": ".mk"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4b44",
"value": "north macedonia"
},
@@ -2342,6 +3092,12 @@
"Population": "13796354",
"tld": ".ml"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4c49",
"value": "mali"
},
@@ -2358,6 +3114,12 @@
"Population": "53414374",
"tld": ".mm"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4d52",
"value": "myanmar"
},
@@ -2374,6 +3136,12 @@
"Population": "3086918",
"tld": ".mn"
},
+ "related": [
+ {
+ "dest-uuid": "aa46fbd1-54df-4e1e-a5d6-7bced5c59803",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4e47",
"value": "mongolia"
},
@@ -2406,6 +3174,12 @@
"Population": "53883",
"tld": ".mp"
},
+ "related": [
+ {
+ "dest-uuid": "fbe052e0-a4ab-4d74-8765-5a9786e7bdbc",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4e50",
"value": "northern mariana islands"
},
@@ -2422,6 +3196,12 @@
"Population": "432900",
"tld": ".mq"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d5451",
"value": "martinique"
},
@@ -2438,6 +3218,12 @@
"Population": "3205060",
"tld": ".mr"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d5254",
"value": "mauritania"
},
@@ -2454,6 +3240,12 @@
"Population": "9341",
"tld": ".ms"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d5352",
"value": "montserrat"
},
@@ -2470,6 +3262,12 @@
"Population": "403000",
"tld": ".mt"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4c54",
"value": "malta"
},
@@ -2486,6 +3284,12 @@
"Population": "1294104",
"tld": ".mu"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d5553",
"value": "mauritius"
},
@@ -2502,6 +3306,12 @@
"Population": "395650",
"tld": ".mv"
},
+ "related": [
+ {
+ "dest-uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4456",
"value": "maldives"
},
@@ -2518,6 +3328,12 @@
"Population": "17563749",
"tld": ".mw"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d5749",
"value": "malawi"
},
@@ -2534,6 +3350,12 @@
"Population": "112468855",
"tld": ".mx"
},
+ "related": [
+ {
+ "dest-uuid": "105247d9-e619-4231-b88e-17dd9aed1580",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4558",
"value": "mexico"
},
@@ -2550,6 +3372,12 @@
"Population": "28274729",
"tld": ".my"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d5953",
"value": "malaysia"
},
@@ -2566,6 +3394,12 @@
"Population": "22061451",
"tld": ".mz"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4f5a",
"value": "mozambique"
},
@@ -2582,6 +3416,12 @@
"Population": "2128471",
"tld": ".na"
},
+ "related": [
+ {
+ "dest-uuid": "b95340de-8f29-4dbf-ad0f-a4c0be367e59",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e414d",
"value": "namibia"
},
@@ -2598,6 +3438,12 @@
"Population": "216494",
"tld": ".nc"
},
+ "related": [
+ {
+ "dest-uuid": "4cb4b767-2db4-4858-bb28-656816350fef",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e434c",
"value": "new caledonia"
},
@@ -2614,6 +3460,12 @@
"Population": "15878271",
"tld": ".ne"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e4552",
"value": "niger"
},
@@ -2630,6 +3482,12 @@
"Population": "1828",
"tld": ".nf"
},
+ "related": [
+ {
+ "dest-uuid": "93dd8987-1466-493f-b5dc-c2b7fe762d75",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e464b",
"value": "norfolk island"
},
@@ -2646,6 +3504,12 @@
"Population": "154000000",
"tld": ".ng"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e4741",
"value": "nigeria"
},
@@ -2662,6 +3526,12 @@
"Population": "5995928",
"tld": ".ni"
},
+ "related": [
+ {
+ "dest-uuid": "105247d9-e619-4231-b88e-17dd9aed1580",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e4943",
"value": "nicaragua"
},
@@ -2678,6 +3548,12 @@
"Population": "16645000",
"tld": ".nl"
},
+ "related": [
+ {
+ "dest-uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e4c44",
"value": "netherlands"
},
@@ -2694,6 +3570,12 @@
"Population": "5009150",
"tld": ".no"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e4f52",
"value": "norway"
},
@@ -2710,6 +3592,12 @@
"Population": "28951852",
"tld": ".np"
},
+ "related": [
+ {
+ "dest-uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e504c",
"value": "nepal"
},
@@ -2726,6 +3614,12 @@
"Population": "10065",
"tld": ".nr"
},
+ "related": [
+ {
+ "dest-uuid": "fbe052e0-a4ab-4d74-8765-5a9786e7bdbc",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e5255",
"value": "nauru"
},
@@ -2742,6 +3636,12 @@
"Population": "2166",
"tld": ".nu"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e4955",
"value": "niue"
},
@@ -2758,6 +3658,12 @@
"Population": "4252277",
"tld": ".nz"
},
+ "related": [
+ {
+ "dest-uuid": "93dd8987-1466-493f-b5dc-c2b7fe762d75",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e5a4c",
"value": "new zealand"
},
@@ -2774,6 +3680,12 @@
"Population": "2967717",
"tld": ".om"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24f4d4e",
"value": "oman"
},
@@ -2790,6 +3702,12 @@
"Population": "3410676",
"tld": ".pa"
},
+ "related": [
+ {
+ "dest-uuid": "105247d9-e619-4231-b88e-17dd9aed1580",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414e",
"value": "panama"
},
@@ -2806,6 +3724,12 @@
"Population": "29907003",
"tld": ".pe"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2504552",
"value": "peru"
},
@@ -2822,6 +3746,12 @@
"Population": "270485",
"tld": ".pf"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2505946",
"value": "french polynesia"
},
@@ -2838,6 +3768,12 @@
"Population": "6064515",
"tld": ".pg"
},
+ "related": [
+ {
+ "dest-uuid": "4cb4b767-2db4-4858-bb28-656816350fef",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2504e47",
"value": "papua new guinea"
},
@@ -2854,6 +3790,12 @@
"Population": "99900177",
"tld": ".ph"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b250484c",
"value": "philippines"
},
@@ -2870,6 +3812,12 @@
"Population": "184404791",
"tld": ".pk"
},
+ "related": [
+ {
+ "dest-uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b",
"value": "pakistan"
},
@@ -2886,6 +3834,12 @@
"Population": "38500000",
"tld": ".pl"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2504f4c",
"value": "poland"
},
@@ -2902,6 +3856,12 @@
"Population": "7012",
"tld": ".pm"
},
+ "related": [
+ {
+ "dest-uuid": "64974dea-c6c9-462d-9fcf-4456a397d591",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b253504d",
"value": "saint pierre and miquelon"
},
@@ -2918,6 +3878,12 @@
"Population": "46",
"tld": ".pn"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b250434e",
"value": "pitcairn"
},
@@ -2934,6 +3900,12 @@
"Population": "3916632",
"tld": ".pr"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2505249",
"value": "puerto rico"
},
@@ -2966,6 +3938,12 @@
"Population": "10676000",
"tld": ".pt"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2505254",
"value": "portugal"
},
@@ -2982,6 +3960,12 @@
"Population": "19907",
"tld": ".pw"
},
+ "related": [
+ {
+ "dest-uuid": "fbe052e0-a4ab-4d74-8765-5a9786e7bdbc",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2504c57",
"value": "palau"
},
@@ -2998,6 +3982,12 @@
"Population": "6375830",
"tld": ".py"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2505259",
"value": "paraguay"
},
@@ -3014,6 +4004,12 @@
"Population": "840926",
"tld": ".qa"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2514154",
"value": "qatar"
},
@@ -3046,6 +4042,12 @@
"Population": "21959278",
"tld": ".ro"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2524f55",
"value": "romania"
},
@@ -3062,6 +4064,12 @@
"Population": "7344847",
"tld": ".rs"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2535242",
"value": "serbia"
},
@@ -3094,6 +4102,12 @@
"Population": "11055976",
"tld": ".rw"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2525741",
"value": "rwanda"
},
@@ -3110,6 +4124,12 @@
"Population": "25731776",
"tld": ".sa"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534155",
"value": "saudi arabia"
},
@@ -3126,6 +4146,12 @@
"Population": "559198",
"tld": ".sb"
},
+ "related": [
+ {
+ "dest-uuid": "4cb4b767-2db4-4858-bb28-656816350fef",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534c42",
"value": "solomon islands"
},
@@ -3142,6 +4168,12 @@
"Population": "88340",
"tld": ".sc"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2535943",
"value": "seychelles"
},
@@ -3158,6 +4190,12 @@
"Population": "35000000",
"tld": ".sd"
},
+ "related": [
+ {
+ "dest-uuid": "4a65b439-849b-4fdd-b34d-e80f738a4309",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b253444e",
"value": "sudan"
},
@@ -3174,6 +4212,12 @@
"Population": "8260490",
"tld": ""
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2535344",
"value": "south sudan"
},
@@ -3190,6 +4234,12 @@
"Population": "9828655",
"tld": ".se"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2535745",
"value": "sweden"
},
@@ -3206,6 +4256,12 @@
"Population": "4701069",
"tld": ".sg"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534750",
"value": "singapore"
},
@@ -3222,6 +4278,12 @@
"Population": "7460",
"tld": ".sh"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b253484e",
"value": "saint helena"
},
@@ -3238,6 +4300,12 @@
"Population": "2007000",
"tld": ".si"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b253564e",
"value": "slovenia"
},
@@ -3270,6 +4338,12 @@
"Population": "5455000",
"tld": ".sk"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b253564b",
"value": "slovakia"
},
@@ -3286,6 +4360,12 @@
"Population": "5245695",
"tld": ".sl"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534c45",
"value": "sierra leone"
},
@@ -3302,6 +4382,12 @@
"Population": "31477",
"tld": ".sm"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534d52",
"value": "san marino"
},
@@ -3318,6 +4404,12 @@
"Population": "12323252",
"tld": ".sn"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b253454e",
"value": "senegal"
},
@@ -3334,6 +4426,12 @@
"Population": "10112453",
"tld": ".so"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534f4d",
"value": "somalia"
},
@@ -3350,6 +4448,12 @@
"Population": "492829",
"tld": ".sr"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2535552",
"value": "suriname"
},
@@ -3366,6 +4470,12 @@
"Population": "197700",
"tld": ".st"
},
+ "related": [
+ {
+ "dest-uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2535450",
"value": "sao tome and principe"
},
@@ -3382,6 +4492,12 @@
"Population": "6052064",
"tld": ".sv"
},
+ "related": [
+ {
+ "dest-uuid": "105247d9-e619-4231-b88e-17dd9aed1580",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534c56",
"value": "el salvador"
},
@@ -3430,6 +4546,12 @@
"Population": "1354051",
"tld": ".sz"
},
+ "related": [
+ {
+ "dest-uuid": "b95340de-8f29-4dbf-ad0f-a4c0be367e59",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b253575a",
"value": "eswatini"
},
@@ -3446,6 +4568,12 @@
"Population": "20556",
"tld": ".tc"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2544341",
"value": "turks and caicos islands"
},
@@ -3462,6 +4590,12 @@
"Population": "10543464",
"tld": ".td"
},
+ "related": [
+ {
+ "dest-uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2544344",
"value": "chad"
},
@@ -3478,6 +4612,12 @@
"Population": "140",
"tld": ".tf"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2415446",
"value": "french southern territories"
},
@@ -3494,6 +4634,12 @@
"Population": "6587239",
"tld": ".tg"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b254474f",
"value": "togo"
},
@@ -3510,6 +4656,12 @@
"Population": "67089500",
"tld": ".th"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2544841",
"value": "thailand"
},
@@ -3526,6 +4678,12 @@
"Population": "7487489",
"tld": ".tj"
},
+ "related": [
+ {
+ "dest-uuid": "a5515b7c-594b-4e37-a60f-3bab8808c54c",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2544a4b",
"value": "tajikistan"
},
@@ -3542,6 +4700,12 @@
"Population": "1466",
"tld": ".tk"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2544b4c",
"value": "tokelau"
},
@@ -3574,6 +4738,12 @@
"Population": "4940916",
"tld": ".tm"
},
+ "related": [
+ {
+ "dest-uuid": "a5515b7c-594b-4e37-a60f-3bab8808c54c",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2544b4d",
"value": "turkmenistan"
},
@@ -3590,6 +4760,12 @@
"Population": "10589025",
"tld": ".tn"
},
+ "related": [
+ {
+ "dest-uuid": "4a65b439-849b-4fdd-b34d-e80f738a4309",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b254554e",
"value": "tunisia"
},
@@ -3606,6 +4782,12 @@
"Population": "122580",
"tld": ".to"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2544f4e",
"value": "tonga"
},
@@ -3622,6 +4804,12 @@
"Population": "77804122",
"tld": ".tr"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2545552",
"value": "turkey"
},
@@ -3638,6 +4826,12 @@
"Population": "1328019",
"tld": ".tt"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b254544f",
"value": "trinidad and tobago"
},
@@ -3654,6 +4848,12 @@
"Population": "10472",
"tld": ".tv"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2545556",
"value": "tuvalu"
},
@@ -3702,6 +4902,12 @@
"Population": "45415596",
"tld": ".ua"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2554b52",
"value": "ukraine"
},
@@ -3718,6 +4924,12 @@
"Population": "33398682",
"tld": ".ug"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2554741",
"value": "uganda"
},
@@ -3734,6 +4946,12 @@
"Population": "0",
"tld": ".um"
},
+ "related": [
+ {
+ "dest-uuid": "fbe052e0-a4ab-4d74-8765-5a9786e7bdbc",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2554d49",
"value": "united states minor outlying islands"
},
@@ -3766,6 +4984,12 @@
"Population": "3477000",
"tld": ".uy"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2555259",
"value": "uruguay"
},
@@ -3782,6 +5006,12 @@
"Population": "27865738",
"tld": ".uz"
},
+ "related": [
+ {
+ "dest-uuid": "a5515b7c-594b-4e37-a60f-3bab8808c54c",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2555a42",
"value": "uzbekistan"
},
@@ -3814,6 +5044,12 @@
"Population": "104217",
"tld": ".vc"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2564354",
"value": "saint vincent and the grenadines"
},
@@ -3846,6 +5082,12 @@
"Population": "21730",
"tld": ".vg"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2564742",
"value": "british virgin islands"
},
@@ -3894,6 +5136,12 @@
"Population": "221552",
"tld": ".vu"
},
+ "related": [
+ {
+ "dest-uuid": "4cb4b767-2db4-4858-bb28-656816350fef",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2565554",
"value": "vanuatu"
},
@@ -3926,6 +5174,12 @@
"Population": "192001",
"tld": ".ws"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b257534d",
"value": "samoa"
},
@@ -3942,6 +5196,12 @@
"Population": "23495361",
"tld": ".ye"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b259454d",
"value": "yemen"
},
@@ -3958,6 +5218,12 @@
"Population": "159042",
"tld": ".yt"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d5954",
"value": "mayotte"
},
@@ -3974,6 +5240,12 @@
"Population": "49000000",
"tld": ".za"
},
+ "related": [
+ {
+ "dest-uuid": "b95340de-8f29-4dbf-ad0f-a4c0be367e59",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b25a4146",
"value": "south africa"
},
@@ -3990,6 +5262,12 @@
"Population": "13460305",
"tld": ".zm"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b25a4d42",
"value": "zambia"
},
@@ -4006,6 +5284,12 @@
"Population": "13061000",
"tld": ".zw"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b25a5745",
"value": "zimbabwe"
},
From 325f51479b7c9706e792b44bf2c5b2499e197678 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Mon, 16 Jan 2023 22:20:30 +0100
Subject: [PATCH 08/13] chg: [country] Clarified the US cluster value
---
clusters/country.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/country.json b/clusters/country.json
index 066d876..e496e0f 100644
--- a/clusters/country.json
+++ b/clusters/country.json
@@ -4956,7 +4956,7 @@
"value": "united states minor outlying islands"
},
{
- "description": "United States",
+ "description": "United States of America",
"meta": {
"Capital": "Washington",
"Continent": "NA",
@@ -4969,7 +4969,7 @@
"tld": ".us"
},
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2555341",
- "value": "united states"
+ "value": "united states of america"
},
{
"description": "Uruguay",
From 5c21588d7c6e68ad913a64d73d1480b60ab135bf Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Mon, 16 Jan 2023 22:22:42 +0100
Subject: [PATCH 09/13] add: [country] Manually added the missing relations to
some `country` cluster values
- The previous commit (071ecb8) that added the
majority of relations between countries and
regions did so automatically, based on the
country names specified in the `region` cluster.
The relations added here are for the remaining
countries that are not literally defined the
same way as they are in the `region` cluster
---
clusters/country.json | 228 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 228 insertions(+)
diff --git a/clusters/country.json b/clusters/country.json
index e496e0f..c9f0c43 100644
--- a/clusters/country.json
+++ b/clusters/country.json
@@ -330,6 +330,12 @@
"Population": "26711",
"tld": ".ax"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2414c41",
"value": "aland islands"
},
@@ -566,6 +572,12 @@
"Population": "8450",
"tld": ".gp"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424c4d",
"value": "saint barthelemy"
},
@@ -604,6 +616,12 @@
"Population": "395027",
"tld": ".bn"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b242524e",
"value": "brunei"
},
@@ -620,6 +638,12 @@
"Population": "9947418",
"tld": ".bo"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424f4c",
"value": "bolivia"
},
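Review bot: The `dest-uuid` added for bolivia is one hex digit short: `e9ee6728-d325-4726-be7d-08b5ccf3f3d` ends in an 11-character group, whereas the same region is referenced elsewhere in this patch (peru, paraguay, suriname, falkland islands, venezuela) as `e9ee6728-d325-4726-be7d-08b5ccf3f3d6`. As written the relation points at an identifier no cluster element carries, so the `located-in` link silently dangles; change the line to `"dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",`. If the repository's validation does not already check that every `dest-uuid` is a well-formed UUID that resolves to an existing element, this is the kind of typo such a check would reject before merge.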
@@ -636,6 +660,12 @@
"Population": "18012",
"tld": ".bq"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424553",
"value": "bonaire, saint eustatius and saba "
},
@@ -828,6 +858,12 @@
"Population": "628",
"tld": ".cc"
},
+ "related": [
+ {
+ "dest-uuid": "93dd8987-1466-493f-b5dc-c2b7fe762d75",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b243434b",
"value": "cocos islands"
},
@@ -888,6 +924,12 @@
"Population": "3039126",
"tld": ".cg"
},
+ "related": [
+ {
+ "dest-uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2434f47",
"value": "republic of the congo"
},
@@ -926,6 +968,12 @@
"Population": "21058798",
"tld": ".ci"
},
+ "related": [
+ {
+ "dest-uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2434956",
"value": "ivory coast"
},
@@ -1118,6 +1166,12 @@
"Population": "141766",
"tld": ".cw"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2435557",
"value": "curacao"
},
@@ -1530,6 +1584,12 @@
"Population": "2638",
"tld": ".fk"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2464c4b",
"value": "falkland islands"
},
@@ -1546,6 +1606,12 @@
"Population": "107708",
"tld": ".fm"
},
+ "related": [
+ {
+ "dest-uuid": "d9e8c021-b387-4d67-8b8e-5e5ae57e6647",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b246534d",
"value": "micronesia"
},
@@ -1628,6 +1694,12 @@
"Population": "62348447",
"tld": ".uk"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2474252",
"value": "united kingdom"
},
@@ -2018,6 +2090,12 @@
"Population": "6898686",
"tld": ".hk"
},
+ "related": [
+ {
+ "dest-uuid": "aa46fbd1-54df-4e1e-a5d6-7bced5c59803",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2484b47",
"value": "hong kong"
},
@@ -2298,6 +2376,12 @@
"Population": "76923300",
"tld": ".ir"
},
+ "related": [
+ {
+ "dest-uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b249524e",
"value": "iran"
},
@@ -2578,6 +2662,12 @@
"Population": "22912177",
"tld": ".kp"
},
+ "related": [
+ {
+ "dest-uuid": "aa46fbd1-54df-4e1e-a5d6-7bced5c59803",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b250524b",
"value": "north korea"
},
@@ -2594,6 +2684,12 @@
"Population": "48422644",
"tld": ".kr"
},
+ "related": [
+ {
+ "dest-uuid": "aa46fbd1-54df-4e1e-a5d6-7bced5c59803",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24b4f52",
"value": "south korea"
},
@@ -2610,6 +2706,12 @@
"Population": "1800000",
"tld": ""
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2584b58",
"value": "kosovo"
},
@@ -2692,6 +2794,12 @@
"Population": "6368162",
"tld": ".la"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c414f",
"value": "laos"
},
@@ -2972,6 +3080,12 @@
"Population": "4324000",
"tld": ".md"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4441",
"value": "moldova"
},
@@ -3010,6 +3124,12 @@
"Population": "35925",
"tld": ".gp"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4146",
"value": "saint martin"
},
@@ -3158,6 +3278,12 @@
"Population": "449198",
"tld": ".mo"
},
+ "related": [
+ {
+ "dest-uuid": "aa46fbd1-54df-4e1e-a5d6-7bced5c59803",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b24d4143",
"value": "macao"
},
@@ -3922,6 +4048,12 @@
"Population": "3800000",
"tld": ".ps"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2505345",
"value": "palestinian territory"
},
@@ -4026,6 +4158,12 @@
"Population": "776948",
"tld": ".re"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2524555",
"value": "reunion"
},
@@ -4086,6 +4224,12 @@
"Population": "140702000",
"tld": ".ru"
},
+ "related": [
+ {
+ "dest-uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2525553",
"value": "russia"
},
@@ -4322,6 +4466,12 @@
"Population": "2550",
"tld": ".sj"
},
+ "related": [
+ {
+ "dest-uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534a4d",
"value": "svalbard and jan mayen"
},
@@ -4514,6 +4664,12 @@
"Population": "37429",
"tld": ".sx"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b253584d",
"value": "sint maarten"
},
@@ -4530,6 +4686,12 @@
"Population": "22198110",
"tld": ".sy"
},
+ "related": [
+ {
+ "dest-uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2535952",
"value": "syria"
},
@@ -4722,6 +4884,12 @@
"Population": "1154625",
"tld": ".tl"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2544c53",
"value": "timor leste"
},
@@ -4870,6 +5038,12 @@
"Population": "22894384",
"tld": ".tw"
},
+ "related": [
+ {
+ "dest-uuid": "aa46fbd1-54df-4e1e-a5d6-7bced5c59803",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b254574e",
"value": "taiwan"
},
@@ -4886,6 +5060,12 @@
"Population": "41892895",
"tld": ".tz"
},
+ "related": [
+ {
+ "dest-uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2545a41",
"value": "tanzania"
},
@@ -4968,6 +5148,12 @@
"Population": "310232863",
"tld": ".us"
},
+ "related": [
+ {
+ "dest-uuid": "64974dea-c6c9-462d-9fcf-4456a397d591",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2555341",
"value": "united states of america"
},
@@ -5028,6 +5214,12 @@
"Population": "921",
"tld": ".va"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2564154",
"value": "vatican"
},
@@ -5066,6 +5258,12 @@
"Population": "27223228",
"tld": ".ve"
},
+ "related": [
+ {
+ "dest-uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b256454e",
"value": "venezuela"
},
@@ -5104,6 +5302,12 @@
"Population": "108708",
"tld": ".vi"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2564952",
"value": "u.s. virgin islands"
},
@@ -5120,6 +5324,12 @@
"Population": "89571130",
"tld": ".vn"
},
+ "related": [
+ {
+ "dest-uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2564e4d",
"value": "vietnam"
},
@@ -5158,6 +5368,12 @@
"Population": "16025",
"tld": ".wf"
},
+ "related": [
+ {
+ "dest-uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2574c46",
"value": "wallis and futuna"
},
@@ -5306,6 +5522,12 @@
"Population": "10829175",
"tld": ".cs"
},
+ "related": [
+ {
+ "dest-uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2534347",
"value": "serbia and montenegro"
},
@@ -5322,6 +5544,12 @@
"Population": "300000",
"tld": ".an"
},
+ "related": [
+ {
+ "dest-uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
+ "type": "located-in"
+ }
+ ],
"uuid": "84668357-5a8c-4bdd-9f0f-6b50b2414e54",
"value": "netherlands antilles"
}
From 4a342354f9bf09dc99c30d3e5af9e828a4d46a4b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 20 Jan 2023 13:58:11 +0100
Subject: [PATCH 10/13] chg: [sigma] updated
---
clusters/sigma-rules.json | 3479 +++++++++++++++++++++----------------
1 file changed, 2001 insertions(+), 1478 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index f7a6bd3..5783bf7 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -174,9 +174,9 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
],
"tags": "No established tags"
@@ -232,10 +232,10 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://core.telegram.org/bots/faq",
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
],
"tags": [
@@ -460,8 +460,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
"https://twitter.com/stvemillertime/status/1024707932447854592",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
],
"tags": [
@@ -1286,6 +1286,7 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml"
],
"tags": [
+ "attack.lateral_movement",
"attack.t1021.001"
]
},
@@ -1330,9 +1331,9 @@
"logsource.product": "zeek",
"refs": [
"https://threatpost.com/microsoft-petitpotam-poc/168163/",
+ "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
"https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
"https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
- "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
],
"tags": [
@@ -1479,6 +1480,7 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml"
],
"tags": [
+ "attack.exfiltration",
"attack.t1048"
]
},
@@ -1508,8 +1510,8 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://twitter.com/neu5ron/status/1438987292971053057?s=20",
"https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://twitter.com/neu5ron/status/1438987292971053057?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml"
],
"tags": [
@@ -1750,9 +1752,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
"https://twitter.com/_dirkjan/status/1309214379003588608",
+ "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
],
"tags": [
@@ -1807,7 +1809,9 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml"
],
"tags": [
+ "attack.execution",
"attack.t1569.002",
+ "attack.impact",
"attack.t1496"
]
},
@@ -1843,12 +1847,12 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
"https://github.com/corelight/CVE-2021-1675",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
+ "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
],
"tags": [
@@ -1971,10 +1975,10 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
- "https://tools.ietf.org/html/rfc2929#section-2.1",
- "https://twitter.com/neu5ron/status/1346245602502443009",
"https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
+ "https://twitter.com/neu5ron/status/1346245602502443009",
+ "https://tools.ietf.org/html/rfc2929#section-2.1",
+ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
],
"tags": [
@@ -2015,8 +2019,8 @@
"logsource.category": "application",
"logsource.product": "django",
"refs": [
- "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
"https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
+ "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml"
],
"tags": [
@@ -2148,9 +2152,9 @@
"logsource.category": "application",
"logsource.product": "ruby_on_rails",
"refs": [
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
- "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
"http://guides.rubyonrails.org/action_controller_overview.html",
+ "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
"http://edgeguides.rubyonrails.org/security.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
],
@@ -2184,10 +2188,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
],
"tags": [
@@ -2212,9 +2216,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
],
"tags": [
@@ -2237,9 +2241,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
],
@@ -2263,9 +2267,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
],
@@ -2299,9 +2303,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
],
@@ -2336,9 +2340,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
],
@@ -2387,9 +2391,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
],
@@ -2424,8 +2428,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
],
@@ -2467,9 +2471,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
],
@@ -2504,11 +2508,11 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
],
@@ -2532,10 +2536,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
- "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
],
"tags": [
@@ -2559,9 +2563,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
- "https://github.com/zeronetworks/rpcfirewall",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
],
"tags": [
@@ -2584,9 +2588,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
],
@@ -2611,9 +2615,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
],
"tags": [
@@ -2637,10 +2641,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
],
"tags": [
@@ -2663,9 +2667,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
],
@@ -2722,11 +2726,11 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
],
"tags": [
@@ -2760,8 +2764,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml"
],
"tags": [
@@ -2942,8 +2946,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/mrd0x/status/1460597833917251595",
- "https://twitter.com/_xpn_/status/1491557187168178176",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
],
"tags": [
@@ -3188,10 +3192,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
+ "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
],
"tags": [
@@ -3225,10 +3229,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
],
"tags": [
@@ -3263,11 +3267,11 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
],
"tags": [
@@ -3301,11 +3305,11 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
],
"tags": [
@@ -3513,8 +3517,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_xpn_/status/1491557187168178176",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml"
],
"tags": [
@@ -3548,8 +3552,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
"https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
+ "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
"https://github.com/codewhitesec/SysmonEnte/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
],
@@ -3619,9 +3623,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/SBousseaden/status/1541920424635912196",
"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
- "https://twitter.com/SBousseaden/status/1541920424635912196",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
],
"tags": [
@@ -3700,8 +3704,8 @@
"logsource.category": "process_tampering",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
"https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
+ "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml"
],
"tags": [
@@ -3912,11 +3916,11 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/SigmaHQ/sigma/issues/253",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
"https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
- "https://twitter.com/d4rksystem/status/1357010969264873472",
"https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
+ "https://github.com/SigmaHQ/sigma/issues/253",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
],
"tags": [
@@ -3941,8 +3945,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/groups/G0010/",
"Internal Research",
+ "https://attack.mitre.org/groups/G0010/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml"
],
"tags": [
@@ -4131,8 +4135,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml"
],
"tags": [
@@ -4227,18 +4231,18 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
"https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
"https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
"https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
],
"tags": [
@@ -4263,8 +4267,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml"
],
"tags": [
@@ -4298,8 +4302,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
"https://o365blog.com/post/adfs/",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
"https://github.com/Azure/SimuLand",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
],
@@ -4426,7 +4430,7 @@
"value": "Mimikatz Use"
},
{
- "description": "A rule has been modified in the Windows Firewall exception list",
+ "description": "Detects when a rule has been modified in the windows firewall exception list",
"meta": {
"author": "frack113",
"creation_date": "2022/02/19",
@@ -4442,10 +4446,29 @@
"tags": "No established tags"
},
"uuid": "5570c4d9-8fdd-4622-965b-403a5a101aa0",
- "value": "Modified Rule in Windows Firewall with Advanced Security"
+ "value": "Firewall Rule Modified In The Windows Firewall Exception List"
},
{
- "description": "A rule has been deleted in the Windows Firewall exception list.",
+ "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/02/19",
+ "falsepositive": "No established falsepositives",
+ "filename": "win_firewall_as_failed_load_gpo.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "7ec15688-fd24-4177-ba43-1a950537ee39",
+ "value": "The Windows Defender Firewall Service Failed To Load Group Policy"
+ },
+ {
+ "description": "Detects when a singe rules or all of the rules have been deleted from the Windows Defender Firewall",
"meta": {
"author": "frack113",
"creation_date": "2022/02/19",
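Review bot: The new entry at L62799–L62815 writes `"tags": "No established tags"` (L62811), a string placeholder, while other entries in this file carry `tags` as an array (for example the `"attack.lateral_movement"` / `"attack.t1021.001"` list at L62273–L62276), so a consumer iterating over `tags` will see a key that changes type from entry to entry. If the generator is under your control, emitting `"tags": []` (or omitting the key) for rules without tags keeps the type stable; the same placeholder recurs at L62885 in the next hunk. The description on L62817 also reads "Detects when a singe rules or all of the rules have been deleted", which should be "a single rule or all of the rules"; if these descriptions are copied verbatim from the upstream rule files, that fix belongs upstream.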
@@ -4461,48 +4484,48 @@
"tags": "No established tags"
},
"uuid": "c187c075-bb3e-4c62-b4fa-beae0ffc211f",
- "value": "Delete Rule in Windows Firewall with Advanced Security"
+ "value": "A Rule Has Been Deleted From The Windows Firewall Exception List"
},
{
- "description": "The Windows Firewall service failed to load Group Policy.",
+ "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration",
"meta": {
"author": "frack113",
"creation_date": "2022/02/19",
"falsepositive": "No established falsepositives",
- "filename": "win_firewall_as_failed.yml",
+ "filename": "win_firewall_as_reset_config.yml",
"level": "low",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "7ec15688-fd24-4177-ba43-1a950537ee39",
- "value": "Failed to Load Policy in Windows Firewall with Advanced Security"
- },
- {
- "description": "Windows Firewall has been reset to its default configuration.",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/02/19",
- "falsepositive": "No established falsepositives",
- "filename": "win_firewall_as_reset.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml"
],
"tags": "No established tags"
},
"uuid": "04b60639-39c0-412a-9fbe-e82499c881a3",
- "value": "Reset to Default Configuration Windows Firewall with Advanced Security"
+ "value": "Windows Defender Firewall Has Been Reset To Its Default Configuration"
},
{
- "description": "Setting have been change in Windows Firewall",
+ "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali",
+ "creation_date": "2023/01/17",
+ "falsepositive": "No established falsepositives",
+ "filename": "win_firewall_as_delete_all_rules.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "79609c82-a488-426e-abcf-9f341a39365d",
+ "value": "All Rules Have Been Deleted From The Windows Firewall Configuration"
+ },
+ {
+ "description": "Detects activity when the settings of the Windows firewall have been changed",
"meta": {
"author": "frack113",
"creation_date": "2022/02/19",
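Review bot: The description of the new entry on L62872 reads "Detects when a all the rules have been deleted", which should be "Detects when all the rules have been deleted"; as with the previous hunk, if this text is pulled verbatim from the upstream rule file the correction belongs there. Worth a second look as well: the entry with uuid `c187c075-bb3e-4c62-b4fa-beae0ffc211f` (value `"A Rule Has Been Deleted From The Windows Firewall Exception List"`, L62824–L62826) still describes itself in the previous hunk as covering both a single rule and all rules being deleted, while the new `79609c82-a488-426e-abcf-9f341a39365d` entry (L62887–L62888, level `"high"`) is dedicated to the all-rules case, so the two descriptions now overlap and an analyst reading only the first could assume the high-severity case is already covered by it. The `value` strings are renamed throughout this hunk while the uuids are preserved, which is the right choice for anything keyed on uuid; anything keyed on the old `value` text would presumably need updating.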
@@ -4518,10 +4541,10 @@
"tags": "No established tags"
},
"uuid": "00bb5bd5-1379-4fcf-a965-a5b6f7478064",
- "value": "Setting Change in Windows Firewall with Advanced Security"
+ "value": "Windows Firewall Settings Have Been Changed"
},
{
- "description": "A rule has been modified in the Windows Firewall exception list",
+ "description": "Detects when a rule has been added to the Windows Firewall exception list",
"meta": {
"author": "frack113",
"creation_date": "2022/02/19",
@@ -4537,7 +4560,7 @@
"tags": "No established tags"
},
"uuid": "cde0a575-7d3d-4a49-9817-b8004a7bf105",
- "value": "Added Rule in Windows Firewall with Advanced Security"
+ "value": "New Firewall Rule Added In Windows Firewall Exception List"
},
{
"description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.",
@@ -4683,8 +4706,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing",
"https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
+ "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml"
],
"tags": [
@@ -4745,9 +4768,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
"https://twitter.com/MsftSecIntel/status/1257324139515269121",
"https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
],
"tags": [
@@ -4921,9 +4944,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
],
"tags": "No established tags"
@@ -4973,8 +4996,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/software/S0359/",
"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm",
+ "https://attack.mitre.org/software/S0359/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml"
],
"tags": [
@@ -5009,8 +5032,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
+ "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
],
"tags": [
@@ -5034,8 +5057,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://twitter.com/mattifestation/status/899646620148539397",
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
],
"tags": [
@@ -5090,8 +5113,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/menasec1/status/1106899890377052160",
"https://www.secureworks.com/blog/ransomware-as-a-distraction",
+ "https://twitter.com/menasec1/status/1106899890377052160",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
],
"tags": [
@@ -5228,11 +5251,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://github.com/sensepost/ruler/issues/47",
- "https://github.com/sensepost/ruler",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
+ "https://github.com/sensepost/ruler",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://github.com/sensepost/ruler/issues/47",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
],
"tags": [
@@ -5308,9 +5331,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
"https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
+ "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
],
"tags": [
@@ -5463,9 +5486,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
],
"tags": "No established tags"
@@ -5533,9 +5556,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
"https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
"https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
],
"tags": [
@@ -5560,8 +5583,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
],
"tags": [
@@ -5692,8 +5715,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
"https://twitter.com/SBousseaden/status/1207671369963646976",
+ "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
],
"tags": [
@@ -5746,9 +5769,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
"https://twitter.com/_dirkjan/status/1309214379003588608",
+ "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
],
"tags": [
@@ -5963,15 +5986,15 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
],
"tags": "No established tags"
@@ -6041,8 +6064,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
"https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
+ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml"
],
"tags": [
@@ -6100,8 +6123,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/fox-it/LDAPFragger",
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
],
"tags": [
@@ -6270,9 +6293,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
"https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
],
"tags": [
@@ -7106,10 +7129,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Flangvik/status/1283054508084473861",
- "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
"https://twitter.com/SecurityJosh/status/1283027365770276866",
+ "https://twitter.com/Flangvik/status/1283054508084473861",
+ "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+ "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
],
"tags": [
@@ -7388,9 +7411,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
- "https://github.com/topotam/PetitPotam",
"https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
+ "https://github.com/topotam/PetitPotam",
+ "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
],
"tags": [
@@ -7423,8 +7446,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
+ "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
],
"tags": [
@@ -7483,8 +7506,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml"
],
"tags": [
@@ -7560,8 +7583,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
"https://adsecurity.org/?p=3458",
+ "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
],
"tags": [
@@ -7702,9 +7725,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
],
"tags": "No established tags"
@@ -7787,7 +7810,7 @@
"value": "Suspicious Windows ANONYMOUS LOGON Local Account Created"
},
{
- "description": "Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities",
+ "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities",
"meta": {
"author": "Nasreddine Bencherchali",
"creation_date": "2022/12/05",
@@ -8160,10 +8183,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
],
"tags": "No established tags"
@@ -8213,16 +8236,16 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
"https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
],
"tags": [
@@ -8396,8 +8419,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
"https://o365blog.com/post/hybridhealthagent/",
+ "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
],
"tags": [
@@ -8488,8 +8511,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/",
"https://adsecurity.org/?p=2053",
+ "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml"
],
"tags": [
@@ -8601,8 +8624,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
"https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
],
"tags": [
@@ -8744,8 +8767,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://adsecurity.org/?p=3466",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
],
@@ -8804,9 +8827,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/SBousseaden/status/1581300963650187264?",
"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
"https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
- "https://twitter.com/SBousseaden/status/1581300963650187264?",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
],
"tags": [
@@ -8839,8 +8862,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml"
],
"tags": [
@@ -8875,8 +8898,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -8967,10 +8990,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
],
"tags": [
@@ -9156,9 +9179,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1511760068743766026",
- "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
"https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
+ "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
+ "https://twitter.com/malmoeb/status/1511760068743766026",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
],
"tags": [
@@ -9349,8 +9372,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JohnLaTwC/status/1004895028995477505",
"https://goo.gl/PsqrhT",
+ "https://twitter.com/JohnLaTwC/status/1004895028995477505",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
],
"tags": [
@@ -9529,6 +9552,31 @@
"uuid": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8",
"value": "LPE InstallerFileTakeOver PoC CVE-2021-41379"
},
+ {
+ "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_software_restriction_policies_block.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
+ "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_restriction_policies_block.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1072"
+ ]
+ },
+ "uuid": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442",
+ "value": "Restricted Software Access By SRP"
+ },
{
"description": "Detects MSI package installation from suspicious locations",
"meta": {
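Review bot: The tag pair on the new `Restricted Software Access By SRP` entry looks inconsistent: `attack.t1072` (Software Deployment Tools) is catalogued under Execution and Lateral Movement, not `attack.defense_evasion`, so one of the two tags probably needs correcting upstream in win_software_restriction_policies_block.yml, since this cluster appears to be generated from the Sigma rule set rather than hand-edited. The only reference beyond the Microsoft SRP docs and the Sigma link is a Microsoft-Windows-AppXDeployment-Server provider CSV, which is not obviously the event source for SRP block events; confirming the rule's actual logsource before analysts rely on this entry for triage would help. Separately, `falsepositive` and `tags` are arrays here but plain strings (`"No established falsepositives"`, `"No established tags"`) in neighbouring entries, so consumers cannot iterate these keys unconditionally; the generator should emit one type per key, e.g. `"falsepositive": ["No established falsepositives"]`, and the same applies to the `Suspicious Security Scheduled Tasks Deleted` entry added further down in this file.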
@@ -9606,8 +9654,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml"
],
"tags": [
@@ -9630,9 +9678,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
"https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
+ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
],
"tags": [
@@ -9665,8 +9713,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml"
],
"tags": [
@@ -9689,8 +9737,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml"
],
"tags": [
@@ -9745,8 +9793,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/security/4022344",
"https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
+ "https://technet.microsoft.com/en-us/library/security/4022344",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
],
"tags": [
@@ -9781,8 +9829,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml"
],
"tags": [
@@ -9806,8 +9854,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml"
],
"tags": [
@@ -9841,10 +9889,10 @@
"logsource.product": "windows",
"refs": [
"https://www.youtube.com/watch?v=ebmW42YYveI",
- "https://twitter.com/DidierStevens/status/1217533958096924676",
"https://twitter.com/VM_vivisector/status/1217190929330655232",
- "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
"https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://nullsec.us/windows-event-log-audit-cve/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
],
"tags": [
@@ -9955,8 +10003,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml"
],
"tags": [
@@ -10002,9 +10050,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
"https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
],
"tags": [
@@ -10047,6 +10095,38 @@
"uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b",
"value": "Rare Scheduled Task Creations"
},
+ {
+ "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_taskscheduler_susp_schtasks_delete.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d",
+ "value": "Suspicious Security Scheduled Tasks Deleted"
+ },
{
"description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task",
"meta": {
@@ -10259,8 +10339,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/hhlxf/PrintNightmare",
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
"https://github.com/afwu/PrintNightmare",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml"
],
"tags": [
@@ -10307,11 +10387,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
+ "https://winaero.com/enable-openssh-server-windows-10/",
"https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
"https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
- "https://winaero.com/enable-openssh-server-windows-10/",
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
],
"tags": [
@@ -10335,9 +10415,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/fuzzyf10w/status/1410202370835898371",
"https://github.com/hhlxf/PrintNightmare",
"https://github.com/afwu/PrintNightmare",
+ "https://twitter.com/fuzzyf10w/status/1410202370835898371",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
],
"tags": [
@@ -10392,6 +10472,56 @@
"uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a",
"value": "CVE-2021-1675 Print Spooler Exploitation"
},
+ {
+ "description": "Detect standard users login that are part of high privileged groups such as the Administrator group",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/13",
+ "falsepositive": [
+ "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field"
+ ],
+ "filename": "win_lsa_server_normal_user_admin.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
+ "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "7ac407cc-0f48-4328-aede-de1d2e6fef41",
+ "value": "Standard User In High Privileged Group"
+ },
+ {
+ "description": "Detects execution of Sysinternals tools via an AppX package. Attackers could instal the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/16",
+ "falsepositive": [
+ "Legitimate usage of the applications from the Windows Store"
+ ],
+ "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution"
+ ]
+ },
+ "uuid": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc",
+ "value": "Sysinternals Tools AppX Versions Execution"
+ },
{
"description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"",
"meta": {
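Review bot: The `refs` array of the new "Sysinternals Tools AppX Versions Execution" entry holds the bare string `"Internal Research"` (L63595) alongside URLs, and the same appears in the "Suspicious Digital Signature Of AppX Package" entry added at L63833; consumers that render `refs` as hyperlinks will emit a dead link for it, so the generator should drop non-URL references or keep them in a separate meta field. The new entry's description at L63583 ("instal") and the fragmented falsepositive sentence at L63562 read as copied verbatim from the upstream Sigma rules, so if this file is script-generated those wordings belong upstream rather than here. The filename `win_appxpackaging_om_sups_appx_signature.yml` at L63827 looks like a typo for `susp`; if it does not match the upstream file, the GitHub ref built from it at L63834 will not resolve.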
@@ -10405,8 +10535,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
],
"tags": [
@@ -10556,8 +10686,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
+ "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
],
"tags": [
@@ -10670,8 +10800,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
],
"tags": [
@@ -10719,10 +10849,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml"
],
"tags": [
@@ -10892,9 +11022,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml"
],
"tags": [
@@ -10928,8 +11058,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml"
],
"tags": [
@@ -10963,8 +11093,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://ngrok.com/",
"https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
+ "https://ngrok.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
],
"tags": [
@@ -10997,9 +11127,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
"https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
"https://twitter.com/gentilkiwi/status/861641945944391680",
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml"
],
"tags": [
@@ -11093,8 +11223,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
],
"tags": [
@@ -11517,8 +11647,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -11587,9 +11717,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml"
],
"tags": [
@@ -11682,8 +11812,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Ekultek/BlueKeep",
"https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://github.com/Ekultek/BlueKeep",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml"
],
"tags": [
@@ -11715,8 +11845,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
"https://www.secura.com/blog/zero-logon",
+ "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
],
"tags": [
@@ -11842,8 +11972,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
"https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml"
],
"tags": [
@@ -12098,7 +12228,7 @@
"System provisioning (system reset before the golden image creation)"
],
"filename": "win_system_eventlog_cleared.yml",
- "level": "low",
+ "level": "medium",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
@@ -12278,9 +12408,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
- "https://twitter.com/wdormann/status/1347958161609809921",
"https://twitter.com/jonasLyk/status/1347900440000811010",
+ "https://twitter.com/wdormann/status/1347958161609809921",
+ "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml"
],
"tags": [
@@ -12317,7 +12447,7 @@
"value": "Turla Service Install"
},
{
- "description": "One of the Windows Core Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution",
+ "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution",
"meta": {
"author": "Florian Roth, Tim Shelton",
"creation_date": "2022/05/17",
@@ -12350,7 +12480,7 @@
}
],
"uuid": "100ef69e-3327-481c-8e5c-6d80d9507556",
- "value": "System Eventlog Cleared"
+ "value": "Important Windows Eventlog Cleared"
},
{
"description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded",
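Review bot: Changing `value` from `"System Eventlog Cleared"` to `"Important Windows Eventlog Cleared"` on an entry that keeps uuid `100ef69e-3327-481c-8e5c-6d80d9507556` silently breaks existing galaxy tags, since MISP derives the tag name from `value` (`misp-galaxy:sigma-rules="System Eventlog Cleared"`) rather than from the uuid. Events already tagged with the old name will no longer match this cluster after the update. Keeping the old name as a synonym preserves lookups, e.g. adding `"synonyms": ["System Eventlog Cleared"]` under this entry's `meta`, which sits outside this hunk. If the rename is driven by the upstream rule title, the generator should carry previous titles into `synonyms` automatically.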
@@ -12365,9 +12495,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml"
],
"tags": [
@@ -12913,8 +13043,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml"
],
"tags": [
@@ -13007,6 +13137,31 @@
"uuid": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f",
"value": "Exploit SamAccountName Spoofing with Kerberos"
},
+ {
+ "description": "Detects execution of AppX packages with known suspicious or malicious signature",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_appxpackaging_om_sups_appx_signature.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution"
+ ]
+ },
+ "uuid": "b5aa7d60-c17e-4538-97de-09029d6cd76b",
+ "value": "Suspicious Digital Signature Of AppX Package"
+ },
{
"description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.",
"meta": {
@@ -13136,8 +13291,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://twitter.com/mattifestation/status/899646620148539397",
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
],
"tags": [
@@ -13158,6 +13313,172 @@
"uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b",
"value": "WMI Persistence"
},
+ {
+ "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/16",
+ "falsepositive": [
+ "Rare legitimate access to anonfiles.com"
+ ],
+ "filename": "win_dns_client_anonymfiles_com.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1567.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "29f171d7-aa47-42c7-9c7b-3c87938164d9",
+ "value": "DNS Query for Anonfiles.com Domain - DNS Client"
+ },
+ {
+ "description": "Detects DNS queries for subdomains used for upload to MEGA.io",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/16",
+ "falsepositive": [
+ "Legitimate DNS queries and usage of Mega"
+ ],
+ "filename": "win_dns_client_mega_nz.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1567.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "66474410-b883-415f-9f8d-75345a0a66a6",
+ "value": "DNS Query for MEGA.io Upload Domain - DNS Client"
+ },
+ {
+ "description": "Detects DNS resolution of an .onion address related to Tor routing networks",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/02/20",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "win_dns_client_tor_onion.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1090.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2",
+ "value": "Query Tor Onion Address - DNS Client"
+ },
+ {
+ "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/16",
+ "falsepositive": [
+ "Legitimate DNS queries and usage of Ufile"
+ ],
+ "filename": "win_dns_client_ufile_io.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1567.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "090ffaad-c01a-4879-850c-6d57da98452d",
+ "value": "DNS Query for Ufile.io Upload Domain - DNS Client"
+ },
+ {
+ "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_dns_client__mal_cobaltstrike.yml",
+ "level": "critical",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1071.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "0d18728b-f5bf-4381-9dcf-915539fff6c2",
+ "value": "Suspicious Cobalt Strike DNS Beaconing - DNS Client"
+ },
{
"description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.",
"meta": {
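Review bot: The new Cobalt Strike DNS entry uses the filename `win_dns_client__mal_cobaltstrike.yml` with a double underscore (L64001), and the GitHub ref at L64008 is built from the same string; if that does not mirror the upstream Sigma filename the link will not resolve and the filename field will not match the rule it describes. The same check applies to `win_dns_client_anonymfiles_com.yml` (L63869, L63875), whose spelling differs from the `anonfiles.com` domain named in the description. These are hedged, since the page does not show the upstream tree; verifying the two refs once would settle it.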
@@ -13172,8 +13493,8 @@
"logsource.product": "windows",
"refs": [
"https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
],
"tags": [
@@ -13244,11 +13565,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
- "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
"https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
"https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
],
"tags": [
@@ -13278,30 +13599,30 @@
"value": "Potential Active Directory Reconnaissance/Enumeration Via LDAP"
},
{
- "description": "Detects an appx package installation with the error code \"0x80073cff\". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious",
+ "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations",
"meta": {
"author": "Nasreddine Bencherchali",
"creation_date": "2023/01/11",
"falsepositive": [
- "Legitimate AppX packages not signed by MS used part of an enterprise"
+ "Unknown"
],
- "filename": "appxdeployment_server_susp_appx_package_installation.yml",
+ "filename": "win_appxdeployment_server_uncommon_package_locations.yml",
"level": "medium",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml"
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
],
"tags": [
"attack.defense_evasion"
]
},
- "uuid": "898d5fc9-fbc3-43de-93ad-38e97237c344",
- "value": "Suspicious AppX Package Installation Attempt"
+ "uuid": "c977cb50-3dff-4a9f-b873-9290f56132f1",
+ "value": "Uncommon AppX Package Locations"
},
{
"description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations",
@@ -13311,16 +13632,16 @@
"falsepositive": [
"Unknown"
],
- "filename": "appxdeployment_server_susp_package_locations.yml",
+ "filename": "win_appxdeployment_server_susp_package_locations.yml",
"level": "high",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml"
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
],
"tags": [
"attack.defense_evasion"
@@ -13329,31 +13650,6 @@
"uuid": "5cdeaf3d-1489-477c-95ab-c318559fc051",
"value": "Suspicious AppX Package Locations"
},
- {
- "description": "Detects potential installation or installation attempts of known malicious appx packages",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2023/01/11",
- "falsepositive": [
- "Rare occasions where a malicious package uses the exact same name and version as a legtimate application"
- ],
- "filename": "appxdeployment_server_mal_appx_names.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce",
- "value": "Potential Malicious AppX Package Installation Attempts"
- },
{
"description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain",
"meta": {
@@ -13362,16 +13658,16 @@
"falsepositive": [
"Unknown"
],
- "filename": "appxdeployment_server_susp_domains.yml",
+ "filename": "win_appxdeployment_server_susp_domains.yml",
"level": "high",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml"
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
],
"tags": [
"attack.defense_evasion"
@@ -13381,30 +13677,103 @@
"value": "Suspicious Remote AppX Package Locations"
},
{
- "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations",
+ "description": "Detects an appx package installation with the error code \"0x80073cff\". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious",
"meta": {
"author": "Nasreddine Bencherchali",
"creation_date": "2023/01/11",
"falsepositive": [
- "Unknown"
+ "Legitimate AppX packages not signed by MS used part of an enterprise"
],
- "filename": "appxdeployment_server_uncommon_package_locations.yml",
+ "filename": "win_appxdeployment_server_susp_appx_package_installation.yml",
"level": "medium",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml"
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
],
"tags": [
"attack.defense_evasion"
]
},
- "uuid": "c977cb50-3dff-4a9f-b873-9290f56132f1",
- "value": "Uncommon AppX Package Locations"
+ "uuid": "898d5fc9-fbc3-43de-93ad-38e97237c344",
+ "value": "Suspicious AppX Package Installation Attempt"
+ },
+ {
+ "description": "Detects an appx package deployment that was blocked by the local computer policy",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_appxdeployment_server_policy_block.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "e021bbb5-407f-41f5-9dc9-1864c45a7a51",
+ "value": "Deployment Of The AppX Package Was Blocked By The Policy"
+ },
+ {
+ "description": "Detects potential installation or installation attempts of known malicious appx packages",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Rare occasions where a malicious package uses the exact same name and version as a legtimate application"
+ ],
+ "filename": "win_appxdeployment_server_mal_appx_names.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce",
+ "value": "Potential Malicious AppX Package Installation Attempts"
+ },
+ {
+ "description": "Detects an appx package deployment that was blocked by AppLocker policy",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_appxdeployment_server_applocker_block.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "6ae53108-c3a0-4bee-8f45-c7591a2c337f",
+ "value": "Deployment AppX Package Was Blocked By AppLocker"
},
{
"description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit",
@@ -13647,8 +14016,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
],
"tags": [
@@ -13681,8 +14050,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml"
],
"tags": [
@@ -13716,8 +14085,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml"
],
"tags": [
@@ -13996,9 +14365,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
+ "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
"https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
"https://persistence-info.github.io/Data/recyclebin.html",
- "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
],
"tags": [
@@ -14092,9 +14461,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
"https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
+ "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
],
"tags": [
@@ -14153,8 +14522,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/990717080805789697",
"https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+ "https://twitter.com/pabraeken/status/990717080805789697",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"
],
"tags": [
@@ -14384,8 +14753,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
+ "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml"
],
"tags": [
@@ -14444,8 +14813,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml"
],
"tags": [
@@ -14589,8 +14958,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
"https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
+ "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml"
],
"tags": [
@@ -14614,8 +14983,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
],
"tags": [
@@ -14764,10 +15133,10 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
- "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
"https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
+ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
"https://github.com/hfiref0x/UACME",
+ "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
],
"tags": [
@@ -15066,8 +15435,8 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://seclists.org/fulldisclosure/2020/Mar/45",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://seclists.org/fulldisclosure/2020/Mar/45",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml"
],
"tags": [
@@ -15115,11 +15484,11 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
"https://github.com/OTRF/detection-hackathon-apt29/issues/7",
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
"https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
"https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
- "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
],
"tags": [
@@ -15201,8 +15570,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
"https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml"
],
"tags": [
@@ -15326,10 +15695,10 @@
"logsource.product": "windows",
"refs": [
"https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
- "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
"https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
"https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
+ "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml"
],
"tags": [
@@ -15353,8 +15722,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/amsi.html",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
+ "https://persistence-info.github.io/Data/amsi.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml"
],
"tags": [
@@ -15445,9 +15814,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
"https://twitter.com/Hexacorn/status/991447379864932352",
"https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
- "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
],
"tags": [
@@ -15480,8 +15849,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
"https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
+ "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml"
],
"tags": [
@@ -15749,8 +16118,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
"https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
+ "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml"
],
"tags": [
@@ -15800,8 +16169,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
],
"tags": [
@@ -15825,13 +16194,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
"http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
],
"tags": [
@@ -15880,8 +16249,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1560536653709598721",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://twitter.com/malmoeb/status/1560536653709598721",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
],
"tags": [
@@ -15906,8 +16275,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
],
"tags": [
@@ -15941,8 +16310,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
"https://persistence-info.github.io/Data/wer_debugger.html",
+ "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
],
"tags": [
@@ -15988,8 +16357,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.exploit-db.com/exploits/47696",
"http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
+ "https://www.exploit-db.com/exploits/47696",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
],
"tags": [
@@ -16054,8 +16423,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
"https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
],
"tags": [
@@ -16202,9 +16571,9 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
],
"tags": [
@@ -16286,8 +16655,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
"https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
+ "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
],
"tags": [
@@ -16394,9 +16763,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/tree/master/SIP",
- "https://persistence-info.github.io/Data/codesigning.html",
"https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
+ "https://persistence-info.github.io/Data/codesigning.html",
+ "https://github.com/gtworek/PSBits/tree/master/SIP",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
],
"tags": [
@@ -16432,8 +16801,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
],
"tags": [
@@ -16605,8 +16974,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
"https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
],
"tags": [
@@ -16681,7 +17050,7 @@
}
],
"uuid": "2f78da12-f7c7-430b-8b19-a28f269b77a3",
- "value": "Disable Winevt Event Logging Via Registry"
+ "value": "Disable Windows Event Logging Via Registry"
},
{
"description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.",
@@ -16696,8 +17065,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
],
"tags": [
@@ -16730,8 +17099,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://labs.f-secure.com/blog/scheduled-task-tampering/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
],
"tags": [
@@ -16814,8 +17183,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
+ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
],
"tags": [
@@ -17037,8 +17406,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
+ "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml"
],
"tags": [
@@ -17073,9 +17442,9 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://persistence-info.github.io/Data/userinitmprlogonscript.html",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
],
"tags": [
@@ -17190,13 +17559,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
"http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
],
"tags": [
@@ -17256,8 +17625,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
],
"tags": [
@@ -17283,8 +17652,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
],
"tags": [
@@ -17332,8 +17701,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
],
"tags": [
@@ -17467,8 +17836,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
"https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
+ "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml"
],
"tags": [
@@ -17552,8 +17921,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
],
"tags": [
@@ -17784,8 +18153,8 @@
"refs": [
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
],
"tags": [
@@ -17879,8 +18248,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
"https://persistence-info.github.io/Data/hhctrl.html",
+ "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
],
"tags": [
@@ -18099,8 +18468,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
"https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
],
"tags": [
@@ -18228,8 +18597,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
],
"tags": [
@@ -18279,8 +18648,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
],
"tags": [
@@ -18337,8 +18706,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
"https://persistence-info.github.io/Data/aedebug.html",
+ "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
],
"tags": [
@@ -18387,8 +18756,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
],
"tags": [
@@ -18399,6 +18768,31 @@
"uuid": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1",
"value": "System Scripts Autorun Keys Modification"
},
+ {
+ "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_lsa_disablerestrictedadmin.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
+ "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "d6ce7ebd-260b-4323-9768-a9631c8d4db2",
+ "value": "Disabled RestrictedAdminMode For RDS"
+ },
{
"description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.",
"meta": {
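Review bot: The description string of the new "Disabled RestrictedAdminMode For RDS" entry carries two typos, `desable` for `disable` and `compromise` for `compromised`, which will surface verbatim in every MISP instance that consumes this galaxy. Since this cluster is produced by the import script from the upstream Sigma rule, the correction belongs in `registry_set_lsa_disablerestrictedadmin.yml` followed by a regenerate, not a hand edit of the JSON. The entry also has no `related` block although it is tagged `attack.t1112`, while the XLL entry added further down in this patch (tagged `attack.t1137.006`) does get one; if the new relationship script is meant to resolve every `attack.t*` tag to an ATT&CK cluster, it is worth checking why this one was skipped before the version is bumped.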
@@ -18412,8 +18806,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
],
@@ -18447,9 +18841,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
],
"tags": [
@@ -18507,9 +18901,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
+ "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
],
"tags": [
@@ -18543,8 +18937,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
],
"tags": [
@@ -18599,9 +18993,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://twitter.com/jamieantisocial/status/1304520651248668673",
"https://www.sans.org/cyber-security-summit/archives",
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
],
"tags": [
@@ -18953,8 +19347,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/1",
"https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml"
],
"tags": [
@@ -19012,8 +19406,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
"https://twitter.com/pabraeken/status/998627081360695297",
+ "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
"https://twitter.com/VakninHai/status/1517027824984547329",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
],
@@ -19123,9 +19517,9 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
],
"tags": [
@@ -19183,8 +19577,8 @@
"logsource.product": "windows",
"refs": [
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
- "https://unit42.paloaltonetworks.com/ransomware-families/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
+ "https://unit42.paloaltonetworks.com/ransomware-families/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
],
"tags": [
@@ -19257,8 +19651,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
"https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
],
"tags": [
@@ -19292,8 +19686,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
],
@@ -19342,8 +19736,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
"https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
"https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
],
@@ -19415,6 +19809,40 @@
"uuid": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6",
"value": "Disable Windows Security Center Notifications"
},
+ {
+ "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_persistance_xll.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
+ "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistance_xll.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1137.006"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "961e33d1-4f86-4fcf-80ab-930a708b2f82",
+ "value": "Potential Persistence Via Excel Add-in - Registry"
+ },
{
"description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n",
"meta": {
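Review bot: The `related` block on the new XLL entry asserts an `almost-certain` relationship to `dest-uuid` `34f1d81d-fe88-4f97-bd3b-a3164536255d`, but nothing in the patch shows where that UUID comes from; presumably the relationship script derives it from the `attack.t1137.006` tag, and a mismatch here would silently produce a dangling link in the galaxy. A short comment in the script or the PR description stating the tag-to-UUID source (e.g. "dest-uuid is the mitre-attack-pattern cluster UUID for the technique named in the attack.* tag") would let reviewers verify these entries. Note that the `filename` and the SigmaHQ ref both spell it `registry_set_persistance_xll.yml`; this matches the upstream rule path and should stay as is, so the value is consistent even though the spelling is off.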
@@ -19449,7 +19877,7 @@
"value": "Hide Schedule Task Via Index Value Tamper"
},
{
- "description": "Detects tampering of autologger trace sessions which is a technique used by attackers to disable logging",
+ "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging",
"meta": {
"author": "Nasreddine Bencherchali",
"creation_date": "2022/08/01",
@@ -19461,8 +19889,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
],
@@ -19471,7 +19899,7 @@
]
},
"uuid": "f37b4bce-49d0-4087-9f5b-58bffda77316",
- "value": "AutoLogger Sessions Tamper"
+ "value": "Potential AutoLogger Sessions Tampering"
},
{
"description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.",
@@ -19486,17 +19914,17 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://twitter.com/_xpn_/status/1268712093928378368",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
],
"tags": [
@@ -19565,8 +19993,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
],
"tags": [
@@ -19590,8 +20018,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+ "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
],
"tags": [
@@ -19624,9 +20052,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
],
"tags": [
@@ -19676,8 +20104,8 @@
"logsource.product": "windows",
"refs": [
"https://persistence-info.github.io/Data/ifilters.html",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
"https://twitter.com/0gtweet/status/1468548924600459267",
+ "https://github.com/gtworek/PSBits/tree/master/IFilter",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
],
@@ -19750,8 +20178,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
"https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
],
"tags": [
@@ -19966,10 +20394,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/bohops/WSMan-WinRM",
- "https://twitter.com/chadtilbury/status/1275851297770610688",
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
+ "https://github.com/bohops/WSMan-WinRM",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
],
"tags": [
@@ -20115,8 +20543,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/rbmaslen/status/1321859647091970051",
"https://twitter.com/tifkin_/status/1321916444557365248",
+ "https://twitter.com/rbmaslen/status/1321859647091970051",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml"
],
"tags": [
@@ -20250,8 +20678,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
"https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml"
],
"tags": [
@@ -20372,11 +20800,11 @@
"logsource.product": "windows",
"refs": [
"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://github.com/Wh04m1001/SysmonEoP",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
],
"tags": [
@@ -20491,8 +20919,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
"http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
+ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
],
"tags": [
@@ -20577,10 +21005,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
- "https://hijacklibs.net/",
"https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
"https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://hijacklibs.net/",
+ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
],
"tags": [
@@ -20673,8 +21101,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
+ "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml"
],
@@ -20824,10 +21252,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
- "https://thewover.github.io/Introducing-Donut/",
- "https://github.com/tyranid/DotNetToJScript",
"https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://thewover.github.io/Introducing-Donut/",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://github.com/tyranid/DotNetToJScript",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
],
"tags": [
@@ -20999,8 +21427,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_scm.yml"
],
"tags": [
@@ -21292,9 +21720,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
- "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
"https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
+ "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml"
],
"tags": [
@@ -21449,8 +21877,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/hhlxf/PrintNightmare",
"https://github.com/ly4k/SpoolFool",
+ "https://github.com/hhlxf/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
],
"tags": [
@@ -21514,9 +21942,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
"https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
],
"tags": [
@@ -21541,8 +21969,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/1196390321783025666",
"https://twitter.com/oulusoyum/status/1191329746069655553",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml"
],
@@ -21684,8 +22112,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/RiccardoAncarani/LiquidSnake",
- "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
"https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
+ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
],
"tags": [
@@ -21718,8 +22146,8 @@
"logsource.category": "ps_classic_start",
"logsource.product": "windows",
"refs": [
- "https://nmap.org/ncat/",
"https://github.com/besimorhino/powercat",
+ "https://nmap.org/ncat/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
],
@@ -21754,8 +22182,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/bohops/WSMan-WinRM",
- "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
],
"tags": [
@@ -21906,8 +22334,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -22362,8 +22790,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/8",
+ "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
],
"tags": [
@@ -22532,8 +22960,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml"
],
"tags": [
@@ -22566,8 +22994,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://nmap.org/ncat/",
"https://github.com/besimorhino/powercat",
+ "https://nmap.org/ncat/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml"
],
@@ -23108,8 +23536,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -23343,8 +23771,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
"https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml"
],
"tags": [
@@ -23478,8 +23906,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
],
"tags": [
@@ -23602,9 +24030,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
"https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
],
"tags": [
@@ -23742,9 +24170,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
+ "https://adsecurity.org/?p=2277",
"https://thedfirreport.com/2020/10/08/ryuks-return",
"https://powersploit.readthedocs.io/en/stable/Recon/README",
- "https://adsecurity.org/?p=2277",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
],
"tags": [
@@ -23819,8 +24247,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/948061991012327424",
"https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+ "https://twitter.com/bohops/status/948061991012327424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml"
],
"tags": [
@@ -23886,9 +24314,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
- "https://www.ietf.org/rfc/rfc2821.txt",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
+ "https://www.ietf.org/rfc/rfc2821.txt",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
],
"tags": [
@@ -23921,9 +24349,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -23948,8 +24376,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -24099,8 +24527,8 @@
"refs": [
"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
- "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+ "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
"http://woshub.com/manage-windows-firewall-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
],
@@ -24134,8 +24562,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
+ "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
],
"tags": [
@@ -24155,6 +24583,29 @@
"uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08",
"value": "Manipulation of User Computer or Group Security Principals Across AD"
},
+ {
+ "description": "Detects potential exfiltration attempt via audio file using PowerShell",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_audio_exfiltration.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml"
+ ],
+ "tags": [
+ "attack.exfiltration"
+ ]
+ },
+ "uuid": "e4f93c99-396f-47c8-bb0f-201b1fa69034",
+ "value": "Potential Data Exfiltration Via Audio File"
+ },
{
"description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module",
"meta": {
@@ -24259,9 +24710,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://youtu.be/5mqid-7zp8k?t=2481",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://youtu.be/5mqid-7zp8k?t=2481",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
],
@@ -24375,8 +24826,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
"https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml"
],
"tags": [
@@ -24531,9 +24982,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2604",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+ "https://adsecurity.org/?p=2604",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -24590,8 +25041,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml"
],
"tags": [
@@ -24989,8 +25440,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml"
],
"tags": [
@@ -25023,8 +25474,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JohnLaTwC/status/850381440629981184",
"https://t.co/ezOTGy1a1G",
+ "https://twitter.com/JohnLaTwC/status/850381440629981184",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml"
],
"tags": [
@@ -25058,8 +25509,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml"
],
"tags": [
@@ -25250,8 +25701,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
"https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
+ "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
],
"tags": [
@@ -25285,8 +25736,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
+ "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
],
"tags": [
@@ -25494,7 +25945,7 @@
{
"description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.",
"meta": {
- "author": "frack113, elhoim",
+ "author": "frack113, elhoim, Tim Shelton (fps, alias support)",
"creation_date": "2022/01/16",
"falsepositive": [
"Legitimate PowerShell scripts"
@@ -25766,8 +26217,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "http://www.powertheshell.com/ntfsstreams/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
+ "http://www.powertheshell.com/ntfsstreams/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"
],
"tags": [
@@ -25809,8 +26260,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
+ "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
],
"tags": [
@@ -25834,8 +26285,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
],
"tags": [
@@ -25868,8 +26319,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
+ "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
],
"tags": [
@@ -25935,8 +26386,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
"https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
],
"tags": [
@@ -25969,8 +26420,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
],
"tags": [
@@ -26028,8 +26479,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
],
"tags": [
@@ -26268,8 +26719,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
"https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
],
"tags": [
@@ -26385,8 +26836,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/948061991012327424",
"https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+ "https://twitter.com/bohops/status/948061991012327424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml"
],
"tags": [
@@ -26477,8 +26928,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -26571,8 +27022,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
"https://twitter.com/pabraeken/status/995111125447577600",
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml"
],
"tags": [
@@ -26629,8 +27080,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/harleyQu1nn/AggressorScripts",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
+ "https://github.com/harleyQu1nn/AggressorScripts",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml"
],
"tags": [
@@ -26713,8 +27164,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
"https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml"
],
"tags": [
@@ -26747,10 +27198,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
"https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
"https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
"https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
- "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
],
"tags": [
@@ -26874,8 +27325,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
],
"tags": [
@@ -27143,9 +27594,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml"
],
"tags": [
@@ -27168,10 +27619,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
- "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
"https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
"https://twitter.com/ScumBots/status/1610626724257046529",
+ "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
+ "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
],
"tags": [
@@ -27196,8 +27647,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
],
"tags": [
@@ -27350,19 +27801,20 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/samratashok/nishang",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://adsecurity.org/?p=2921",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://adsecurity.org/?p=2921",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
"https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
],
"tags": [
@@ -27466,9 +27918,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
"https://www.shellhacks.com/clear-history-powershell/",
- "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
],
"tags": [
@@ -27609,8 +28061,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
],
@@ -27773,8 +28225,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
"https://github.com/Arno0x/DNSExfiltrator",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
],
"tags": [
@@ -27901,9 +28353,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
+ "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml"
],
"tags": [
@@ -28027,8 +28479,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
"https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
],
"tags": [
@@ -28221,8 +28673,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
"https://twitter.com/pabraeken/status/995111125447577600",
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml"
],
"tags": [
@@ -28243,7 +28695,7 @@
"value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)"
},
{
- "description": "Raw disk access using illegitimate tools, possible defence evasion",
+ "description": "Detects raw disk access using uncommon tools, which could indicate possible defense evasion attempts",
"meta": {
"author": "Teymur Kheirkhabarov, oscd.community",
"creation_date": "2019/10/22",
@@ -28273,7 +28725,7 @@
}
],
"uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c",
- "value": "Raw Disk Access Using Illegitimate Tools"
+ "value": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools"
},
{
"description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",
@@ -28288,8 +28740,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
"https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
+ "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml"
],
"tags": [
@@ -28498,9 +28950,9 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/KeeThief",
- "https://github.com/denandz/KeeFarce",
"https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/denandz/KeeFarce",
+ "https://github.com/GhostPack/KeeThief",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
],
"tags": [
@@ -28533,8 +28985,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1090588499517079552",
"https://github.com/mdsecactivebreach/CACTUSTORCH",
+ "https://twitter.com/SBousseaden/status/1090588499517079552",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
],
"tags": [
@@ -28836,11 +29288,11 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
- "https://github.com/fengjixuchui/gdrv-loader",
"https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
"https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
+ "https://github.com/fengjixuchui/gdrv-loader",
"https://twitter.com/malmoeb/status/1551449425842786306",
+ "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
],
"tags": [
@@ -28889,18 +29341,18 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/jbaines-r7/dellicious",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
- "https://github.com/CaledoniaProject/drivers-binaries",
"https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://github.com/CaledoniaProject/drivers-binaries",
"https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
- "https://github.com/namazso/physmem_drivers",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
"https://github.com/stong/CVE-2020-15368",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
+ "https://github.com/namazso/physmem_drivers",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://github.com/jbaines-r7/dellicious",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml"
],
"tags": [
@@ -29035,22 +29487,22 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/jbaines-r7/dellicious",
- "https://github.com/tandasat/ExploitCapcom",
- "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
"https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
- "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
- "https://github.com/namazso/physmem_drivers",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
"https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
+ "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
+ "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
"https://github.com/stong/CVE-2020-15368",
+ "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
+ "https://github.com/tandasat/ExploitCapcom",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
+ "https://github.com/namazso/physmem_drivers",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://github.com/jbaines-r7/dellicious",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml"
],
"tags": [
@@ -29202,8 +29654,8 @@
"logsource.product": "windows",
"refs": [
"https://systeminformer.sourceforge.io/",
- "https://processhacker.sourceforge.io/",
"https://github.com/winsiderss/systeminformer",
+ "https://processhacker.sourceforge.io/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml"
],
"tags": [
@@ -29237,8 +29689,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details",
"https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/",
+ "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml"
],
"tags": [
@@ -29262,8 +29714,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/alfarom256/CVE-2022-3699/",
"https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
+ "https://github.com/alfarom256/CVE-2022-3699/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml"
],
"tags": [
@@ -29332,9 +29784,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/M_haggis/status/900741347035889665",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
"https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
+ "https://twitter.com/M_haggis/status/900741347035889665",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml"
],
"tags": [
@@ -29376,8 +29828,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://pypi.org/project/scapy/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
+ "https://pypi.org/project/scapy/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml"
],
"tags": [
@@ -29428,9 +29880,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
"https://content.fireeye.com/apt-41/rpt-apt41",
"https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
+ "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml"
],
"tags": [
@@ -29775,8 +30227,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
"https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
+ "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml"
],
"tags": [
@@ -29880,8 +30332,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://www.ietf.org/rfc/rfc2821.txt",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml"
],
"tags": [
@@ -29914,10 +30366,10 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/M_haggis/status/900741347035889665",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://twitter.com/M_haggis/status/900741347035889665",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
],
"tags": [
@@ -30303,8 +30755,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/child-processes/",
"https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
+ "https://redcanary.com/blog/child-processes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml"
],
"tags": [
@@ -30379,8 +30831,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://twitter.com/forensicitguy/status/1513538712986079238",
+ "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
],
"tags": [
@@ -30413,8 +30865,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
"https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
+ "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml"
],
"tags": "No established tags"
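Review bot: `tags` is the string `"No established tags"` on the last line of this hunk, whereas every other rule visible in these hunks carries an array under `tags`; a consumer that iterates `tags` will get individual characters (or fail) on this entry, and a schema cannot give the key a single type. The same placeholder string appears again in the iso_file_recent rule later in this chunk. An empty array, `"tags": []`, keeps the key's type stable across the whole cluster; if the placeholder is intentional for downstream tooling, that convention should be stated in the cluster description so consumers can special-case it. The enclosing rule object starts and ends outside the hunk.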
@@ -30435,8 +30887,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/russian-targeting-gov-business",
"https://megatools.megous.com/",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
],
"tags": [
@@ -30536,8 +30988,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
"https://adsecurity.org/?p=2398",
+ "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml"
],
"tags": [
@@ -30604,11 +31056,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://twitter.com/luc4m/status/1073181154126254080",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
],
"tags": [
@@ -30810,11 +31262,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
- "https://github.com/helpsystems/nanodump",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
- "https://www.google.com/search?q=procdump+lsass",
"https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://github.com/helpsystems/nanodump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://www.google.com/search?q=procdump+lsass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml"
],
"tags": [
@@ -30915,8 +31367,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml"
],
"tags": [
@@ -30974,11 +31426,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://twitter.com/luc4m/status/1073181154126254080",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
],
"tags": [
@@ -31181,7 +31633,7 @@
"value": "WScript or CScript Dropper - File"
},
{
- "description": "Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).",
+ "description": "Detects add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).",
"meta": {
"author": "NVISO",
"creation_date": "2020/05/11",
@@ -31193,7 +31645,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"Internal Research",
+ "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_persistence.yml"
],
"tags": [
@@ -31310,8 +31764,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/afwu/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
],
@@ -31444,8 +31898,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/wpbbin.html",
"https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ "https://persistence-info.github.io/Data/wpbbin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml"
],
"tags": [
@@ -31663,8 +32117,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
"https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml"
],
"tags": [
@@ -31789,11 +32243,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
"https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -31875,20 +32329,21 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/samratashok/nishang",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/CsEnox/EventViewer-UACBypass",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/CsEnox/EventViewer-UACBypass",
"https://github.com/NetSPI/PowerUpSQL",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
],
@@ -31922,9 +32377,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
],
"tags": [
@@ -31994,8 +32449,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/rbmaslen/status/1321859647091970051",
"https://twitter.com/tifkin_/status/1321916444557365248",
+ "https://twitter.com/rbmaslen/status/1321859647091970051",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml"
],
"tags": [
@@ -32117,8 +32572,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/powershellprofile.html",
"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://persistence-info.github.io/Data/powershellprofile.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
],
"tags": [
@@ -32383,8 +32838,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/14",
+ "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
],
"tags": [
@@ -32418,8 +32873,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/klinix5/InstallerFileTakeOver",
"https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
+ "https://github.com/klinix5/InstallerFileTakeOver",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
],
"tags": [
@@ -32476,9 +32931,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
"https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
"https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
],
@@ -32513,8 +32968,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
- "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
"https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
+ "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -32538,9 +32993,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
],
"tags": [
@@ -32637,8 +33092,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml"
],
"tags": [
@@ -32830,8 +33285,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml"
],
"tags": [
@@ -32855,8 +33310,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml"
],
"tags": [
@@ -32981,10 +33436,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
],
"tags": [
@@ -33017,9 +33472,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
"https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
],
"tags": [
@@ -33086,8 +33541,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
"https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
+ "https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml"
],
"tags": [
@@ -33177,8 +33632,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
],
"tags": [
@@ -33245,10 +33700,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/cube0x0/CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
"https://github.com/FireFart/hivenightmare",
"https://github.com/search?q=CVE-2021-36934",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
- "https://github.com/cube0x0/CVE-2021-36934",
"https://github.com/HuskyHacks/ShadowSteal",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
],
@@ -33399,10 +33854,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cube0x0/status/1418920190759378944",
- "https://github.com/FireFart/hivenightmare/",
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
"https://github.com/GossiTheDog/HiveNightmare",
+ "https://github.com/FireFart/hivenightmare/",
+ "https://twitter.com/cube0x0/status/1418920190759378944",
+ "https://github.com/WiredPulse/Invoke-HiveNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml"
],
"tags": [
@@ -33495,8 +33950,8 @@
"logsource.product": "windows",
"refs": [
"https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml"
],
"tags": [
@@ -33778,10 +34233,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
"https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
- "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
],
"tags": "No established tags"
@@ -33922,8 +34377,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/fox-it/LDAPFragger",
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
],
"tags": [
@@ -33956,8 +34411,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Sam0x90/status/1552011547974696960",
"https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
+ "https://twitter.com/Sam0x90/status/1552011547974696960",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
],
"tags": [
@@ -34297,11 +34752,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://github.com/Wh04m1001/SysmonEoP",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
],
"tags": [
@@ -34431,8 +34886,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
"https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml"
],
"tags": [
@@ -34754,8 +35209,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml"
],
"tags": [
@@ -34839,8 +35294,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml"
],
"tags": [
@@ -34910,8 +35365,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
"https://github.com/lclevy/firepwd",
+ "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml"
],
"tags": [
@@ -35035,8 +35490,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
"https://twitter.com/notwhickey/status/1333900137232523264",
+ "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
],
"tags": [
@@ -35090,12 +35545,12 @@
"value": "DNS HybridConnectionManager Service Bus"
},
{
- "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes",
+ "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes",
"meta": {
"author": "pH-T",
"creation_date": "2022/07/15",
"falsepositive": [
- "Legitimate access to anonfiles.com"
+ "Rare legitimate access to anonfiles.com"
],
"filename": "dns_query_win_anonymfiles_com.yml",
"level": "high",
@@ -35120,7 +35575,7 @@
}
],
"uuid": "065cceea-77ec-4030-9052-fc0affea7110",
- "value": "DNS Query for Anonfiles.com Domain"
+ "value": "DNS Query for Anonfiles.com Domain - Sysmon"
},
{
"description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
@@ -35136,9 +35591,9 @@
"logsource.product": "windows",
"refs": [
"https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
],
"tags": [
@@ -35202,12 +35657,12 @@
"value": "Regsvr32 Network Activity - DNS"
},
{
- "description": "Detects DNS queries for subdomains used for upload to ufile.io",
+ "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration",
"meta": {
"author": "yatinwad and TheDFIRReport",
"creation_date": "2022/06/23",
"falsepositive": [
- "Legitimate Ufile upload"
+ "Legitimate DNS queries and usage of Ufile"
],
"filename": "dns_query_win_ufile_io.yml",
"level": "high",
@@ -35232,7 +35687,7 @@
}
],
"uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b",
- "value": "DNS Query for Ufile.io Upload Domain"
+ "value": "DNS Query for Ufile.io Upload Domain - Sysmon"
},
{
"description": "Detects DNS queries for subdomains used for upload to MEGA.io",
@@ -35240,7 +35695,7 @@
"author": "Aaron Greetham (@beardofbinary) - NCC Group",
"creation_date": "2021/05/26",
"falsepositive": [
- "Legitimate Mega upload"
+ "Legitimate DNS queries and usage of Mega"
],
"filename": "dns_query_win_mega_nz.yml",
"level": "high",
@@ -35265,7 +35720,7 @@
}
],
"uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3",
- "value": "DNS Query for MEGA.io Upload Domain"
+ "value": "DNS Query for MEGA.io Upload Domain - Sysmon"
},
{
"description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons",
@@ -35299,7 +35754,7 @@
}
],
"uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006",
- "value": "Suspicious Cobalt Strike DNS Beaconing"
+ "value": "Suspicious Cobalt Strike DNS Beaconing - Sysmon"
},
{
"description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)",
@@ -35336,7 +35791,7 @@
"value": "Suspicious TeamViewer Domain Access"
},
{
- "description": "Detects DNS resolution of an .onion address related to Tor routing networks",
+ "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks",
"meta": {
"author": "frack113",
"creation_date": "2022/02/20",
@@ -35366,7 +35821,7 @@
}
],
"uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544",
- "value": "Query Tor Onion Address"
+ "value": "DNS Query Tor Onion Address - Sysmon"
},
{
"description": "Detect suspicious LDAP request from non-Windows application",
@@ -35445,8 +35900,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
"https://twitter.com/neonprimetime/status/1436376497980428318",
+ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml"
],
"tags": [
@@ -35637,8 +36092,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nsudo.m2team.org/en-us/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://nsudo.m2team.org/en-us/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml"
],
"tags": [
@@ -35771,8 +36226,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -35867,12 +36322,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/eral4m/status/1479106975967240209",
- "https://twitter.com/nas_bench/status/1433344116071583746",
- "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
- "https://twitter.com/eral4m/status/1479080793003671557",
"https://twitter.com/Hexacorn/status/885258886428725250",
"https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/eral4m/status/1479106975967240209",
+ "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
+ "https://twitter.com/eral4m/status/1479080793003671557",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml"
],
"tags": [
@@ -36005,8 +36460,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
"https://securelist.com/my-name-is-dtrack/93338/",
+ "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
"https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
],
@@ -36052,39 +36507,6 @@
"uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89",
"value": "WhoAmI as Parameter"
},
- {
- "description": "Detect use of sqlite binary to query the Chrome Cookies database and steal the cookie data contained within it",
- "meta": {
- "author": "TropChaud",
- "creation_date": "2022/12/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_sqlite_chrome_cookies.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1539"
- ]
- },
- "related": [
- {
- "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "24c77512-782b-448a-8950-eddb0785fc71",
- "value": "SQLite Chrome Cookie DB Access"
- },
{
"description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode",
"meta": {
@@ -36181,8 +36603,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
"https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml"
],
"tags": [
@@ -36327,9 +36749,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/frack113/status/1555830623633375232",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/frack113/status/1555830623633375232",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml"
],
"tags": [
@@ -36598,8 +37020,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
"https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+ "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
"https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml"
],
@@ -36715,9 +37137,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "Reegun J (OCBC Bank)",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
"https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
+ "Reegun J (OCBC Bank)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml"
],
"tags": [
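Review bot: `"Reegun J (OCBC Bank)"` on the new side of the `refs` array is an author credit, not a reference, so any consumer that dereferences or link-checks `refs` as URLs will hit a non-URL element. This value is carried over from the old side rather than introduced here, but it is still in the regenerated output; the cleanest fix is upstream in the Sigma rule (moving the credit to `author`), or a filter in the relationship script that drops non-URL strings from `refs`. The enclosing cluster entry starts and ends outside the hunk.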
@@ -36783,8 +37205,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
+ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
"https://github.com/netero1010/TrustedPath-UACBypass-BOF",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml"
],
@@ -36852,10 +37274,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml"
],
"tags": [
@@ -36898,9 +37320,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/1420053502554951689",
- "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
"https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
+ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+ "https://twitter.com/Hexacorn/status/1420053502554951689",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
],
"tags": [
@@ -37021,9 +37443,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/SigmaHQ/sigma/issues/1009",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
"https://redcanary.com/blog/raspberry-robin/",
+ "https://github.com/SigmaHQ/sigma/issues/1009",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml"
],
"tags": [
@@ -37104,9 +37526,9 @@
"logsource.product": "windows",
"refs": [
"https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
],
"tags": [
@@ -37411,8 +37833,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/mandiant/SharPersist",
"https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
+ "https://github.com/mandiant/SharPersist",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml"
],
"tags": [
@@ -37599,8 +38021,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
"https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml"
],
"tags": [
@@ -37826,8 +38248,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1457676633809330184",
"https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
+ "https://twitter.com/0gtweet/status/1457676633809330184",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml"
],
"tags": [
@@ -37895,8 +38317,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml"
],
"tags": [
@@ -37952,10 +38374,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml"
],
@@ -37999,9 +38421,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1534915321856917506",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://twitter.com/nas_bench/status/1534916659676422152",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
+ "https://twitter.com/nas_bench/status/1534915321856917506",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml"
],
"tags": [
@@ -38265,8 +38687,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
"https://twitter.com/harr0ey/status/989617817849876488",
+ "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml"
],
"tags": [
@@ -38610,8 +39032,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"https://github.com/binderlabs/DirCreate2System",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml"
],
@@ -38667,8 +39089,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1562072617552678912",
"https://ss64.com/nt/cmd.html",
+ "https://twitter.com/cyb3rops/status/1562072617552678912",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml"
],
"tags": [
@@ -38701,9 +39123,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
- "https://twitter.com/Hexacorn/status/1187143326673330176",
"https://redcanary.com/blog/raspberry-robin/",
+ "https://twitter.com/Hexacorn/status/1187143326673330176",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml"
],
@@ -38839,10 +39261,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
"https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml"
],
"tags": [
@@ -38926,7 +39348,7 @@
{
"description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework",
"meta": {
- "author": "Ecco, oscd.community, Jonhnathan Ribeiro",
+ "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch",
"creation_date": "2019/09/03",
"falsepositive": [
"Unknown"
@@ -38936,9 +39358,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
+ "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml"
],
@@ -38966,7 +39389,7 @@
}
],
"uuid": "10c14723-61c7-4c75-92ca-9af245723ad2",
- "value": "Impacket Lateralization Detection"
+ "value": "Potential Impacket Lateral Movement Activity"
},
{
"description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)",
@@ -39103,9 +39526,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
],
"tags": [
@@ -39332,8 +39755,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
+ "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml"
],
"tags": [
@@ -39366,8 +39789,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100",
"https://twitter.com/ClearskySec/status/960924755355369472",
+ "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100",
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml"
],
@@ -39461,8 +39884,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
"https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/",
+ "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml"
],
"tags": [
@@ -39635,8 +40058,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
"https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml"
],
"tags": [
@@ -39660,9 +40083,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://www.poweradmin.com/paexec/",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml"
],
"tags": [
@@ -39695,8 +40118,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
"https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml"
],
"tags": [
@@ -39729,8 +40152,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml"
],
"tags": [
@@ -39796,14 +40219,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/SigmaHQ/sigma/issues/3742",
"https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
"https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
],
"tags": [
@@ -39845,8 +40268,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
],
@@ -39880,8 +40303,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml"
],
"tags": [
@@ -40107,8 +40530,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
"https://www.virusradar.com/en/Win32_Kasidet.AD/description",
+ "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml"
],
"tags": [
@@ -40141,8 +40564,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
"https://twitter.com/SBousseaden/status/1207671369963646976",
+ "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
],
"tags": [
@@ -40229,12 +40652,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml"
],
"tags": [
@@ -40284,9 +40707,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml"
],
"tags": [
@@ -40458,10 +40881,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/max_mal_/status/1542461200797163522",
- "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
- "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
"https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
+ "https://twitter.com/max_mal_/status/1542461200797163522",
+ "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
+ "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml"
],
"tags": [
@@ -40540,6 +40963,57 @@
"uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c",
"value": "Password Spraying Attempts Using Dsacls"
},
+ {
+ "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.",
+ "meta": {
+ "author": "TropChaud",
+ "creation_date": "2022/12/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_sqlite_chromium_profile_data.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows",
+ "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1539",
+ "attack.t1555.003",
+ "attack.collection",
+ "attack.t1005"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "24c77512-782b-448a-8950-eddb0785fc71",
+ "value": "SQLite Chromium Profile Data DB Access"
+ },
{
"description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084",
"meta": {
@@ -40553,9 +41027,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
- "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
"https://github.com/h3v0x/CVE-2021-26084_Confluence",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
+ "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml"
],
"tags": [
@@ -40630,8 +41104,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml"
],
"tags": [
@@ -40664,9 +41138,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
"https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
"https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
- "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml"
],
"tags": [
@@ -40792,9 +41266,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://youtu.be/5mqid-7zp8k?t=2481",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://youtu.be/5mqid-7zp8k?t=2481",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml"
],
@@ -40949,9 +41423,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
- "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
"https://twitter.com/_felamos/status/1204705548668555264",
+ "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml"
],
"tags": [
@@ -40984,8 +41458,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
],
"tags": [
@@ -41082,8 +41556,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/harleyQu1nn/AggressorScripts",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
+ "https://github.com/harleyQu1nn/AggressorScripts",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_software_discovery.yml"
],
"tags": [
@@ -41107,8 +41581,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://sourceforge.net/projects/mouselock/",
"https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
+ "https://sourceforge.net/projects/mouselock/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml"
],
"tags": [
@@ -41223,8 +41697,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/17",
+ "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
],
"tags": [
@@ -41382,8 +41856,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
"https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
],
"tags": [
@@ -41552,8 +42026,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
],
@@ -41587,8 +42061,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511489821247684615",
"https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml"
],
"tags": [
@@ -41657,8 +42131,8 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml"
],
"tags": [
@@ -41732,10 +42206,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
"https://twitter.com/ReaQta/status/1222548288731217921",
"https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
"https://www.activecyber.us/activelabs/windows-uac-bypass",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
],
"tags": [
@@ -41769,9 +42243,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
"https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
"https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
+ "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
],
"tags": [
@@ -41804,9 +42278,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://www.revshells.com/",
+ "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
],
"tags": [
@@ -41867,8 +42341,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
"https://twitter.com/vysecurity/status/977198418354491392",
+ "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml"
],
"tags": [
@@ -41902,8 +42376,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
],
"tags": [
@@ -42045,8 +42519,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
"Turla has used fsutil fsinfo drives to list connected drives.",
+ "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
],
"tags": [
@@ -42127,8 +42601,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/993298228840992768",
"https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
+ "https://twitter.com/pabraeken/status/993298228840992768",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml"
],
"tags": [
@@ -42170,8 +42644,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/",
"https://twitter.com/PhilipTsukerman/status/992021361106268161",
+ "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml"
],
"tags": [
@@ -42238,15 +42712,15 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/Neo23x0/Raccine#the-process",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
],
"tags": [
@@ -42281,9 +42755,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
],
"tags": [
@@ -42307,9 +42781,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
],
"tags": [
@@ -42386,8 +42860,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
"https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
+ "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_impersonation_tool.yml"
],
"tags": [
@@ -42519,11 +42993,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
"https://twitter.com/bohops/status/980659399495741441",
"https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
+ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml"
],
"tags": [
@@ -42589,8 +43063,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
+ "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml"
],
"tags": [
@@ -42825,8 +43299,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0",
"https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
+ "https://github.com/cube0x0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml"
],
"tags": "No established tags"
@@ -42847,8 +43321,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
"https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
],
"tags": [
@@ -42881,10 +43355,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
"https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml"
],
"tags": [
@@ -43020,8 +43494,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/",
"https://pentestlab.blog/2020/07/06/indirect-command-execution/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml"
],
"tags": [
@@ -43123,8 +43597,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml"
],
"tags": [
@@ -43148,10 +43622,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/hFireF0X/status/897640081053364225",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
+ "https://twitter.com/hFireF0X/status/897640081053364225",
"https://github.com/hfiref0x/UACME",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml"
],
"tags": [
@@ -43221,8 +43695,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
"https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
+ "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
],
"tags": "No established tags"
@@ -43296,8 +43770,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
],
"tags": [
@@ -43322,10 +43796,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
- "https://twitter.com/cyb3rops/status/1186631731543236608",
"https://github.com/Neo23x0/DLLRunner",
+ "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
+ "https://twitter.com/cyb3rops/status/1186631731543236608",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
],
"tags": [
@@ -43628,8 +44102,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/j0nh4t/status/1429049506021138437",
"https://streamable.com/q2dsji",
+ "https://twitter.com/j0nh4t/status/1429049506021138437",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml"
],
"tags": [
@@ -43694,9 +44168,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml"
],
"tags": [
@@ -43752,8 +44226,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
"https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
+ "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml"
],
"tags": [
@@ -43872,8 +44346,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
"https://attack.mitre.org/software/S0488/",
+ "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml"
],
"tags": [
@@ -43900,8 +44374,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/child-processes/",
"https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
+ "https://redcanary.com/blog/child-processes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml"
],
"tags": [
@@ -43925,10 +44399,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1583356502340870144",
"https://lolbas-project.github.io/lolbas/Binaries/Setres/",
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://twitter.com/0gtweet/status/1583356502340870144",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
],
"tags": [
@@ -43969,11 +44443,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
"https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
"https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml"
],
"tags": [
@@ -44006,9 +44480,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
],
"tags": [
@@ -44041,9 +44515,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/haroonmeer/status/939099379834658817",
"https://twitter.com/c_APT_ure/status/939475433711722497",
"https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
+ "https://twitter.com/haroonmeer/status/939099379834658817",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml"
],
"tags": [
@@ -44404,8 +44878,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
"https://twitter.com/mrd0x/status/1475085452784844803?s=12",
+ "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
],
"tags": "No established tags"
@@ -44533,8 +45007,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
"https://www.echotrail.io/insights/search/defaultpack.exe",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml"
],
"tags": [
@@ -44571,8 +45045,8 @@
"refs": [
"https://twitter.com/gN3mes1s/status/1206874118282448897",
"https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
- "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
+ "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
],
"tags": [
@@ -44702,6 +45176,58 @@
"uuid": "18739897-21b1-41da-8ee4-5b786915a676",
"value": "GALLIUM Artefacts"
},
+ {
+ "description": "Detects suspicious and uncommon child processes of WmiPrvSE",
+ "meta": {
+ "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng",
+ "creation_date": "2021/08/23",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.t1047",
+ "attack.t1204.002",
+ "attack.t1218.010"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937",
+ "value": "Suspicious WmiPrvse Child Process Spawned"
+ },
{
"description": "Detects suspicious command line patterns as seen being used by MERCURY threat actor",
"meta": {
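Review bot: The new entry's `value` spells the parent process `WmiPrvse` while its `description` a few lines earlier spells it `WmiPrvSE`; `value` is the display name analysts search on, so the two should agree, e.g. `"value": "Suspicious WmiPrvSE Child Process Spawned"`. The `filename` field suggests these fields are generated from the referenced Sigma rule, in which case the correction belongs in the upstream rule rather than in this generated file. The enclosing `values` array continues outside the hunk.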
@@ -44962,6 +45488,49 @@
"uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c",
"value": "HandleKatz LSASS Dumper Usage"
},
+ {
+ "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/04/08",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
+ "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1539",
+ "attack.collection",
+ "attack.t1005"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7",
+ "value": "SQLite Firefox Profile Data DB Access"
+ },
{
"description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code",
"meta": {
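Review bot: The added entry's `description` opens with "Detect usage" whereas the other descriptions visible in this commit (the WmiPrvSE entry, the MERCURY entry and the certutil entry in the context lines) open with "Detects"; keeping the same verb form makes the generated cluster read consistently, e.g. `"description": "Detects usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing."`. As the text appears to be taken from the Sigma rule named in `filename`, the wording fix presumably belongs upstream and would then flow into the next regeneration. The enclosing `values` array continues outside the hunk.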
@@ -44975,11 +45544,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
"https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
"https://twitter.com/egre55/status/1087685529016193025",
- "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml"
],
"tags": [
@@ -45055,8 +45624,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://tools.thehacker.recipes/mimikatz/modules",
"Internal Research",
+ "https://tools.thehacker.recipes/mimikatz/modules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml"
],
"tags": "No established tags"
@@ -45221,8 +45790,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml"
],
"tags": [
@@ -45290,10 +45859,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
],
"tags": [
@@ -45471,8 +46040,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
"https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
+ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
],
"tags": [
@@ -45505,10 +46074,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
],
"tags": [
@@ -45585,10 +46154,11 @@
"logsource.product": "windows",
"refs": [
"https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://pentestlab.blog/2017/04/13/hot-potato/",
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
"https://github.com/ohpe/juicy-potato",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://www.localpotato.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml"
],
"tags": [
@@ -45655,8 +46225,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nmap.org/ncat/",
"https://www.revshells.com/",
+ "https://nmap.org/ncat/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml"
],
@@ -45724,8 +46294,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://abuse.io/lockergoga.txt",
"https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
+ "https://abuse.io/lockergoga.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml"
],
"tags": [
@@ -45751,10 +46321,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
"https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml"
],
"tags": [
@@ -45800,9 +46370,9 @@
"value": "Password Cracking with Hashcat"
},
{
- "description": "Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.",
+ "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs",
"meta": {
- "author": "Nasreddine Bencherchali @nas_bench",
+ "author": "Nasreddine Bencherchali",
"creation_date": "2021/12/18",
"falsepositive": [
"Another tool that uses the command line switches of PsLogList",
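Review bot: The rewritten `description` has two grammar slips in the new text: "dump event log" should be "dump event logs" and "delete events logs" should be "delete event logs"; the added clause also reads better with a comma before "or". A corrected line would be `"description": "Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs"`. The description appears to be copied from the upstream Sigma rule, so the fix likely belongs there. The entry continues outside the hunk on both sides.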
@@ -45813,9 +46383,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
- "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
+ "https://twitter.com/EricaZelic/status/1614075109827874817",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml"
],
"tags": [
@@ -45850,9 +46421,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/frack113/status/1555830623633375232",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/frack113/status/1555830623633375232",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml"
],
"tags": [
@@ -45951,9 +46522,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml"
],
"tags": [
@@ -46121,11 +46692,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/885553465417756673",
"https://twitter.com/Hexacorn/status/885570278637678592",
- "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://twitter.com/vysecurity/status/885545634958385153",
+ "https://twitter.com/Hexacorn/status/885553465417756673",
+ "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+ "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml"
],
"tags": [
@@ -46215,9 +46786,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://processhacker.sourceforge.io/",
"https://github.com/winsiderss/systeminformer",
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://processhacker.sourceforge.io/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml"
],
"tags": "No established tags"
@@ -46238,8 +46809,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml"
],
"tags": [
@@ -46319,8 +46890,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
"https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
+ "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml"
],
"tags": [
@@ -46553,9 +47124,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/ps/foreach-object.htmll",
"https://ss64.com/nt/for.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://ss64.com/ps/foreach-object.htmll",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml"
],
"tags": [
@@ -46611,8 +47182,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml"
],
"tags": [
@@ -46754,8 +47325,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/1196390321783025666",
"https://twitter.com/oulusoyum/status/1191329746069655553",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
],
@@ -46798,9 +47369,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
- "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
+ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"
],
"tags": [
@@ -46886,9 +47457,9 @@
"logsource.product": "windows",
"refs": [
"https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
"https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml"
],
"tags": [
@@ -47142,8 +47713,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/med0x2e/vba2clr",
"https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
+ "https://github.com/med0x2e/vba2clr",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml"
],
"tags": [
@@ -47259,9 +47830,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml"
],
"tags": [
@@ -47318,8 +47889,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/blackorbird/status/1140519090961825792",
"https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
+ "https://twitter.com/blackorbird/status/1140519090961825792",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
],
"tags": [
@@ -47489,8 +48060,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml"
],
"tags": [
@@ -47540,8 +48111,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1461041276514623491c19-ps",
"https://twitter.com/tccontre18/status/1480950986650832903",
+ "https://twitter.com/mrd0x/status/1461041276514623491c19-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml"
],
"tags": [
@@ -47719,8 +48290,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ShadowChasing1/status/1552595370961944576",
"https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
+ "https://twitter.com/ShadowChasing1/status/1552595370961944576",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml"
],
"tags": [
@@ -47964,8 +48535,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml"
],
"tags": [
@@ -48023,8 +48594,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
+ "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml"
],
"tags": [
@@ -48134,11 +48705,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
"https://www.joeware.net/freetools/tools/adfind/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml"
],
@@ -48218,8 +48789,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
"https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
+ "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
],
"tags": [
@@ -48446,8 +49017,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://ss64.com/bash/rar.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml"
],
@@ -48611,8 +49182,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/klinix5/InstallerFileTakeOver",
"https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
+ "https://github.com/klinix5/InstallerFileTakeOver",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml"
],
"tags": [
@@ -48846,8 +49417,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/wpbbin.html",
"https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ "https://persistence-info.github.io/Data/wpbbin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml"
],
"tags": [
@@ -48906,14 +49477,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/SigmaHQ/sigma/issues/3742",
"https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
"https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
],
"tags": [
@@ -49078,12 +49649,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
"https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -49108,8 +49679,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
"https://twitter.com/med0x2e/status/1520402518685200384",
+ "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
],
"tags": [
@@ -49315,6 +49886,29 @@
"uuid": "1dd05363-104e-4b4a-b963-196a534b03a1",
"value": "Suspicious Mofcomp Execution"
},
+ {
+ "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2023/01/18",
+ "falsepositive": [
+ "Legitimate sub processes started by Manage Engine ServiceDesk Pro"
+ ],
+ "filename": "proc_creation_win_susp_manageengine_pattern.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.viettelcybersecurity.com/saml-show-stopper/",
+ "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
+ "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "cea2b7ea-792b-405f-95a1-b903ea06458f",
+ "value": "Manage Engine Java Suspicious Sub Process"
+ },
{
"description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities",
"meta": {
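Review bot: The added entry writes `"tags": "No established tags"` as a string, whereas the other entries added in this commit (the WmiPrvSE and SQLite entries) write `tags` as an array and also carry a `related` array; a consumer that iterates `tags` or expects one type per key will break on this entry, and the same sentinel already appears in the context lines of other hunks, so this looks like generator-wide behaviour rather than a one-off. An empty array, `"tags": []`, keeps the key at a single type and lets consumers iterate unconditionally, with the absence of `related` then following naturally from the empty list. Separately, the `falsepositive` text names the product "Manage Engine ServiceDesk Pro" while the `description` says "ServiceDesk Plus"; if these come from the upstream Sigma rule named in `filename`, the naming should be aligned there. The enclosing `values` array continues outside the hunk.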
@@ -49353,9 +49947,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
"https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
- "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml"
],
"tags": [
@@ -49457,8 +50051,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
"https://github.com/defaultnamehere/cookie_crimes/",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
"https://github.com/wunderwuzzi23/firefox-cookiemonster",
"https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml"
@@ -49541,8 +50135,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
"https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml"
],
"tags": [
@@ -49556,7 +50150,7 @@
{
"description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.",
"meta": {
- "author": "Matthew Green - @mgreen27, Florian Roth",
+ "author": "Matthew Green - @mgreen27, Florian Roth, frack113",
"creation_date": "2019/06/15",
"falsepositive": [
"Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist"
@@ -49567,12 +50161,16 @@
"logsource.product": "windows",
"refs": [
"https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
"https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
+ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://twitter.com/christophetd/status/1164506034720952320",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
],
"tags": [
"attack.defense_evasion",
- "attack.t1036.003"
+ "attack.t1036.003",
+ "car.2013-05-009"
]
},
"related": [
@@ -49585,7 +50183,7 @@
}
],
"uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e",
- "value": "Highly Relevant Renamed Binary"
+ "value": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries"
},
{
"description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
@@ -49725,8 +50323,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2288",
"https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
+ "https://adsecurity.org/?p=2288",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml"
],
"tags": [
@@ -49819,8 +50417,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
],
"tags": [
@@ -49877,9 +50475,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
],
"tags": [
@@ -49929,8 +50527,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml"
],
"tags": [
@@ -49988,8 +50586,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
"https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
],
@@ -50056,8 +50654,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
"https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
+ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
],
"tags": [
@@ -50123,8 +50721,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/schroedingers-petya/78870/",
"https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
+ "https://securelist.com/schroedingers-petya/78870/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
],
"tags": [
@@ -50175,8 +50773,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://asec.ahnlab.com/en/38156/",
"https://github.com/fatedier/frp",
+ "https://asec.ahnlab.com/en/38156/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml"
],
"tags": [
@@ -50210,8 +50808,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
"https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
],
"tags": [
@@ -50229,7 +50827,7 @@
}
],
"uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142",
- "value": "Renamed Binary"
+ "value": "Potential Defense Evasion Via Binary Rename"
},
{
"description": "Detects the malicious use of a control panel item",
@@ -50307,6 +50905,31 @@
"uuid": "344482e4-a477-436c-aa70-7536d18a48c7",
"value": "Execution via MSSQL Xp_cmdshell Stored Procedure"
},
+ {
+ "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lsa_disablerestrictedadmin.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
+ "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "28ac00d6-22d9-4a3c-927f-bbd770104573",
+ "value": "Disabled RestrictedAdminMode For RDS - ProcCreation"
+ },
{
"description": "Dump sam, system or security hives using REG.exe utility",
"meta": {
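Review bot: The `falsepositive` field says only "Unknown", yet setting `DisableRestrictedAdmin` is a deliberate hardening choice in some environments — with Restricted Admin mode enabled, an RDP logon can be performed with only an NTLM hash, so baselines that disable the mode will trip this `high` rule on every enforcement run; a line such as `"Hardening baselines or administrative scripts that deliberately set DisableRestrictedAdmin"` would tell analysts what to expect. The description also carries typos ("desable", "has been compromise") that will surface verbatim in the MISP UI; since this file mirrors the upstream rule, both fixes belong in `proc_creation_win_lsa_disablerestrictedadmin.yml` and should flow in on the next regeneration. The `- ProcCreation` suffix suggests a sibling registry-event rule exists; if so, this variant only sees command-line changes (e.g. via `reg.exe`) and not direct registry API writes, which is worth stating in the description.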
@@ -50320,10 +50943,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
],
"tags": [
@@ -50373,11 +50996,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
"https://www.joeware.net/freetools/tools/adfind/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
],
@@ -50421,10 +51044,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
- "https://twitter.com/cyberwar_15/status/1187287262054076416",
"https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
"https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://twitter.com/cyberwar_15/status/1187287262054076416",
"https://blog.alyac.co.kr/1901",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
],
@@ -50535,8 +51158,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/kagancapar/CVE-2022-29072",
"https://twitter.com/kagancapar/status/1515219358234161153",
+ "https://github.com/kagancapar/CVE-2022-29072",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml"
],
"tags": [
@@ -50559,8 +51182,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/quarkslab/quarkspwdump",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
+ "https://github.com/quarkslab/quarkspwdump",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml"
],
"tags": [
@@ -50626,9 +51249,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
"https://twitter.com/nas_bench/status/1534957360032120833",
"https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"
],
"tags": [
@@ -50678,8 +51301,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml"
],
"tags": [
@@ -50761,8 +51384,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml"
],
"tags": [
@@ -51059,8 +51682,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
+ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
],
"tags": [
@@ -51134,9 +51757,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/mshta.exe",
- "https://en.wikipedia.org/wiki/HTML_Application",
"https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://en.wikipedia.org/wiki/HTML_Application",
+ "https://www.echotrail.io/insights/search/mshta.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml"
],
"tags": [
@@ -51191,8 +51814,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/3proxy/3proxy",
"https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml"
],
"tags": [
@@ -51212,6 +51835,31 @@
"uuid": "f38a82d2-fba3-4781-b549-525efbec8506",
"value": "3Proxy Usage"
},
+ {
+ "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_driverquery_recon.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
+ ],
+ "tags": [
+ "attack.discovery"
+ ]
+ },
+ "uuid": "9fc3072c-dc8f-4bf7-b231-18950000fadd",
+ "value": "Potential Recon Activity Using DriverQuery.EXE"
+ },
{
"description": "Detects a suspicious curl process start the adds a file to a web request",
"meta": {
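Review bot: `"level": "high"` combined with `"falsepositive": ["Unknown"]` is a strong pairing for a built-in enumeration tool: `driverquery.exe` is a standard Windows utility that administrators and inventory agents run, so the three Ursnif references establish adversary use but not rarity, and the high level will be noisy unless the underlying Sigma logic is narrower than the description implies (the detection logic itself is not part of this galaxy entry). The tags list carries only the tactic `attack.discovery` with no technique id, so the relationship script presumably produces no `related` entry for this cluster (other entries in the file derive `related` from their `attack.tNNNN` tags); the closest mapping would be `attack.t1082`, but as elsewhere that belongs in the upstream rule. At minimum a falsepositive note such as `"Administrators or inventory tooling querying installed drivers"` should replace "Unknown".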
@@ -51303,8 +51951,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Tylous/ZipExec",
"https://twitter.com/SBousseaden/status/1451237393017839616",
+ "https://github.com/Tylous/ZipExec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml"
],
"tags": [
@@ -51484,9 +52132,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml"
],
"tags": [
@@ -51519,8 +52167,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/994405551751815170",
"https://redcanary.com/blog/lateral-movement-winrm-wmi/",
+ "https://twitter.com/bohops/status/994405551751815170",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml"
],
"tags": [
@@ -51580,10 +52228,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1211636381086339073",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
"https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
+ "https://twitter.com/SBousseaden/status/1211636381086339073",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
],
"tags": [
@@ -51730,8 +52378,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -51828,9 +52476,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
],
"tags": [
@@ -51850,73 +52498,6 @@
"uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b",
"value": "Use NTFS Short Name in Image"
},
- {
- "description": "Detects the execution of a renamed PowerShell often used by attackers or malware",
- "meta": {
- "author": "Florian Roth, frack113",
- "creation_date": "2019/08/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_powershell.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/christophetd/status/1164506034720952320",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml"
- ],
- "tags": [
- "car.2013-05-009",
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20",
- "value": "Renamed PowerShell"
- },
- {
- "description": "Detect use of sqlite binary to query the Firefox cookies.sqlite database and steal the cookie data contained within it",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/04/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_sqlite_firefox_cookies.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1539"
- ]
- },
- "related": [
- {
- "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7",
- "value": "SQLite Firefox Cookie DB Access"
- },
{
"description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal",
"meta": {
@@ -51931,8 +52512,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/hexacorn/status/1448037865435320323",
"https://twitter.com/Gal_B1t/status/1062971006078345217",
+ "https://twitter.com/hexacorn/status/1448037865435320323",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml"
],
"tags": [
@@ -52005,8 +52586,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
"https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml"
],
"tags": [
@@ -52074,8 +52655,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/948061991012327424",
"https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+ "https://twitter.com/bohops/status/948061991012327424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml"
],
"tags": [
@@ -52256,27 +52837,6 @@
"uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c",
"value": "Execute From Alternate Data Streams"
},
- {
- "description": "Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_rundll32.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2",
- "value": "Renamed Rundll32.exe Execution"
- },
{
"description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.",
"meta": {
@@ -52324,8 +52884,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_JohnHammond/status/1531672601067675648",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/_JohnHammond/status/1531672601067675648",
"https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml"
],
@@ -52344,7 +52904,7 @@
}
],
"uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5",
- "value": "Execute Arbitrary Commands Using MSDT.EXE"
+ "value": "Potential Arbitrary Command Execution Using MSDT.EXE"
},
{
"description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n",
@@ -52425,11 +52985,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
"https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://twitter.com/BleepinComputer/status/1372218235949617161",
"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
+ "https://twitter.com/BleepinComputer/status/1372218235949617161",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
],
"tags": [
@@ -53020,8 +53580,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
],
@@ -53047,8 +53607,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml"
],
"tags": [
@@ -53106,8 +53666,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/regsvr32.exe",
"https://redcanary.com/blog/intelligence-insights-april-2022/",
+ "https://www.echotrail.io/insights/search/regsvr32.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml"
],
"tags": [
@@ -53175,9 +53735,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
- "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html",
"https://github.com/lukebaggett/dnscat2-powershell",
+ "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html",
+ "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml"
],
"tags": [
@@ -53275,9 +53835,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
"https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/",
"https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
- "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml"
],
"tags": [
@@ -53345,8 +53905,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
"http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
+ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml"
],
"tags": [
@@ -53415,8 +53975,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml"
],
"tags": [
@@ -53799,8 +54359,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
"https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
],
"tags": [
@@ -53825,9 +54385,9 @@
"logsource.product": "windows",
"refs": [
"https://nodejs.org/api/cli.html",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
"https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
],
"tags": [
@@ -53860,8 +54420,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
"https://twitter.com/JohnLaTwC/status/1082851155481288706",
+ "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml"
],
"tags": [
@@ -53894,9 +54454,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/hfiref0x/UACME",
+ "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
],
"tags": [
@@ -53930,8 +54490,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
"https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
+ "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml"
],
"tags": [
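Review bot: The ref re-added on the new side of this hunk, `https://www.google.com/url?hl=en&q=https://embedi.com/...&usg=...`, is a Google redirect carrying session-specific `ust`/`usg` parameters rather than the cited source, so it can stop resolving and routes readers through a tracking endpoint instead of the article. Prefer the direct target, `"https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"`, or a web.archive.org snapshot of it, as this file already does for the FireEye Sanny post elsewhere in the diff. If this galaxy is regenerated from the upstream Sigma rule, the fix belongs in proc_creation_win_exploit_cve_2017_11882.yml rather than here, otherwise it will be overwritten on the next sync.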
@@ -54064,10 +54624,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2604",
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
+ "https://adsecurity.org/?p=2604",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -54100,9 +54660,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/990717080805789697",
- "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
+ "https://twitter.com/pabraeken/status/990717080805789697",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml"
],
"tags": [
@@ -54161,8 +54721,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://taggart-tech.com/quasar-electron/",
"https://github.com/mttaggart/quasar",
+ "https://taggart-tech.com/quasar-electron/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
],
"tags": [
@@ -54219,11 +54779,11 @@
"logsource.product": "windows",
"refs": [
"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
+ "https://twitter.com/SBousseaden/status/1167417096374050817",
+ "https://twitter.com/Wietze/status/1542107456507203586",
"https://twitter.com/shantanukhande/status/1229348874298388484",
"https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
- "https://twitter.com/SBousseaden/status/1167417096374050817",
- "https://twitter.com/Hexacorn/status/1224848930795552769",
- "https://twitter.com/Wietze/status/1542107456507203586",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml"
],
"tags": [
@@ -54259,16 +54819,16 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
"https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml"
],
"tags": [
@@ -54401,8 +54961,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
"https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml"
],
"tags": [
@@ -54491,9 +55051,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/990758590020452353",
"https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
+ "https://twitter.com/pabraeken/status/990758590020452353",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
],
"tags": [
@@ -54644,8 +55204,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://curl.se/docs/manpage.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
+ "https://curl.se/docs/manpage.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml"
],
"tags": [
@@ -54719,7 +55279,32 @@
]
},
"uuid": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf",
- "value": "Wevtutil Recon"
+ "value": "Potential Recon Activity Using Wevtutil"
+ },
+ {
+ "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/19",
+ "falsepositive": [
+ "Legitimate use by third party tools in order to investigate installed drivers"
+ ],
+ "filename": "proc_creation_win_driverquery_usage.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
+ ],
+ "tags": [
+ "attack.discovery"
+ ]
+ },
+ "uuid": "a20def93-0709-4eae-9bd2-31206e21e6b2",
+ "value": "DriverQuery.EXE Usage"
},
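Review bot: The description of the new DriverQuery.EXE entry is split into a sentence fragment (`"Detect usage of the \"driverquery\" utility. Which can be used ..."`) and uses "Detect" where the neighbouring entries use "Detects"; suggest `"Detects usage of the \"driverquery\" utility, which can be used to perform reconnaissance on installed drivers"`. The entry also carries only the tactic tag `attack.discovery` with no `attack.tXXXX` technique tag and no `related` array, unlike its siblings, so it will not link to any ATT&CK cluster — presumably because no specific technique was available when the rule was written, but worth confirming. Given `level` is medium for bare execution of a stock Windows binary and the `falsepositive` entry already admits routine use by third-party tooling, deployers should expect to tune this per environment. Separately, the rename at the top of the hunk keeps the uuid but changes `value` from `Wevtutil Recon`; if any consumer tags events by the value string rather than the uuid, those tags will no longer resolve — verify against how the galaxy importer handles renames. If this file is generated from SigmaHQ, the wording fix belongs in proc_creation_win_driverquery_usage.yml upstream.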
{
"description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM",
@@ -54734,9 +55319,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
"https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml"
],
"tags": [
@@ -54778,8 +55363,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
"https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml"
],
"tags": [
@@ -54812,10 +55397,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vysecurity/status/974806438316072960",
- "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
"https://twitter.com/vysecurity/status/873181705024266241",
+ "https://twitter.com/vysecurity/status/974806438316072960",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
],
"tags": [
@@ -54848,8 +55433,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://twitter.com/bopin2020/status/1366400799199272960",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml"
],
"tags": [
@@ -54883,8 +55468,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
],
"tags": [
@@ -54925,9 +55510,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/jpillora/chisel/",
"https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
- "https://github.com/jpillora/chisel/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml"
],
"tags": [
@@ -55118,8 +55703,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml"
],
@@ -55144,8 +55729,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml"
],
"tags": [
@@ -55605,9 +56190,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
"https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
"https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml"
],
"tags": [
@@ -55673,10 +56258,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
"https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/",
- "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
"https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
+ "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
+ "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml"
],
"tags": [
@@ -55712,9 +56297,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml"
],
"tags": [
@@ -55794,48 +56379,6 @@
"uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448",
"value": "Tamper Windows Defender Remove-MpPreference"
},
- {
- "description": "Detects WMI spawning a PowerShell process",
- "meta": {
- "author": "Markus Neis / @Karneades",
- "creation_date": "2019/04/03",
- "falsepositive": [
- "AppvClient",
- "CCM"
- ],
- "filename": "proc_creation_win_wmi_spwns_powershell.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6",
- "value": "WMI Spawning Windows PowerShell"
- },
{
"description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27",
"meta": {
@@ -55849,9 +56392,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://www.intrinsec.com/apt27-analysis/",
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
],
"tags": [
@@ -55996,9 +56539,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
+ "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
],
"tags": [
@@ -56056,8 +56599,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
"https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
+ "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml"
],
"tags": [
@@ -56175,8 +56718,8 @@
"logsource.product": "windows",
"refs": [
"https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2",
- "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml"
],
"tags": [
@@ -56320,8 +56863,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
+ "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml"
],
"tags": [
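Review bot: The re-added ref `"https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)"` mixes a URL with a free-text annotation, so any consumer that renders `refs` entries as links will produce a broken link with a URL-encoded suffix. Keep the ref as `"https://attack.mitre.org/software/S0246/"` and move the "Lazarus HARDRAIN" note into the entry's description, which sits outside this hunk. If the galaxy is regenerated from the Sigma rule, the change should go into proc_creation_win_netsh_fw_add.yml upstream so it is not overwritten on the next sync.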
@@ -56354,8 +56897,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md",
"https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml"
],
"tags": [
@@ -56446,10 +56989,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/antonioCoco/RogueWinRM",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://github.com/antonioCoco/RogueWinRM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
],
"tags": [
@@ -56482,11 +57025,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
- "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
- "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
"https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
+ "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
+ "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
"https://www.joesandbox.com/analysis/443736/0/html",
+ "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml"
],
"tags": [
@@ -56520,8 +57063,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml"
],
"tags": [
@@ -56545,8 +57088,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://redcanary.com/threat-detection-report/",
"https://www.cobaltstrike.com/help-windows-executable",
+ "https://redcanary.com/threat-detection-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml"
],
"tags": [
@@ -56613,7 +57156,7 @@
"value": "Network Sniffing"
},
{
- "description": "Detects a suspicious parents of powershell.exe process",
+ "description": "Detects a suspicious or uncommon parent processes of PowerShell",
"meta": {
"author": "Teymur Kheirkhabarov, Harish Segar (rule)",
"creation_date": "2020/03/20",
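Review bot: The rewritten description on the new side still has a number-agreement error: `Detects a suspicious or uncommon parent processes of PowerShell` pairs the article "a" with the plural "processes". Suggest `"Detects suspicious or uncommon parent processes of PowerShell"`. The rest of the entry (falsepositives, tags, uuid) lies outside this hunk, and if this file is regenerated from SigmaHQ the fix belongs in the upstream rule rather than in the generated JSON.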
@@ -56658,10 +57201,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
- "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
"https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
"https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
+ "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml"
],
"tags": [
@@ -56694,10 +57237,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://twitter.com/splinter_code/status/1483815103279603714",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml"
],
"tags": "No established tags"
@@ -56718,9 +57261,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
"https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
"https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
],
"tags": [
@@ -56821,9 +57364,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
"https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
"https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml"
],
"tags": [
@@ -56889,8 +57432,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml"
],
"tags": [
@@ -56958,8 +57501,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
"https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
"https://github.com/fireeye/DueDLLigence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
],
@@ -57026,9 +57569,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
"https://github.com/tevora-threat/SharpView/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml"
],
"tags": [
@@ -57079,8 +57622,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml"
],
"tags": [
@@ -57105,8 +57648,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml"
],
"tags": [
@@ -57206,8 +57749,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/software/S0108/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
+ "https://attack.mitre.org/software/S0108/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml"
],
"tags": [
@@ -57265,8 +57808,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://tools.thehacker.recipes/mimikatz/modules",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://tools.thehacker.recipes/mimikatz/modules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml"
],
"tags": [
@@ -57391,9 +57934,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/defaultnamehere/cookie_crimes/",
- "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
"https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
+ "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml"
],
"tags": [
@@ -57532,8 +58075,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cyber.wtf/2021/11/15/guess-whos-back/",
"https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html",
+ "https://cyber.wtf/2021/11/15/guess-whos-back/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml"
],
"tags": [
@@ -57624,8 +58167,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml"
],
"tags": [
@@ -57648,9 +58191,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/neonprimetime/status/1435584010202255375",
"https://www.joesandbox.com/analysis/476188/1/iochtml",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
+ "https://twitter.com/neonprimetime/status/1435584010202255375",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml"
],
"tags": [
@@ -57683,8 +58226,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hvs-consulting.de/lazarus-report/",
"https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
+ "https://www.hvs-consulting.de/lazarus-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml"
],
"tags": [
@@ -57744,9 +58287,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml"
],
"tags": [
@@ -57941,8 +58484,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
],
"tags": [
@@ -58072,7 +58615,7 @@
"Unknown"
],
"filename": "proc_creation_win_wmiprvse_spawning_process.yml",
- "level": "high",
+ "level": "medium",
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
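Review bot: The severity for proc_creation_win_wmiprvse_spawning_process.yml drops from high to medium while its falsepositive entry remains "Unknown", so nothing in the record explains why WmiPrvSE spawning a child process, a common lateral-movement indicator, now warrants a lower alert priority. If this cluster mirrors the upstream SigmaHQ rule, the rationale presumably lives in the upstream rule change and the falsepositive list should be refreshed from there in the same sync; otherwise the justification belongs next to the `"level"` field. Consumers that map `level` to alert priority will see this rule quietly demoted, so the downgrade is worth calling out in the commit message rather than folding it silently into a multi-thousand-line regeneration. The enclosing object starts and ends outside this hunk.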
@@ -58094,7 +58637,7 @@
}
],
"uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d",
- "value": "Wmiprvse Spawning Process"
+ "value": "WmiPrvSE Spawned A Process"
},
{
"description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it",
@@ -58109,8 +58652,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+ "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml"
],
"tags": [
@@ -58177,8 +58720,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://dtm.uk/wuauclt/",
"https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/",
+ "https://dtm.uk/wuauclt/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml"
],
"tags": [
@@ -58237,8 +58780,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
"https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
+ "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
],
"tags": [
@@ -58321,10 +58864,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
],
"tags": [
@@ -58348,8 +58891,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
"https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
+ "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
],
"tags": [
@@ -58373,9 +58916,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
"http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
+ "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml"
],
"tags": [
@@ -58489,8 +59032,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
"https://twitter.com/kmkz_security/status/1220694202301976576",
+ "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml"
],
"tags": [
@@ -58523,9 +59066,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://securelist.com/apt-slingshot/84312/",
"https://twitter.com/cyb3rops/status/972186477512839170",
"https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=",
- "https://securelist.com/apt-slingshot/84312/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml"
],
"tags": [
@@ -58559,9 +59102,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.xuetr.com/",
"https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "http://www.xuetr.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml"
],
"tags": "No established tags"
@@ -58583,13 +59126,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
"https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
- "https://ngrok.com/docs",
+ "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
"https://twitter.com/xorJosh/status/1598646907802451969",
+ "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://ngrok.com/docs",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml"
],
"tags": [
@@ -58669,10 +59212,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
"https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
],
"tags": [
@@ -58705,8 +59248,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml"
],
"tags": [
@@ -58756,9 +59299,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/999090532839313408",
"https://twitter.com/pabraeken/status/995837734379032576",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
+ "https://twitter.com/pabraeken/status/999090532839313408",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml"
],
"tags": [
@@ -58825,8 +59368,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120",
"https://twitter.com/mattifestation/status/735261176745988096",
+ "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml"
],
"tags": [
@@ -58908,8 +59451,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/1477717351017680899?s=12",
"https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
+ "https://twitter.com/bohops/status/1477717351017680899?s=12",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
],
@@ -58933,9 +59476,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1564968845726580736",
"https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+ "https://twitter.com/0gtweet/status/1564968845726580736",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
],
"tags": [
@@ -58965,7 +59508,7 @@
"value": "Suspicious Ldifde Command Usage"
},
{
- "description": "Detects a suspicious child process of a Windows shell",
+ "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.",
"meta": {
"author": "Florian Roth, Tim Shelton",
"creation_date": "2018/04/06",
@@ -59013,7 +59556,7 @@
}
],
"uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde",
- "value": "Windows Shell Spawning Suspicious Program"
+ "value": "Windows Shell/Scripting Processes Spawning Suspicious Programs"
},
{
"description": "Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges",
@@ -59028,10 +59571,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
- "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
+ "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml"
],
"tags": [
@@ -59131,10 +59674,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
"https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml"
],
"tags": [
@@ -59352,8 +59895,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege",
"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388",
+ "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml"
],
"tags": [
@@ -59419,8 +59962,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://twitter.com/bopin2020/status/1366400799199272960",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml"
],
"tags": [
@@ -59545,8 +60088,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
"https://github.com/GhostPack/Rubeus",
+ "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
"https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml"
],
@@ -59660,10 +60203,10 @@
"logsource.product": "windows",
"refs": [
"https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
- "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
"https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml"
],
"tags": [
@@ -59902,9 +60445,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
"https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
"https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
"https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml"
],
@@ -59973,8 +60516,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
"https://twitter.com/0gtweet/status/1474899714290208777?s=12",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml"
],
"tags": "No established tags"
@@ -59995,8 +60538,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml"
],
"tags": [
@@ -60134,8 +60677,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml"
],
"tags": [
@@ -60311,8 +60854,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html",
"https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml"
],
"tags": [
@@ -60335,7 +60878,7 @@
"value": "Regsvr32 Anomaly"
},
{
- "description": "Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities",
+ "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities",
"meta": {
"author": "frack113, Nasreddine Bencherchali",
"creation_date": "2021/12/26",
@@ -60347,9 +60890,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml"
],
"tags": [
@@ -60449,8 +60992,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Oddvarmoe/status/993383596244258816",
"https://twitter.com/_st0pp3r_/status/1560072680887525378",
+ "https://twitter.com/Oddvarmoe/status/993383596244258816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml"
],
"tags": [
@@ -60584,9 +61127,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml"
],
"tags": [
@@ -60676,8 +61219,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml"
],
"tags": [
@@ -60718,10 +61261,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
- "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
+ "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
],
"tags": [
@@ -60741,39 +61284,6 @@
"uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a",
"value": "Use of VisualUiaVerifyNative.exe"
},
- {
- "description": "Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.",
- "meta": {
- "author": "Tim Rauch",
- "creation_date": "2022/09/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_cmd_exectution_via_wmi.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_exectution_via_wmi.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ]
- },
- "related": [
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e31f89f7-36fb-4697-8ab6-48823708353b",
- "value": "Suspicious Cmd Execution via WMI"
- },
{
"description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service",
"meta": {
@@ -60922,8 +61432,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/swagkarna/Defeat-Defender-V1.2.0",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml"
],
"tags": [
@@ -61016,9 +61526,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
"https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
],
"tags": [
@@ -61062,8 +61572,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml"
],
"tags": [
@@ -61087,8 +61597,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_psexec.yml"
],
"tags": [
@@ -61294,9 +61804,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -61320,9 +61830,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/hfiref0x/UACME",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
],
"tags": [
@@ -61438,8 +61948,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml"
],
"tags": [
@@ -61644,41 +62154,6 @@
"uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563",
"value": "Suspicious Reg Add Open Command"
},
- {
- "description": "Detects the execution of a renamed PsExec often used by attackers or malware",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/05/21",
- "falsepositive": [
- "Software that illegaly integrates PsExec in a renamed form",
- "Administrators that have renamed PsExec and no one knows why"
- ],
- "filename": "proc_creation_win_renamed_psexec.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_psexec.yml"
- ],
- "tags": [
- "car.2013-05-009",
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2",
- "value": "Renamed PsExec"
- },
{
"description": "Detects suspicious file execution by wscript and cscript",
"meta": {
@@ -61825,8 +62300,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
"https://redcanary.com/threat-detection-report/threats/qbot/",
+ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml"
],
"tags": [
@@ -61850,8 +62325,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
"https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
+ "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml"
],
"tags": [
@@ -61897,7 +62372,7 @@
"value": "EvilNum Golden Chickens Deployment via OCX Files"
},
{
- "description": "Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities",
+ "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities",
"meta": {
"author": "Nasreddine Bencherchali",
"creation_date": "2022/09/09",
@@ -62113,10 +62588,10 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
- "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
- "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
],
"tags": [
@@ -62143,7 +62618,7 @@
}
],
"uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5",
- "value": "Suspicious Eventlog Clear or Configuration Using Wevtutil"
+ "value": "Suspicious Eventlog Clear or Configuration Change"
},
{
"description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen",
@@ -62218,8 +62693,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml"
],
"tags": [
@@ -62431,8 +62906,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/Seatbelt",
"https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
+ "https://github.com/GhostPack/Seatbelt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml"
],
"tags": [
@@ -62601,9 +63076,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
- "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
+ "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
"https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
],
@@ -62638,8 +63113,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
"https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml"
],
"tags": [
@@ -62663,8 +63138,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml"
],
"tags": [
@@ -62814,10 +63289,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://twitter.com/splinter_code/status/1483815103279603714",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml"
],
"tags": "No established tags"
@@ -62967,8 +63442,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml"
],
"tags": [
@@ -63167,8 +63642,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
"https://github.com/shantanu561993/SharpChisel",
+ "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml"
],
"tags": [
@@ -63202,8 +63677,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml"
],
"tags": [
@@ -63227,10 +63702,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.sevagas.com/?Hacking-around-HTA-files",
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
- "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
"https://twitter.com/mattifestation/status/1326228491302563846",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
+ "http://blog.sevagas.com/?Hacking-around-HTA-files",
+ "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
"https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml"
],
@@ -63419,8 +63894,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
"https://twitter.com/harr0ey/status/991670870384021504",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml"
],
"tags": [
@@ -63453,9 +63928,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
],
"tags": [
@@ -63488,8 +63963,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
+ "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
],
"tags": [
@@ -63579,9 +64054,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml"
],
"tags": [
@@ -63614,8 +64089,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
"https://twitter.com/Moriarty_Meng/status/984380793383370752",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml"
],
"tags": [
@@ -63913,8 +64388,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml"
],
"tags": [
@@ -64198,8 +64673,8 @@
"logsource.product": "windows",
"refs": [
"https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://www.exploit-db.com/exploits/37525",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
],
"tags": [
@@ -64438,8 +64913,8 @@
"refs": [
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://twitter.com/cglyer/status/1355171195654709249",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml"
],
"tags": [
@@ -64536,10 +65011,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
"https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
"https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
],
@@ -64726,11 +65201,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
+ "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml"
],
"tags": [
@@ -64763,8 +65238,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
"https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
+ "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml"
],
"tags": [
@@ -64901,9 +65376,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://www.poweradmin.com/paexec/",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml"
],
"tags": [
@@ -64936,8 +65411,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/1ZRR4H/status/1534259727059787783",
"https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
+ "https://twitter.com/1ZRR4H/status/1534259727059787783",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml"
],
"tags": [
@@ -65097,10 +65572,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
"https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
"https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
"https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
- "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml"
],
"tags": [
@@ -65133,9 +65608,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
+ "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml"
],
"tags": [
@@ -65323,8 +65798,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml"
],
@@ -65456,8 +65931,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc",
"https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
],
"tags": [
@@ -65501,9 +65976,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/software/S0404/",
- "https://twitter.com/vxunderground/status/1423336151860002816",
"https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://twitter.com/vxunderground/status/1423336151860002816",
+ "https://attack.mitre.org/software/S0404/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml"
],
"tags": [
@@ -65544,9 +66019,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml"
],
"tags": [
@@ -65710,8 +66185,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml"
],
"tags": [
@@ -65962,9 +66437,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://vms.drweb.fr/virus/?i=24144899",
"https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
+ "https://vms.drweb.fr/virus/?i=24144899",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://twitter.com/JohnLaTwC/status/1415295021041979392",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml"
],
@@ -66190,8 +66665,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/986280382042595328",
"https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html",
+ "https://twitter.com/mattifestation/status/986280382042595328",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml"
],
"tags": [
@@ -66309,8 +66784,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml"
],
"tags": [
@@ -66417,9 +66892,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
"https://twitter.com/pabraeken/status/993298228840992768",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
],
"tags": [
@@ -66493,57 +66968,6 @@
"uuid": "7090adee-82e2-4269-bd59-80691e7c6338",
"value": "CHCP CodePage Locale Lookup"
},
- {
- "description": "This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.",
- "meta": {
- "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)",
- "creation_date": "2021/08/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_lolbins_with_wmiprvse_parent_process.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml"
- ],
- "tags": [
- "attack.t1204.002",
- "attack.t1047",
- "attack.t1218.010",
- "attack.execution",
- "attack.defense_evasion"
- ]
- },
- "related": [
- {
- "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937",
- "value": "Lolbins Process Creation with WmiPrvse"
- },
{
"description": "Detects actions caused by the RedMimicry Winnti playbook",
"meta": {
@@ -66642,9 +67066,9 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/bohops/status/1276357235954909188?s=12",
- "https://twitter.com/CyberRaiju/status/1273597319322058752",
"https://twitter.com/nas_bench/status/1535322450858233858",
"https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
+ "https://twitter.com/CyberRaiju/status/1273597319322058752",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml"
],
"tags": [
@@ -66668,10 +67092,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://twitter.com/lefterispan/status/1286259016436514816",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml"
],
"tags": [
@@ -66759,6 +67183,48 @@
"uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da",
"value": "Pubprn.vbs Proxy Execution"
},
+ {
+ "description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a signe of remote access via WMI",
+ "meta": {
+ "author": "Markus Neis @Karneades",
+ "creation_date": "2019/04/03",
+ "falsepositive": [
+ "AppvClient",
+ "CCM"
+ ],
+ "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6",
+ "value": "WmiPrvSE Spawned PowerShell"
+ },
{
"description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity",
"meta": {
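Review bot: `signe` in the new description `"Detects Powershell as a child of the WmiPrvSE process. Which could be a signe of remote access via WMI"` is a typo for `sign`; if the text is copied verbatim from the Sigma rule `proc_creation_win_wmiprvse_spawns_powershell.yml`, the fix belongs upstream and will be picked up on the next regeneration, otherwise it can be corrected in place. The two `related` entries appear to map the `attack.t1047` and `attack.t1059.001` tags to their ATT&CK cluster uuids, which is consistent with the other entries in this file. Separately, the hunk at @@ -66493 drops the cluster `8a582fe2-0882-4b89-a82a-da6b2dc32937` (`Lolbins Process Creation with WmiPrvse`) outright, so any MISP event already tagged with that cluster uuid will stop resolving; it may be worth checking whether the convention for this galaxy is to keep removed rules and mark them deprecated rather than delete them.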
@@ -66888,13 +67354,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://pentestlab.blog/tag/ntds-dit/",
- "https://github.com/zcgonvh/NTDSDumpEx",
"https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://github.com/zcgonvh/NTDSDumpEx",
+ "https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
],
"tags": [
@@ -66927,9 +67393,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml"
],
"tags": [
@@ -66962,13 +67428,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
- "https://twitter.com/CyberRaiju/status/1251492025678983169",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
"https://www.cobaltstrike.com/help-opsec",
- "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
"https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml"
],
"tags": [
@@ -67034,8 +67500,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
"https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
@@ -67115,8 +67581,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
],
"tags": [
@@ -67185,8 +67651,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
],
"tags": [
@@ -67277,8 +67743,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
"https://lolbas-project.github.io/lolbas/Binaries/Replace/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
],
"tags": [
@@ -67345,8 +67811,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/991335019833708544",
"https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
+ "https://twitter.com/pabraeken/status/991335019833708544",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml"
],
"tags": [
@@ -67448,8 +67914,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hvs-consulting.de/lazarus-report/",
"https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
+ "https://www.hvs-consulting.de/lazarus-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml"
],
"tags": [
@@ -67484,8 +67950,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://www.joeware.net/freetools/tools/adfind/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml"
],
"tags": [
@@ -67531,8 +67997,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/child-processes/",
"https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
+ "https://redcanary.com/blog/child-processes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml"
],
"tags": [
@@ -67598,8 +68064,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml"
],
"tags": [
@@ -67632,8 +68098,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/ch2sh/Jlaive",
"https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
+ "https://github.com/ch2sh/Jlaive",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml"
],
"tags": [
@@ -67735,9 +68201,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
],
"tags": [
@@ -67828,9 +68294,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml"
],
"tags": [
@@ -67856,10 +68322,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
"https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
"https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml"
],
"tags": [
@@ -67979,8 +68445,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/sensepost/ruler",
"https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://github.com/sensepost/ruler",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml"
],
"tags": [
@@ -68068,19 +68534,20 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/samratashok/nishang",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://adsecurity.org/?p=2921",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://adsecurity.org/?p=2921",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
"https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml"
],
"tags": [
@@ -68313,9 +68780,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
- "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
"http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
+ "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
+ "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml"
],
"tags": [
@@ -68348,8 +68815,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1465058133303246867",
"https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
+ "https://twitter.com/mrd0x/status/1465058133303246867",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml"
],
"tags": [
@@ -68383,8 +68850,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml"
],
"tags": [
@@ -68443,10 +68910,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://twitter.com/lefterispan/status/1286259016436514816",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"
],
"tags": [
@@ -68694,8 +69161,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
"https://twitter.com/harr0ey/status/992008180904419328",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"
],
"tags": [
@@ -68728,8 +69195,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
"https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19",
+ "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml"
],
"tags": [
@@ -68796,8 +69263,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586",
"https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml"
],
"tags": [
@@ -68831,8 +69298,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
"http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"
],
"tags": [
@@ -68980,8 +69447,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
"https://mobile.twitter.com/0gtweet/status/1564131230941122561",
+ "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml"
],
"tags": [
@@ -69031,8 +69498,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml"
],
"tags": [
@@ -69156,8 +69623,9 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection",
- "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
+ "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
],
"tags": [
@@ -69207,9 +69675,9 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://twitter.com/mvelazco/status/1410291741241102338",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
],
"tags": [
@@ -69233,7 +69701,7 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
+ "https://www.nextron-systems.com/?s=antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_relevant_files.yml"
],
"tags": [
@@ -69256,7 +69724,7 @@
{
"description": "Detects a highly relevant Antivirus alert that reports an exploitation framework",
"meta": {
- "author": "Florian Roth",
+ "author": "Florian Roth, Arnim Rupp",
"creation_date": "2018/09/09",
"falsepositive": [
"Unlikely"
@@ -69266,7 +69734,10 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
+ "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
+ "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
],
"tags": [
@@ -69298,7 +69769,7 @@
{
"description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool",
"meta": {
- "author": "Florian Roth",
+ "author": "Florian Roth, Arnim Rupp",
"creation_date": "2021/08/16",
"falsepositive": [
"Unlikely"
@@ -69309,6 +69780,7 @@
"logsource.product": "No established product",
"refs": [
"https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
+ "https://www.nextron-systems.com/?s=antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml"
],
"tags": [
@@ -69341,15 +69813,16 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
+ "https://www.nextron-systems.com/?s=antivirus",
"https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
- "https://github.com/tennc/webshell",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
- "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
"https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
+ "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
+ "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
],
"tags": [
@@ -69363,7 +69836,7 @@
{
"description": "Detects a highly relevant Antivirus alert that reports ransomware",
"meta": {
- "author": "Florian Roth",
+ "author": "Florian Roth, Arnim Rupp",
"creation_date": "2022/05/12",
"falsepositive": [
"Unlikely"
@@ -69373,7 +69846,12 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
+ "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
"https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
+ "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
+ "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
+ "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
],
"tags": [
@@ -69528,9 +70006,9 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
],
"tags": "No established tags"
@@ -69551,14 +70029,24 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
],
"tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.t1531"
]
},
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a",
"value": "Okta User Account Locked Out"
},
@@ -69575,8 +70063,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
],
"tags": [
@@ -69599,8 +70087,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
],
"tags": [
@@ -69623,8 +70111,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
],
"tags": [
@@ -69647,8 +70135,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
],
"tags": [
@@ -69671,14 +70159,24 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
],
"tags": [
- "attack.impact"
+ "attack.persistence",
+ "attack.t1098.003"
]
},
+ "related": [
+ {
+ "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "413d4a81-6c98-4479-9863-014785fd579c",
"value": "Okta Admin Role Assigned to an User or Group"
},
@@ -69695,8 +70193,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
],
"tags": [
@@ -69719,8 +70217,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
],
"tags": [
@@ -69736,15 +70234,15 @@
"author": "Austin Songer @austinsonger",
"creation_date": "2021/09/12",
"falsepositive": [
- "Unknown"
+ "Legitimate creation of an API token by authorized users"
],
"filename": "okta_api_token_created.yml",
"level": "medium",
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
],
"tags": [
@@ -69767,14 +70265,26 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
],
"tags": [
- "attack.persistence"
+ "attack.persistence",
+ "attack.credential_access",
+ "attack.defense_evasion",
+ "attack.t1556.006"
]
},
+ "related": [
+ {
+ "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "50e068d7-1e6b-4054-87e5-0a592c40c7e0",
"value": "Okta MFA Reset or Deactivated"
},
@@ -69793,8 +70303,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
],
"tags": [
@@ -69817,8 +70327,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml"
],
"tags": [
@@ -69851,8 +70361,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
],
"tags": [
@@ -69885,8 +70395,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml"
],
"tags": [
@@ -69919,8 +70429,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml"
],
"tags": [
@@ -69953,8 +70463,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml"
],
"tags": [
@@ -69977,11 +70487,11 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
"https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
- "https://www.sygnia.co/golden-saml-advisory",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
"https://o365blog.com/post/aadbackdoor/",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://www.sygnia.co/golden-saml-advisory",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
],
"tags": [
@@ -70014,8 +70524,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml"
],
"tags": [
@@ -70072,8 +70582,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml"
],
"tags": [
@@ -70106,8 +70616,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml"
],
"tags": [
@@ -70140,8 +70650,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml"
],
"tags": [
@@ -70164,8 +70674,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml"
],
"tags": [
@@ -70189,8 +70699,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml"
],
"tags": [
@@ -70256,8 +70766,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml"
],
"tags": [
@@ -70387,9 +70897,9 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"https://github.com/elastic/detection-rules/pull/1267",
"https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
"https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
@@ -70439,9 +70949,9 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
"https://cloud.google.com/kubernetes-engine/docs",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
],
"tags": [
@@ -70696,9 +71206,9 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
],
"tags": [
@@ -70721,8 +71231,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml"
],
"tags": [
@@ -70755,8 +71265,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml"
],
"tags": [
@@ -70779,8 +71289,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml"
],
"tags": [
@@ -70804,8 +71314,8 @@
"logsource.product": "google_workspace",
"refs": [
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml"
],
"tags": [
@@ -70828,8 +71338,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml"
],
"tags": [
@@ -70909,12 +71419,12 @@
"logsource.product": "aws",
"refs": [
"https://github.com/elastic/detection-rules/pull/1145/files",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
],
"tags": [
@@ -71057,8 +71567,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
"https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
+ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml"
],
"tags": [
@@ -71641,8 +72151,8 @@
"logsource.product": "aws",
"refs": [
"https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
- "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
"https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
+ "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml"
],
"tags": [
@@ -72013,8 +72523,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
+ "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
],
"tags": [
@@ -73088,11 +73598,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
],
"tags": [
@@ -74027,11 +74537,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
],
"tags": [
@@ -74089,11 +74599,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
],
"tags": [
@@ -74235,11 +74745,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
],
"tags": [
@@ -74364,9 +74874,9 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
],
@@ -74450,11 +74960,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
],
"tags": [
@@ -75015,11 +75525,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
],
"tags": [
@@ -75044,11 +75554,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
],
"tags": [
@@ -75181,8 +75691,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
"https://twitter.com/jhencinski/status/1102695118455349248",
+ "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml"
],
"tags": [
@@ -75295,8 +75805,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
+ "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml"
],
"tags": [
@@ -75506,9 +76016,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml"
],
"tags": [
@@ -75593,10 +76103,10 @@
"logsource.product": "No established product",
"refs": [
"https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://perishablepress.com/blacklist/ua-2013.txt",
"https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
"http://www.botopedia.org/search?searchword=scan&searchphrase=all",
- "https://perishablepress.com/blacklist/ua-2013.txt",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml"
],
"tags": [
@@ -75672,8 +76182,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
"https://rclone.org/",
+ "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml"
],
"tags": [
@@ -75776,8 +76286,20 @@
"refs": [
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_download_url.yml"
],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1071.001"
+ ]
},
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
"uuid": "a36ce77e-30db-4ea0-8795-644d7af5dfb4",
"value": "Ursnif Malware Download URL Pattern"
},
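Review bot: The `tags` key now has two types within the same document: this entry moves from the string sentinel `"No established tags"` to an array, while other entries in this section still carry the string form (the context line `"tags": "No established tags"` is visible in the web_sql_injection_in_access_logs hunk below). A consumer iterating `meta.tags` has to special-case the string, so the generator should emit `"tags": []` for rules without tags instead of a sentinel, keeping the field a single type across all entries. The added `related` block with its `estimative-language` tag follows the galaxy relationship form used elsewhere in this repository; whether `dest-uuid` resolves to an existing cluster entry cannot be checked from this diff. The enclosing entry object starts outside the hunk.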
@@ -75974,9 +76496,9 @@
"logsource.product": "No established product",
"refs": [
"https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
- "https://www.spamhaus.org/statistics/tlds/",
- "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
"https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
+ "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+ "https://www.spamhaus.org/statistics/tlds/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml"
],
"tags": [
@@ -76042,8 +76564,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
"https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml"
],
"tags": [
@@ -76251,8 +76773,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
"https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml"
],
"tags": [
@@ -76512,9 +77034,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://isc.sans.edu/diary/26734",
- "https://twitter.com/sudo_sudoka/status/1323951871078223874",
"https://twitter.com/jas502n/status/1321416053050667009?s=20",
+ "https://twitter.com/sudo_sudoka/status/1323951871078223874",
+ "https://isc.sans.edu/diary/26734",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml"
],
"tags": [
@@ -76548,10 +77070,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
+ "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
"https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
"https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
- "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
+ "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml"
],
"tags": [
@@ -76617,8 +77139,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml"
],
"tags": [
@@ -76651,8 +77173,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.anquanke.com/post/id/226029",
"https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
+ "https://www.anquanke.com/post/id/226029",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml"
],
"tags": [
@@ -76676,8 +77198,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/pyn3rd/status/1020620932967223296",
"https://github.com/LandGrey/CVE-2018-2894",
+ "https://twitter.com/pyn3rd/status/1020620932967223296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml"
],
"tags": [
@@ -76713,9 +77235,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://support.citrix.com/article/CTX276688",
- "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
"https://dmaasland.github.io/posts/citrix.html",
+ "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
+ "https://support.citrix.com/article/CTX276688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml"
],
"tags": [
@@ -76805,8 +77327,8 @@
"logsource.product": "No established product",
"refs": [
"https://twitter.com/Al1ex4/status/1382981479727128580",
- "https://github.com/murataydemir/CVE-2021-27905",
"https://twitter.com/sec715/status/1373472323538362371",
+ "https://github.com/murataydemir/CVE-2021-27905",
"https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
"https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml"
@@ -76842,9 +77364,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
"https://www.yang99.top/index.php/archives/82/",
"https://github.com/vnhacker1337/CVE-2022-27925-PoC",
+ "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml"
],
"tags": [
@@ -76878,10 +77400,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
+ "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
"https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
"https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
+ "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
],
"tags": [
@@ -76919,8 +77441,8 @@
"refs": [
"https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
"https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
- "https://brightsec.com/blog/sql-injection-payloads/",
"https://github.com/payloadbox/sql-injection-payload-list",
+ "https://brightsec.com/blog/sql-injection-payloads/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml"
],
"tags": "No established tags"
@@ -76942,8 +77464,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
+ "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_poc_exploitation.yml"
],
"tags": [
@@ -77147,8 +77669,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
"https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
+ "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml"
],
"tags": [
@@ -77172,8 +77694,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
"https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
+ "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
"https://twitter.com/yorickkoster/status/1279709009151434754",
"https://support.f5.com/csp/article/K52145254",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml"
@@ -77208,9 +77730,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://f5.pm/go-59627.html",
- "https://swarm.ptsecurity.com/unauth-rce-vmware",
"https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
+ "https://swarm.ptsecurity.com/unauth-rce-vmware",
+ "https://f5.pm/go-59627.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
],
"tags": [
@@ -77312,12 +77834,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
"https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
+ "https://news.ycombinator.com/item?id=29504755",
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
"https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://news.ycombinator.com/item?id=29504755",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml"
],
"tags": [
@@ -77397,7 +77919,7 @@
{
"description": "Detects possible Java payloads in web access logs",
"meta": {
- "author": "frack113",
+ "author": "frack113, Harjot Singh, \"@cyb3rjy0t\" (update)",
"creation_date": "2022/06/04",
"falsepositive": [
"Legitimate apps"
@@ -77407,10 +77929,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
"https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+ "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml"
],
"tags": [
@@ -77491,8 +78014,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
"https://twitter.com/pyn3rd/status/1351696768065409026",
+ "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml"
],
"tags": [
@@ -77595,8 +78118,8 @@
"logsource.product": "No established product",
"refs": [
"https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
- "https://github.com/apache/spark/pull/36315/files",
"https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
+ "https://github.com/apache/spark/pull/36315/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml"
],
"tags": [
@@ -77630,9 +78153,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
- "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
"https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
+ "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
+ "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml"
],
"tags": [
@@ -77765,9 +78288,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://youtu.be/5mqid-7zp8k?t=2231",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://youtu.be/5mqid-7zp8k?t=2231",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml"
],
"tags": [
@@ -77800,9 +78323,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://youtu.be/5mqid-7zp8k?t=2231",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://youtu.be/5mqid-7zp8k?t=2231",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml"
],
"tags": [
@@ -77850,12 +78373,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
"https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
+ "https://news.ycombinator.com/item?id=29504755",
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
"https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://news.ycombinator.com/item?id=29504755",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
],
"tags": [
@@ -77954,9 +78477,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
- "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
"https://www.tenable.com/security/research/tra-2021-13",
+ "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
+ "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
],
"tags": [
@@ -77991,8 +78514,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
"https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
+ "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml"
],
"tags": [
@@ -78093,12 +78616,12 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
- "https://twitter.com/bl4sty/status/1445462677824761878",
- "https://twitter.com/h4x0r_dz/status/1445401960371429381",
"https://twitter.com/ptswarm/status/1445376079548624899",
"https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
+ "https://twitter.com/h4x0r_dz/status/1445401960371429381",
+ "https://twitter.com/bl4sty/status/1445462677824761878",
+ "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
],
"tags": [
@@ -78236,8 +78759,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/aboul3la/status/1286012324722155525",
"https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
+ "https://twitter.com/aboul3la/status/1286012324722155525",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml"
],
"tags": [
@@ -78350,11 +78873,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://isc.sans.edu/diary/25686",
- "https://support.citrix.com/article/CTX267679",
"https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
+ "https://support.citrix.com/article/CTX267679",
"https://support.citrix.com/article/CTX267027",
"https://twitter.com/mpgn_x64/status/1216787131210829826",
+ "https://isc.sans.edu/diary/25686",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
],
"tags": [
@@ -78464,8 +78987,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
"https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
"https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
],
@@ -78535,8 +79058,8 @@
"logsource.category": "file_event",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
"https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
],
"tags": [
@@ -78733,8 +79256,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
"https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
],
"tags": [
@@ -79009,8 +79532,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08",
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml"
],
"tags": [
@@ -79057,9 +79580,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
- "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
"https://www.manpagez.com/man/8/firmwarepasswd/",
+ "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
+ "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
],
"tags": [
@@ -79340,8 +79863,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
+ "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
],
"tags": [
@@ -79398,8 +79921,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
"https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
],
@@ -79572,10 +80095,10 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
],
"tags": "No established tags"
@@ -79594,9 +80117,9 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
],
"tags": "No established tags"
@@ -79617,9 +80140,9 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
],
"tags": "No established tags"
@@ -79640,8 +80163,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
"https://github.com/Azure/Azure-Sentinel/pull/3059",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml"
],
"tags": [
@@ -79797,8 +80320,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
],
"tags": [
@@ -80032,9 +80555,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
- "https://linux.die.net/man/8/insmod",
"https://man7.org/linux/man-pages/man8/kmod.8.html",
+ "https://linux.die.net/man/8/insmod",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
],
"tags": [
@@ -80094,8 +80617,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/berdav/CVE-2021-4034",
- "https://access.redhat.com/security/cve/CVE-2021-4034",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
+ "https://access.redhat.com/security/cve/CVE-2021-4034",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml"
],
"tags": [
@@ -80154,8 +80677,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
+ "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
],
"tags": [
@@ -80212,9 +80735,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://mn3m.info/posts/suid-vs-capabilities/",
- "https://man7.org/linux/man-pages/man8/getcap.8.html",
"https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
+ "https://man7.org/linux/man-pages/man8/getcap.8.html",
+ "https://mn3m.info/posts/suid-vs-capabilities/",
"https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
],
@@ -80274,8 +80797,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
"Self Experience",
+ "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml"
],
"tags": [
@@ -80688,8 +81211,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
],
"tags": [
@@ -80912,8 +81435,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA",
"https://github.com/Neo23x0/auditd/blob/master/audit.rules",
+ "https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_debugfs_usage.yml"
],
"tags": [
@@ -80946,9 +81469,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://man7.org/linux/man-pages/man1/passwd.1.html",
"https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
"https://linux.die.net/man/1/chage",
- "https://man7.org/linux/man-pages/man1/passwd.1.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
],
@@ -81074,10 +81597,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/8/pam_tty_audit",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
"https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://linux.die.net/man/8/pam_tty_audit",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
],
"tags": [
@@ -81178,8 +81701,8 @@
"logsource.product": "linux",
"refs": [
"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
- "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
"https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
],
"tags": [
@@ -81212,8 +81735,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
"https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
"https://book.hacktricks.xyz/shells/shells/linux",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
],
@@ -81484,8 +82007,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
- "https://linux.die.net/man/8/useradd",
"https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
+ "https://linux.die.net/man/8/useradd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
],
"tags": [
@@ -81526,8 +82049,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
"https://github.com/Immersive-Labs-Sec/nimbuspwn",
+ "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml"
],
"tags": [
@@ -81641,10 +82164,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
"https://artkond.com/2017/03/23/pivoting-guide/",
"http://pastebin.com/FtygZ1cg",
- "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
],
"tags": [
@@ -81712,8 +82235,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
"https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
],
"tags": [
@@ -82530,8 +83053,8 @@
"logsource.product": "linux",
"refs": [
"https://gtfobins.github.io/gtfobins/vim/",
- "https://gtfobins.github.io/gtfobins/rvim/",
"https://gtfobins.github.io/gtfobins/vimdiff/",
+ "https://gtfobins.github.io/gtfobins/rvim/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
],
"tags": [
@@ -82826,11 +83349,11 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://curl.se/docs/manpage.html",
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://curl.se/docs/manpage.html",
+ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
],
"tags": [
@@ -82896,9 +83419,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/8/userdel",
"https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linux.die.net/man/8/userdel",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
],
@@ -83286,8 +83809,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
"https://github.com/Azure/Azure-Sentinel/pull/3059",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml"
],
"tags": [
@@ -83406,8 +83929,8 @@
"refs": [
"https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://linux.die.net/man/8/groupdel",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
],
"tags": [
@@ -83440,8 +83963,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
"https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
+ "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml"
],
"tags": [
@@ -83474,8 +83997,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/diego-treitos/linux-smart-enumeration",
"https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/diego-treitos/linux-smart-enumeration",
"https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
],
@@ -83737,8 +84260,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
"https://github.com/Azure/Azure-Sentinel/pull/3059",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml"
],
"tags": [
@@ -83789,9 +84312,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://en.wikipedia.org/wiki/Nohup",
- "https://www.computerhope.com/unix/unohup.htm",
"https://gtfobins.github.io/gtfobins/nohup/",
+ "https://www.computerhope.com/unix/unohup.htm",
+ "https://en.wikipedia.org/wiki/Nohup",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
],
"tags": "No established tags"
@@ -84117,8 +84640,8 @@
"logsource.product": "linux",
"refs": [
"https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
- "https://github.com/apache/spark/pull/36315/files",
"https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
+ "https://github.com/apache/spark/pull/36315/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
],
"tags": [
@@ -84246,5 +84769,5 @@
"value": "Security Software Discovery - Linux"
}
],
- "version": 20230112
+ "version": 20230120
}
From 2f0dfc765667f1b7ef2dd21eb2aaa3c587e13c26 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 23 Jan 2023 10:10:46 +0100
Subject: [PATCH 11/13] chg: [sigma] updated
---
clusters/sigma-rules.json | 2686 ++++++++++++++++++++++---------------
1 file changed, 1572 insertions(+), 1114 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 5783bf7..e33434b 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -174,9 +174,9 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
],
"tags": "No established tags"
@@ -232,9 +232,9 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://core.telegram.org/bots/faq",
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
],
@@ -460,8 +460,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/stvemillertime/status/1024707932447854592",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
+ "https://twitter.com/stvemillertime/status/1024707932447854592",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
],
"tags": [
@@ -1330,8 +1330,8 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://threatpost.com/microsoft-petitpotam-poc/168163/",
"https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
+ "https://threatpost.com/microsoft-petitpotam-poc/168163/",
"https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
"https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
@@ -1702,9 +1702,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/Maka8ka/NGLite",
"https://github.com/nknorg/nkn-sdk-go",
- "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
],
"tags": [
@@ -1752,9 +1752,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
"https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
],
"tags": [
@@ -1779,8 +1779,8 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/37",
"https://github.com/OTRF/detection-hackathon-apt29",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/37",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml"
],
"tags": [
@@ -1847,12 +1847,12 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
+ "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+ "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
"https://github.com/corelight/CVE-2021-1675",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
- "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
],
"tags": [
@@ -1976,9 +1976,9 @@
"logsource.product": "zeek",
"refs": [
"https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
+ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
"https://twitter.com/neu5ron/status/1346245602502443009",
"https://tools.ietf.org/html/rfc2929#section-2.1",
- "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
],
"tags": [
@@ -2152,10 +2152,10 @@
"logsource.category": "application",
"logsource.product": "ruby_on_rails",
"refs": [
- "http://guides.rubyonrails.org/action_controller_overview.html",
- "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
"http://edgeguides.rubyonrails.org/security.html",
+ "http://guides.rubyonrails.org/action_controller_overview.html",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
+ "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
],
"tags": [
@@ -2188,10 +2188,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
],
"tags": [
@@ -2215,10 +2215,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
],
"tags": [
@@ -2241,10 +2241,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
],
"tags": [
@@ -2267,10 +2267,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
],
"tags": [
@@ -2303,10 +2303,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
],
"tags": [
@@ -2341,8 +2341,8 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
],
@@ -2391,10 +2391,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
],
"tags": [
@@ -2428,8 +2428,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
],
@@ -2471,10 +2471,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
],
"tags": [
@@ -2508,12 +2508,12 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
- "https://github.com/zeronetworks/rpcfirewall",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
],
"tags": [
@@ -2536,10 +2536,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
],
"tags": [
@@ -2564,8 +2564,8 @@
"refs": [
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
],
"tags": [
@@ -2588,10 +2588,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
],
"tags": [
@@ -2614,10 +2614,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
],
"tags": [
@@ -2641,9 +2641,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
],
@@ -2667,9 +2667,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
],
@@ -2727,10 +2727,10 @@
"logsource.product": "windows",
"refs": [
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
],
"tags": [
@@ -2911,8 +2911,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/timbmsft/status/900724491076214784",
"https://github.com/hlldz/Invoke-Phant0m",
+ "https://twitter.com/timbmsft/status/900724491076214784",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml"
],
"tags": [
@@ -2946,8 +2946,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/mrd0x/status/1460597833917251595",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
],
"tags": [
@@ -3192,10 +3192,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
"https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
],
"tags": [
@@ -3229,10 +3229,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
],
"tags": [
@@ -3268,10 +3268,10 @@
"logsource.product": "windows",
"refs": [
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
],
"tags": [
@@ -3306,10 +3306,10 @@
"logsource.product": "windows",
"refs": [
"http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
],
"tags": [
@@ -3517,8 +3517,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml"
],
"tags": [
@@ -3587,8 +3587,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/boku7/injectAmsiBypass",
"https://github.com/boku7/spawn",
+ "https://github.com/boku7/injectAmsiBypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml"
],
"tags": [
@@ -3623,9 +3623,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1541920424635912196",
- "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
+ "https://twitter.com/SBousseaden/status/1541920424635912196",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
],
"tags": [
@@ -3739,8 +3739,8 @@
"logsource.category": "sysmon_error",
"logsource.product": "windows",
"refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
],
"tags": [
@@ -3773,8 +3773,8 @@
"logsource.category": "sysmon_status",
"logsource.product": "windows",
"refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
],
"tags": [
@@ -3807,8 +3807,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml"
],
"tags": [
@@ -3833,8 +3833,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml"
],
"tags": [
@@ -3916,10 +3916,10 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/d4rksystem/status/1357010969264873472",
+ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
"https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
- "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
"https://github.com/SigmaHQ/sigma/issues/253",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
],
@@ -3945,8 +3945,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://attack.mitre.org/groups/G0010/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml"
],
"tags": [
@@ -4135,8 +4135,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml"
],
"tags": [
@@ -4170,8 +4170,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
"https://github.com/zcgonvh/EfsPotato",
+ "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml"
],
"tags": [
@@ -4231,18 +4231,18 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
"https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
"https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
],
"tags": [
@@ -4267,8 +4267,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml"
],
"tags": [
@@ -4302,9 +4302,9 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/post/adfs/",
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
"https://github.com/Azure/SimuLand",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
+ "https://o365blog.com/post/adfs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
],
"tags": [
@@ -4768,9 +4768,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
"https://twitter.com/MsftSecIntel/status/1257324139515269121",
"https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
],
"tags": [
@@ -4898,8 +4898,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
],
"tags": "No established tags"
@@ -4945,8 +4945,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
],
"tags": "No established tags"
@@ -5032,8 +5032,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
"https://o365blog.com/post/hybridhealthagent/",
+ "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
],
"tags": [
@@ -5253,9 +5253,9 @@
"refs": [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
- "https://github.com/sensepost/ruler",
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
"https://github.com/sensepost/ruler/issues/47",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://github.com/sensepost/ruler",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
],
"tags": [
@@ -5331,8 +5331,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
"https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
"https://awakesecurity.com/blog/threat-hunting-for-paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
],
@@ -5486,9 +5486,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
],
"tags": "No established tags"
@@ -5556,9 +5556,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
"https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
+ "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
],
"tags": [
@@ -5715,8 +5715,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
],
"tags": [
@@ -5769,9 +5769,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
"https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
],
"tags": [
@@ -5986,15 +5986,15 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
],
"tags": "No established tags"
@@ -6064,8 +6064,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
"https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
+ "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml"
],
"tags": [
@@ -6294,8 +6294,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
],
"tags": [
@@ -6432,9 +6432,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
"Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
"Live environment caused by malware",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
],
"tags": [
@@ -7107,8 +7107,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml"
],
"tags": "No established tags"
@@ -7129,9 +7129,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
"https://twitter.com/SecurityJosh/status/1283027365770276866",
"https://twitter.com/Flangvik/status/1283054508084473861",
- "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
"https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
],
@@ -7411,9 +7411,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
- "https://github.com/topotam/PetitPotam",
"https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
+ "https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
],
"tags": [
@@ -7583,8 +7583,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=3458",
"https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
+ "https://adsecurity.org/?p=3458",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
],
"tags": [
@@ -7725,9 +7725,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
],
"tags": "No established tags"
@@ -7822,8 +7822,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml"
],
"tags": [
@@ -8183,10 +8183,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
],
"tags": "No established tags"
@@ -8236,16 +8236,16 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
"https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
],
"tags": [
@@ -8373,8 +8373,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
"https://twitter.com/SBousseaden/status/1096148422984384514",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml"
],
"tags": [
@@ -8477,8 +8477,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
+ "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
],
"tags": [
@@ -8511,8 +8511,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2053",
"https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/",
+ "https://adsecurity.org/?p=2053",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml"
],
"tags": [
@@ -8624,8 +8624,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
+ "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
],
"tags": [
@@ -8649,8 +8649,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/duzvik/status/1269671601852813320",
"https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
+ "https://twitter.com/duzvik/status/1269671601852813320",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
],
"tags": [
@@ -8741,9 +8741,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
- "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
],
"tags": [
@@ -8767,9 +8767,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://adsecurity.org/?p=3466",
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
+ "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
],
"tags": [
@@ -8827,8 +8827,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1581300963650187264?",
"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
+ "https://twitter.com/SBousseaden/status/1581300963650187264?",
"https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
],
@@ -8862,8 +8862,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml"
],
"tags": [
@@ -8897,8 +8897,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://www.sans.org/webcasts/119395",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
],
@@ -8990,10 +8990,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
"https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
],
"tags": [
@@ -9084,8 +9084,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
"https://twitter.com/SBousseaden/status/1101431884540710913",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
],
"tags": [
@@ -9112,8 +9112,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1490608838701166596",
"https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
+ "https://twitter.com/SBousseaden/status/1490608838701166596",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
],
"tags": [
@@ -9179,9 +9179,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/malmoeb/status/1511760068743766026",
"https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
"https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
- "https://twitter.com/malmoeb/status/1511760068743766026",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
],
"tags": [
@@ -9372,8 +9372,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://goo.gl/PsqrhT",
"https://twitter.com/JohnLaTwC/status/1004895028995477505",
+ "https://goo.gl/PsqrhT",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
],
"tags": [
@@ -9678,8 +9678,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
+ "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
],
@@ -9793,8 +9793,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
],
"tags": [
@@ -9853,9 +9853,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml"
],
"tags": [
@@ -9888,10 +9888,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=ebmW42YYveI",
"https://twitter.com/VM_vivisector/status/1217190929330655232",
- "https://twitter.com/DidierStevens/status/1217533958096924676",
+ "https://www.youtube.com/watch?v=ebmW42YYveI",
"https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
"https://nullsec.us/windows-event-log-audit-cve/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
],
@@ -10050,8 +10050,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
"https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
"https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
],
@@ -10172,8 +10172,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
"https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
+ "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
],
"tags": [
@@ -10197,8 +10197,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/j00sean/status/1537750439701225472",
"https://twitter.com/nas_bench/status/1539679555908141061",
+ "https://twitter.com/j00sean/status/1537750439701225472",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml"
],
"tags": [
@@ -10221,8 +10221,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
"https://twitter.com/SBousseaden/status/1483810148602814466",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
],
"tags": [
@@ -10245,8 +10245,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
"https://twitter.com/wdormann/status/1590434950335320065",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml"
],
"tags": [
@@ -10338,9 +10338,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/afwu/PrintNightmare",
"https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://github.com/afwu/PrintNightmare",
+ "https://github.com/hhlxf/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml"
],
"tags": [
@@ -10387,11 +10387,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://winaero.com/enable-openssh-server-windows-10/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
- "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
],
"tags": [
@@ -10415,9 +10415,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/afwu/PrintNightmare",
"https://twitter.com/fuzzyf10w/status/1410202370835898371",
+ "https://github.com/afwu/PrintNightmare",
+ "https://github.com/hhlxf/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
],
"tags": [
@@ -10485,9 +10485,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
"https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml"
],
"tags": [
@@ -10535,8 +10535,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
],
"tags": [
@@ -10560,8 +10560,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml"
],
"tags": [
@@ -10686,8 +10686,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
"https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
],
"tags": [
@@ -10849,10 +10849,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml"
],
"tags": [
@@ -11022,8 +11022,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml"
],
@@ -11058,8 +11058,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml"
],
"tags": [
@@ -11646,8 +11646,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://www.sans.org/webcasts/119395",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml"
],
@@ -11717,9 +11717,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml"
],
"tags": [
@@ -11845,8 +11845,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.secura.com/blog/zero-logon",
"https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
+ "https://www.secura.com/blog/zero-logon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
],
"tags": [
@@ -12291,8 +12291,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml"
],
"tags": [
@@ -12409,8 +12409,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/jonasLyk/status/1347900440000811010",
- "https://twitter.com/wdormann/status/1347958161609809921",
"https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
+ "https://twitter.com/wdormann/status/1347958161609809921",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml"
],
"tags": [
@@ -12495,9 +12495,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml"
],
"tags": [
@@ -13043,8 +13043,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml"
],
"tags": [
@@ -13256,8 +13256,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yml"
],
"tags": [
@@ -13492,9 +13492,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
+ "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
],
"tags": [
@@ -13565,11 +13565,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
+ "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
"https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
"https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
- "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
- "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
],
"tags": [
@@ -13611,10 +13611,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
],
"tags": [
@@ -13637,10 +13637,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
],
"tags": [
@@ -13663,10 +13663,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
],
"tags": [
@@ -13689,10 +13689,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
],
"tags": [
@@ -13739,8 +13739,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
],
@@ -14050,8 +14050,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml"
],
"tags": [
@@ -14085,8 +14085,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml"
],
"tags": [
@@ -14328,9 +14328,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.dfirnotes.net/portproxy_detection/",
"https://adepts.of0x.cc/netsh-portproxy-code/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
],
"tags": [
@@ -14462,8 +14462,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
- "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
"https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
+ "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
],
"tags": [
@@ -14522,8 +14522,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
"https://twitter.com/pabraeken/status/990717080805789697",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"
],
"tags": [
@@ -14547,8 +14547,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
"http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml"
],
"tags": [
@@ -14728,8 +14728,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
"https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
+ "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
],
"tags": [
@@ -14813,8 +14813,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
"https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml"
],
"tags": [
@@ -14958,8 +14958,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
"http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
+ "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml"
],
"tags": [
@@ -14983,8 +14983,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
],
"tags": [
@@ -15135,8 +15135,8 @@
"refs": [
"https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
"https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
- "https://github.com/hfiref0x/UACME",
"https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
],
"tags": [
@@ -15484,11 +15484,11 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
"https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
"https://docs.microsoft.com/en-us/windows/win32/shell/launch",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
"https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
- "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
],
"tags": [
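Review bot: The refs reordering in this hunk follows no stable order — `threathunterplaybook.com` moves above `docs.microsoft.com` while `github.com/OTRF/...` moves below it, so neither the old nor the new array is sorted, and the same churn-only pattern repeats in every other refs hunk of this file. That looks like set or dict iteration order leaking out of the relationship script named in the subject, which would mean each regeneration rewrites thousands of lines with no semantic change and hides the real rule additions in the diff. If so, emit the list deterministically in the generator (e.g. `refs = sorted(set(refs))`, or keep the upstream Sigma rule's original order with the SigmaHQ link last), so successive runs produce a byte-stable cluster file that is actually reviewable. The JSON value itself is unaffected either way, since array order carries no meaning here.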
@@ -15694,11 +15694,11 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
"https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
"https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
"https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml"
],
"tags": [
@@ -15814,8 +15814,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
"https://twitter.com/Hexacorn/status/991447379864932352",
+ "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
"https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
],
@@ -15883,8 +15883,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
"https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
+ "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml"
],
"tags": [
@@ -15944,8 +15944,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
"https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
],
"tags": [
@@ -16168,9 +16168,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
],
"tags": [
@@ -16194,13 +16194,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
"https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
"https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
],
"tags": [
@@ -16274,9 +16274,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
],
"tags": [
@@ -16357,8 +16357,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
"https://www.exploit-db.com/exploits/47696",
+ "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
],
"tags": [
@@ -16448,9 +16448,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
"https://twitter.com/inversecos/status/1494174785621819397",
"https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
],
"tags": [
@@ -16570,10 +16570,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
],
"tags": [
@@ -16597,8 +16597,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
"https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
+ "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
],
"tags": [
@@ -16764,8 +16764,8 @@
"logsource.product": "windows",
"refs": [
"https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
- "https://persistence-info.github.io/Data/codesigning.html",
"https://github.com/gtworek/PSBits/tree/master/SIP",
+ "https://persistence-info.github.io/Data/codesigning.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
],
"tags": [
@@ -16800,9 +16800,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
],
"tags": [
@@ -16974,8 +16974,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
+ "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
],
"tags": [
@@ -17031,8 +17031,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
"https://twitter.com/WhichbufferArda/status/1543900539280293889",
+ "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
],
"tags": [
@@ -17065,8 +17065,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
],
"tags": [
@@ -17183,8 +17183,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
],
"tags": [
@@ -17406,8 +17406,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
"https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml"
],
"tags": [
@@ -17441,10 +17441,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
],
"tags": [
@@ -17559,13 +17559,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
"https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
"https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
],
"tags": [
@@ -17624,9 +17624,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
],
"tags": [
@@ -17651,9 +17651,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
],
"tags": [
@@ -17701,8 +17701,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
"https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
],
"tags": [
@@ -17884,9 +17884,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
"https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
],
"tags": [
@@ -17920,9 +17920,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
],
"tags": [
@@ -18151,10 +18151,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
"https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
],
"tags": [
@@ -18468,8 +18468,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
],
"tags": [
@@ -18502,8 +18502,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
"https://persistence-info.github.io/Data/naturallanguage6.html",
+ "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml"
],
"tags": [
@@ -18559,8 +18559,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -18596,9 +18596,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
],
"tags": [
@@ -18647,9 +18647,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
],
"tags": [
@@ -18755,9 +18755,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
],
"tags": [
@@ -18781,8 +18781,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
"https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml"
],
"tags": [
@@ -18807,8 +18807,8 @@
"logsource.product": "windows",
"refs": [
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
],
"tags": [
@@ -18841,9 +18841,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
],
"tags": [
@@ -18901,9 +18901,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
- "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
"https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
],
"tags": [
@@ -18993,8 +18993,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://twitter.com/jamieantisocial/status/1304520651248668673",
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://www.sans.org/cyber-security-summit/archives",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
],
@@ -19252,8 +19252,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
],
"tags": [
@@ -19347,8 +19347,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/1",
+ "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml"
],
"tags": [
@@ -19381,8 +19381,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
],
"tags": [
@@ -19407,8 +19407,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/pabraeken/status/998627081360695297",
- "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
"https://twitter.com/VakninHai/status/1517027824984547329",
+ "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
],
"tags": [
@@ -19516,10 +19516,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
],
"tags": [
@@ -19576,9 +19576,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
"https://unit42.paloaltonetworks.com/ransomware-families/",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
],
"tags": [
@@ -19651,8 +19651,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
+ "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
],
"tags": [
@@ -19686,9 +19686,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
],
"tags": [
@@ -19736,8 +19736,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
"https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
+ "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
"https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
],
@@ -19761,10 +19761,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/issues/1371",
"https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
- "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
"https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://github.com/elastic/detection-rules/issues/1371",
+ "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
],
"tags": [
@@ -19822,8 +19822,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistance_xll.yml"
],
"tags": [
@@ -19889,9 +19889,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
],
"tags": [
@@ -19914,17 +19914,17 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
"https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
"https://twitter.com/_xpn_/status/1268712093928378368",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
],
"tags": [
@@ -19992,9 +19992,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
],
"tags": [
@@ -20018,8 +20018,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
],
"tags": [
@@ -20053,8 +20053,8 @@
"logsource.product": "windows",
"refs": [
"https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
],
"tags": [
@@ -20103,9 +20103,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/ifilters.html",
"https://twitter.com/0gtweet/status/1468548924600459267",
"https://github.com/gtworek/PSBits/tree/master/IFilter",
+ "https://persistence-info.github.io/Data/ifilters.html",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
],
@@ -20153,8 +20153,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/dez_/status/1560101453150257154",
"https://forensafe.com/blogs/typedpaths.html",
+ "https://twitter.com/dez_/status/1560101453150257154",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml"
],
"tags": [
@@ -20178,8 +20178,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
],
"tags": [
@@ -20394,10 +20394,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
"https://github.com/bohops/WSMan-WinRM",
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
],
"tags": [
@@ -20472,8 +20472,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
"https://twitter.com/am0nsec/status/1412232114980982787",
+ "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml"
],
"tags": [
@@ -20543,8 +20543,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tifkin_/status/1321916444557365248",
"https://twitter.com/rbmaslen/status/1321859647091970051",
+ "https://twitter.com/tifkin_/status/1321916444557365248",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml"
],
"tags": [
@@ -20799,12 +20799,12 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://github.com/Wh04m1001/SysmonEoP",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://github.com/Wh04m1001/SysmonEoP",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
],
"tags": [
@@ -20919,8 +20919,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
"https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
],
"tags": [
@@ -21006,8 +21006,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
"https://hijacklibs.net/",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
"https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
],
@@ -21102,8 +21102,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
- "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
+ "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml"
],
"tags": [
@@ -21252,10 +21252,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://thewover.github.io/Introducing-Donut/",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://github.com/tyranid/DotNetToJScript",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://thewover.github.io/Introducing-Donut/",
+ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
],
"tags": [
@@ -21427,8 +21427,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_scm.yml"
],
"tags": [
@@ -21720,9 +21720,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/HunterPlaybook/status/1301207718355759107",
- "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
"https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
+ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
+ "https://twitter.com/HunterPlaybook/status/1301207718355759107",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml"
],
"tags": [
@@ -21758,8 +21758,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/p3nt4/PowerShdll",
"https://adsecurity.org/?p=2921",
+ "https://github.com/p3nt4/PowerShdll",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_in_memory_powershell.yml"
],
"tags": [
@@ -21942,8 +21942,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
],
@@ -21969,9 +21969,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/oulusoyum/status/1191329746069655553",
"https://twitter.com/mattifestation/status/1196390321783025666",
"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml"
],
"tags": [
@@ -22112,8 +22112,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/RiccardoAncarani/LiquidSnake",
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
"https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
+ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
],
"tags": [
@@ -22146,8 +22146,8 @@
"logsource.category": "ps_classic_start",
"logsource.product": "windows",
"refs": [
- "https://github.com/besimorhino/powercat",
"https://nmap.org/ncat/",
+ "https://github.com/besimorhino/powercat",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
],
@@ -22182,8 +22182,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/bohops/WSMan-WinRM",
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
],
"tags": [
@@ -22334,8 +22334,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -22752,6 +22752,33 @@
"uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86",
"value": "Bad Opsec Powershell Code Artifacts"
},
+ {
+ "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.",
+ "meta": {
+ "author": "Nasreddine Bencherchali, frack113",
+ "creation_date": "2023/01/22",
+ "falsepositive": [
+ "Legitimate use of the library for administrative activity"
+ ],
+ "filename": "posh_pm_active_directory_module_dll_import.yml",
+ "level": "medium",
+ "logsource.category": "ps_module",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/samratashok/ADModule",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml"
+ ],
+ "tags": [
+ "attack.reconnaissance",
+ "attack.discovery",
+ "attack.impact"
+ ]
+ },
+ "uuid": "74176142-4684-4d8a-8b0a-713257e7df8e",
+ "value": "Potential Active Directory Enumeration Using AD Module - PsModule"
+ },
{
"description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.",
"meta": {
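Review bot: The description of the new entry refers to `Microsoft.ActiveDirectory.Management.dl`, which drops the last letter of the DLL name; it should read `"description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dll\" DLL. Which is often used by attackers to perform AD enumeration."`. Since this cluster is generated from the Sigma rule named in `filename` (posh_pm_active_directory_module_dll_import.yml), the correction presumably has to be made upstream or it will be overwritten on the next regeneration. The `attack.impact` tag also looks out of place on a discovery/enumeration rule next to `attack.reconnaissance` and `attack.discovery`; worth confirming against the upstream rule before it is propagated into relationships. The surrounding `values` array continues outside the hunk.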
@@ -22790,8 +22817,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
"https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
],
"tags": [
@@ -22981,41 +23008,6 @@
"uuid": "b140afd9-474b-4072-958e-2ebb435abd68",
"value": "Suspicious Get-ADDBAccount Usage"
},
- {
- "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/07/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "posh_pm_powercat.yml",
- "level": "medium",
- "logsource.category": "ps_module",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/besimorhino/powercat",
- "https://nmap.org/ncat/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1095"
- ]
- },
- "related": [
- {
- "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2",
- "value": "Netcat The Powershell Version - PowerShell Module"
- },
{
"description": "Detects keywords that could indicate clearing PowerShell history",
"meta": {
@@ -23084,6 +23076,89 @@
"uuid": "2f211361-7dce-442d-b78a-c04039677378",
"value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module"
},
+ {
+ "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_pm_malicious_commandlets.yml",
+ "level": "high",
+ "logsource.category": "ps_module",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.discovery",
+ "attack.t1482",
+ "attack.t1087",
+ "attack.t1087.001",
+ "attack.t1087.002",
+ "attack.t1069.001",
+ "attack.t1069.002",
+ "attack.t1069",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c",
+ "value": "Malicious PowerShell Commandlets - PoshModule"
+ },
{
"description": "Detects remote PowerShell sessions",
"meta": {
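Review bot: The entry carries eight technique tags (`attack.t1482` through `attack.t1059.001`, L75110-L75117) but only five `related` entries (L75121-L75155), so if the new relationship script is meant to emit one `related-to` link per `attack.t*` tag, three techniques appear to have been dropped without trace. The script should report tags it cannot resolve to an ATT&CK UUID instead of omitting them, and it is worth checking whether parent techniques such as `attack.t1087` and `attack.t1069` are intentionally skipped when a sub-technique is also tagged. Tactic-only tags like `attack.execution` and `attack.discovery` would not be expected to produce a link, so the count of those is not part of this concern.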
@@ -23259,7 +23334,7 @@
}
],
"uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9",
- "value": "Suspicious PowerShell Download - PowerShell Module"
+ "value": "Suspicious PowerShell Download - PoshModule"
},
{
"description": "Detects Obfuscated Powershell via Stdin in Scripts",
@@ -23331,6 +23406,55 @@
"uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2",
"value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module"
},
+ {
+ "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali",
+ "creation_date": "2023/01/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_pm_exploit_scripts.yml",
+ "level": "high",
+ "logsource.category": "ps_module",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/samratashok/nishang",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/CsEnox/EventViewer-UACBypass",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "41025fd7-0466-4650-a813-574aaacbe7f4",
+ "value": "Malicious PowerShell Scripts - PoshModule"
+ },
{
"description": "Detects suspicious PowerShell invocation command parameters",
"meta": {
@@ -23536,8 +23660,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -23906,8 +24030,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
],
"tags": [
@@ -24030,9 +24154,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
"https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
- "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
],
"tags": [
@@ -24169,10 +24293,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
- "https://adsecurity.org/?p=2277",
"https://thedfirreport.com/2020/10/08/ryuks-return",
"https://powersploit.readthedocs.io/en/stable/Recon/README",
+ "https://adsecurity.org/?p=2277",
+ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
],
"tags": [
@@ -24314,8 +24438,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
"https://www.ietf.org/rfc/rfc2821.txt",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
],
@@ -24376,8 +24500,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -24525,11 +24649,11 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
"https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
"http://woshub.com/manage-windows-firewall-powershell/",
+ "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
],
"tags": [
@@ -24652,8 +24776,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml"
],
"tags": [
@@ -24710,10 +24834,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
],
"tags": [
@@ -24982,9 +25106,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://adsecurity.org/?p=2604",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
- "https://adsecurity.org/?p=2604",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -25041,8 +25165,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml"
],
"tags": [
@@ -25167,8 +25291,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml"
],
"tags": [
@@ -25509,8 +25633,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml"
],
"tags": [
@@ -25543,8 +25667,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/NathanMcNulty/status/1569497348841287681",
"https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
+ "https://twitter.com/NathanMcNulty/status/1569497348841287681",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml"
],
"tags": [
@@ -25688,6 +25812,33 @@
"uuid": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e",
"value": "PowerShell Write-EventLog Usage"
},
+ {
+ "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali",
+ "creation_date": "2023/01/22",
+ "falsepositive": [
+ "Legitimate use of the library for administrative activity"
+ ],
+ "filename": "posh_ps_active_directory_module_dll_import.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/samratashok/ADModule",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml"
+ ],
+ "tags": [
+ "attack.reconnaissance",
+ "attack.discovery",
+ "attack.impact"
+ ]
+ },
+ "uuid": "9e620995-f2d8-4630-8430-4afd89f77604",
+ "value": "Potential Active Directory Enumeration Using AD Module - PsScript"
+ },
{
"description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7",
"meta": {
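Review bot: The value at L75408 uses the suffix `- PsScript` and the sibling module rule added in this commit uses `- PsModule` (L75016), while the other entries touched here are normalised to `- PoshModule` (L75158, L75168, L75223); three spellings for the same log-source suffix make the cluster harder to search and correlate. The titles come from the upstream rule files, so the normalisation belongs there (one convention, either the `Posh*` or the `Ps*` form) followed by a regeneration rather than an edit of this generated JSON. The description at L75384 also repeats the truncated `Microsoft.ActiveDirectory.Management.dl` file name already present in the PsModule entry.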
@@ -25736,8 +25887,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
],
"tags": [
@@ -25898,8 +26049,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
+ "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml"
],
"tags": [
@@ -25955,9 +26106,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml"
],
"tags": [
@@ -26070,8 +26221,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/aadinternals/",
"https://github.com/Gerenios/AADInternals",
+ "https://o365blog.com/aadinternals/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml"
],
"tags": [
@@ -26168,8 +26319,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml"
],
"tags": [
@@ -26217,8 +26368,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
"http://www.powertheshell.com/ntfsstreams/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"
],
"tags": [
@@ -26285,8 +26436,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
],
"tags": [
@@ -26420,8 +26571,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
],
"tags": [
@@ -26536,9 +26687,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
"https://twitter.com/oroneequalsone/status/1568432028361830402",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
],
"tags": [
@@ -26658,9 +26809,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
],
"tags": [
@@ -26719,8 +26870,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
+ "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
],
"tags": [
@@ -26928,8 +27079,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -26988,8 +27139,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1537919885031772161",
"https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
+ "https://twitter.com/nas_bench/status/1537919885031772161",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml"
],
"tags": [
@@ -27022,8 +27173,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/995111125447577600",
"https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
+ "https://twitter.com/pabraeken/status/995111125447577600",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml"
],
"tags": [
@@ -27198,10 +27349,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
+ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
"https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
"https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
- "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
+ "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
],
"tags": [
@@ -27325,8 +27476,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
],
"tags": [
@@ -27594,8 +27745,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml"
],
@@ -27619,10 +27770,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
- "https://twitter.com/ScumBots/status/1610626724257046529",
- "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
"https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
+ "https://twitter.com/ScumBots/status/1610626724257046529",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
],
"tags": [
@@ -27647,8 +27798,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
],
"tags": [
@@ -27801,20 +27952,21 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://adsecurity.org/?p=2921",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/samratashok/nishang",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
],
"tags": [
@@ -27918,9 +28070,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
"https://www.shellhacks.com/clear-history-powershell/",
+ "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
],
"tags": [
@@ -28061,9 +28213,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
],
"tags": "No established tags"
@@ -28225,8 +28377,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/Arno0x/DNSExfiltrator",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
+ "https://github.com/Arno0x/DNSExfiltrator",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
],
"tags": [
@@ -28319,8 +28471,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
],
"tags": [
@@ -28353,9 +28505,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
"https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml"
],
"tags": [
@@ -28479,8 +28631,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
],
"tags": [
@@ -28673,8 +28825,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/995111125447577600",
"https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
+ "https://twitter.com/pabraeken/status/995111125447577600",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml"
],
"tags": [
@@ -28950,9 +29102,9 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
+ "https://github.com/GhostPack/KeeThief",
"https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
"https://github.com/denandz/KeeFarce",
- "https://github.com/GhostPack/KeeThief",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
],
"tags": [
@@ -29288,10 +29440,10 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/malmoeb/status/1551449425842786306",
+ "https://github.com/fengjixuchui/gdrv-loader",
"https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
"https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
- "https://github.com/fengjixuchui/gdrv-loader",
- "https://twitter.com/malmoeb/status/1551449425842786306",
"https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
],
@@ -29341,18 +29493,18 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
- "https://github.com/stong/CVE-2020-15368",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
- "https://github.com/namazso/physmem_drivers",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
"https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
"https://github.com/jbaines-r7/dellicious",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://github.com/namazso/physmem_drivers",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml"
],
"tags": [
@@ -29419,8 +29571,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
"https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml"
],
"tags": [
@@ -29444,8 +29596,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://reqrypt.org/windivert-doc.html",
"https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
+ "https://reqrypt.org/windivert-doc.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml"
],
"tags": [
@@ -29488,21 +29640,21 @@
"logsource.product": "windows",
"refs": [
"https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
- "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
- "https://github.com/stong/CVE-2020-15368",
- "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
- "https://github.com/tandasat/ExploitCapcom",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
- "https://github.com/namazso/physmem_drivers",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
"https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
"https://github.com/jbaines-r7/dellicious",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
+ "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
+ "https://github.com/namazso/physmem_drivers",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
+ "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
+ "https://github.com/tandasat/ExploitCapcom",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml"
],
"tags": [
@@ -29653,9 +29805,9 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://systeminformer.sourceforge.io/",
- "https://github.com/winsiderss/systeminformer",
"https://processhacker.sourceforge.io/",
+ "https://github.com/winsiderss/systeminformer",
+ "https://systeminformer.sourceforge.io/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml"
],
"tags": [
@@ -29785,8 +29937,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/M_haggis/status/1032799638213066752",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
"https://twitter.com/M_haggis/status/900741347035889665",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml"
],
"tags": [
@@ -29880,9 +30032,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
+ "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
"https://content.fireeye.com/apt-41/rpt-apt41",
"https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
- "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml"
],
"tags": [
@@ -29979,8 +30131,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
"https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml"
],
"tags": [
@@ -30106,8 +30258,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
+ "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml"
],
"tags": [
@@ -30366,10 +30518,10 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://twitter.com/M_haggis/status/1032799638213066752",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://twitter.com/M_haggis/status/900741347035889665",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
],
"tags": [
@@ -30402,8 +30554,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
"https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml"
],
"tags": [
@@ -30687,8 +30839,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://ngrok.com/",
"https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
+ "https://ngrok.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml"
],
"tags": [
@@ -30721,8 +30873,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
+ "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml"
],
"tags": [
@@ -30755,8 +30907,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://redcanary.com/blog/child-processes/",
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml"
],
"tags": [
@@ -30831,8 +30983,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/forensicitguy/status/1513538712986079238",
"https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
+ "https://twitter.com/forensicitguy/status/1513538712986079238",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
],
"tags": [
@@ -30887,8 +31039,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://megatools.megous.com/",
"https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://megatools.megous.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
],
"tags": [
@@ -30988,8 +31140,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2398",
"https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
+ "https://adsecurity.org/?p=2398",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml"
],
"tags": [
@@ -31056,10 +31208,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
"https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
],
@@ -31262,11 +31414,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
"https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
- "https://github.com/helpsystems/nanodump",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
"https://www.google.com/search?q=procdump+lsass",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://github.com/helpsystems/nanodump",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml"
],
"tags": [
@@ -31367,8 +31519,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml"
],
"tags": [
@@ -31426,10 +31578,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
"https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
],
@@ -31645,9 +31797,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
"https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"Internal Research",
- "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_persistence.yml"
],
"tags": [
@@ -31730,8 +31882,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
"https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
+ "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml"
],
"tags": [
@@ -31764,9 +31916,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/afwu/PrintNightmare",
"https://github.com/hhlxf/PrintNightmare",
"https://github.com/cube0x0/CVE-2021-1675",
- "https://github.com/afwu/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
],
"tags": [
@@ -31861,8 +32013,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
"https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
+ "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml"
],
"tags": [
@@ -31898,8 +32050,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
"https://persistence-info.github.io/Data/wpbbin.html",
+ "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml"
],
"tags": [
@@ -32117,8 +32269,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
"https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml"
],
"tags": [
@@ -32243,11 +32395,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
"https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -32271,8 +32423,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/last-byte/PersistenceSniper",
"https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
+ "https://github.com/last-byte/PersistenceSniper",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml"
],
"tags": [
@@ -32329,20 +32481,21 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/nettitude/Invoke-PowerThIEf",
"https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
"https://github.com/samratashok/nishang",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://github.com/CsEnox/EventViewer-UACBypass",
"https://github.com/NetSPI/PowerUpSQL",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
@@ -32362,7 +32515,7 @@
}
],
"uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb",
- "value": "Malicious PowerShell Commandlets - FileCreation"
+ "value": "Malicious PowerShell Scripts - FileCreation"
},
{
"description": "Detects suspicious file type dropped by an Exchange component in IIS",
@@ -32377,9 +32530,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
],
"tags": [
@@ -32449,8 +32602,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tifkin_/status/1321916444557365248",
"https://twitter.com/rbmaslen/status/1321859647091970051",
+ "https://twitter.com/tifkin_/status/1321916444557365248",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml"
],
"tags": [
@@ -32674,8 +32827,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py",
"https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
+ "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml"
],
"tags": [
@@ -32838,8 +32991,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
"https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
],
"tags": [
@@ -32873,8 +33026,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/klinix5/InstallerFileTakeOver",
+ "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
],
"tags": [
@@ -32931,10 +33084,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
"https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
+ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
],
"tags": [
@@ -32967,9 +33120,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
"https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
+ "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -32993,9 +33146,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
],
"tags": [
@@ -33226,8 +33379,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml"
],
"tags": [
@@ -33285,8 +33438,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml"
],
"tags": [
@@ -33436,9 +33589,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://pentestlab.blog/tag/ntds-dit/",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
],
@@ -33472,9 +33625,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
"https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
],
"tags": [
@@ -33507,8 +33660,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/SafetyKatz",
"https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
+ "https://github.com/GhostPack/SafetyKatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml"
],
"tags": [
@@ -33541,8 +33694,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
"https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
+ "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml"
],
"tags": [
@@ -33700,10 +33853,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0/CVE-2021-36934",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
"https://github.com/FireFart/hivenightmare",
"https://github.com/search?q=CVE-2021-36934",
+ "https://github.com/cube0x0/CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
"https://github.com/HuskyHacks/ShadowSteal",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
],
@@ -33854,10 +34007,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/GossiTheDog/HiveNightmare",
- "https://github.com/FireFart/hivenightmare/",
"https://twitter.com/cube0x0/status/1418920190759378944",
"https://github.com/WiredPulse/Invoke-HiveNightmare",
+ "https://github.com/GossiTheDog/HiveNightmare",
+ "https://github.com/FireFart/hivenightmare/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml"
],
"tags": [
@@ -33949,9 +34102,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml"
],
"tags": [
@@ -34051,8 +34204,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
"https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
],
"tags": [
@@ -34234,9 +34387,9 @@
"logsource.product": "windows",
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
- "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
],
"tags": "No established tags"
@@ -34411,8 +34564,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
"https://twitter.com/Sam0x90/status/1552011547974696960",
+ "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
],
"tags": [
@@ -34423,6 +34576,53 @@
"uuid": "2f9356ae-bf43-41b8-b858-4496d83b2acb",
"value": "ISO File Created Within Temp Folders"
},
+ {
+ "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed and gets written to the file system and will be recorded in the USN Journal on the target system",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/21",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "file_event_win_psexec_service_key.yml",
+ "level": "high",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://aboutdfir.com/the-key-to-identify-psexec/",
+ "https://twitter.com/davisrichardg/status/1616518800584704028",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_psexec_service_key.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.privilege_escalation",
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1136.002",
+ "attack.t1543.003",
+ "attack.t1570",
+ "attack.s0029"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4",
+ "value": "Potential PSEXEC Remote Execution - FileCreation"
+ },
{
"description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)",
"meta": {
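Review bot: The `related` array of the new "Potential PSEXEC Remote Execution - FileCreation" entry carries only two `dest-uuid` relationships while its `tags` list four ATT&CK identifiers (`attack.t1136.002`, `attack.t1543.003`, `attack.t1570`, `attack.s0029`), so the relationship script appears to have resolved only part of the tag list; it is worth checking whether the service-creation technique and the PsExec software entry are deliberately skipped or whether the script's tag-to-UUID lookup is missing them, since a consumer pivoting on `related` would otherwise lose those links. Separately, `attack.t1136.002` (Create Account: Domain Account, if I have the sub-technique number right) looks out of place on a rule that fires on the PsExec key file being written, and if it is inherited verbatim from the upstream Sigma rule the correction belongs there, otherwise it will be regenerated into this cluster and into `related` on every refresh. Because the cluster is generated, a short comment in the generator describing which tag prefixes are mapped into `related` (and which are intentionally left as tags only) would make this kind of discrepancy reviewable without re-deriving the mapping by hand.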
@@ -34517,8 +34717,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
"https://www.joesandbox.com/analysis/465533/0/html",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
],
"tags": [
@@ -34586,8 +34786,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
+ "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml"
],
"tags": [
@@ -34752,11 +34952,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://github.com/Wh04m1001/SysmonEoP",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://github.com/Wh04m1001/SysmonEoP",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
],
"tags": [
@@ -34851,9 +35051,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "http://addbalance.com/word/startup.htm",
"https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
"Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
- "http://addbalance.com/word/startup.htm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml"
],
"tags": [
@@ -34944,8 +35144,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://twitter.com/cyb3rops/status/1552932770464292864",
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
],
"tags": [
@@ -34996,8 +35196,8 @@
"logsource.category": "file_rename",
"logsource.product": "windows",
"refs": [
- "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
"https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
+ "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml"
],
"tags": [
@@ -35110,8 +35310,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
"https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml"
],
"tags": [
@@ -35294,8 +35494,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml"
],
"tags": [
@@ -35365,8 +35565,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/lclevy/firepwd",
"https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
+ "https://github.com/lclevy/firepwd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml"
],
"tags": [
@@ -35490,8 +35690,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/notwhickey/status/1333900137232523264",
"https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
+ "https://twitter.com/notwhickey/status/1333900137232523264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
],
"tags": [
@@ -35590,10 +35790,10 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
"https://redcanary.com/blog/misbehaving-rats/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
],
"tags": [
@@ -35626,8 +35826,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
+ "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml"
],
"tags": [
@@ -36092,8 +36292,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://nsudo.m2team.org/en-us/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml"
],
"tags": [
@@ -36226,8 +36426,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml"
],
"tags": [
@@ -36322,12 +36522,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/885258886428725250",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
- "https://twitter.com/eral4m/status/1479106975967240209",
"http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
- "https://twitter.com/nas_bench/status/1433344116071583746",
"https://twitter.com/eral4m/status/1479080793003671557",
+ "https://twitter.com/eral4m/status/1479106975967240209",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml"
],
"tags": [
@@ -36460,9 +36660,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/my-name-is-dtrack/93338/",
"https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
"https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
+ "https://securelist.com/my-name-is-dtrack/93338/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
],
"tags": [
@@ -36603,8 +36803,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
"https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
+ "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml"
],
"tags": [
@@ -36681,8 +36881,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml"
],
"tags": [
@@ -37137,9 +37337,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "Reegun J (OCBC Bank)",
"https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
- "Reegun J (OCBC Bank)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml"
],
"tags": [
@@ -37205,9 +37405,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
- "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
"https://github.com/netero1010/TrustedPath-UACBypass-BOF",
+ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml"
],
"tags": [
@@ -37240,8 +37440,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
],
"tags": [
@@ -37274,10 +37474,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml"
],
"tags": [
@@ -37320,8 +37520,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+ "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
"https://twitter.com/Hexacorn/status/1420053502554951689",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
],
@@ -37364,8 +37564,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/electron/rcedit",
- "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
"https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
+ "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml"
],
"tags": [
@@ -37444,8 +37644,8 @@
"logsource.product": "windows",
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
- "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/issues/1009",
+ "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml"
],
"tags": [
@@ -37525,10 +37725,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
"https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
],
"tags": [
@@ -37758,8 +37958,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml"
],
"tags": [
@@ -37833,8 +38033,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
"https://github.com/mandiant/SharPersist",
+ "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml"
],
"tags": [
@@ -37884,8 +38084,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/BloodHoundAD/SharpHound",
"https://github.com/BloodHoundAD/BloodHound",
+ "https://github.com/BloodHoundAD/SharpHound",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml"
],
"tags": [
@@ -37952,8 +38152,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
"https://twitter.com/johnlatwc/status/1408062131321270282?s=12",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml"
],
"tags": [
@@ -38191,8 +38391,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Oddvarmoe/status/1270633613449723905",
"https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
+ "https://twitter.com/Oddvarmoe/status/1270633613449723905",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml"
],
"tags": [
@@ -38375,10 +38575,10 @@
"logsource.product": "windows",
"refs": [
"https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml"
],
"tags": [
@@ -38421,9 +38621,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1534916659676422152",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://twitter.com/nas_bench/status/1534915321856917506",
+ "https://twitter.com/nas_bench/status/1534916659676422152",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml"
],
"tags": [
@@ -38721,8 +38921,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
"https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
+ "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml"
],
"tags": [
@@ -38817,8 +39017,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml"
],
"tags": [
@@ -39032,9 +39232,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/wermgr.exe",
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"https://github.com/binderlabs/DirCreate2System",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml"
],
"tags": "No established tags"
@@ -39123,10 +39323,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/raspberry-robin/",
"https://twitter.com/Hexacorn/status/1187143326673330176",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
+ "https://redcanary.com/blog/raspberry-robin/",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml"
],
"tags": [
@@ -39193,8 +39393,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
"https://ss64.com/nt/dsacls.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml"
],
"tags": [
@@ -39261,10 +39461,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
"https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml"
],
"tags": [
@@ -39324,8 +39524,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
"https://twitter.com/eral4m/status/1451112385041911809",
+ "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml"
],
"tags": [
@@ -39358,11 +39558,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
"https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml"
],
"tags": [
@@ -39526,9 +39726,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
],
"tags": [
@@ -39696,8 +39896,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
"https://twitter.com/0gtweet/status/1206692239839289344",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
],
"tags": [
@@ -39789,9 +39989,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ClearskySec/status/960924755355369472",
"https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100",
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/",
+ "https://twitter.com/ClearskySec/status/960924755355369472",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml"
],
"tags": [
@@ -39859,8 +40059,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
"https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml"
],
"tags": [
@@ -39884,8 +40084,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/",
"https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
+ "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml"
],
"tags": [
@@ -39951,8 +40151,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/vb/cscript.html",
"https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
+ "https://ss64.com/vb/cscript.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml"
],
"tags": [
@@ -39985,8 +40185,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
"https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml"
],
"tags": [
@@ -40033,8 +40233,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
"https://nmap.org/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml"
],
"tags": [
@@ -40058,8 +40258,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml"
],
"tags": [
@@ -40083,9 +40283,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.poweradmin.com/paexec/",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://www.poweradmin.com/paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml"
],
"tags": [
@@ -40105,6 +40305,39 @@
"uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23",
"value": "PsExec/PAExec Escalation to LOCAL SYSTEM"
},
+ {
+ "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).",
+ "meta": {
+ "author": "Harjot Singh, '@cyb3rjy0t'",
+ "creation_date": "2023/01/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_ads_stored_dll_execution_rundll32.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Rundll32",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9248c7e1-2bf3-4661-a22c-600a8040b446",
+ "value": "Potential Rundll32 Execution With DLL Stored In ADS"
+ },
{
"description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)",
"meta": {
@@ -40118,8 +40351,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
+ "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml"
],
"tags": [
@@ -40220,13 +40453,13 @@
"logsource.product": "windows",
"refs": [
"https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://twitter.com/Hexacorn/status/776122138063409152",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
],
"tags": [
@@ -40268,9 +40501,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
],
"tags": [
@@ -40362,9 +40595,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.dfirnotes.net/portproxy_detection/",
"https://adepts.of0x.cc/netsh-portproxy-code/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml"
],
"tags": [
@@ -40530,8 +40763,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
"https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
+ "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml"
],
"tags": [
@@ -40564,8 +40797,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
],
"tags": [
@@ -40652,12 +40885,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml"
],
"tags": [
@@ -40810,8 +41043,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml"
],
"tags": [
@@ -40836,9 +41069,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml"
],
"tags": [
@@ -40882,8 +41115,8 @@
"logsource.product": "windows",
"refs": [
"https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
- "https://twitter.com/max_mal_/status/1542461200797163522",
"https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
+ "https://twitter.com/max_mal_/status/1542461200797163522",
"https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml"
],
@@ -40941,9 +41174,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
"https://ss64.com/nt/dsacls.html",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
],
"tags": [
@@ -41027,8 +41260,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/h3v0x/CVE-2021-26084_Confluence",
"https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
+ "https://github.com/h3v0x/CVE-2021-26084_Confluence",
"https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml"
],
@@ -41104,8 +41337,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml"
],
"tags": [
@@ -41139,8 +41372,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
- "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
"https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+ "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml"
],
"tags": [
@@ -41266,10 +41499,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml"
],
"tags": [
@@ -41423,8 +41656,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_felamos/status/1204705548668555264",
"https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
+ "https://twitter.com/_felamos/status/1204705548668555264",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml"
],
@@ -41581,8 +41814,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
"https://sourceforge.net/projects/mouselock/",
+ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml"
],
"tags": [
@@ -41607,8 +41840,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/wusa.exe/",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.echotrail.io/insights/search/wusa.exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml"
],
"tags": [
@@ -41697,8 +41930,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
"https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
],
"tags": [
@@ -41754,8 +41987,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
"https://support.anydesk.com/Automatic_Deployment",
+ "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml"
],
"tags": [
@@ -41856,8 +42089,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
],
"tags": [
@@ -41970,9 +42203,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
"https://twitter.com/filip_dragovic/status/1590104354727436290",
"https://twitter.com/filip_dragovic/status/1590052248260055041",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml"
],
"tags": "No established tags"
@@ -42027,8 +42260,8 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
],
"tags": [
@@ -42061,8 +42294,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
"https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml"
],
"tags": [
@@ -42096,8 +42329,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
"https://securelist.com/muddywater/88059/",
+ "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml"
],
"tags": [
@@ -42130,9 +42363,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/",
- "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/",
+ "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml"
],
"tags": [
@@ -42206,10 +42439,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ReaQta/status/1222548288731217921",
"https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
"https://www.activecyber.us/activelabs/windows-uac-bypass",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://twitter.com/ReaQta/status/1222548288731217921",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
],
"tags": [
@@ -42243,9 +42476,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
"https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
"https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
+ "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
],
"tags": [
@@ -42341,8 +42574,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vysecurity/status/977198418354491392",
"https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
+ "https://twitter.com/vysecurity/status/977198418354491392",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml"
],
"tags": [
@@ -42601,8 +42834,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
"https://twitter.com/pabraeken/status/993298228840992768",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml"
],
"tags": [
@@ -42712,15 +42945,15 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
"https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
],
"tags": [
@@ -42755,9 +42988,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
],
"tags": [
@@ -42781,9 +43014,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
],
"tags": [
@@ -42826,8 +43059,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml"
],
"tags": [
@@ -42993,10 +43226,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/980659399495741441",
"https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
"https://twitter.com/JohnLaTwC/status/1223292479270600706",
"https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
+ "https://twitter.com/bohops/status/980659399495741441",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml"
],
@@ -43097,9 +43330,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bryon_/status/975835709587075072",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
"https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
+ "https://twitter.com/bryon_/status/975835709587075072",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml"
],
"tags": [
@@ -43299,8 +43532,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
"https://github.com/cube0x0",
+ "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml"
],
"tags": "No established tags"
@@ -43321,8 +43554,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
],
"tags": [
@@ -43355,10 +43588,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
"https://twitter.com/Z3Jpa29z/status/1317545798981324801",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml"
],
"tags": [
@@ -43597,8 +43830,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml"
],
"tags": [
@@ -43622,10 +43855,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
- "https://twitter.com/hFireF0X/status/897640081053364225",
- "https://github.com/hfiref0x/UACME",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://twitter.com/hFireF0X/status/897640081053364225",
+ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml"
],
"tags": [
@@ -43695,8 +43928,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
"https://twitter.com/x86matthew/status/1505476263464607744?s=12",
+ "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
],
"tags": "No established tags"
@@ -43769,9 +44002,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
],
"tags": [
@@ -43796,10 +44029,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/DLLRunner",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
"https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
"https://twitter.com/cyb3rops/status/1186631731543236608",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://github.com/Neo23x0/DLLRunner",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
],
"tags": [
@@ -44077,8 +44310,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml"
],
"tags": [
@@ -44102,8 +44335,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://streamable.com/q2dsji",
"https://twitter.com/j0nh4t/status/1429049506021138437",
+ "https://streamable.com/q2dsji",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml"
],
"tags": [
@@ -44168,8 +44401,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml"
],
@@ -44374,8 +44607,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://redcanary.com/blog/child-processes/",
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml"
],
"tags": [
@@ -44386,6 +44619,33 @@
"uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9",
"value": "Dllhost Process With No CommandLine"
},
+ {
+ "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/22",
+ "falsepositive": [
+ "Legitimate use of the library for administrative activity"
+ ],
+ "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/samratashok/ADModule",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml"
+ ],
+ "tags": [
+ "attack.reconnaissance",
+ "attack.discovery",
+ "attack.impact"
+ ]
+ },
+ "uuid": "70bc5215-526f-4477-963c-a47a5c9ebd12",
+ "value": "Potential Active Directory Enumeration Using AD Module - ProcCreation"
+ },
{
"description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path",
"meta": {
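Review bot: The new entry's description at L77549 names the library as `Microsoft.ActiveDirectory.Management.dl`, which looks like a truncation of the `.dll` extension; the sentence that follows ("Which is often used by attackers …") is also a fragment and would read better joined, e.g. `… DLL, which is often used by attackers to perform AD enumeration.`. The tag `attack.impact` at L77569 sits oddly beside `attack.reconnaissance` and `attack.discovery` for a rule that only detects module import — if both the wording and the tag are copied verbatim from the upstream Sigma rule referenced at L77564, the correction belongs there and this generated entry will pick it up on the next refresh rather than being hand-edited here. The entry that begins at L77575 continues past the end of the hunk.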
@@ -44399,10 +44659,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
"https://twitter.com/0gtweet/status/1583356502340870144",
+ "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
],
"tags": [
@@ -44443,11 +44703,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
"https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml"
],
"tags": [
@@ -44480,9 +44740,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
],
"tags": [
@@ -44516,8 +44776,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/c_APT_ure/status/939475433711722497",
- "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
"https://twitter.com/haroonmeer/status/939099379834658817",
+ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml"
],
"tags": [
@@ -44900,8 +45160,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/dez_/status/1560101453150257154",
"https://forensafe.com/blogs/typedpaths.html",
+ "https://twitter.com/dez_/status/1560101453150257154",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml"
],
"tags": [
@@ -44957,8 +45217,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
"https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
+ "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml"
],
"tags": [
@@ -45112,8 +45372,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Kevin-Robertson/Inveigh",
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://github.com/Kevin-Robertson/Inveigh",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml"
],
"tags": [
@@ -45146,8 +45406,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml"
],
"tags": [
@@ -45189,8 +45449,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
],
@@ -45308,8 +45568,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml"
],
"tags": [
@@ -45544,11 +45804,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
"https://twitter.com/JohnLaTwC/status/835149808817991680",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
"https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
"https://twitter.com/egre55/status/1087685529016193025",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml"
],
"tags": [
@@ -45597,8 +45857,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml"
],
"tags": [
@@ -45624,8 +45884,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://tools.thehacker.recipes/mimikatz/modules",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml"
],
"tags": "No established tags"
@@ -45790,8 +46050,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml"
],
"tags": [
@@ -45859,10 +46119,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
],
"tags": [
@@ -46074,10 +46334,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
],
"tags": [
@@ -46153,8 +46413,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
"https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
"https://github.com/ohpe/juicy-potato",
"https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
@@ -46225,8 +46485,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.revshells.com/",
"https://nmap.org/ncat/",
+ "https://www.revshells.com/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml"
],
@@ -46294,8 +46554,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
"https://abuse.io/lockergoga.txt",
+ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml"
],
"tags": [
@@ -46321,10 +46581,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
"https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml"
],
"tags": [
@@ -46383,9 +46643,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
"https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
"https://twitter.com/EricaZelic/status/1614075109827874817",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml"
],
@@ -46522,9 +46782,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml"
],
"tags": [
@@ -46692,11 +46952,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/885570278637678592",
- "https://twitter.com/vysecurity/status/885545634958385153",
- "https://twitter.com/Hexacorn/status/885553465417756673",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
+ "https://twitter.com/Hexacorn/status/885570278637678592",
+ "https://twitter.com/Hexacorn/status/885553465417756673",
+ "https://twitter.com/vysecurity/status/885545634958385153",
+ "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml"
],
"tags": [
@@ -46786,9 +47046,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/winsiderss/systeminformer",
- "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
"https://processhacker.sourceforge.io/",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://github.com/winsiderss/systeminformer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml"
],
"tags": "No established tags"
@@ -47056,8 +47316,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/yosqueoy/ditsnap",
"https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://github.com/yosqueoy/ditsnap",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml"
],
"tags": [
@@ -47124,8 +47384,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/for.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://ss64.com/nt/for.html",
"https://ss64.com/ps/foreach-object.htmll",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml"
],
@@ -47257,8 +47517,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
"https://github.com/dsnezhkov/TruffleSnout",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml"
],
"tags": [
@@ -47325,9 +47585,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/oulusoyum/status/1191329746069655553",
"https://twitter.com/mattifestation/status/1196390321783025666",
"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
],
"tags": [
@@ -47369,9 +47629,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
- "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
+ "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"
],
"tags": [
@@ -47404,9 +47664,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
],
"tags": [
@@ -47456,10 +47716,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
- "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
"https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
+ "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
"https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml"
],
"tags": [
@@ -47527,8 +47787,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
"https://twitter.com/nas_bench/status/1535431474429808642",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml"
],
"tags": [
@@ -47713,8 +47973,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
"https://github.com/med0x2e/vba2clr",
+ "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml"
],
"tags": [
@@ -47762,8 +48022,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
"https://twitter.com/_felamos/status/1179811992841797632",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml"
],
"tags": [
@@ -47830,9 +48090,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml"
],
"tags": [
@@ -47889,8 +48149,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
"https://twitter.com/blackorbird/status/1140519090961825792",
+ "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
],
"tags": [
@@ -48290,8 +48550,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
"https://twitter.com/ShadowChasing1/status/1552595370961944576",
+ "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml"
],
"tags": [
@@ -48324,8 +48584,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
"https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
+ "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml"
],
"tags": [
@@ -48490,8 +48750,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml"
],
"tags": [
@@ -48535,8 +48795,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml"
],
"tags": [
@@ -48569,8 +48829,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml"
],
"tags": [
@@ -48645,9 +48905,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml"
],
"tags": [
@@ -48705,12 +48965,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://www.joeware.net/freetools/tools/adfind/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml"
],
"tags": [
@@ -49018,8 +49278,8 @@
"logsource.product": "windows",
"refs": [
"https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://ss64.com/bash/rar.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml"
],
"tags": [
@@ -49182,8 +49442,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/klinix5/InstallerFileTakeOver",
+ "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml"
],
"tags": [
@@ -49252,8 +49512,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml"
],
"tags": [
@@ -49417,8 +49677,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
"https://persistence-info.github.io/Data/wpbbin.html",
+ "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml"
],
"tags": [
@@ -49478,13 +49738,13 @@
"logsource.product": "windows",
"refs": [
"https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://twitter.com/Hexacorn/status/776122138063409152",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
],
"tags": [
@@ -49649,12 +49909,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
"https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -49679,8 +49939,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/med0x2e/status/1520402518685200384",
"https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
+ "https://twitter.com/med0x2e/status/1520402518685200384",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
],
"tags": [
@@ -49739,8 +49999,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
"https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
+ "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml"
],
"tags": [
@@ -49864,9 +50124,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml"
],
"tags": [
@@ -49899,9 +50159,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.viettelcybersecurity.com/saml-show-stopper/",
- "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
"https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
+ "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
+ "https://blog.viettelcybersecurity.com/saml-show-stopper/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml"
],
"tags": "No established tags"
@@ -50016,9 +50276,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.fortiguard.com/threat-signal-report/4718?s=09",
"https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
- "https://www.fortiguard.com/threat-signal-report/4718?s=09",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"
],
"tags": [
@@ -50051,10 +50311,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/defaultnamehere/cookie_crimes/",
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
"https://github.com/wunderwuzzi23/firefox-cookiemonster",
"https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
+ "https://github.com/defaultnamehere/cookie_crimes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml"
],
"tags": [
@@ -50160,11 +50420,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
"https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
"https://twitter.com/christophetd/status/1164506034720952320",
+ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
],
"tags": [
@@ -50198,8 +50458,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml"
],
"tags": [
@@ -50358,8 +50618,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
"https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+ "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml"
],
"tags": [
@@ -50392,8 +50652,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -50475,9 +50735,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
],
"tags": [
@@ -50501,8 +50761,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/",
"http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/",
+ "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml"
],
"tags": [
@@ -50527,8 +50787,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
"https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml"
],
"tags": [
@@ -50586,9 +50846,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
"https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
],
"tags": [
@@ -50654,8 +50914,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
"https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
+ "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
],
"tags": [
@@ -50721,8 +50981,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
"https://securelist.com/schroedingers-petya/78870/",
+ "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
],
"tags": [
@@ -50808,8 +51068,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
"https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
],
"tags": [
@@ -50918,8 +51178,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
"https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml"
],
"tags": [
@@ -50943,8 +51203,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
@@ -50996,12 +51256,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://www.joeware.net/freetools/tools/adfind/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
],
"tags": [
@@ -51044,10 +51304,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
"https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
"https://twitter.com/cyberwar_15/status/1187287262054076416",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
"https://blog.alyac.co.kr/1901",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
],
@@ -51158,8 +51418,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/kagancapar/status/1515219358234161153",
"https://github.com/kagancapar/CVE-2022-29072",
+ "https://twitter.com/kagancapar/status/1515219358234161153",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml"
],
"tags": [
@@ -51249,9 +51509,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
"https://twitter.com/nas_bench/status/1534957360032120833",
"https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"
],
"tags": [
@@ -51384,8 +51644,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml"
],
"tags": [
@@ -51453,8 +51713,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml"
],
"tags": [
@@ -51530,8 +51790,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
"https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
],
"tags": [
@@ -51848,9 +52108,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
"https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
],
"tags": [
@@ -51873,10 +52133,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
"https://twitter.com/d1r4c/status/1279042657508081664",
- "https://curl.se/docs/manpage.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://curl.se/docs/manpage.html",
+ "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml"
],
"tags": [
@@ -51951,8 +52211,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1451237393017839616",
"https://github.com/Tylous/ZipExec",
+ "https://twitter.com/SBousseaden/status/1451237393017839616",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml"
],
"tags": [
@@ -52132,8 +52392,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
"https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
"https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml"
],
@@ -52167,8 +52427,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
"https://twitter.com/bohops/status/994405551751815170",
+ "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml"
],
"tags": [
@@ -52228,10 +52488,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
"https://twitter.com/SBousseaden/status/1211636381086339073",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
],
"tags": [
@@ -52335,8 +52595,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
"https://github.com/sensepost/impersonate",
+ "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml"
],
"tags": [
@@ -52378,8 +52638,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -52620,8 +52880,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml"
],
@@ -52884,8 +53144,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://twitter.com/_JohnHammond/status/1531672601067675648",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml"
],
@@ -52985,10 +53245,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
- "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
"https://twitter.com/BleepinComputer/status/1372218235949617161",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
+ "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
"https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
],
@@ -53023,9 +53283,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
],
"tags": [
@@ -53190,10 +53450,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
- "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
"https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
+ "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
"https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
+ "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
],
"tags": [
@@ -53284,8 +53544,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
+ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
],
"tags": [
@@ -53444,8 +53704,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
],
"tags": [
@@ -53580,9 +53840,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
],
"tags": [
@@ -53700,8 +53960,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml"
],
"tags": [
@@ -54385,8 +54645,8 @@
"logsource.product": "windows",
"refs": [
"https://nodejs.org/api/cli.html",
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
"https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
],
@@ -54490,8 +54750,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
"https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
+ "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml"
],
"tags": [
@@ -54534,8 +54794,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
"https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
+ "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
],
"tags": [
@@ -54624,10 +54884,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://adsecurity.org/?p=2604",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
- "https://adsecurity.org/?p=2604",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -54660,9 +54920,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
"https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://twitter.com/pabraeken/status/990717080805789697",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml"
],
"tags": [
@@ -54778,12 +55038,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
- "https://twitter.com/Hexacorn/status/1224848930795552769",
- "https://twitter.com/SBousseaden/status/1167417096374050817",
"https://twitter.com/Wietze/status/1542107456507203586",
- "https://twitter.com/shantanukhande/status/1229348874298388484",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/SBousseaden/status/1167417096374050817",
"https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml"
],
"tags": [
@@ -54819,16 +55079,16 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
"https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml"
],
"tags": [
@@ -54961,8 +55221,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml"
],
"tags": [
@@ -55086,8 +55346,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
"https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
+ "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
"https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml"
],
@@ -55204,8 +55464,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
"https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml"
],
"tags": [
@@ -55294,9 +55554,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
"https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
],
"tags": [
@@ -55319,9 +55579,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
"https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
- "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml"
],
"tags": [
@@ -55363,8 +55623,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml"
],
"tags": [
@@ -55397,10 +55657,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
"https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
- "https://twitter.com/vysecurity/status/873181705024266241",
"https://twitter.com/vysecurity/status/974806438316072960",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
+ "https://twitter.com/vysecurity/status/873181705024266241",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
],
"tags": [
@@ -55433,8 +55693,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bopin2020/status/1366400799199272960",
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://twitter.com/bopin2020/status/1366400799199272960",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml"
],
"tags": [
@@ -55511,8 +55771,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/jpillora/chisel/",
- "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
+ "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml"
],
"tags": [
@@ -55602,8 +55862,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/993497996179492864",
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
+ "https://twitter.com/pabraeken/status/993497996179492864",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml"
],
"tags": [
@@ -55660,8 +55920,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=Ie831jF0bb0",
"https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.youtube.com/watch?v=Ie831jF0bb0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml"
],
"tags": [
@@ -55703,9 +55963,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
+ "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml"
],
"tags": [
@@ -55955,8 +56215,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter",
"https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
+ "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml"
],
"tags": [
@@ -56123,8 +56383,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml"
],
"tags": [
@@ -56258,10 +56518,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/",
- "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
"https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
+ "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
"https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
+ "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml"
],
"tags": [
@@ -56297,9 +56557,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml"
],
"tags": [
@@ -56392,9 +56652,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://www.intrinsec.com/apt27-analysis/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
],
"tags": [
@@ -56470,8 +56730,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/HiwinCN/HTran",
"https://github.com/cw1997/NATBypass",
+ "https://github.com/HiwinCN/HTran",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_htran.yml"
],
"tags": [
@@ -56505,8 +56765,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml"
],
"tags": [
@@ -56539,8 +56799,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
+ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
],
@@ -56717,9 +56977,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
"https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2",
"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml"
],
"tags": [
@@ -56863,8 +57123,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
"https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
+ "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml"
],
"tags": [
@@ -56931,8 +57191,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/GelosSnake/status/934900723426439170",
"https://asec.ahnlab.com/en/39828/",
+ "https://twitter.com/GelosSnake/status/934900723426439170",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml"
],
"tags": [
@@ -56989,10 +57249,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://github.com/antonioCoco/RogueWinRM",
+ "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
],
"tags": [
@@ -57025,11 +57285,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
- "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
- "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
- "https://www.joesandbox.com/analysis/443736/0/html",
"https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
+ "https://www.joesandbox.com/analysis/443736/0/html",
+ "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
+ "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
+ "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml"
],
"tags": [
@@ -57087,8 +57347,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://www.cobaltstrike.com/help-windows-executable",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://redcanary.com/threat-detection-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml"
],
@@ -57201,9 +57461,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
"https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
"https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
- "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
"https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml"
],
@@ -57237,10 +57497,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/splinter_code/status/1483815103279603714",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
"https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml"
],
"tags": "No established tags"
@@ -57261,9 +57521,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
"https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
+ "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
],
"tags": [
@@ -57364,8 +57624,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
"https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
"https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml"
],
@@ -57432,8 +57692,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml"
],
"tags": [
@@ -57501,9 +57761,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/fireeye/DueDLLigence",
"https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
"https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
- "https://github.com/fireeye/DueDLLigence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
],
"tags": [
@@ -57622,8 +57882,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
"https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml"
],
"tags": [
@@ -57647,9 +57907,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
- "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
+ "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml"
],
"tags": [
@@ -57933,10 +58193,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/defaultnamehere/cookie_crimes/",
- "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
- "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
"https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
+ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
+ "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://github.com/defaultnamehere/cookie_crimes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml"
],
"tags": [
@@ -58048,8 +58308,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://pentestlab.blog/2017/03/30/weak-service-permissions/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml"
],
"tags": [
@@ -58075,8 +58335,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html",
"https://cyber.wtf/2021/11/15/guess-whos-back/",
+ "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml"
],
"tags": [
@@ -58133,8 +58393,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
"https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml"
],
"tags": [
@@ -58191,8 +58451,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.joesandbox.com/analysis/476188/1/iochtml",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
+ "https://www.joesandbox.com/analysis/476188/1/iochtml",
"https://twitter.com/neonprimetime/status/1435584010202255375",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml"
],
@@ -58261,8 +58521,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
"https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml"
],
"tags": [
@@ -58287,9 +58547,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
"https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
"https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml"
],
"tags": [
@@ -58356,8 +58616,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
"https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"
],
"tags": [
@@ -58390,8 +58650,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -58652,8 +58912,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml"
],
"tags": [
@@ -58686,8 +58946,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml"
],
"tags": [
@@ -58864,10 +59124,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
+ "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
],
"tags": [
@@ -58891,8 +59151,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
"https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
+ "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
],
"tags": [
@@ -59066,8 +59326,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/apt-slingshot/84312/",
"https://twitter.com/cyb3rops/status/972186477512839170",
+ "https://securelist.com/apt-slingshot/84312/",
"https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml"
],
@@ -59102,9 +59362,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
"http://www.xuetr.com/",
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml"
],
"tags": "No established tags"
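Review bot: The `tags` field on this pchunter entry is a bare string, `"tags": "No established tags"`, while every neighbouring entry in these hunks opens `"tags": [` — so one key carries two different types across the same `values` array. Any consumer that iterates `tags` (ATT&CK technique mapping, MISP tag expansion) will either iterate the characters of the sentinel or fail on the type, and the fact that this rule has no technique mapping is hidden rather than surfaced. I would have the generator emit `"tags": []` (or omit the key entirely) and keep sentinel prose out of typed fields; the same sentinel string appears again further down on the advancedrun entry. The enclosing JSON object begins outside this hunk.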
@@ -59126,13 +59386,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
- "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
- "https://twitter.com/xorJosh/status/1598646907802451969",
- "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
"https://ngrok.com/docs",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://twitter.com/xorJosh/status/1598646907802451969",
+ "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
+ "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml"
],
"tags": [
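Review bot: Six of the seven `refs` in this hunk are only reordered, and the same pattern repeats in almost every hunk visible here, which suggests the new relationship script writes `refs` in set or dict iteration order rather than a stable one. That turns each regeneration into thousands of spurious diff lines and makes a genuine change to a rule's references — a dropped, swapped or typosquatted URL — practically unreviewable, which matters for a detection corpus people pull and trust. I would emit the non-Sigma references in a deterministic order (e.g. `sorted(refs)`) and keep the `https://github.com/SigmaHQ/sigma/tree/...` rule link as the fixed last element, as the current output already appears to do.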
@@ -59212,10 +59472,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
- "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
],
"tags": [
@@ -59299,9 +59559,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/995837734379032576",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
"https://twitter.com/pabraeken/status/999090532839313408",
+ "https://twitter.com/pabraeken/status/995837734379032576",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml"
],
"tags": [
@@ -59334,8 +59594,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
+ "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml"
],
"tags": [
@@ -59451,9 +59711,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
"https://twitter.com/bohops/status/1477717351017680899?s=12",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
+ "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
],
"tags": [
@@ -59571,10 +59831,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
- "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
"https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
+ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml"
],
"tags": [
@@ -59675,9 +59935,9 @@
"logsource.product": "windows",
"refs": [
"https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
"https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml"
],
"tags": [
@@ -59962,8 +60222,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bopin2020/status/1366400799199272960",
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://twitter.com/bopin2020/status/1366400799199272960",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml"
],
"tags": [
@@ -60088,9 +60348,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/Rubeus",
- "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
"https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
+ "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
+ "https://github.com/GhostPack/Rubeus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml"
],
"tags": [
@@ -60126,8 +60386,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/",
"https://twitter.com/killamjr/status/1179034907932315648",
+ "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml"
],
"tags": [
@@ -60202,11 +60462,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
- "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
"https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
+ "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
+ "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml"
],
"tags": [
@@ -60377,8 +60637,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nsudo.m2team.org/en-us/",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://nsudo.m2team.org/en-us/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml"
],
"tags": [
@@ -60446,9 +60706,9 @@
"logsource.product": "windows",
"refs": [
"https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
- "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
- "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
"https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
+ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
+ "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml"
],
"tags": [
@@ -60641,8 +60901,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml"
],
"tags": [
@@ -60854,8 +61114,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
"https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml"
],
"tags": [
@@ -60890,9 +61150,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
+ "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml"
],
"tags": [
@@ -60992,8 +61252,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_st0pp3r_/status/1560072680887525378",
"https://twitter.com/Oddvarmoe/status/993383596244258816",
+ "https://twitter.com/_st0pp3r_/status/1560072680887525378",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml"
],
"tags": [
@@ -61127,8 +61387,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml"
],
@@ -61262,9 +61522,9 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
- "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
+ "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
],
"tags": [
@@ -61330,8 +61590,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://redcanary.com/blog/raspberry-robin/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml"
],
"tags": [
@@ -61431,9 +61691,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
"https://github.com/swagkarna/Defeat-Defender-V1.2.0",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml"
],
"tags": [
@@ -61526,9 +61786,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
"https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
],
"tags": [
@@ -61571,9 +61831,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml"
],
"tags": [
@@ -61597,8 +61857,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_psexec.yml"
],
"tags": [
@@ -61831,8 +62091,8 @@
"logsource.product": "windows",
"refs": [
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://github.com/hfiref0x/UACME",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
],
"tags": [
@@ -62300,8 +62560,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml"
],
"tags": [
@@ -62325,8 +62585,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
"https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml"
],
"tags": [
@@ -62350,8 +62610,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml"
],
"tags": [
@@ -62588,10 +62848,10 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
],
"tags": [
@@ -62906,8 +63166,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
"https://github.com/GhostPack/Seatbelt",
+ "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml"
],
"tags": [
@@ -63076,9 +63336,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
- "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
"https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
],
@@ -63289,10 +63549,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/splinter_code/status/1483815103279603714",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
"https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml"
],
"tags": "No established tags"
@@ -63313,8 +63573,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml"
],
"tags": [
@@ -63372,8 +63632,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
"https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml"
],
"tags": [
@@ -63408,8 +63668,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
"https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml"
],
"tags": [
@@ -63442,8 +63702,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml"
],
"tags": [
@@ -63642,8 +63902,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/shantanu561993/SharpChisel",
"https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
+ "https://github.com/shantanu561993/SharpChisel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml"
],
"tags": [
@@ -63703,10 +63963,10 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/mattifestation/status/1326228491302563846",
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
- "http://blog.sevagas.com/?Hacking-around-HTA-files",
- "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
"https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
+ "http://blog.sevagas.com/?Hacking-around-HTA-files",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
+ "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml"
],
"tags": [
@@ -63894,8 +64154,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/harr0ey/status/991670870384021504",
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
+ "https://twitter.com/harr0ey/status/991670870384021504",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml"
],
"tags": [
@@ -63928,9 +64188,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
"https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
],
"tags": [
@@ -63963,8 +64223,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
"https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
],
"tags": [
@@ -64388,8 +64648,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
"https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml"
],
"tags": [
@@ -64472,8 +64732,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml"
],
"tags": [
@@ -64497,8 +64757,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
"https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml"
],
"tags": [
@@ -64672,9 +64932,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
- "https://www.exploit-db.com/exploits/37525",
"https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
+ "https://www.exploit-db.com/exploits/37525",
+ "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
],
"tags": [
@@ -64696,8 +64956,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
+ "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml"
],
"tags": [
@@ -64911,10 +65171,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://twitter.com/cglyer/status/1355171195654709249",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml"
],
"tags": [
@@ -65011,11 +65271,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
+ "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
"https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
],
"tags": [
@@ -65153,8 +65413,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/Binaries/Psr/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml"
],
"tags": [
@@ -65201,11 +65461,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
- "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml"
],
"tags": [
@@ -65289,8 +65549,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml"
],
"tags": [
@@ -65376,9 +65636,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.poweradmin.com/paexec/",
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://www.poweradmin.com/paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml"
],
"tags": [
@@ -65411,8 +65671,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
"https://twitter.com/1ZRR4H/status/1534259727059787783",
+ "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml"
],
"tags": [
@@ -65436,8 +65696,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml"
],
@@ -65572,10 +65832,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
"https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
- "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
+ "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
"https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
+ "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml"
],
"tags": [
@@ -65609,8 +65869,8 @@
"logsource.product": "windows",
"refs": [
"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml"
],
"tags": [
@@ -65676,8 +65936,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
],
@@ -65770,8 +66030,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/aadinternals/",
"https://github.com/Gerenios/AADInternals",
+ "https://o365blog.com/aadinternals/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml"
],
"tags": [
@@ -65798,9 +66058,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml"
],
"tags": "No established tags"
@@ -65886,7 +66146,7 @@
"value": "Rundll32 UNC Path Execution"
},
{
- "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.",
+ "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as \"explorer.exe\" as a parent.",
"meta": {
"author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"creation_date": "2019/09/12",
@@ -65916,7 +66176,7 @@
}
],
"uuid": "f4bbd493-b796-416e-bbf2-121235348529",
- "value": "Non Interactive PowerShell"
+ "value": "Non Interactive PowerShell Process Spawned"
},
{
"description": "Detects execution of renamed paexec via imphash and executable product string",
@@ -66019,8 +66279,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml"
],
@@ -66071,8 +66331,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
"https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml"
],
"tags": [
@@ -66185,8 +66445,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml"
],
"tags": [
@@ -66219,8 +66479,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/",
"https://www.echotrail.io/insights/search/ilasm.exe",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml"
],
"tags": [
@@ -66437,9 +66697,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
"https://vms.drweb.fr/virus/?i=24144899",
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://twitter.com/JohnLaTwC/status/1415295021041979392",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml"
],
@@ -66464,8 +66724,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml"
],
"tags": [
@@ -66724,8 +66984,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml"
],
"tags": [
@@ -66784,8 +67044,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml"
],
"tags": [
@@ -66892,9 +67152,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
"https://twitter.com/pabraeken/status/993298228840992768",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
],
"tags": [
@@ -66947,8 +67207,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml"
],
"tags": [
@@ -67065,10 +67325,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bohops/status/1276357235954909188?s=12",
- "https://twitter.com/nas_bench/status/1535322450858233858",
- "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
"https://twitter.com/CyberRaiju/status/1273597319322058752",
+ "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
+ "https://twitter.com/nas_bench/status/1535322450858233858",
+ "https://twitter.com/bohops/status/1276357235954909188?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml"
],
"tags": [
@@ -67092,9 +67352,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
"https://twitter.com/lefterispan/status/1286259016436514816",
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml"
],
@@ -67262,8 +67522,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
"https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
+ "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml"
],
"tags": [
@@ -67354,13 +67614,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
"https://github.com/zcgonvh/NTDSDumpEx",
- "https://pentestlab.blog/tag/ntds-dit/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
+ "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
"https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
],
"tags": [
@@ -67393,9 +67653,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml"
],
"tags": [
@@ -67428,12 +67688,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
- "https://www.cobaltstrike.com/help-opsec",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
"https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://www.cobaltstrike.com/help-opsec",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
"https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
"https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml"
],
@@ -67501,9 +67761,9 @@
"logsource.product": "windows",
"refs": [
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
"https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
],
"tags": "No established tags"
@@ -67615,8 +67875,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
"https://securityxploded.com/",
+ "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml"
],
"tags": [
@@ -67650,8 +67910,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
],
@@ -67811,8 +68071,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
"https://twitter.com/pabraeken/status/991335019833708544",
+ "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml"
],
"tags": [
@@ -67949,9 +68209,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://www.joeware.net/freetools/tools/adfind/",
"https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml"
],
"tags": [
@@ -67997,8 +68257,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
"https://redcanary.com/blog/child-processes/",
+ "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml"
],
"tags": [
@@ -68158,8 +68418,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
"https://github.com/malcomvetter/CSExec",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml"
],
"tags": [
@@ -68201,9 +68461,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
],
"tags": [
@@ -68295,8 +68555,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml"
],
"tags": [
@@ -68322,9 +68582,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
"https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
"https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
"https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml"
],
@@ -68445,8 +68705,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://github.com/sensepost/ruler",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml"
],
"tags": [
@@ -68534,20 +68794,21 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://adsecurity.org/?p=2921",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/samratashok/nishang",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml"
],
"tags": [
@@ -68875,9 +69136,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
- "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml"
],
"tags": [
@@ -68910,9 +69171,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
"https://twitter.com/lefterispan/status/1286259016436514816",
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"
],
@@ -69117,9 +69378,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
"https://twitter.com/cyb3rops/status/1514217991034097664",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
+ "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml"
],
"tags": [
@@ -69161,8 +69422,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/harr0ey/status/992008180904419328",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
+ "https://twitter.com/harr0ey/status/992008180904419328",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"
],
"tags": [
@@ -69263,8 +69524,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511489821247684615",
"https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml"
],
"tags": [
@@ -69447,8 +69708,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
"https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
+ "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml"
],
"tags": [
@@ -69459,6 +69720,28 @@
"uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8",
"value": "DLL Sideloading via DeviceEnroller.exe"
},
+ {
+ "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)",
+ "meta": {
+ "author": "Florian Roth, Nasreddine Bencherchali",
+ "creation_date": "2023/01/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_win_server_undocumented_rce.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/hackerfantastic/status/1616455335203438592?s=20",
+ "https://twitter.com/YanZiShuang/status/1616777483646533632?s=20&t=TQT9tUuPbQJai4v6HtsOQw",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_win_server_undocumented_rce.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "6d5b8176-d87d-4402-8af4-53aee9db7b5d",
+ "value": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE"
+ },
{
"description": "An adversary may use Radmin Viewer Utility to remotely control Windows device",
"meta": {
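Review bot: The new entry sets `"tags": "No established tags"`, a string sentinel, while sibling entries (for example the `DLL Sideloading via DeviceEnroller.exe` entry just above) use a `tags` array, so consumers iterating `meta.tags` get a different type per entry. The same sentinel already appears on existing lines, so this is a pre-existing convention of the generator rather than a defect introduced here, but emitting `"tags": []` for rules without tags would keep the field a single type across the file. The entry's only references are two Twitter posts for an "undocumented" RCE; if the generator can carry a rule's `status` field, surfacing it would help readers judge how settled such a rule is.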
@@ -69498,8 +69781,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml"
],
"tags": [
@@ -69624,8 +69907,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
"https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
+ "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
],
"tags": [
@@ -69675,9 +69958,9 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://twitter.com/mvelazco/status/1410291741241102338",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
],
"tags": [
@@ -69734,9 +70017,9 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
- "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
"https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
+ "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
"https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
],
@@ -69779,8 +70062,8 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
"https://www.nextron-systems.com/?s=antivirus",
+ "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml"
],
"tags": [
@@ -69813,16 +70096,16 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
"https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
"https://github.com/tennc/webshell",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
- "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
"https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
"https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
"https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
"https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
],
"tags": [
@@ -69846,11 +70129,11 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
+ "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
"https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
+ "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
"https://www.nextron-systems.com/?s=antivirus",
"https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
- "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
"https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
],
@@ -70006,9 +70289,9 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
],
"tags": "No established tags"
@@ -70029,8 +70312,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
],
"tags": [
@@ -70063,8 +70346,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
],
"tags": [
@@ -70087,8 +70370,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
],
"tags": [
@@ -70111,8 +70394,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
],
"tags": [
@@ -70135,8 +70418,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
],
"tags": [
@@ -70146,6 +70429,30 @@
"uuid": "8f668cc4-c18e-45fe-ad00-624a981cf88a",
"value": "Okta Application Sign-On Policy Modified or Deleted"
},
+ {
+ "description": "Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence",
+ "meta": {
+ "author": "Nikita Khalimonenkov",
+ "creation_date": "2023/01/19",
+ "falsepositive": [
+ "Legitimate creation of a new admin role assignment"
+ ],
+ "filename": "okta_admin_role_assignment_created.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "okta",
+ "refs": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c",
+ "value": "Okta Admin Role Assignment Created"
+ },
{
"description": "Detects when an the Administrator role is assigned to an user or group.",
"meta": {
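Review bot: The new `Okta Admin Role Assignment Created` entry carries only the tactic tag `attack.persistence`, yet its own description names privilege escalation first; tagging `attack.privilege_escalation` as well would keep the galaxy searchable by the tactic an analyst is most likely to pivot on. The description also reads as a sentence fragment, `Detects when a new admin role assignment is created. Which could be a sign of ...`, and would be clearer as one sentence, `..., which could be a sign of privilege escalation or persistence.` The entry appears to overlap with the existing `okta_admin_role_assigned_to_user_or_group` rule that follows it (that entry's body continues outside the hunk), so a short note on which Okta event type each rule keys on would help consumers avoid double alerts. Since this cluster is generated from SigmaHQ, the wording and tag corrections belong in the upstream `okta_admin_role_assignment_created.yml` rather than here.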
@@ -70159,8 +70466,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
],
"tags": [
@@ -70193,8 +70500,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
],
"tags": [
@@ -70217,8 +70524,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
],
"tags": [
@@ -70241,8 +70548,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
],
"tags": [
@@ -70265,8 +70572,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
],
"tags": [
@@ -70303,8 +70610,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
],
"tags": [
@@ -70487,11 +70794,11 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
- "https://o365blog.com/post/aadbackdoor/",
+ "https://www.sygnia.co/golden-saml-advisory",
"https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
"https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.sygnia.co/golden-saml-advisory",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://o365blog.com/post/aadbackdoor/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
],
"tags": [
@@ -70787,6 +71094,122 @@
"uuid": "0f2468a2-5055-4212-a368-7321198ee706",
"value": "Activity from Infrequent Country"
},
+ {
+ "description": "Detects when a user creates action secret for the organization, environment, codespaces or repository.",
+ "meta": {
+ "author": "Muhammad Faisal",
+ "creation_date": "2023/01/20",
+ "falsepositive": [
+ "This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the \"actor\"."
+ ],
+ "filename": "github_new_secret_created.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "github",
+ "refs": [
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_new_secret_created.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.t1078.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "f9405037-bc97-4eb7-baba-167dad399b83",
+ "value": "Github New Secret Created"
+ },
+ {
+ "description": "Detects delete action in the Github audit logs for codespaces, environment, project and repo.",
+ "meta": {
+ "author": "Muhammad Faisal",
+ "creation_date": "2023/01/19",
+ "falsepositive": [
+ "Validate the deletion activity is permitted. The \"actor\" field need to be validated."
+ ],
+ "filename": "github_delete_action_invoked.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "github",
+ "refs": [
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_delete_action_invoked.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1213.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "16a71777-0b2e-4db7-9888-9d59cb75200b",
+ "value": "Github Delete Action Invoked"
+ },
+ {
+ "description": "Detects when an organization member or outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.",
+ "meta": {
+ "author": "Muhammad Faisal",
+ "creation_date": "2023/01/20",
+ "falsepositive": [
+ "Validate the actor if permitted to access the repo.",
+ "Validate the Multifactor Authentication changes."
+ ],
+ "filename": "github_outside_collaborator_detected.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "github",
+ "refs": [
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml"
+ ],
+ "tags": [
+ "attack.t1098.001",
+ "attack.t1213.003",
+ "attack.t1098.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "eaa9ac35-1730-441f-9587-25767bde99d7",
+ "value": "Github Outside Collaborator Detected"
+ },
{
"description": "Identifies when a DNS Zone is modified or deleted in Google Cloud.",
"meta": {
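Review bot: `Github New Secret Created` is tagged `attack.t1078`/`attack.t1078.004` (Valid Accounts), but creating an Actions secret is not an account-use event, so a credential-material technique such as T1552 (Unsecured Credentials) looks like a closer fit; likewise `Github Delete Action Invoked` pairs the `attack.impact` tactic with `attack.t1213.003`, a Collection technique, where T1485 (Data Destruction) appears to match the deletion it describes — please check both against the upstream rules. The `related` array of the first entry holds a single `dest-uuid` for two technique tags, which suggests the relationship script does not resolve the parent `attack.t1078` tag; worth confirming that is intended rather than a dropped mapping. Two falsepositive strings carry typos that will surface verbatim in MISP: `This detection cloud be noisy` → `could`, and `The \"actor\" field need to be validated` → `needs`. Since this file is generated from SigmaHQ, these corrections belong in the upstream YAML so they are not overwritten on the next regeneration.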
@@ -70897,10 +71320,10 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"https://github.com/elastic/detection-rules/pull/1267",
"https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
- "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
"https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
],
@@ -70950,8 +71373,8 @@
"logsource.product": "gcp",
"refs": [
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
- "https://cloud.google.com/kubernetes-engine/docs",
"https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://cloud.google.com/kubernetes-engine/docs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
],
"tags": [
@@ -71206,8 +71629,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
],
@@ -71313,8 +71736,8 @@
"logsource.category": "No established category",
"logsource.product": "google_workspace",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml"
],
@@ -71418,12 +71841,12 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://github.com/elastic/detection-rules/pull/1145/files",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://github.com/elastic/detection-rules/pull/1145/files",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
],
@@ -71567,8 +71990,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
"https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml"
],
"tags": [
@@ -72150,9 +72573,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
"https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
"https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
- "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml"
],
"tags": [
@@ -72291,8 +72714,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://github.com/elastic/detection-rules/pull/1213",
"https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
+ "https://github.com/elastic/detection-rules/pull/1213",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml"
],
"tags": [
@@ -72383,9 +72806,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
"https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
],
"tags": [
@@ -72523,8 +72946,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
"https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
+ "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
],
"tags": [
@@ -73598,11 +74021,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
],
"tags": [
@@ -74537,11 +74960,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
],
"tags": [
@@ -74599,11 +75022,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
],
"tags": [
@@ -74745,11 +75168,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
],
"tags": [
@@ -74805,8 +75228,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml"
],
"tags": [
@@ -74874,10 +75297,10 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
],
"tags": [
@@ -74960,11 +75383,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
],
"tags": [
@@ -75525,11 +75948,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
],
"tags": [
@@ -75554,11 +75977,11 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
],
"tags": [
@@ -75691,8 +76114,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/jhencinski/status/1102695118455349248",
"https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
+ "https://twitter.com/jhencinski/status/1102695118455349248",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml"
],
"tags": [
@@ -75805,8 +76228,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
- "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
+ "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml"
],
"tags": [
@@ -76016,8 +76439,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml"
],
@@ -76102,11 +76525,11 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
- "https://perishablepress.com/blacklist/ua-2013.txt",
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
"http://www.botopedia.org/search?searchword=scan&searchphrase=all",
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
"http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+ "https://perishablepress.com/blacklist/ua-2013.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml"
],
"tags": [
@@ -76182,8 +76605,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://rclone.org/",
"https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
+ "https://rclone.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml"
],
"tags": [
@@ -76316,8 +76739,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/craiu/status/1167358457344925696",
"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
+ "https://twitter.com/craiu/status/1167358457344925696",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml"
],
"tags": [
@@ -76495,8 +76918,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
"https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
+ "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
"https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
"https://www.spamhaus.org/statistics/tlds/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml"
@@ -76973,8 +77396,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://paper.seebug.org/1495/",
"https://twitter.com/wugeej/status/1369476795255320580",
+ "https://paper.seebug.org/1495/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml"
],
"tags": [
@@ -77070,10 +77493,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
- "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
- "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
"https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
+ "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
+ "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
+ "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml"
],
"tags": [
@@ -77139,8 +77562,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml"
],
"tags": [
@@ -77173,8 +77596,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
"https://www.anquanke.com/post/id/226029",
+ "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml"
],
"tags": [
@@ -77235,8 +77658,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://dmaasland.github.io/posts/citrix.html",
"https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
+ "https://dmaasland.github.io/posts/citrix.html",
"https://support.citrix.com/article/CTX276688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml"
],
@@ -77327,10 +77750,10 @@
"logsource.product": "No established product",
"refs": [
"https://twitter.com/Al1ex4/status/1382981479727128580",
- "https://twitter.com/sec715/status/1373472323538362371",
- "https://github.com/murataydemir/CVE-2021-27905",
"https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
+ "https://github.com/murataydemir/CVE-2021-27905",
"https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
+ "https://twitter.com/sec715/status/1373472323538362371",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml"
],
"tags": [
@@ -77364,9 +77787,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.yang99.top/index.php/archives/82/",
"https://github.com/vnhacker1337/CVE-2022-27925-PoC",
"https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
+ "https://www.yang99.top/index.php/archives/82/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml"
],
"tags": [
@@ -77400,10 +77823,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
"https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
- "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
"https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
+ "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
+ "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
],
"tags": [
@@ -77464,8 +77887,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
- "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
+ "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_poc_exploitation.yml"
],
"tags": [
@@ -77694,10 +78117,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
+ "https://support.f5.com/csp/article/K52145254",
"https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
"https://twitter.com/yorickkoster/status/1279709009151434754",
- "https://support.f5.com/csp/article/K52145254",
+ "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml"
],
"tags": [
@@ -77731,8 +78154,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
- "https://swarm.ptsecurity.com/unauth-rce-vmware",
"https://f5.pm/go-59627.html",
+ "https://swarm.ptsecurity.com/unauth-rce-vmware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
],
"tags": [
@@ -77798,9 +78221,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf",
- "https://github.com/0xf4n9x/CVE-2022-46169",
"https://github.com/rapid7/metasploit-framework/pull/17407",
+ "https://github.com/0xf4n9x/CVE-2022-46169",
+ "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_46169_cacti_exploitation_attempt.yml"
],
"tags": [
@@ -77834,11 +78257,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
"https://github.com/YfryTchsGD/Log4jAttackSurface",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://news.ycombinator.com/item?id=29504755",
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://news.ycombinator.com/item?id=29504755",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
"https://twitter.com/shutingrz/status/1469255861394866177?s=21",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml"
],
@@ -77930,10 +78353,10 @@
"logsource.product": "No established product",
"refs": [
"https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
- "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
"https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
"https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+ "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml"
],
"tags": [
@@ -78153,9 +78576,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
- "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
"https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
+ "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
+ "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml"
],
"tags": [
@@ -78288,9 +78711,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://youtu.be/5mqid-7zp8k?t=2231",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml"
],
"tags": [
@@ -78323,9 +78746,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://youtu.be/5mqid-7zp8k?t=2231",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml"
],
"tags": [
@@ -78348,8 +78771,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
"https://github.com/sensepost/reGeorg",
+ "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml"
],
"tags": [
@@ -78373,11 +78796,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
"https://github.com/YfryTchsGD/Log4jAttackSurface",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://news.ycombinator.com/item?id=29504755",
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://news.ycombinator.com/item?id=29504755",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
"https://twitter.com/shutingrz/status/1469255861394866177?s=21",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
],
@@ -78398,6 +78821,41 @@
"uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702",
"value": "Log4j RCE CVE-2021-44228 Generic"
},
+ {
+ "description": "Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/20",
+ "falsepositive": [
+ "Web vulnerability scanners"
+ ],
+ "filename": "web_cve_2022_44877_exploitation_attempt.yml",
+ "level": "high",
+ "logsource.category": "webserver",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/",
+ "https://seclists.org/fulldisclosure/2023/Jan/1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_44877_exploitation_attempt.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1190",
+ "cve.2022.44877"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1b2eeb27-949b-4704-8bfa-d8e5cfa045a1",
+ "value": "Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877"
+ },
{
"description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398",
"meta": {
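Review bot: The new CVE-2022-44877 entry names the product "Centos Web Panel 7" in both `description` and `value`, while the first of its own `refs` (the Rapid7 post) uses the vendor's current name, Control Web Panel (CWP); an analyst searching the cluster for "Control Web Panel" or "CWP" will therefore miss this detection. If the wording is inherited from the upstream Sigma rule title and should not be edited here, the cluster could still carry the alias in `meta`, for example `"synonyms": ["Control Web Panel", "CWP"]`, provided the sigma-rules schema accepts that key; otherwise a mention of the current name in the description would do, and "Centos" would be better written "CentOS". The `related` block hard-codes `dest-uuid` `3f886f2a-874f-4333-b794-aa6075009b1c` with an "almost-certain" likelihood; it presumably resolves to ATT&CK T1190 to match the `attack.t1190` tag, but since the script emits it rather than a human, it is worth confirming the UUID against the mitre-attack-pattern cluster so the relationship does not point at the wrong technique. The `level: high` paired with the "Web vulnerability scanners" false-positive note looks consistent with the other exploitation-attempt entries.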
@@ -78477,8 +78935,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.tenable.com/security/research/tra-2021-13",
"https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
+ "https://www.tenable.com/security/research/tra-2021-13",
"https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
],
@@ -78514,8 +78972,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
"https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
+ "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml"
],
"tags": [
@@ -78616,11 +79074,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/ptswarm/status/1445376079548624899",
- "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
+ "https://twitter.com/ptswarm/status/1445376079548624899",
"https://twitter.com/h4x0r_dz/status/1445401960371429381",
"https://twitter.com/bl4sty/status/1445462677824761878",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
"https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
],
@@ -78654,9 +79112,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
"https://www.exploit-db.com/exploits/39161",
"https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
+ "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml"
],
"tags": [
@@ -78691,9 +79149,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/lijiejie/IIS_shortname_Scanner",
"https://www.exploit-db.com/exploits/19525",
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://github.com/lijiejie/IIS_shortname_Scanner",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml"
],
"tags": [
@@ -78759,8 +79217,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
"https://twitter.com/aboul3la/status/1286012324722155525",
+ "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml"
],
"tags": [
@@ -78873,11 +79331,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
- "https://support.citrix.com/article/CTX267679",
- "https://support.citrix.com/article/CTX267027",
- "https://twitter.com/mpgn_x64/status/1216787131210829826",
"https://isc.sans.edu/diary/25686",
+ "https://twitter.com/mpgn_x64/status/1216787131210829826",
+ "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
+ "https://support.citrix.com/article/CTX267027",
+ "https://support.citrix.com/article/CTX267679",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
],
"tags": [
@@ -78944,8 +79402,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
"https://github.com/payloadbox/ssti-payloads",
+ "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_ssti_in_access_logs.yml"
],
"tags": "No established tags"
@@ -79058,8 +79516,8 @@
"logsource.category": "file_event",
"logsource.product": "macos",
"refs": [
- "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
+ "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
],
"tags": [
@@ -79256,8 +79714,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
+ "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
],
"tags": [
@@ -79532,8 +79990,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml"
],
"tags": [
@@ -79863,8 +80321,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
"https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
],
"tags": [
@@ -79922,8 +80380,8 @@
"logsource.product": "macos",
"refs": [
"https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
],
"tags": [
@@ -80036,8 +80494,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://gist.github.com/Capybara/6228955",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
+ "https://gist.github.com/Capybara/6228955",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml"
],
"tags": [
@@ -80095,10 +80553,10 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
],
"tags": "No established tags"
@@ -80117,9 +80575,9 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
],
"tags": "No established tags"
@@ -80140,9 +80598,9 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
],
"tags": "No established tags"
@@ -80506,8 +80964,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/1/xclip",
"https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
+ "https://linux.die.net/man/1/xclip",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
],
"tags": [
@@ -80555,9 +81013,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://man7.org/linux/man-pages/man8/kmod.8.html",
"https://linux.die.net/man/8/insmod",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
+ "https://man7.org/linux/man-pages/man8/kmod.8.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
],
"tags": [
@@ -80616,8 +81074,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/berdav/CVE-2021-4034",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
+ "https://github.com/berdav/CVE-2021-4034",
"https://access.redhat.com/security/cve/CVE-2021-4034",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml"
],
@@ -80651,9 +81109,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://imagemagick.org/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
"https://linux.die.net/man/1/import",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://imagemagick.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
],
"tags": [
@@ -80677,8 +81135,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
"https://firewalld.org/documentation/man-pages/firewall-cmd.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
],
"tags": [
@@ -80735,9 +81193,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
"https://man7.org/linux/man-pages/man8/getcap.8.html",
"https://mn3m.info/posts/suid-vs-capabilities/",
+ "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
"https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
],
@@ -81435,8 +81893,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
"https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA",
+ "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_debugfs_usage.yml"
],
"tags": [
@@ -81470,9 +81928,9 @@
"logsource.product": "linux",
"refs": [
"https://man7.org/linux/man-pages/man1/passwd.1.html",
- "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
- "https://linux.die.net/man/1/chage",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
+ "https://linux.die.net/man/1/chage",
+ "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
],
"tags": [
@@ -81597,10 +82055,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
- "https://linux.die.net/man/8/pam_tty_audit",
"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://linux.die.net/man/8/pam_tty_audit",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
],
"tags": [
@@ -81700,8 +82158,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
"https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
"https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
],
@@ -82006,9 +82464,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://linux.die.net/man/8/useradd",
"https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
"https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
- "https://linux.die.net/man/8/useradd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
],
"tags": [
@@ -82759,8 +83217,8 @@
"logsource.category": "file_event",
"logsource.product": "linux",
"refs": [
- "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
"https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
],
"tags": [
@@ -82793,8 +83251,8 @@
"logsource.category": "network_connection",
"logsource.product": "linux",
"refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
"https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"
],
"tags": [
@@ -83239,8 +83697,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
+ "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml"
],
"tags": [
@@ -83349,11 +83807,11 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
"https://twitter.com/d1r4c/status/1279042657508081664",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://curl.se/docs/manpage.html",
"https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+ "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
],
"tags": [
@@ -83419,9 +83877,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
"https://linux.die.net/man/8/userdel",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
],
@@ -83741,8 +84199,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
+ "https://github.com/sleventyeleven/linuxprivchecker/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml"
],
"tags": [
@@ -83927,9 +84385,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
"https://linux.die.net/man/8/groupdel",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
],
@@ -83997,8 +84455,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/carlospolop/PEASS-ng",
"https://github.com/diego-treitos/linux-smart-enumeration",
+ "https://github.com/carlospolop/PEASS-ng",
"https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
],
@@ -84313,8 +84771,8 @@
"logsource.product": "linux",
"refs": [
"https://gtfobins.github.io/gtfobins/nohup/",
- "https://www.computerhope.com/unix/unohup.htm",
"https://en.wikipedia.org/wiki/Nohup",
+ "https://www.computerhope.com/unix/unohup.htm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
],
"tags": "No established tags"
@@ -84471,8 +84929,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
"https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
],
"tags": [
@@ -84505,8 +84963,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
+ "https://github.com/sleventyeleven/linuxprivchecker/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"
],
"tags": [
@@ -84605,8 +85063,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://attack.mitre.org/techniques/T1548/001/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
+ "https://attack.mitre.org/techniques/T1548/001/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
],
"tags": [
@@ -84769,5 +85227,5 @@
"value": "Security Software Discovery - Linux"
}
],
- "version": 20230120
+ "version": 20230123
}
From f605f041d99057b767231831d7f5970be6c1fcb9 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Tue, 24 Jan 2023 01:21:54 +0100
Subject: [PATCH 12/13] fix: [tools] Added missing closing `'`
---
.../create_mitre-enterprise-attack-attack-pattern_galaxy.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/mitre-cti/v2.0/create_mitre-enterprise-attack-attack-pattern_galaxy.py b/tools/mitre-cti/v2.0/create_mitre-enterprise-attack-attack-pattern_galaxy.py
index ea0053d..4452603 100644
--- a/tools/mitre-cti/v2.0/create_mitre-enterprise-attack-attack-pattern_galaxy.py
+++ b/tools/mitre-cti/v2.0/create_mitre-enterprise-attack-attack-pattern_galaxy.py
@@ -29,7 +29,7 @@ for element in os.listdir('.'):
for reference in temp['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
- if 'external_id' in reference and reference['external_id'] not in value['meta']['external_id]:
+ if 'external_id' in reference and reference['external_id'] not in value['meta']['external_id']:
value['meta']['external_id'].append(reference['external_id'])
value['meta']['kill_chain'] = []
for killchain in temp['kill_chain_phases']:
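Review bot: The corrected membership test `reference['external_id'] not in value['meta']['external_id']` relies on `value['meta']['external_id']` having been initialised as a list earlier in the loop body; that initialisation, like the start of the enclosing `for element` loop, lies outside the hunk and cannot be confirmed here. Because the missing quote was a SyntaxError, the script could not have executed at all while the defect was present, so the break went unnoticed until now. A `python -m py_compile` pass over the `tools/` scripts in CI would catch this class of regression before merge.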
From cb8d700e622b694021ad248116de3a0feb9e2430 Mon Sep 17 00:00:00 2001
From: ofenomeno
Date: Tue, 24 Jan 2023 19:55:46 +0100
Subject: [PATCH 13/13] adding uavs
---
clusters/uavs.json | 482 +++++++++++++++++++++++++++++++++++++++++++++
galaxies/uavs.json | 8 +
2 files changed, 490 insertions(+)
create mode 100644 clusters/uavs.json
create mode 100644 galaxies/uavs.json
diff --git a/clusters/uavs.json b/clusters/uavs.json
new file mode 100644
index 0000000..bb268ee
--- /dev/null
+++ b/clusters/uavs.json
@@ -0,0 +1,482 @@
+{
+ "authors": [
+ "Enes AYATA"
+ ],
+ "category": "military equipment",
+ "description": "Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles",
+ "name": "UAVs/UCAVs",
+ "source": "Popular Mechanics",
+ "type": "uavs",
+ "uuid": "bef5c29d-b0db-4923-aa9a-80921f26d3ab",
+ "values": [
+ {
+ "description": "R18",
+ "meta": {
+ "Flight time": "40 minutes",
+ "Made in": "Ukraine",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "N/A",
+ "Wingspan": "About 6 feet"
+ },
+ "uuid": "82a0a264-59dd-467a-9830-72c3fc8b25e6",
+ "value": "R18"
+ },
+ {
+ "description": "KBLA-IVT",
+ "meta": {
+ "Flight time": "60 minutes",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Power plant": "Internal combustion",
+ "Top speed": "N/A",
+ "Wingspan": "15 feet"
+ },
+ "uuid": "25bc036b-8b71-4098-8615-bf63204509d2",
+ "value": "KBLA-IVT"
+ },
+ {
+ "description": "Autel Evo II",
+ "meta": {
+ "Flight time": "40 minutes",
+ "Made in": "China",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "45 mph",
+ "Wingspan": "16 inches"
+ },
+ "uuid": "c24e2133-23c7-4dcf-8fa1-5a38c713ad68",
+ "value": "Autel Evo II"
+ },
+ {
+ "description": "DJI Mavic Series",
+ "meta": {
+ "Flight time": "31 minutes",
+ "Made in": "China",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "29 mph",
+ "Wingspan": "8 inches"
+ },
+ "uuid": "8df0e639-8ce6-4b6a-b35a-cab3e6ccb56a",
+ "value": "DJI Mavic Series"
+ },
+ {
+ "description": "Golden Eagle",
+ "meta": {
+ "Flight time": "Up to 55 minutes",
+ "Made in": "USA",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top Speed": "50 mph",
+ "Wingspan": "About 20 inches"
+ },
+ "uuid": "de616d7c-8a9d-427f-8c6d-aeed9a3f2f3a",
+ "value": "Golden Eagle"
+ },
+ {
+ "description": "Skydio X2",
+ "meta": {
+ "Flight time": "35 minutes",
+ "Made in": "USA",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "25 mph",
+ "Wingspan": "26 inches"
+ },
+ "uuid": "50b4a527-b371-4daf-8f93-8e5de4de6c90",
+ "value": "Skydio X2"
+ },
+ {
+ "description": "RQ-4 Global Hawk",
+ "meta": {
+ "Flight time": "More than 34 hours",
+ "Made in": "USA",
+ "Operator": "USA",
+ "Powerplant": "Turbofan jet",
+ "Top speed": "Faster than 350 mph",
+ "Wingspan": "131 feet"
+ },
+ "uuid": "5ca96911-329e-4c0c-a582-e7857cc64963",
+ "value": "RQ-4 Global Hawk"
+ },
+ {
+ "description": "Orion",
+ "meta": {
+ "Flight time": "24 hours",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Powerplant": "Internal combustion",
+ "Top speed": "120 mph",
+ "Wingspan": "48 feet"
+ },
+ "uuid": "8c35bf52-03ae-4155-ba7c-ca1141001395",
+ "value": "Orion"
+ },
+ {
+ "description": "Bayraktar TB2",
+ "meta": {
+ "Flight time": "More than 20 hours",
+ "Made in": "Turkey",
+ "Operator": "Ukraine",
+ "Powerplant": "Gasoline internal combustion",
+ "Top speed": "100 mph",
+ "Wingspan": "39 feet"
+ },
+ "uuid": "6b4b821a-fd00-47b4-b2da-451cf2017621",
+ "value": "Bayraktar TB2"
+ },
+ {
+ "description": "UJ-22 Airborne",
+ "meta": {
+ "Flight time": "7 hours",
+ "Made in": "Ukraine",
+ "Operator": "Ukraine",
+ "Powerplant": "Gasoline internal combustion",
+ "Top speed": "100 mph",
+ "Wingspan": "32 feet"
+ },
+ "uuid": "0177e51e-6c68-415f-a887-4b40392f8010",
+ "value": "UJ-22 Airborne"
+ },
+ {
+ "description": "Forpost",
+ "meta": {
+ "Flight time": "20 hours",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Power plant": "Gasoline internal combustion",
+ "Top speed": "125 mph",
+ "Wingspan": "28 feet"
+ },
+ "uuid": "5f6f611d-4edb-48da-ac71-abb93f687270",
+ "value": "Forpost"
+ },
+ {
+ "description": "Zala 421",
+ "meta": {
+ "Flight time": "6 hours",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Powerplant": "Electric",
+ "Top speed": "74 mph",
+ "Wingspan": "17 feet"
+ },
+ "uuid": "385e7996-1f7e-4bc2-9606-e85aa9760448",
+ "value": "Zala 421"
+ },
+ {
+ "description": "PD-1 People’s Drone",
+ "meta": {
+ "Flight time": "7 hours",
+ "Made in": "Ukraine",
+ "Operator": "Ukraine",
+ "Powerplant": "Internal combustion engine",
+ "Top speed": "90 mph",
+ "Wingspan": "13 feet"
+ },
+ "uuid": "c33bdc2c-8a52-4a74-8e7d-602ad4a4d3f4",
+ "value": "PD-1 People’s Drone"
+ },
+ {
+ "description": "Tupolev Tu-141 Strizh",
+ "meta": {
+ "Flight time": "60 minutes",
+ "Made in": "Former USSR Member States",
+ "Operator": "Unknown",
+ "Powerplant": "Turbojet",
+ "Top speed": "680 mph",
+ "Wingspan": "12 feet"
+ },
+ "uuid": "e90bee1e-0e27-4712-90d9-86093b0dafee",
+ "value": "Tupolev Tu-141 Strizh"
+ },
+ {
+ "description": "WB FlyEye",
+ "meta": {
+ "Flight time": "2.5 hours",
+ "Made in": "Poland",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "80 mph",
+ "Wingspan": "12 feet"
+ },
+ "uuid": "5048ea6b-1df9-4d19-8a7a-0837289a1399",
+ "value": "WB FlyEye"
+ },
+ {
+ "description": "Granat-4",
+ "meta": {
+ "Flight time": "6 hours",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Powerplant": "Gasoline internal combustion",
+ "Top speed": "90 mph",
+ "Wingspan": "11 feet"
+ },
+ "uuid": "e2c10d80-0641-4d82-b5b5-ea2d6d4d74d8",
+ "value": "Granat-4"
+ },
+ {
+ "description": "Orlan-10",
+ "meta": {
+ "Flight time": "18 hours",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Powerplant": "Internal combustion",
+ "Top speed": "93 mph",
+ "Wingspan": "10 feet"
+ },
+ "uuid": "4d604fd6-80b2-45dc-ab2b-a4f9e7f87a0d",
+ "value": "Orlan-10"
+ },
+ {
+ "description": "Orlan-30",
+ "meta": {
+ "Flight time": "5 hours",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Powerplant": "Internal combustion",
+ "Top speed": "93 mph",
+ "Wingspan": "10 feet"
+ },
+ "uuid": "9536d2ee-e4a2-46ee-a4d2-313169312cdf",
+ "value": "Orlan-30"
+ },
+ {
+ "description": "Quantum Systems Vector",
+ "meta": {
+ "Flight time": "2 hours",
+ "Made in": "Germany",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "Over 25 mph",
+ "Wingspan": "9 feet"
+ },
+ "uuid": "b9e20493-a291-46f5-be3d-17c1335412c9",
+ "value": "Quantum Systems Vector"
+ },
+ {
+ "description": "Spectator",
+ "meta": {
+ "Flight time": "2 hours",
+ "Made in": "Ukraine",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "75 mph",
+ "Wingspan": "10 feet"
+ },
+ "uuid": "a5b73ec0-a229-4117-b960-1a6636cfdd55",
+ "value": "Spectator"
+ },
+ {
+ "description": "RQ-20 Puma",
+ "meta": {
+ "Flight time": "2.5 hours",
+ "Made in": "USA",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "47 mph",
+ "Wingspan": "9 feet"
+ },
+ "uuid": "9e390aab-cd07-4d3f-96ba-872605b22186",
+ "value": "RQ-20 Puma"
+ },
+ {
+ "description": "E95",
+ "meta": {
+ "Flight time": "30 minutes",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Powerplant": "Pulse jet",
+ "Top speed": "250 mph",
+ "Wingspan": "8 feet"
+ },
+ "uuid": "098c796d-0798-4506-a5eb-724b438448fc",
+ "value": "E95"
+ },
+ {
+ "description": "Tupolev Tu-143 Reis",
+ "meta": {
+ "Flight time": "13 minutes",
+ "Made in": "Former Soviet Union",
+ "Operator": "Ukraine",
+ "Powerplant": "Turbojet",
+ "Top speed": "Over 600 mph",
+ "Wingspan": "9 feet"
+ },
+ "uuid": "381f9b9a-617c-4908-9081-2b1d0e6507b2",
+ "value": "Tupolev Tu-143 Reis"
+ },
+ {
+ "description": "Zastava",
+ "meta": {
+ "Flight time": "80 minutes",
+ "Made in": "Russia and Israel",
+ "Operator": "Russia",
+ "Powerplant": "Electric",
+ "Top speed": "52 mph",
+ "Wingspan": "7 feet"
+ },
+ "uuid": "fcc0f47a-f148-4e94-a8e5-683984e9c489",
+ "value": "Zastava"
+ },
+ {
+ "description": "Punisher",
+ "meta": {
+ "Flight time": "90 minutes",
+ "Made in": "Ukraine",
+ "Operator": "Ukraine",
+ "Power plant": "Electric",
+ "Top speed": "Over 50 mph",
+ "Wingspan": "7.5 feet"
+ },
+ "uuid": "38a1456f-85d5-4714-aebd-dcfc92a409b3",
+ "value": "Punisher"
+ },
+ {
+ "description": "Mini-Bayraktar",
+ "meta": {
+ "Flight time": "60 minutes",
+ "Made in": "Turkey",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "Over 45 mph",
+ "Wingspan": "7 feet"
+ },
+ "uuid": "ac021cef-204f-4d14-8960-c3b40734f477",
+ "value": "Mini-Bayraktar"
+ },
+ {
+ "description": "Takion",
+ "meta": {
+ "Flight time": "2 hours",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Powerplant": "Electric",
+ "Top speed": "75 mph",
+ "Wingspan": "7 feet"
+ },
+ "uuid": "f5e68cef-7eca-483b-8487-2fc8384310ca",
+ "value": "Takion"
+ },
+ {
+ "description": "Leleka-100 “Stork”",
+ "meta": {
+ "Flight time": "2.5 hours",
+ "Made in": "Ukraine",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "75 mph",
+ "Wingspan": "7 feet"
+ },
+ "uuid": "7e46ff41-3f34-4dd7-8b58-67c7bb2130c6",
+ "value": "Leleka-100 “Stork”"
+ },
+ {
+ "description": "Athlon Avia A1-CM Furia",
+ "meta": {
+ "Flight time": "3 hours",
+ "Made in": "Ukraine",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "Over 60 mph",
+ "Wingspan": "7 feet"
+ },
+ "uuid": "4c535ed3-2fee-43a4-a220-1ed8b85498d2",
+ "value": "Athlon Avia A1-CM Furia"
+ },
+ {
+ "description": "Eleron-3",
+ "meta": {
+ "Flight time": "100 minutes",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Powerplant": "Electric",
+ "Top speed": "80 mph",
+ "Wingspan": "4 feet"
+ },
+ "uuid": "7d741517-6e70-4267-8b6f-7df4e025a0b0",
+ "value": "Eleron-3"
+ },
+ {
+ "description": "AeroVironment Quantix",
+ "meta": {
+ "Flight time": "45 minutes",
+ "Made in": "USA",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "Over 40 mph",
+ "Wingspan": "About 4 feet"
+ },
+ "uuid": "91e4c548-fd50-43da-891a-8d5990c32cda",
+ "value": "AeroVironment Quantix"
+ },
+ {
+ "description": "Switchblade 300",
+ "meta": {
+ "Flight time": "Over 15 minutes",
+ "Made in": "USA",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "Over 100 mph",
+ "Wingspan": "About 4 feet"
+ },
+ "uuid": "cd70cac7-e795-48ed-84cf-83fc688e368e",
+ "value": "Switchblade 300"
+ },
+ {
+ "description": "Switchblade 600",
+ "meta": {
+ "Flight time": "Over 40 minutes",
+ "Made in": "USA",
+ "Operator": "Ukraine",
+ "Powerplant": "Electric",
+ "Top speed": "115 mph",
+ "Wingspan": "About 6 feet"
+ },
+ "uuid": "809bbef1-3477-4dd3-90ec-68c6f45cd76b",
+ "value": "Switchblade 600"
+ },
+ {
+ "description": "Phoenix Ghost",
+ "meta": {
+ "Flight Time": "6 hours",
+ "Made in": "USA",
+ "Operator": "Ukraine",
+ "Power plant": "Electric",
+ "Top speed": "N/A",
+ "Wingspan": "N/A"
+ },
+ "uuid": "2a15042a-55a3-47f5-b1bf-d1319d3d2c87",
+ "value": "Phoenix Ghost"
+ },
+ {
+ "description": "WB Group Warmate",
+ "meta": {
+ "Flight time": "50 minutes",
+ "Made in": "Poland and Ukraine",
+ "Operator": "Ukraine",
+ "Power plant": "Electric",
+ "Top speed": "50 mph",
+ "Wingspan": "4.5 feet"
+ },
+ "uuid": "7eab87c7-608c-4837-8adb-7aae9e422fa9",
+ "value": "WB Group Warmate"
+ },
+ {
+ "description": "Zala KYB",
+ "meta": {
+ "Flight time": "30 minutes",
+ "Made in": "Russia",
+ "Operator": "Russia",
+ "Power plant": "Electric",
+ "Top speed": "80 mph",
+ "Wingspan": "4 feet"
+ },
+ "uuid": "7329fec9-c22c-42e4-83be-e778872c7b3d",
+ "value": "Zala KYB"
+ }
+ ],
+ "version": 1
+}
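Review bot: The per-entry `meta` keys are spelled inconsistently in the new cluster: `"Powerplant"` on most entries but `"Power plant"` on KBLA-IVT, Forpost, Punisher, Phoenix Ghost, WB Group Warmate and Zala KYB; `"Top speed"` except `"Top Speed"` on Golden Eagle; `"Flight time"` except `"Flight Time"` on Phoenix Ghost. Consumers keying on `meta` will treat these as distinct attributes, so normalise each field to one spelling before the cluster is published, preferably lower-case identifier-style keys such as `"powerplant"`, `"top_speed"`, `"flight_time"` rather than capitalised keys with spaces. The values fold units and qualifiers into free text (`"About 6 feet"`, `"Over 25 mph"`, `"N/A"`), which rules out numeric comparison; a numeric value with the unit in the key name, and omitting the key instead of writing `"N/A"`, would make the data usable beyond display. `"Made in"` likewise uses both `"Former USSR Member States"` and `"Former Soviet Union"` for the same origin.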
diff --git a/galaxies/uavs.json b/galaxies/uavs.json
new file mode 100644
index 0000000..a437ed8
--- /dev/null
+++ b/galaxies/uavs.json
@@ -0,0 +1,8 @@
+{
+ "description": "Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles",
+ "icon": "plane",
+ "name": "UAVs/UCAVs",
+ "type": "uavs",
+ "uuid": "bef5c29d-b0db-4923-aa9a-80921f26d3ab",
+ "version": 1
+}